Security

AirGroup is configured with Clearpass Registration with Mobility Controllers. When connecting a newly registered device to the network, it will authenticate and also trigger the AirGroup Authorization service. Clearpass will send down proper enforcement with the list of shared users. 

How can we trigger the Airgroup Authorization service again? If a change is made to the Device Registration, such as adding a new Shared User, we would like this to notify the controller. CoA'ing the device, disconnect/reconnect, etc. will reauthenticate the device but it does not trigger a hit to the AirGroup Authorization Service to send the new list of shared users.

The Airgroup Clearpass profile on the Mobility Controllers has a default "periodic interval to query ClearPass server" set to 10 hours. Is that the only time it will update? Seems there has to be a way to make this faster/dynamic. 

Thanks! 

------------------------------
Philip Wightman, ACEX (AMFX) #69. Aruba Partner Ambassador
------------------------------

Dynamic updates occur via Dynamic Authorization. You won't see a separate request.

------------------------------
Tim C
------------------------------

Original Message:
Sent: May 13, 2021 10:28 AM
From: Philip Wightman
Subject: Clearpass AirGroup Authorization Service


AirGroup is configured with Clearpass Registration with Mobility Controllers. When connecting a newly registered device to the network, it will authenticate and also trigger the AirGroup Authorization service. Clearpass will send down proper enforcement with the list of shared users. 

How can we trigger the Airgroup Authorization service again? If a change is made to the Device Registration, such as adding a new Shared User, we would like this to notify the controller. CoA'ing the device, disconnect/reconnect, etc. will reauthenticate the device but it does not trigger a hit to the AirGroup Authorization Service to send the new list of shared users.

The Airgroup Clearpass profile on the Mobility Controllers has a default "periodic interval to query ClearPass server" set to 10 hours. Is that the only time it will update? Seems there has to be a way to make this faster/dynamic. 

Thanks! 

------------------------------
Philip Wightman, ACEX (AMFX) #69. Aruba Partner Ambassador
------------------------------

Answering my own question...

When a registered device, such as an AppleTV,  connects to the network for the first time after registration, Airgroup will create a new Server Entry on the controller. Since it is new, it will send a request to CPPM (hits AirGroup Authorization service) to pull back and cache the details for the device. Clearpass will return the list of shared users, groups etc. 

That entry on the controller does not get refreshed until the "CPPM Server Query Interval" as defined in the Airgroup configuration which by default is 10 hours. This default can be changed. So if a new user is added to the shared list, the controller will not learn this until after the cache period is expired. 

show airgroup cppm-server query-interval

You can manually clear the device from the controller. Next time it connects, it will pull CPPM again for the shared list. 

clear airgroup server aa:bb:cc:dd:ee:ff


------------------------------
Philip Wightman, ACEX (AMFX) #69. Aruba Partner Ambassador
------------------------------

Original Message:
Sent: May 13, 2021 10:28 AM
From: Philip Wightman
Subject: Clearpass AirGroup Authorization Service


AirGroup is configured with Clearpass Registration with Mobility Controllers. When connecting a newly registered device to the network, it will authenticate and also trigger the AirGroup Authorization service. Clearpass will send down proper enforcement with the list of shared users. 

How can we trigger the Airgroup Authorization service again? If a change is made to the Device Registration, such as adding a new Shared User, we would like this to notify the controller. CoA'ing the device, disconnect/reconnect, etc. will reauthenticate the device but it does not trigger a hit to the AirGroup Authorization Service to send the new list of shared users.

The Airgroup Clearpass profile on the Mobility Controllers has a default "periodic interval to query ClearPass server" set to 10 hours. Is that the only time it will update? Seems there has to be a way to make this faster/dynamic. 

Thanks! 

------------------------------
Philip Wightman, ACEX (AMFX) #69. Aruba Partner Ambassador
------------------------------