@dg27 wrote:
Could somebody explain how the role/location restrictions work for shared resources defined in Clearpass?
I have been testing AirGroup with Clearpass used for device registration and the role and location restrictions on devices seem a bit hit and miss. My understanding is that the restrictions have an 'AND' logic, so if you place a role and location restriction on, the user must have the specified role and be in the specified location. Is this correct?
Also, how does the individual AP-Name location restriction work? I have added a shared resource of an Apple TV and added a single AP to the shared locations. Does this then mean anybody on that AP only can access the resource or does it also include the AP that the Apple TV is associated to?
Any advice would be greatly appreciated.
Thanks
David
Here are a couple of things to keep in mind:
- AP-Name is not exclusive to that specific AP. What I mean by this is the controller does a sort of 'show ap arm neighbors' to find the nearby APs around the AP-Name that you have entered. So, as long as you are in that area, you can see the AppleTV (assuming other conditions are met).
- Here is a breakdown of how the conditions work: (Shared Location AND Shared Role) OR (Shared Location AND Shared User). What this means is that you could have ATV1 with a shared location of AP1 and a shared role of employee. Only employee role users in the area of AP1 would see ATV1. However, if you added a shared user student1 in addition to those conditions, then any employee in the area of AP1 would be able to see ATV1 and student1, if student1 was in the area of AP1, would be able to see ATV1.
- If you upgrade to ClearPass 6.1, we give you the multi-selection tool for locations and roles (so you don't have to worry about the format of AP-Name). We pull this information directly from the controllers.
#1 is a very important concept. In a dense environment, you cannot guarantee which AP the user is going to connect to. This AP area feature makes setup much easier. You don't have to add every possible AP that the user could be connected to.
As far as your question about the AP that the Apple TV is connected to: no, only if that AP is in the area of the AP-Name. In fact, we really don't care where the Apple TV is connected. Even though the restrictions are set for the MAC address of the Apple TV, we are enforcing those restrictions on the client connection. My favorite example for this is that you could have an Apple TV in Paris and the shared location be in New York. As long as the controller in NY sees Apple TV in Paris (think L2 to an untrusted port on the controller in NY or an AP terminating on the controller in NY), then only the people in NY would be able to Airplay to the Apple TV in Paris (assuming the location was set to an AP in NY).
Hope this makes sense. Also, keep in mind that you do not need to disable drop broadcast/multicast on the controller, in order for AirGroup to work. In fact, I recommend dropping broadcast/multicast, especially in dense environments.
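A small model of the visibility rule described in the reply above, added here as an example; it is not part of the original thread or of ClearPass itself, and the AP names, neighbour map, roles and users are constructed sample data:

```python
# Added example (not ClearPass code): models the AirGroup visibility rule from
# the reply, (Shared Location AND Shared Role) OR (Shared Location AND Shared User),
# with Shared Location expanded to the ARM neighbours of each listed AP-Name.
# All AP names, neighbour lists, roles and users are constructed sample data.
from dataclasses import dataclass, field

# Constructed stand-in for the controller's 'show ap arm neighbors' output:
# each AP maps to the APs it hears nearby.
ARM_NEIGHBORS = {
    "AP1": {"AP2", "AP3"},
    "AP2": {"AP1"},
    "AP3": {"AP1"},
    "AP-PARIS": set(),
}


@dataclass
class SharedResource:
    mac: str                                             # placeholder MAC, constructed
    shared_locations: set = field(default_factory=set)   # AP-Names as configured
    shared_roles: set = field(default_factory=set)
    shared_users: set = field(default_factory=set)


def location_area(ap_names):
    """Expand each configured AP-Name into itself plus its ARM neighbours."""
    area = set()
    for ap in ap_names:
        area.add(ap)
        area |= ARM_NEIGHBORS.get(ap, set())
    return area


def can_see(resource, client_ap, client_role, client_user):
    """Apply the reply's rule to one client connection.

    Enforcement uses only the client's AP, role and user; the AP the resource
    itself is associated to is deliberately not an input (the Paris/NY case).
    A resource with no shared roles and no shared users is not covered by the
    reply's formula and evaluates to False here (assumption).
    """
    in_location = client_ap in location_area(resource.shared_locations)
    role_match = client_role in resource.shared_roles
    user_match = client_user in resource.shared_users
    return (in_location and role_match) or (in_location and user_match)


# The ATV1 scenario from the reply: location AP1, role employee, user student1.
ATV1 = SharedResource("00:00:00:00:00:01", {"AP1"}, {"employee"}, {"student1"})
```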