Internet of Things (IoT) and Industrial IoT (IIoT)

I have a new device (Listen EVERYWHERE 2 Channel Server - Listen Technologies) on our network that allows users in one of our concert halls to connect to an audio stream for hearing assistance and/or language translation services.  It uses mDNS for discovery and I'm using AirGroup to manage who can find it.  If a user is connected to our 802.1x network it's all working great.  The issue is that most of the people who will be using the service are community members who will be on our guest network.  

My guest network currently limits users to http(s) and necessary network services (dhcp, dns, icmp, etc).  To enable discovery and access to this new device my plan is to add policies to the guest role to allow mDNS for discovery and to allow the specific UDP ports that the device needs for streaming.  Is there anything else I need to do?  Also, any advice on how to create a policy to enable AirGroup discovery?

------------------------------
David King
------------------------------

Howdy David,

Can you share a little more detail about your wireless network? Specifically, is the network controller based or controller-less (ie Instant). How are your guest users being authenticated currently? Captive portal? Internal captive portal or external on ClearPass?

Charlie

------------------------------
Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
------------------------------

Original Message:
Sent: Jan 07, 2022 08:29 AM
From: David King
Subject: Policies to allow AirGroup discovery on guest network

I have a new device (Listen EVERYWHERE 2 Channel Server - Listen Technologies) on our network that allows users in one of our concert halls to connect to an audio stream for hearing assistance and/or language translation services.  It uses mDNS for discovery and I'm using AirGroup to manage who can find it.  If a user is connected to our 802.1x network it's all working great.  The issue is that most of the people who will be using the service are community members who will be on our guest network.  

My guest network currently limits users to http(s) and necessary network services (dhcp, dns, icmp, etc).  To enable discovery and access to this new device my plan is to add policies to the guest role to allow mDNS for discovery and to allow the specific UDP ports that the device needs for streaming.  Is there anything else I need to do?  Also, any advice on how to create a policy to enable AirGroup discovery?

------------------------------
David King
------------------------------

Sorry, yes.  This is a controller based network.  My guest users are authenticated via a CPPM captive portal page.  All of the AirGroup authorization is handled through CPPM and I have the device set to be shared with anyone who connects to a specific AP group.  That's working great for users on my 802.1x network but I want it to work for users on my guest network too.  

Thanks for the help

------------------------------
David King
------------------------------

Original Message:
Sent: Jan 08, 2022 11:22 AM
From: Charlie Clemmer
Subject: Policies to allow AirGroup discovery on guest network

Howdy David,

Can you share a little more detail about your wireless network? Specifically, is the network controller based or controller-less (ie Instant). How are your guest users being authenticated currently? Captive portal? Internal captive portal or external on ClearPass?

Charlie

------------------------------
Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

Original Message:
Sent: Jan 07, 2022 08:29 AM
From: David King
Subject: Policies to allow AirGroup discovery on guest network

I have a new device (Listen EVERYWHERE 2 Channel Server - Listen Technologies) on our network that allows users in one of our concert halls to connect to an audio stream for hearing assistance and/or language translation services.  It uses mDNS for discovery and I'm using AirGroup to manage who can find it.  If a user is connected to our 802.1x network it's all working great.  The issue is that most of the people who will be using the service are community members who will be on our guest network.  

My guest network currently limits users to http(s) and necessary network services (dhcp, dns, icmp, etc).  To enable discovery and access to this new device my plan is to add policies to the guest role to allow mDNS for discovery and to allow the specific UDP ports that the device needs for streaming.  Is there anything else I need to do?  Also, any advice on how to create a policy to enable AirGroup discovery?

------------------------------
David King
------------------------------

If it helps I added the 'allowall' policy to the top of my guest role and everything works now!  The one down side is that now I don't have any restrictions on my guest role and my security team won't be happy about that.  I'm going to start pruning that back to see when it breaks but if anyone knows how to craft a policy to just allow mDNS discovery from AirGroup that would save me a ton of time.

Thanks!

------------------------------
David King
------------------------------

Original Message:
Sent: Jan 10, 2022 08:42 AM
From: David King
Subject: Policies to allow AirGroup discovery on guest network

Sorry, yes.  This is a controller based network.  My guest users are authenticated via a CPPM captive portal page.  All of the AirGroup authorization is handled through CPPM and I have the device set to be shared with anyone who connects to a specific AP group.  That's working great for users on my 802.1x network but I want it to work for users on my guest network too.  

Thanks for the help

------------------------------
David King

Original Message:
Sent: Jan 08, 2022 11:22 AM
From: Charlie Clemmer
Subject: Policies to allow AirGroup discovery on guest network

Howdy David,

Can you share a little more detail about your wireless network? Specifically, is the network controller based or controller-less (ie Instant). How are your guest users being authenticated currently? Captive portal? Internal captive portal or external on ClearPass?

Charlie

------------------------------
Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

Original Message:
Sent: Jan 07, 2022 08:29 AM
From: David King
Subject: Policies to allow AirGroup discovery on guest network

I have a new device (Listen EVERYWHERE 2 Channel Server - Listen Technologies) on our network that allows users in one of our concert halls to connect to an audio stream for hearing assistance and/or language translation services.  It uses mDNS for discovery and I'm using AirGroup to manage who can find it.  If a user is connected to our 802.1x network it's all working great.  The issue is that most of the people who will be using the service are community members who will be on our guest network.  

My guest network currently limits users to http(s) and necessary network services (dhcp, dns, icmp, etc).  To enable discovery and access to this new device my plan is to add policies to the guest role to allow mDNS for discovery and to allow the specific UDP ports that the device needs for streaming.  Is there anything else I need to do?  Also, any advice on how to create a policy to enable AirGroup discovery?

------------------------------
David King
------------------------------

Great info, and helps understand what's going on.

First off, Airgroup is only related to the multicast discovery mechanism for devices to find services provided by other devices. Once the discovery is done, the user role still needs to permit the connection between the two devices. 

Since things work when you added "allowall" to the guest user role, you validated that Airgroup can and does work across both WLANs in your environment. The next step would be to identify and adapt the guest user role to permit the necessary traffic. There will be two types of traffic to be permitted for the role: the multicast discovery (assuming that was also not working prior to the allowall change), and then the unicast traffic stream between the guest device and the audio stream source. 

You mentioned that the guest role initially was restricted to just http and core network services (dhcp, dns, icmp), so likely the two traffic types above are being filtered and need to be added. With a guest device connected and accessing the streaming server, you can use the CLI command "show datapath session table <guest_device_ip>" to see all the traffic from the guest device. The multicast discovery process will likely be using a multicast destination of 224.0.0.251. If you know the IP address of your audio streaming server, you can find that traffic in the datapath output to identify whether the stream is UDP or TCP, and the port(s) used in order to permit.

With this data in hand, the guest user role can be updated to permit the communication to the audio server, while also keeping the internal/external restrictions largely in place. Just make sure any permits for the streaming service come before the deny rules, and the guest role is processed from top down.

Does that help?

------------------------------
Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
------------------------------

Original Message:
Sent: Jan 10, 2022 12:18 PM
From: David King
Subject: Policies to allow AirGroup discovery on guest network

If it helps I added the 'allowall' policy to the top of my guest role and everything works now!  The one down side is that now I don't have any restrictions on my guest role and my security team won't be happy about that.  I'm going to start pruning that back to see when it breaks but if anyone knows how to craft a policy to just allow mDNS discovery from AirGroup that would save me a ton of time.

Thanks!

------------------------------
David King

Original Message:
Sent: Jan 10, 2022 08:42 AM
From: David King
Subject: Policies to allow AirGroup discovery on guest network

Sorry, yes.  This is a controller based network.  My guest users are authenticated via a CPPM captive portal page.  All of the AirGroup authorization is handled through CPPM and I have the device set to be shared with anyone who connects to a specific AP group.  That's working great for users on my 802.1x network but I want it to work for users on my guest network too.  

Thanks for the help

------------------------------
David King

Original Message:
Sent: Jan 08, 2022 11:22 AM
From: Charlie Clemmer
Subject: Policies to allow AirGroup discovery on guest network

Howdy David,

Can you share a little more detail about your wireless network? Specifically, is the network controller based or controller-less (ie Instant). How are your guest users being authenticated currently? Captive portal? Internal captive portal or external on ClearPass?

Charlie

------------------------------
Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

Original Message:
Sent: Jan 07, 2022 08:29 AM
From: David King
Subject: Policies to allow AirGroup discovery on guest network

I have a new device (Listen EVERYWHERE 2 Channel Server - Listen Technologies) on our network that allows users in one of our concert halls to connect to an audio stream for hearing assistance and/or language translation services.  It uses mDNS for discovery and I'm using AirGroup to manage who can find it.  If a user is connected to our 802.1x network it's all working great.  The issue is that most of the people who will be using the service are community members who will be on our guest network.  

My guest network currently limits users to http(s) and necessary network services (dhcp, dns, icmp, etc).  To enable discovery and access to this new device my plan is to add policies to the guest role to allow mDNS for discovery and to allow the specific UDP ports that the device needs for streaming.  Is there anything else I need to do?  Also, any advice on how to create a policy to enable AirGroup discovery?

------------------------------
David King
------------------------------