Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

AirGroup not working after upgrade from 6.5 to 8.5

  • 1.  AirGroup not working after upgrade from 6.5 to 8.5

    Posted Apr 04, 2020 12:01 PM

    We have a single controller environment that was running 6.5 code. We used the migration tool to upgrade to 8.3, then did a standard upgrade to 8.5.0.7 to gain support for some new AP-515s. The migration tool took care of most everything - SSIDs, ClearPass integration, PEF policy rules, etc. However, AirGroup is no longer functioning.

     

    I see both AirGroup servers and clients in the UI and via CLI. We have forced registration turned on, and AirGroup server devices are registered in CPPM. We are using distributed mode. No domain is defined.

     

    show airgroup status

    indicates that MDNS, DLNA, etc. are enabled, along with the services that we had set to allow before the upgrade (airplay, airprint, and so on).

     

    I notice that both:

    show airgroup cppm entries

    and

    show airgroup policy-entries

     

    return 0 results. And, on CPPM Access Tracker, there are no entries for the AirGroup Authorization Service since the upgrade to 8.3.

     

    Also looks like all the AirGroup RADIUS calls are timing out:

    show airgroup cppm-server radius statistics

    AirGroup RADIUS Server Statistics
    ---------------------------------
    Server  PAP Rq  Mismatch Rsp  Bad Auth  Acc  Rej  Ukn Rsp  Tmout   AvgRspTm  Tot Rq  Tot Rsp  Uptime (d:h:m)  SEQ Total/Free
    ------  ------  ------------  --------  ---  ---  -------  ------  --------  ------  -------  --------------  --------------
    CPPM01  59574   0             0         0    0    0        238270  0         59574   0        0:0:0           765/718
    Orphaned requests = 0

     

    I'm still digging around, but wanted to ask if anyone has a tip, or has run into this situation after a similar upgrade. Thanks.
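
The statistics pasted in the post above can be checked programmatically. This is an added Python example, not part of the original thread: it parses the `show airgroup cppm-server radius statistics` output and flags any server that was sent requests but returned no responses. The function names `parse_stats` and `unanswered` are assumptions made for illustration; the sample text is the output quoted in the post.

```python
import re

# Column names as shown in the header of the output quoted in the post.
COLUMNS = ["Server", "PAP Rq", "Mismatch Rsp", "Bad Auth", "Acc", "Rej",
           "Ukn Rsp", "Tmout", "AvgRspTm", "Tot Rq", "Tot Rsp",
           "Uptime (d:h:m)", "SEQ Total/Free"]

# Output copied from the post (whitespace as it appears on the page).
SAMPLE = """\
AirGroup RADIUS Server Statistics
---------------------------------
Server PAP Rq Mismatch Rsp Bad Auth Acc Rej Ukn Rsp Tmout AvgRspTm Tot Rq Tot Rsp Uptime (d:h:m) SEQ Total/Free
------ ------ ------------ -------- --- --- ------- ----- -------- ------ ------- -------------- --------------
CPPM01 59574 0 0 0 0 0 238270 0 59574 0 0:0:0 765/718
Orphaned requests = 0
"""

def parse_stats(text):
    """Return one dict per server row, keyed by COLUMNS."""
    lines = text.splitlines()
    # The column ruler is the dash-only line made of several groups.
    ruler = next(i for i, l in enumerate(lines)
                 if re.fullmatch(r"-+(\s+-+)+", l.strip()))
    ncols = len(lines[ruler].split())
    if ncols != len(COLUMNS):
        raise ValueError(f"expected {len(COLUMNS)} columns, ruler has {ncols}")
    rows = []
    for line in lines[ruler + 1:]:
        fields = line.split()      # values hold no spaces, so overflow is safe
        if len(fields) != ncols:   # e.g. the "Orphaned requests" trailer
            continue
        rows.append(dict(zip(COLUMNS, fields)))
    return rows

def unanswered(rows):
    """Servers that were sent requests but never answered."""
    findings = []
    for r in rows:
        sent, got, tmo = int(r["Tot Rq"]), int(r["Tot Rsp"]), int(r["Tmout"])
        if sent > 0 and got == 0:
            findings.append((r["Server"], sent, tmo, round(tmo / sent, 1)))
    return findings

if __name__ == "__main__":
    for server, sent, tmo, ratio in unanswered(parse_stats(SAMPLE)):
        print(f"{server}: {sent} requests, 0 responses, {tmo} timeouts "
              f"({ratio} per request)")
```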

     



  • 2.  RE: AirGroup not working after upgrade from 6.5 to 8.5

    EMPLOYEE
    Posted Apr 04, 2020 12:16 PM

    I would look at the CPPM event viewer and see if your requests are being rejected. Also look at the audit viewer in CPPM and see if anything was changed recently.



  • 3.  RE: AirGroup not working after upgrade from 6.5 to 8.5

    Posted Apr 04, 2020 12:35 PM

    A bunch of auth errors in the CPPM Event Viewer, coming from the controller's VLAN 1 IP address and port 41019. But, Authentication > Advanced > RADIUS Client is set to use the correct IP and source VLAN interface for talking to CPPM and 802.1X and other auths are working.

     

    show airgroup cppm-server aaa
    AirGroup AAA profile "default" undefined.

     

    I noticed this, as well, and am trying to find where it lives. Under Services > AirGroup, I have a profile selected, and that profile has correct CPPM information included.

     

     



  • 4.  RE: AirGroup not working after upgrade from 6.5 to 8.5

    EMPLOYEE
    Posted Apr 04, 2020 01:05 PM

    In 8.x, if you are using clustering, the RADIUS source IP address becomes the IP address of the cluster VRRP. Whatever IP address is appearing in the event viewer, just add it as a NAD device in ClearPass to get it working.

     

    If this is critical, I would open a Technical Support case in parallel to this.



  • 5.  RE: AirGroup not working after upgrade from 6.5 to 8.5

    Posted Apr 04, 2020 01:23 PM

    Standalone controller in this case. We will open a TAC case after we've done a bit more searching.

     



  • 6.  RE: AirGroup not working after upgrade from 6.5 to 8.5

    Posted Apr 28, 2020 03:18 PM

    Still working with TAC on this issue. The auth errors in Event Viewer were remedied by setting the controller IP address via CLI. The correct address was already selected in the web UI, but the AirGroup service was not using that one as the source to communicate with CPPM.

     

    What we've seen during testing is that if we share devices using individual user names, AirGroup works as expected. If we share by AP group, it does not, or discovery is intermittent, even for a group with a small number of APs. Multiple services exhibit this problem - AirPlay, Chromecast, etc.

     

    TAC has asked us to go ahead and upgrade from 8.5.0.7 to 8.5.0.8 and test again, so we will do that next.

     



  • 7.  RE: AirGroup not working after upgrade from 6.5 to 8.5

    Posted May 20, 2020 03:46 PM

    This issue persists, still working with TAC. What we see is that if we flip a device in ClearPass from shared via AP group to shared with specific user names, it shows up immediately for those users as an available AirPlay device. If we flip it back to sharing by AP group, it is no longer discovered.

     

    The device and client are in the same location, and can be on the same or different APs within the same AP group.

     



  • 8.  RE: AirGroup not working after upgrade from 6.5 to 8.5

    Posted Dec 13, 2020 01:50 PM
    This issue was resolved with 8.5.0.10 for us.