AirGroup without ClearPass

  • 1.  AirGroup without ClearPass

    Posted Jan 09, 2014 01:12 PM

    We've evaluated ClearPass before and found it unsuitable for our needs vs running FreeRADIUS ourselves and writing unlang-based policy rules with SQL checks and LDAP/AD.

    We're interested in deploying AirGroup in the following way:

    We'd like to set up by default that users can only see devices owned by the same user.

    Additionally we'd like to set up an SQL table with each row defining a pairing of role and MAC address, where if you're in the role and in the same building then you can additionally see the device associated with the MAC address in addition to your own devices.

    My understanding is the ClearPass integration with AirGroup occurs over RADIUS.  I see FreeRADIUS has added the following attributes to the aruba dictionary file:

    Aruba-CPPM-Role
    Aruba-AirGroup-User-Name
    Aruba-AirGroup-Shared-User
    Aruba-AirGroup-Shared-Role
    Aruba-AirGroup-Device-Type

    Is there documentation on how to populate those fields?

    I'd rather not have to spend time figuring this out from packet captures from a trial version.

    Thanks.
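As an added illustration (not code from this thread, and not how ClearPass actually drives AirGroup, which the replies say is undocumented), here is the visibility policy the post above describes modelled as a SQLite lookup: hypothetical tables `devices` and `share_rules`, constructed sample rows, and a `visible_devices` function that returns which MACs a given user may discover.

```python
import sqlite3

# Constructed sample data (not from the thread): registered devices and the
# role/MAC sharing table the post describes, plus a building column so the
# "same building" condition can be checked.
DEVICES = [
    ("aa:bb:cc:00:00:01", "alice", "library"),
    ("aa:bb:cc:00:00:02", "bob",   "library"),
    ("aa:bb:cc:00:00:03", "carol", "science"),
]
SHARE_RULES = [
    ("faculty", "aa:bb:cc:00:00:02"),   # faculty may also see bob's device
    ("faculty", "aa:bb:cc:00:00:03"),   # faculty may also see carol's device
]


def build_db():
    """Create an in-memory database holding the constructed tables."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE devices (
            mac TEXT PRIMARY KEY, owner TEXT NOT NULL, building TEXT NOT NULL);
        CREATE TABLE share_rules (
            role TEXT NOT NULL, mac TEXT NOT NULL REFERENCES devices(mac));
    """)
    db.executemany("INSERT INTO devices VALUES (?, ?, ?)", DEVICES)
    db.executemany("INSERT INTO share_rules VALUES (?, ?)", SHARE_RULES)
    return db


def visible_devices(db, user, role, building):
    """MACs `user` may discover: every device they own (any building), plus
    any MAC a share_rules row grants to `role`, but only when that device
    sits in the caller's building.  Values are bound as parameters, never
    interpolated, so user/role strings taken from a RADIUS request cannot
    alter the query."""
    rows = db.execute(
        """
        SELECT mac FROM devices WHERE owner = ?
        UNION
        SELECT d.mac FROM devices d
          JOIN share_rules r ON r.mac = d.mac
         WHERE r.role = ? AND d.building = ?
        """,
        (user, role, building),
    ).fetchall()
    return sorted(mac for (mac,) in rows)


if __name__ == "__main__":
    print(visible_devices(build_db(), "alice", "faculty", "library"))
```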




  • 2.  RE: AirGroup without ClearPass

    EMPLOYEE
    Posted Jan 09, 2014 03:44 PM

    @blocke wrote:

    We've evaluated ClearPass before and found it unsuitable for our needs vs running FreeRADIUS ourselves and writing unlang-based policy rules with SQL checks and LDAP/AD.

    We're interested in deploying AirGroup in the following way:

    We'd like to set up by default that users can only see devices owned by the same user.

    Additionally we'd like to set up an SQL table with each row defining a pairing of role and MAC address, where if you're in the role and in the same building then you can additionally see the device associated with the MAC address in addition to your own devices.

    My understanding is the ClearPass integration with AirGroup occurs over RADIUS.  I see FreeRADIUS has added the following attributes to the aruba dictionary file:

    Aruba-CPPM-Role
    Aruba-AirGroup-User-Name
    Aruba-AirGroup-Shared-User
    Aruba-AirGroup-Shared-Role
    Aruba-AirGroup-Device-Type

    Is there documentation on how to populate those fields?

    I'd rather not have to spend time figuring this out from packet captures from a trial version.

    Thanks.


    That is not possible.  There is a great deal more to CPPM airgroup than just radius attributes and SQL.



  • 3.  RE: AirGroup without ClearPass

    Posted Jan 09, 2014 04:25 PM

    So what exactly does CPPM airgroup do that can't be done with a RADIUS server and writing your own script?  The documentation is a tad too detail-free for my liking.

    Thanks.



  • 4.  RE: AirGroup without ClearPass

    EMPLOYEE
    Posted Jan 09, 2014 04:43 PM

    @blocke wrote:

    So what exactly does CPPM airgroup do that can't be done with a RADIUS server and writing your own script?  The documentation is a tad too detail-free for my liking.

    Thanks.


    I think you are a good candidate for a briefing from your Aruba Sales person.



  • 5.  RE: AirGroup without ClearPass

    Posted Jan 09, 2014 04:44 PM

    Oh boy oh boy oh boy!  :smileyhappy:

    Thanks.  I'll ping the respective party when I get a moment.



  • 6.  RE: AirGroup without ClearPass

    EMPLOYEE
    Posted Jan 09, 2014 05:04 PM

    Feel free to read this explanation of AirGroup capabilities here:  http://www.arubanetworks.com/pdf/technology/TB_AirGroupWLANServices.pdf



  • 7.  RE: AirGroup without ClearPass

    Posted Sep 11, 2014 01:10 PM

    I feel your pain, blocke! We're in the same boat. We're investigating how to have similar functionality to Airgroup/ClearPass without ClearPass and its ridiculous license fees.

    We own it and currently are using it for radius authentication, but don't feel good about paying so much for a repackaged open source solution.

    Luckily for us, the requests for Airgroup functionality have decreased since Apple introduced the Bluetooth discovery mechanism.

    Fred



  • 8.  RE: AirGroup without ClearPass

    EMPLOYEE
    Posted Sep 11, 2014 01:12 PM

    If you already own it and are using it for RADIUS, why don't you use it for AirGroup? There are no additional licenses.



  • 9.  RE: AirGroup without ClearPass

    Posted Sep 11, 2014 01:31 PM

    The ridiculous license fees I mentioned are for everything else. It gets a bit expensive when you're dealing with up to 92,000 unique devices per day. And the only way to increase CPPM licenses is to buy another server? There's a hard max of 25K licenses per server.



  • 10.  RE: AirGroup without ClearPass

    EMPLOYEE
    Posted Sep 11, 2014 01:39 PM
    But my question is, if you are already using CP as your radius server, why not enable the AirGroup functionality?


  • 11.  RE: AirGroup without ClearPass

    Posted Sep 11, 2014 01:44 PM

    Because we no longer want to use ClearPass as our radius authentication server. We would much rather go back to what we previously used, which was a Radiator-based solution which worked great and did not require expensive endpoint licenses for auth. We just need to find an alternative solution for Airgroup functionality.



  • 12.  RE: AirGroup without ClearPass

    Posted Sep 11, 2014 01:48 PM

    Months later I still haven't managed to get through a ClearPass eval.

    Between the cost of the product on the state price lists, my less than fond view of the UI, and the complexity of figuring out how to port our existing FreeRADIUS/PostgreSQL/Samba based policy over to ClearPass's UI, my eval of the product keeps finding its way to the bottom of my very long TODO list.

    Since Apple shipped Bluetooth LE based discovery my interest in AirGroup has frankly evaporated.  We hardwire the Apple TVs with static IPs, tell the implementers to set the rotating on-screen passcode option, and poke the firewall holes needed for iPads on wireless to get to them.  It works as well as an Apple TV can be expected to work, with no need to over-engineer it with proprietary mDNS proxying schemes.

    Apple wireless device discovery of wired printers can be accomplished through static DNS entries via DNS-SD and DHCP settings.

    The last piece I'm waiting for is Google to ship the Chromecast update they demoed during Google I/O in June.  If they implement the geolocation based discovery via Google Cloud Services as I'd expect, then we have a screencasting solution for Android.  At that point we'd have all of our bases covered. The only wrenches in this are if Android screenshare somehow doesn't work the same way Chromecast enabled apps work, and the fact the Chromecast is 2.4GHz only.  Hoping the first won't be a problem and praying they do a hardware rev that adds 5 GHz soon.

    At the end of the day I can't justify the financial cost and time cost that deploying AirGroup would be to implement. This also hurts the cost/benefit of ClearPass in view of us having something that already works.

    I am still considering deploying a small ClearPass install just for guest functionality, but screenshots I see of it are not flattering when compared to PacketFence's screenshots. They need some serious web and graphic designer love for the out of the box experience.



  • 13.  RE: AirGroup without ClearPass

    EMPLOYEE
    Posted Sep 11, 2014 01:55 PM
    Have you expressed these concerns to your Aruba team?

    Also, while the Bluetooth LE feature might seem easier, how do you restrict certain users from accessing the device?


  • 14.  RE: AirGroup without ClearPass

    Posted Sep 11, 2014 02:00 PM


    Yep.



  • 15.  RE: AirGroup without ClearPass

    Posted Sep 11, 2014 02:12 PM

    We're a college campus.

    Faculty, students, and guests all have a legitimate need and expectation for potentially anyone in a classroom to stream to and control the Apple TV powering the projector or that new sweet 60"+ TV in the front of the room.  That makes AirGroup restriction by user type pointless.  If you've managed to get on our 802.1x network then you're an authorized user.

    As for restriction of access to the screen, that is controlled by the access control methods built into the Apple TV's conference room mode.  The one I'm recommending is turning on the on-screen password that rotates between uses. This requires you to enter a passcode shown on the projector or TV screen before your device is allowed access.  It requires you to be in the physical room (or at least have a mole planted in the room), and anyone who can find the Aircast button to tap can easily figure it out.

    No, it's not a 100% perfect solution, but it's much simpler and frees me from having to worry about AirGroup settings and dealing with Apple TVs next door being allowed by AirGroup due to high classroom density vs AP location mappings et al.  I see nothing in AirGroup to stop "Apple TV bombing" from neighboring classrooms any better than the on-screen passcode.

    As for residence halls, if you don't know how to put a passcode on your Apple TV we'll tell you how.  I'm trying to get some documentation put up to encourage this.



  • 16.  RE: AirGroup without ClearPass

    Posted Sep 11, 2014 01:59 PM

    Aruba will skin it for you for ~2000 bucks. Without paying the fee all you can do is change some basic HTML.

    Anyway, thanks for the update! We're very interested in pursuing the same route.

    Also, I sent you a LinkedIn connection request. We're working with FSU on some wireless solutions and it would be great to work with you guys also.

    Thanks,

    Fred



  • 17.  RE: AirGroup without ClearPass

    EMPLOYEE
    Posted Sep 11, 2014 02:06 PM
    You can completely customize the UI without a skin. Ohio State is a great example of this.


  • 18.  RE: AirGroup without ClearPass

    EMPLOYEE
    Posted Sep 11, 2014 02:07 PM
    The guest portal is very customizable without the skinning. You can use CSS formatting, HTML etc. There are a ton of how-to articles on arubapedia. Not everyone has someone that knows HTML; that is why Aruba offers the skinning feature. There have been some examples from other customers in the forums. I believe the guys from OSU shared some of the pages they made for mac trac.


  • 19.  RE: AirGroup without ClearPass

    Posted Sep 11, 2014 03:54 PM

    We have a Creative Services department which handles all of our university's web design and aesthetics. When we mentioned to Aruba that we were going to have our Creative Services department skin the ClearPass portal page, they told us that it would be better to purchase the skinning professional services from Aruba. They told us Aruba did not give the customer the same access granted to Aruba's skinning team. Were we misinformed by Aruba?

    Thanks,

    Fred



  • 20.  RE: AirGroup without ClearPass

    EMPLOYEE
    Posted Sep 11, 2014 04:25 PM

    The skin is a deliverable that is added to your account and you simply install in ClearPass.

    Without a skin, you can still re-theme/customize the look and feel using HTML/CSS in your forms/views.



  • 21.  RE: AirGroup without ClearPass

    Posted Jan 18, 2017 03:45 PM

    I realize this is an older thread, but in case you're googling the "Airgroups without Clearpass" question, there are a number of ways to limit visibility to ATVs using only controller settings in 6.4.3 and above.  Probably the most useful way is by AP-Group, but visibility can also be restricted by RF neighborhood, AP-name, role or user.

    Granted, it's a lot of manual labor for a large deployment, but if you don't otherwise need Clearpass, it might be a usable option.