Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Airgroup + Clearpass Enforce Registration

  • 1.  Airgroup + Clearpass Enforce Registration

    Posted Jul 08, 2015 09:19 AM

    I am slightly confused about the AirGroup functionality. We have had it running without the ClearPass tie-in, allowing users to just access everything. We would like to start using the ClearPass piece, but only somewhat selectively. For example, if a student puts an Apple TV in their dorm room, I want it to connect and be visible to everyone. But I want the ability to let them register it and then share it with their roommates or something. Basically I want to allow things to work as they do now, but give people control if they want it. I was told it does not work this way, but then I found this section of the AirGroup guide which seems to say otherwise.

     

    The AirGroup solution allows users to view all mDNS devices by default. AirGroup provides a set of policy definitions to allow or disallow one or more AirGroup servers from being visible to specific AirGroup users. If an AirGroup server is not registered on a CPPM server, by default, the server will be visible to all AirGroup users. The administrator has to register an AirGroup server to allow or disallow this server from being visible to specific AirGroup users. The following procedure registers an AirGroup server on a CPPM server:

     

    When I enable "AirGroup CPPM enforce registration", all devices disappear from my AirPlay list. It does not matter if I register and share the device in ClearPass or not.

     

    With "AirGroup CPPM enforce registration" disabled, I see every device, but the sharing rules in ClearPass still don't have any effect.

     

    I worked with an engineer to configure ClearPass for this, so it's added as an AirGroup AAA server and as an RFC 3576 server. I saw log entries for AirGroup as soon as I added them in there, so I believe they are talking correctly. So....

     

    1. Can I do what I am trying to do?

    2. How do I get it to do that?

     



  • 2.  RE: Airgroup + Clearpass Enforce Registration

    EMPLOYEE
    Posted Jul 08, 2015 09:24 AM
    You can't do hybrid. If you enforce registration, all AirGroup server devices need to be registered. The device registration portal is designed for end users to register their own devices.

    Devices registered as personal will always be visible to the person who registered them. They can optionally share it with up to 10 people.

    If the device is registered as shared and no other restrictions are added, everyone in the AirGroup domain can see the devices.


    Thanks,
    Tim


  • 3.  RE: Airgroup + Clearpass Enforce Registration

    Posted Jul 08, 2015 09:41 AM

    And that is why I am confused. This line from the guide seems to indicate otherwise:

    Quote:

    If an AirGroup server is not registered on a CPPM server, by default, the server will be visible to all AirGroup users.

    /quote

     

    That sounds exactly like what I want. Visible to everyone unless I specify otherwise. If the system truly cannot do that, it seems to be a glaring flaw to me.....



  • 4.  RE: Airgroup + Clearpass Enforce Registration

    EMPLOYEE
    Posted Jul 08, 2015 09:44 AM
    That is not correct.

    If the device is not registered, the advertisements will not be proxied. It's to stop users from seeing hundreds of devices.


    Thanks,
    Tim


  • 5.  RE: Airgroup + Clearpass Enforce Registration

    Posted Jul 08, 2015 09:47 AM

    So you are saying the guide is incorrect? Or am I reading it wrong?



  • 6.  RE: Airgroup + Clearpass Enforce Registration

    EMPLOYEE
    Posted Jul 08, 2015 09:54 AM
    I think there may be a mistake in the guide. What code are you running?


    Thanks,
    Tim


  • 7.  RE: Airgroup + Clearpass Enforce Registration

    Posted Jul 08, 2015 09:57 AM

    My controller is on 6.4.2.3, and ClearPass is on 6.5.0.71095

     

    The guide I am referencing is:

    http://community.arubanetworks.com/aruba/attachments/aruba/unified-wired-wireless-access/15478/1/ArubaAirGroup-6136-DG.pdf

     I looked in the downloads section and this is the newest version of this guide.



  • 8.  RE: Airgroup + Clearpass Enforce Registration

    EMPLOYEE
    Posted Jul 08, 2015 10:03 AM
    That document is EXTREMELY old and is for the old AirGroup technology release of code.


  • 9.  RE: Airgroup + Clearpass Enforce Registration

    EMPLOYEE
    Posted Jul 08, 2015 10:09 AM

    Unfortunately the same language is in the new 6.4.3.x user guide here: http://www.arubanetworks.com/techdocs/ArubaOS_64x_WebHelp/Web_Help_Index.htm#ArubaFrameStyles/AirGroup/AirGroup_CPPM_Interface.htm%3FTocPath%3DAirGroup%7C_____3

     

    We will check it out and correct it, but I do not think the way that it is stated is accurate.



  • 10.  RE: Airgroup + Clearpass Enforce Registration

    Posted Jul 08, 2015 10:16 AM

    Thank you for the replies. I would LOVE for it to work like the guide says. I think I will suggest that as a feature, and I will also probably call TAC, as I don't think it's working right anyway since I can't get devices to show up even if Enforce Registration is enabled and the device is registered and shared.



  • 11.  RE: Airgroup + Clearpass Enforce Registration

    EMPLOYEE
    Posted Jul 08, 2015 10:19 AM
    Are you seeing AirGroup authorization messages in CPPM?


  • 12.  RE: Airgroup + Clearpass Enforce Registration

    EMPLOYEE
    Posted Jul 08, 2015 10:36 AM

    @mwallen wrote:

    Thank you for the replies. I would LOVE for it to work like the guide says. I think I will suggest that as a feature, and I will also probably call TAC, as I don't think it's working right anyway since I can't get devices to show up even if Enforce Registration is enabled and the device is registered and shared.


    mwallen,

     

    What is the output of 

    show airgroup cppm entries
    


  • 13.  RE: Airgroup + Clearpass Enforce Registration

    Posted Feb 03, 2016 03:46 AM

    Is there a PDF version of this document? It's a pain having to read it online.

    A



  • 14.  RE: Airgroup + Clearpass Enforce Registration

    EMPLOYEE
    Posted Jul 08, 2015 09:56 AM

    @mwallen wrote:

    So you are saying the guide is incorrect? Or am I reading it wrong?


    mwallen,

     

    Please let us know if you have a link to that guide so we can check it out.

     



  • 15.  RE: Airgroup + Clearpass Enforce Registration

    Posted Sep 11, 2015 12:01 PM

    Quote:

    If an AirGroup server is not registered on a CPPM server, by default, the server will be visible to all AirGroup users.

    /quote

    This line is true: if you don't enforce ClearPass registration, then by default the Aruba controller AirGroup functionality is set to allow all, and you need to manually disallow VLANs and roles after.

    You should enforce ClearPass Registration, then you need to manually create the device in ClearPass Guest and enable the AirGroup sharing option. From that point you select Allowall for the role to share the device with.

    You can also create an operator account which will have the rights to add these devices to ClearPass Guest and select who to share it with.

    Also enable the [AirGroup Authorization Service] which is disabled by default in CPPM's services list.



  • 16.  RE: Airgroup + Clearpass Enforce Registration

    Posted Feb 03, 2016 11:11 AM

    Sure :)

    There is a complete Tech note dedicated to it : https://support.arubanetworks.com/Documentation/tabid/77/DMXModule/512/Default.aspx?EntryId=8478

     

    You need to log in under support.arubanetworks.com and then go within the tech notes folder of ClearPass; the file is named: TechNote v1.3 - AirGroup Configuration with ClearPass 6.0.1

     

     

     



  • 17.  RE: Airgroup + Clearpass Enforce Registration

    EMPLOYEE
    Posted Feb 03, 2016 03:09 PM

    That document is dated. Are you working with a ClearPass partner?