Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Airgroup issues in CPPM 6.7.3 ?


    Posted May 09, 2018 06:49 AM

    Hi,

    Are there any known issues with airgroups in CPPM 6.7.3? I've had airgroups running for a long long time with no issues, then we upgraded to 6.7.3 on my dev cluster.

    Last Friday I started looking at the policies I have assigned to an airgroup device ... there was an allow all at the end of the ACL list that I wanted to replace with a more representative group of ACLs and integrate it into our general user ACL policy as part of moving from my "playtoy" to something general users can use.

     

    Normally I can make some ACL changes and then do a CoA reauth on the device and you can see the 802.1x auth service happening followed by the Airgroup service kicking in.

     

    What I was seeing on Friday was just the dot1x service and no airgroup service being invoked. Tried restarting/powercycling the airgroup server devices (2nd gen Apple TV device and 2 Chromecast devices) and again every device with my role assigned had a dot1x auth but no airgroup service called.

     

    Logging onto the mobility controller (sh airgroup server) showed no servers.

    Tried reverting the ACL list to what it was before to no avail.

    Eventually left them as was and went away.

     

    This morning (Wednesday) had a look and the Chromecast devices appeared again. Could see them on the controller, could see them on the Google Home app on my iPhone, could stream to the Chromecast 4K via YouTube.

     

    Only thing missing was the Apple TV, which was still dot1x'ing but no airgroup service invocation.

     

    Did a change to Apple TV config in ClearPass Guest ... and now although I can see the Chromecast devices from the controller CLI my iPhone can't see them :-(

     

    Even more annoyingly, other devices on our wifi with a different role are using both dot1x service and airgroup service. It's only devices with my specific playtoy role that aren't working.

     

    This stuff has been working for months and months. The only thing I did to stop things working was change the policy ACL list associated with the role.

     

    Short of switching the controller off and on again, bit of a loss as to what to do next.

    Controller running 6.5.4.6

     

    Rgds

    Alex