07-11-2019 02:18 PM
I've run into a problem with AP groups not showing up in Clearpass Guest for Airgroup device shared locations. The APs are there, but the only AP groups to appear are the two default groups defined on the MM node hierarchy.
I'm having all sorts of problems with airgroups just not working very well, and have a call in with TAC to try and understand what's happening... however, in the meantime it would be useful to know whether I should expect to see the AP groups that are defined at the MD node hierarchy in Clearpass Guest.
Re: Airgroup on OS8 with CPPM
07-12-2019 07:44 AM - edited 07-12-2019 07:45 AM
What version of code are you running on AOS8 and ClearPass?
I am currently using 18.104.22.168 and 6.8.1 with no issues.
Did you add the MM (IPs) and all MCs (IPs, Cluster IPs) in the Guest Module under Administration > AirGroup Services?
Lead Mobility Architect @WEI
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
07-16-2019 02:54 PM - edited 07-16-2019 02:58 PM
Alrighty... I think the problem is that the documentation of Airgroups is not what it should be. In part this is probably because things have changed a bit with new versions of ArubaOS and the Clearpass integrations; however, it turns out I've wasted literal days of my life trying to diagnose problems that didn't exist. Here's what I've learned.
By default, specifying a location of an AP name for an Airgroup server also makes that server available to clients on RF neighbours (neighbors for you US searchers) of that AP. This might be a well-known behaviour but it isn't in the current AOS docs. If you have registered an Airgroup server in Clearpass Guest and specified an AP name location, the same behaviour takes effect and you'll be able to discover that server when associated with the specified AP and any RF neighbour.
It isn't possible to prevent this from happening with the combination of ArubaOS 8.4/8.5 and CPPM 6.8 as far as I can tell. The Airgroup servers CLI output doesn't show anything in the hop column which, I think, means 1 hop rather than no hops.
The main reason this caused me such an incredible amount of head scratching was testing in a dev environment where all the APs can see each other, at least on 2.4GHz.
I've set up some Airgroup servers using the controller policy, rather than CPPM, where it's possible to set the neighbour to "no" and then everything works just as expected.
It's also possible to select both AP-groups and AP-names as locations in Clearpass Guest. It appears one or the other works; trying both breaks the location restriction.