Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Airgroup on OS8 with CPPM

  • 1.  Airgroup on OS8 with CPPM

    Posted Jul 11, 2019 05:18 PM

    I've run into a problem with AP groups not showing up in Clearpass Guest for Airgroup device shared locations. The APs are there, but the only AP groups to appear are the two default groups defined on the MM node hierarchy. 

     

    I'm having all sorts of problems with airgroups just not working very well, and have a call in with TAC to try and understand what's happening... however in the meantime it would be useful to know whether I should expect to see the AP groups that are defined at the md node hierarchy in Clearpass guest.



  • 2.  RE: Airgroup on OS8 with CPPM

    Posted Jul 12, 2019 10:45 AM

    What version of code are you running on AOS8 and ClearPass?

     

    I am currently using 8.3.0.7 and 6.8.1 with no issues.

     

    Did you add the MM (IPs) and all MCs (IPs, Cluster IPs) in the Guest Module under Administration > AirGroup Services?

     

     



  • 3.  RE: Airgroup on OS8 with CPPM

    Posted Jul 12, 2019 11:16 AM

    Aha, no, only the MM. We haven't interpreted any of the documentation as suggesting the MDs need to be added. I can do that of course, but can you point to documentation that says this?

     

     



  • 4.  RE: Airgroup on OS8 with CPPM

    Posted Jul 15, 2019 11:29 AM

    That's been helpful, and now means our AP groups show up in Clearpass guest. The whole thing still doesn't work though. :(



  • 5.  RE: Airgroup on OS8 with CPPM
    Best Answer

    Posted Jul 16, 2019 05:55 PM

    Alrighty... I think the problem is documentation of Airgroups is not what it should be. In part this is probably because things have changed a bit with new versions of ArubaOS and the Clearpass integrations. However, turns out I've wasted literal days of my life trying to diagnose problems that didn't exist. Here's what I've learned.

     

    By default, specifying a location of an AP name for an Airgroup server also makes that server available to clients on RF neighbours (neighbors for you US searchers) of that AP. This might be a well-known behaviour but it isn't in the current AOS docs. If you have registered an Airgroup server in Clearpass Guest and specified an AP name location, the same behaviour takes effect and you'll be able to discover that server when associated with the specified AP and any RF neighbour.

     

    It isn't possible to prevent this from happening with the combination of ArubaOS 8.4/8.5 and CPPM 6.8 as far as I can tell. The Airgroup servers CLI output doesn't show anything in the hop column which, I think, means 1 hop rather than no hops.

     

    The main reason this caused me such an incredible amount of head scratching was testing in a dev environment where all the APs can see each other, at least on 2.4GHz.

     

    I've set up some Airgroup servers using the controller policy, rather than CPPM, where it's possible to set the neighbour to "no" and then everything works just as expected.

     

    It's also possible to select both AP-groups and AP-names as locations in Clearpass Guest. It appears one or the other works; trying both breaks the location restriction.