Regular Contributor I

Airgroup on OS8 with CPPM

I've run into a problem with AP groups not showing up in Clearpass Guest for Airgroup device shared locations. The APs are there, but the only AP groups to appear are the two default groups defined on the MM node hierarchy.

I'm having all sorts of problems with Airgroups just not working very well, and have a call in with TAC to try and understand what's happening. However, in the meantime it would be useful to know whether I should expect to see the AP groups that are defined at the MD node hierarchy in Clearpass Guest.

MVP Guru

Re: Airgroup on OS8 with CPPM

What version of code are you running on AOS8 and ClearPass?

I am currently using 8.3.0.7 and 6.8.1 with no issues.

Did you add the MM (IPs) and all MCs (IPs, Cluster IPs) in the Guest Module under Administration > AirGroup Services?

Thank you

Victor Fabian
Lead Mobility Architect @WEI
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
Regular Contributor I

Re: Airgroup on OS8 with CPPM

Aha, no, only the MM. We haven't interpreted any of the documentation as suggesting the MDs need to be added. I can do that of course, but can you point to documentation that says this?

Regular Contributor I

Re: Airgroup on OS8 with CPPM

That's been helpful, and now means our AP groups show up in Clearpass guest. The whole thing still doesn't work though. :(

Regular Contributor I

Re: Airgroup on OS8 with CPPM

Alrighty... I think the problem is documentation of Airgroups is not what it should be. In part this is probably because things have changed a bit with new versions of ArubaOS and the Clearpass integrations; however, turns out I've wasted literal days of my life trying to diagnose problems that didn't exist. Here's what I've learned.

By default specifying a location of an AP name for an Airgroup server also makes that server available to clients on RF neighbours (neighbors for you US searchers) of that AP. This might be a well known behaviour but it isn't in the current AOS docs. If you have registered an Airgroup server in Clearpass Guest and specified an AP name location, the same behaviour takes effect and you'll be able to discover that server when associated with the specified AP and any RF neighbour.

It isn't possible to prevent this from happening with the combination of ArubaOS 8.4/8.5 and CPPM 6.8 as far as I can tell. The Airgroup servers CLI output doesn't show anything in the hop column which, I think, means 1 hop rather than no hops.

The main reason this caused me such an incredible amount of head scratching was testing in a dev environment where all the APs can see each other, at least on 2.4GHz.

I've set up some Airgroup servers using the controller policy, rather than CPPM, where it's possible to set the neighbour to "no" and then everything works just as expected.

It's also possible to select both AP-groups and AP-names as locations in Clearpass Guest. It appears one or the other works; trying both breaks the location restriction.
