Security

Clearpass 6.7.0 / AOS 8.3.0

I believe I have AOS / Airgroup setup correctly:

Configured under managed node (contains two clustered controllers)

Distributed mode, RFC 3576 / AAA servers pointing to CPPM. Default-allowall service. Forced Registration is enabled.
I see the CPPM entries and appropriate servers and users in the various Airgroup diag commands. 

CPPM: I enabled Airgroup service, I see successful requests coming across. I added the particular device to test with (as admin). I shared it with a user that is not logged on anywhere on the network. 

 

1. I logged into the network as a different .1X user. I can still see every mDNS device. (even when force registration is on) including the one that I registered.

2. Logging into the .1X network with the user I shared the device, I can see every device.

It was my understanding that if I enable "AirGroup server enforce registration", then no devices should be visible to anyone.. It's like the controllers are 'viewing' the requests, but are not enforcing anything.

You should consider upgrading to 6.7.4 , allow all services doesn’t mean you are allowing all the services ..it means that it will advertise services you didn’t configured





Thank you

Victor Fabian

Pardon typos sent from Mobile

I have 6.7.4 downloaded. I just haven't installed it.

To your point though, if I only have allowAll service enabled then I definitely shouldn't be able to see other devices such as chromecast, correct?

AirGroup in centralized mode is currently broken in 8.3.0.0

Is distributed ok then? That's what I'm using.



Sent from my Sprint Samsung Galaxy Note8.

---

@zemerick1 wrote:
Is distributed ok then? That's what I'm using.



Sent from my Sprint Samsung Galaxy Note8.

---

Curious how your envirionment is doing now. We're beginning our migration to ArubaOS 8.3.0.1 - but then discovered issues with "Centralized AirGroup". We switched to "Distrubuted Mode" and enabled "Airgroup Domains" - unfortuntately as I feared - if an AirGroup Server is on another controller - and a client is on a separate active controller - discovery is not working. Have a TAC case opened currently. Interestingly, when I switched back to "Centralized" just for the heck of it - it's working as desired. But wondering if it was a "fluke" - so now we're debating between 8.3.0.1 or going to 8.2.1.1 at the moment.

Glad I found your post... Airprint with Airgroup was working fine for us for ages... 6.xxxx something finally bit the bullet and went to 8.3.0.6 a few months ago, and didn't seem to have any issues... we're a small school, and only have 1 admin who ever uses Airprint, and not that often...  a few weeks ago he complained that his printer wasn't showing up on his ipad... rebooted printer. resolved issue. he printed 2 documents and it disappeared... repeat repeat repeat.... been banging my head against the wall for a while now... thought it was the printer (also relatively new). finally found your post, disabled airgroup for bonjour... printers back online... not optimal, but it works....

 

any indication that there's a fix in the works, so we can turn Airgroup back on and keep the kids from broadcasting to our appleTV's???

 

Thanks