Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Do you need to define an AirGroup Domain on a controller for AirGroups to work

  • 1.  Do you need to define an AirGroup Domain on a controller for AirGroups to work

    Posted Mar 18, 2019 11:30 AM

    Might seem a silly question but

     

    On my dev mobility controller cluster I've created an AirGroup domain along with other Airgroup settings and AirGroups works just fine.

     

    On our production controllers I *think* I've set up everything apart from an Airgroup domain.

    Clearpass is sending back the same info on my dev network as it does on the production network. Config/Airgroup/Services is set up the same, as is ...Airgroup/settings apart from the AG domain.

     

    All the appropriate vlans have an IP address assigned and my ACL ruleset is the same on both systems.

     

    firewall rules are the same on both setups

     

    AFAIK the only thing that's different is the fact that the AirGroup domain isn't enabled on the production service. We're running ArubaOS 6.5.4.10 on the production system and 6.5.4.12 on the dev one.

    At this point in time, can't see why 1 system works and the other doesn't.

     

    I'd heard that another institution hadn't enabled an AirGroup domain on their wifi network and AirGroups was working, hence why it's not enabled at the moment.

     

    Rgds

    Alex

     

     



  • 2.  RE: Do you need to define an AirGroup Domain on a controller for AirGroups to work

    Posted Mar 18, 2019 12:58 PM

    And the answer is yes you do!

     

    As soon as I enabled an airgroup domain on a mobility controller that my chromecast device was connected to, a "show airgroup cppm entries" command showed the chromecast device with my userid as the device-owner and in the shared-user-list.

     

    ... problem is that my iphone and an android phone connected to a different SSID (eduroam) should also have been visible ... and they're not.

     

    one step forward ... slight shuffle back.

    A



  • 3.  RE: Do you need to define an AirGroup Domain on a controller for AirGroups to work

    EMPLOYEE
    Posted Mar 18, 2019 01:13 PM

    Agree on the Airgroup domain being needed.

     

    With the iPhone and Android phones, what services should they be advertising? What services have you enabled via Airgroup on the controller? Or are you trying to find the Chromecast from the iPhone/Android device? I'm not clear on what's not working with the current setup.



  • 4.  RE: Do you need to define an AirGroup Domain on a controller for AirGroups to work

    Posted Mar 19, 2019 11:14 AM

    Basically, 

    on an android or iOS device I want to discover the chromecast device. On my dev pair of mobility controllers, I can fire up the Netflix app on my iphone and cast to either an Apple TV or the chromecast device.

     

    On the production setup, before the airgroup domains were created, my ios/android devices couldn't see anything.

    With the domains created, my android phone can see the chromecast device and cast to it. My iPhone can't.

     

    To see whats going on I've been using the cli commands "show airgroup policy-entries" , "show airgroup cppm entries" and "show airgroup servers"

     

    However, although I can see the chromecast in the "show airgroup servers" list, I can't see my iphone in the "show airgroup cppm entries" output even though clearpass is sending the same Access-Accept packet contents for both the android device and the iphone .... and not sure where to look at the moment.

     

    Image attached shows services selected. In addition, the airgroup googlecast service is set up as:

    airgroupservice "googlecast"
    id "_googlecast._tcp"
    id "_ca5e8412._sub._googlecast._tcp"
    id "_atc._tcp"
    id "urn:mdx-netflix-com:service:target:0"
    id "urn:mdx-netflix-com:service:target:1"
    id "_sub._googlecast._tcp"
    id "_googlezone._tcp"
    id "urn:mdx-netflix-com:service:target:3"
    id "urn:dial-multiscreen-org:service:dial:1"

     



  • 5.  RE: Do you need to define an AirGroup Domain on a controller for AirGroups to work

    Posted Mar 19, 2019 12:04 PM

    Another question is to do with the [Airgroup Authorization Service].

     

    Our building has its own mobility controller and clearpass cluster. The rest of the campus has their own controllers and clearpass cluster.

     

    1st thing in the morning when I come in, my iPhone authenticates to eduroam in our building and after the dot1x auth I can see clearpass responding with an Airgroup Auth Response. I can then log onto our controller and do a "show airgroup cppm e" and see the mac address of my iphone appearing in the "clearpass guest device registration information" page.

     

    If I then walk to another building and connect to eduroam there, I can see an airgroup auth response on that cluster. However, when I walk back to my own building, although I do a dot1x auth to get onto eduroam, what I don't see is clearpass processing an Airgroup Authorization Request, and the "sh airgroup cppm" doesn't have my mac address in the list. In fact the only way I can get it there is to force a CoA terminate in Access Tracker for the Airgroup Auth Request, after which I see a dot1x auth being processed followed by the "Airgroup Authorization Request".

     

    Guess the question is, is that right? Shouldn't I see the Airgroup Auth Response as well? Guess I don't know enough about under what conditions the Airgroup Auth happens.



  • 6.  RE: Do you need to define an AirGroup Domain on a controller for AirGroups to work

    EMPLOYEE
    Posted Mar 19, 2019 01:31 PM

    So the android device does work, it's only the iOS/iPhone that does not?

     

    Does the iPhone see any other AirPlay compatible devices on its list, or is the Chromecast the only thing missing?



  • 7.  RE: Do you need to define an AirGroup Domain on a controller for AirGroups to work

    Posted Mar 20, 2019 12:58 PM

    On my dev controller cluster I have multiple airgroup devices. However this is the 1st time I'm trying to set up airgroup on our production service.

     

    On the dev controller, as soon as an airgroup client connects to our wifi, a "sh airgroup cppm e" shows the mac address of the device, along with the device-owner and the shared-user-list with correct values.

     

    On the production controller this doesn't happen. I'm connected to the same wifi network (different vlan in the vlan pool) but the client device doesn't immediately appear in the output of this command.

    So the question now is: what is the sequence of events for a device connecting to the wifi network that results in an entry appearing in the "ClearPass Guest Device Registration Information" list?

     

    Rgds

    A



  • 8.  RE: Do you need to define an AirGroup Domain on a controller for AirGroups to work

    Posted Mar 21, 2019 09:56 AM

    So, just discovered the Clearpass Guest Airgroup Diagnostics command.

     

    It would appear that (AFAIK) all the known airgroup devices are associated with a different controller.

     

    So with the Airgroup Diag web page I can manually associate my android phone and chromecast device to a different controller and when I connect to an AP serviced by the controller, I can see the chromecast device.

     

    Methinks there's something not quite right with the airgroup domains we've got set up.... and not sure why devices haven't an expiry time.

     



  • 9.  RE: Do you need to define an AirGroup Domain on a controller for AirGroups to work

    Posted Mar 22, 2019 12:01 PM

    So if in doubt switch it off and on again .....

    Found lots of airgroup devices bound to another controller. Cleared them out and now I seem to be able to cast. However, in clearpass Airgroup Diagnostics, if I ask for info about a device it tells me it's not bound to the controller. If I go to the CLI on that controller and have a look, it's there... see attached images.