Security

We're noticing that when we add a new Apple TV to the network, it will immediately show on the wireless controllers with "show airgroup servers". We then use that data to add it as a new device to Clearpass Guest, scoped to the building it's in. It's set to active "now". However, it won't show up on the wireless controllers for roughly 24 hours, as seen with "show airgroup cppm entries". Our query interval is 1 hour, but I can't figure out where that 24 hour setting is coming from. 

When an Apple TV is registered in Clearpass guest (with Airgroup enabled), a CoA is issued to the controller to update the airgroup CPPM entries on the controller. This should be immediate. A packet capture on Airgroup CoA port should help confirm if this is being sent out or not.

Thanks Tim and Matt. Looks like I need to run some packet captures so see what's being sent and when. We have roughly 75 Apple TVs now, and all I'm sure of is that none of them have ever shown up immediately in the "CPPM entries" table, but all of them show up somewhere between 22 and 24 hours later. 

CPPM - 6.3.6.67943 on CP-VA-5K

Wireless Master -- 6.3.1.13 on OAW-4550-US

Wireless Slave --   6.3.1.12 on OAW-4750-US

Okay.  Do you have "AirGroup CPPM enforce registration" Enabled?  That would mean a device would not be seen until is is entered in Airgroup on CPPM.  Or, have you made all servers available to everyone in the controller?  You might want to turn off CPPM enforce registration to see if all AppleTVs are present immediately to rule out an issue with CPPM configuration, etc.

Hi Colin,   enforcement is enabled. We did turn it off the other day, and Apple TVs immediately showed up. We turned enforcement back on, and the Apple TVs disappeared again. I checked a few more times throughout the day with "show airgroup cppm entries" and the new A TV hadn't showed up yet. Then, after 24 hours, it finally showed up. 

CPPM - 6.3.6.67943 is fairly old, can you try upgrading to 6.5.x (6.5.3 is the latest)

We do plan on updating next week to the new code.

I just noticed today that the CPPM entry does get pushed to the master controller almost immediately. I must've missed that before -- I don't usually look at the master since no APs terminate on it. 

It's the replication to the local controllers that is taking 24 hours. Everything else we do, such as updating configs on the master through the gui, will replicate immediately. It's just the CPPM database that takes so long.

Is the AirGroup request in ClearPass coming from the master or local controller?

Sorry, how do I determine that? All of our APs are terminated on the local, not the master, but in clearpass Guest, both the Master and Local are added as AirGroup Controllers in the administration page. 

Take a look at the AirGroup Authorization Requests in Access Tracker in ClearPass to see the source controller.

Access Device IP/Port:  10.189.255.32:0         (Master)

Radius:IETF:NAS-IP-Address 10.189.255.32    (Master)

As I pick through different requests, this line alternates back and forth between the Master and the two locals:

Connection:Src-IP-Address 10.189.255.67        (local)
Connection:Src-IP-Address 10.189.255.66        (local)
Connection:Src-IP-Address 10.189.255.32        (Master)