Security

Looking through the docs I can log into a controller and for an airgroup service do an "autoassociate apgroup"

 

What if I wanted to do this from clearspass? Would that be the same as setting  airgroup_shared_location = "AP-Group=......" ?

 

Basially if a device logs onto an SSID just want them to see airgroup servers on the same ap-group.

 

A

Yes, you just select the AP group or AP name during device registration.

so what about when its an end user and we are trying to minimise the amount of stuff they have to type? You wouldn't want an end user to have to pick an ap group, you;d want to set it automagically.

A

Auto RF neighborhood (Controller) and device registration (ClearPass) are mutually exclusive today.

o.k. so then i want to use the clearpass guest airgroup_shared_location value ( which I've currently got disabled in my form). Two questions:-

1). 

But setting that would tie devices to wherever you 1st configured them. I know that this is probably the right thing to do, but what if these devices were portable and you moved them from one AP group to another? I'd sort of expect to be able to have clearpass send appropraite shared location stuff based upon where a device is.

2). If I was to use airgroup_shared_location, is there an automagic way of setting it to the ap group that the ap the device is connected to is in?

 

Guess what you want to do is set the initial value of airgroup_shared_location to be the ap group you are currently connected to

 

Can you do that?

A

No. That's now how the feature is designed.

Ah! 

So guess I'm back to autoassociate on the mobility controller then

 

Most end users want to access their own services anywhere on campus. That is the way the feature was designed.

And just discovered that the way we create AP Groups makes it impractical to evem think of this :-(