Security

Just started looking at  configuring Airgroups.

Am running  ArubaOS 6.4.3.4 and  CPPM 6.5.4.

Have a master/local controller configuration with 1 ap connected to pone of the local controllers advertising SSID alexs-airgroup.

I've an apple TV and an iPhone connected to this SSID. I can use CoA to terminate the iPhone session connected to the SSIS so I know clearpass can CoA the mobility controllers o.k.

I've registered both devices  in clearpass guest. FWIW The apple TV uses EAP-TLS to connect to the network, the iPhone uses EAP-PEWAP. On the local mobility controller

(aruba1) #show airgroup users mdns

AirGroup Users
--------------
MAC                IP              Type  Host Name            VLAN  Role                      Group  Username           AP-Name
---                --              ----  ---------            ----  ----                      -----  --------           -------
9c:f3:87:40:3b:75  144.32.249.254  mDNS  Alexs-iPhone-6-Plus  4093  managed_wireless_devices         as1558@york.ac.uk  alexs-ap225

(aruba1) #show airgroup servers mdns

AirGroup Servers
----------------
MAC                IP              Type  Host Name       Service  VLAN  Wired/Wireless  Role                      Group  Username                         AP-Name
---                --              ----  ---------       -------  ----  --------------  ----                      -----  --------                         -------
58:55:ca:09:71:38  144.32.249.230  mDNS  alexs-apple-tv  airplay  4093  wireless        managed_wireless_devices         checkinout-appletv-1@york.ac.uk  alexs-ap225

On the iPhone I can see/select  the apple tv as a destination, but any attempt to stream audio/video fails

I've got the Airgroup/airplay service enabled.

In the alexs-airgroup VAP for the AP I'm using  I've unchecked "Drop broadcast and unknown multicast" and also "convert broadcast Arp requests into unicast"

Anything else you can suggest to get this working?

Rgds

Alex

Are there any firewall policies in the user roles of your devices?

Hi,

What firewall policies are in the role the devices are assisgned to?

Cheers

James

Role assigned to both apple tv and iphone is "managed_wireless_device" which has an "allow all "

A

Is there a NAT boundary between the two devices?

What does the datapath table show while you attempt to stream?

Sorted!

found some early airgroup posts from 2012 about airgroup not working and the user fixed it by unchecking "Advanced Services>Stateful Firewall>Global Settings"

Deny Inter User Traffic

Deny Inter User Bridging

After this airplay magically sprang into life and I'm now streaming video from iPhone to an Apple TV. However, at the moment I'm running this on a dev controller/AP far away from our production service. We've got 15K+ wireless users on our "eduroam" SSID and currently we block multicast and don't allow general client<-> client traffic.

If I have to disable the above to get  airplay to work, doesn't this screw up our general blocking inter client traffic? We enbled the above initially because at one point 80% of our wireless traffic was multicast/broadcast from clients

Any way of getting airplay etc working on an SSID and still blocking the above two general firewall options?

Rgds

Alex

The firewall settings you mentioned are global.  You should deny inter-user traffic at the virtual-ap level: http://www.arubanetworks.com/techdocs/ArubaOS_64x_WebHelp/Web_Help_Index.htm#ArubaFrameStyles/VirtualAPs/Virtual_AP_Profiles.htm?Highlight=Deny inter user traffic