Wireless Access

last person joined: yesterday 

Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.
Back to discussions
Expand all | Collapse all

Airgroup question on Mobility controller ArubaOS 8

This thread has been viewed 3 times

  • 1.  Airgroup question on Mobility controller ArubaOS 8

    Posted Jun 13, 2018 10:35 AM

    All,

     

    I manage the Aruba iAP wireless for a small K-12 school campus.  Currently I have it setup with three sets of VC and VLAN.  One for each school (lower school, middle school, and upper school.)  This allows me to do a few things like: break up broadcast domains, limit each VC to a managable amount of APs, and each school has it's own VC so I can setup different policy based on the school needs.

    Another benefit of having the schools on separate VLAN and VC is when using Airgroup. Only Airprint and Airplay devices for the respective school are visible.  For example, only upper school Airprint printers are available if you are in the upper school buildings.  If you are in the middle school, only middle school Apple TV are available, etc.

    For this summer we are upgrading to a pair of redundant 7205 Mobility controllers for the whole campus.  I'm working with professional services to assist in the installation.  In our initial meeting they mentioned removing the different sets of VLANs would be recommended to improve roaming between the schools.  I understand that and I also understand I'll get better control using AP groups using the new controllers.

    But I'm unclear and my question is with Airgroup.  Is it possible to limit Airplay/Airprint to an AP group?  Especially for the lower school kids.  If they are learning how to Airprint, we need limit the number of printers they view.  It's crucial they can only see printers available in the lower school, and not the entire organization.

    Thanks.

    Note:  Our SSIDs are WPA2 personal.



  • 2.  RE: Airgroup question on Mobility controller ArubaOS 8

    Posted Jun 13, 2018 01:07 PM

    Also, the Airprint printers are mostly HP and they are all WIRED with IP addresses.



  • 3.  RE: Airgroup question on Mobility controller ArubaOS 8

    Posted Jun 13, 2018 01:19 PM

    I think I just answered my own question.  If the printers are wired, the wireless controller won't have any control over wired devices.  Unless there is some mechanism to register devices in the controller or possibly use Clearpass.



  • 4.  RE: Airgroup question on Mobility controller ArubaOS 8

    EMPLOYEE
    Posted Jun 13, 2018 02:04 PM
    @OESTech wrote:

    I think I just answered my own question.  If the printers are wired, the wireless controller won't have any control over wired devices.  Unless there is some mechanism to register devices in the controller or possibly use Clearpass.

    You are on the right track. ClearPass provides the most flexibility. The controller provides some coarse grouping functionality.

     

    This may help: https://www.arubanetworks.com/techdocs/ArubaOS_82_Web_Help/Web_Help_Index.htm#ArubaFrameStyles/AirGroup/Configuring_AirGroup_Profile.htm#Creating3



  • 5.  RE: Airgroup question on Mobility controller ArubaOS 8

    EMPLOYEE
    Posted Jun 13, 2018 02:08 PM
    Hi

    On ArubaOS8 airgroup can be setup in different ways. Central or decentral. Without knowing the whole new setup I can image that the wired vlan (with the atv or printers) is different per school. This VLAN can be tagged on the uplink of the AP's for that school and the AP will only 'airgroup' those devices in that vlan. Also further control is possible with ClearPass.

    I hope this helps


  • 6.  RE: Airgroup question on Mobility controller ArubaOS 8

    Posted Jun 13, 2018 05:41 PM

    So after talking to our professional services and doing some research, it looks like we'll stick with keeping the schools on separate VLAN.

     

    - From what I can tell the Clearpass solution requires use of onboarding or the Guest module.  Our SSIDs are mostly WPA2 personal and don't even use Clearpass.

     

    -Since the Airprint printers are wired, there is no solution in the wireless controlller.

     

    So our network will look something like this:

    Lower school building

    Employee SSID = VLAN 10

    Student SSID = VLAN 20

     

    Middle school building

    Employee SSID = VLAN 30

    Student SSID = VLAN 40

     

    Something like that to keep the broadcast domains separate.  Maybe roaming between building won't be ideal, but it keeps everything else simple.



  • 7.  RE: Airgroup question on Mobility controller ArubaOS 8

    EMPLOYEE
    Posted Jun 13, 2018 09:50 PM

    With that being said, you can still do some things in AOS without ClearPass.  You can use autoassociate to associate a wired printer with an access point or group of access points.  That would allow you to say that users can only see that wired printer when a user is associated to that access point or neighboring access points:  https://www.arubanetworks.com/techdocs/ArubaOS_83_Web_Help/Web_Help_Index.htm#ArubaFrameStyles/1CommandList/airgroup.htm?Highlight=autoassociate

    https://www.arubanetworks.com/techdocs/ArubaOS_83_Web_Help/Web_Help_Index.htm#ArubaFrameStyles/1CommandList/airgroupprofile.htm?Highlight=autoassociate