Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

Apple Remote Desktop for a wireless lab

  • 1.  Apple Remote Desktop for a wireless lab

    Posted Nov 20, 2015 02:45 PM

    I could use some help on what the specific needs are in setting up Apple Remote Desktop v3.8 on Aruba. Is AirGroups needed to make this happen and if so what specifically is it using? It seemed to be working temporarily but now has stopped and I am unsure of what is needed to make the current version work.

     

    Thanks!



  • 2.  RE: Apple Remote Desktop for a wireless lab

    EMPLOYEE
    Posted Nov 20, 2015 02:48 PM
    How are you using Apple Remote desktop is the answer to that. There are specific ports that need to be allowed. Are you allowing them? http://www.how2s.org/index.php/Howto_get_Apple_Remote_Desktop_to_work_behind_a_router


  • 3.  RE: Apple Remote Desktop for a wireless lab

    Posted Nov 20, 2015 11:45 PM

    I have these ports allowed for these lab computers... It is specifically when I try to share my screen to all the others.



  • 4.  RE: Apple Remote Desktop for a wireless lab

    EMPLOYEE
    Posted Nov 21, 2015 05:33 AM

    mattjhughes,

     

    If you are allowing those ports and you are still seeing that issue, what do you think could be the problem?



  • 5.  RE: Apple Remote Desktop for a wireless lab

    Posted Dec 02, 2015 10:57 AM

    The screen sharing does not work with allow-all as the user-role. Other aspects of the ARD are working fine; I can share a screen with one individual computer, and I can remotely observe/control another user's screen. However, when I try to share the instructor screen with more than one computer, it does not work. I am looking over the ARD documentation and do not see much regarding multicast, but wondered if it could be something that needs AirGroups to resolve. Is there a good command to test if the client is attempting to use multicast traffic? I saw

    show airgroup blocked-queries 

    however it does not seem to show specific users, or I do not know how to associate them to the UUID. 



  • 6.  RE: Apple Remote Desktop for a wireless lab

    EMPLOYEE
    Posted Dec 02, 2015 12:31 PM

    mattjhughes,

     

    You should run the command "show datapath session table <ip address of client>"  a few times exactly when you are attempting the remote desktop to see what traffic is being passed, to see if anything is being blocked.



  • 7.  RE: Apple Remote Desktop for a wireless lab

    Posted Dec 02, 2015 01:58 PM

     

    Here is some of the output from the command you mentioned. I see the Y flag for some of the traffic, but was not sure if that was just UDP traffic. I tried to do the screen share about 10 times and it worked (for the first time) 1 of those 10 times; however, nothing was changed, as far as I could tell. As an aside, I thought there was an easy way to change the role of a user using the CLI, something like aaa user change role or something. I wanted to create a custom role just for testing, and assign via the CLI.

     

     

    (Aruba7240) (config) #show datapath session table 10.31.14.176 | include 10.31.17
    10.31.17.16     10.31.14.176    17   3283  3283   0/0     0    0   1   tunnel 3268 14   4          376        FCA             
    10.31.14.176    10.31.17.16     17   3283  3283   0/0     0    0   1   tunnel 3268 14   4          664        FA              
    10.31.14.176    10.31.17.16     17   5900  5900   0/0     5    0   0   tunnel 2209 e    17         816        FC              
    10.31.17.16     10.31.14.176    17   5900  5900   0/0     5    0   0   tunnel 2209 e    16         1152       F               
    10.31.14.176    10.31.17.16     17   5900  49439  0/0     0    0   0   tunnel 3268 c    0          0          FYA             
    10.31.17.16     10.31.14.176    17   49439 5900   0/0     0    0   0   tunnel 3268 c    8          384        FCA             
    
    (Aruba7240) (config) #show datapath session table 10.31.14.176 | include 10.31.17
    10.31.17.16     10.31.14.176    17   3283  3283   0/0     0    0   1   tunnel 3268 8    2          188        FCA             
    10.31.14.176    10.31.17.16     17   3283  3283   0/0     0    0   0   tunnel 3268 8    2          188        FA              
    10.31.14.176    10.31.17.16     17   5900  49439  0/0     0    0   7   tunnel 3268 7b   0          0          FY              
    10.31.17.16     10.31.14.176    17   49439 5900   0/0     0    0   0   tunnel 3268 7b   46         2208       FC              
    
    (Aruba7240) (config) #show datapath session table 10.31.17.16 | include 10.31.14.176
    10.31.17.16     10.31.14.176    17   3283  3283   0/0     0    0   1   tunnel 3268 a    2          188        FCA             
    10.31.14.176    10.31.17.16     17   3283  3283   0/0     0    0   0   tunnel 3268 a    2          188        FA              
    10.31.14.176    10.31.17.16     17   5900  49439  0/0     0    0   11  tunnel 3268 ba   0          0          FY              
    10.31.17.16     10.31.14.176    17   49439 5900   0/0     0    0   0   tunnel 3268 ba   67         3216       FC              
    
    (Aruba7240) (config) #show datapath session table 10.31.17.16 | include 10.31.14.176
    10.31.17.16     10.31.14.176    17   3283  3283   0/0     0    0   1   tunnel 3268 d    2          188        FCA             
    10.31.14.176    10.31.17.16     17   3283  3283   0/0     0    0   1   tunnel 3268 d    2          188        FA              
    10.31.14.176    10.31.17.16     17   5900  49439  0/0     0    0   11  tunnel 3268 bd   0          0          FY              
    10.31.17.16     10.31.14.176    17   49439 5900   0/0     0    0   0   tunnel 3268 bd   68         3264       FC              

     



  • 8.  RE: Apple Remote Desktop for a wireless lab

    EMPLOYEE
    Posted Dec 02, 2015 03:21 PM

    Port 5900 and port 3283 according to apple:  https://support.apple.com/en-us/HT202944

     

    aaa user add <ip address> <role> will switch roles of a user.

     



  • 9.  RE: Apple Remote Desktop for a wireless lab

    Posted Dec 03, 2015 02:21 PM

    Sorry I can not understand the output from the command that well, are you thinking it is being blocked on 5900? or is that standard for UDP traffic on that port (the Y flag)? Also when I try to change the role using the command.

     

    aaa user add 10.31.17.16 role Secure-Role

    and then look in the user-table it still has the old role assigned.

     

    Any ideas on what should be my next steps? Thank you much for the help so far.  

     



  • 10.  RE: Apple Remote Desktop for a wireless lab

    EMPLOYEE
    Posted Dec 03, 2015 04:04 PM

    I don't see it being blocked.  The Y flag is for UDP traffic or one-way TCP traffic.  Protocol 17 means that it is UDP traffic.  All the traffic looks like it is unicast, so no airgroup/mdns type discovery traffic there.  Please identify the other ip addresses in the output to determine what the computer is attempting to talk to...
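
An added example, not part of the original thread or Aruba's tooling: a Python sketch that pairs the two directions of each flow in pasted `show datapath session table` rows and lists flows where one direction shows zero packets. The column layout (packets and bytes as the last two numeric fields, flags last and optional) is an assumption inferred from the rows posted in this thread; the sample rows are copied from posts 7 and 12.

```python
from collections import defaultdict, namedtuple

# Rows copied from the thread's output (posts 7 and 12); no header was posted.
SAMPLE = """\
(Aruba7240) (config) #show datapath session table 10.31.14.176 | include 10.31.17
10.31.17.16     10.31.14.176    17   3283  3283   0/0     0    0   1   tunnel 3268 8    2          188        FCA
10.31.14.176    10.31.17.16     17   3283  3283   0/0     0    0   0   tunnel 3268 8    2          188        FA
10.31.14.176    10.31.17.16     17   5900  49439  0/0     0    0   7   tunnel 3268 7b   0          0          FY
10.31.17.16     10.31.14.176    17   49439 5900   0/0     0    0   0   tunnel 3268 7b   46         2208       FC
10.31.14.176    10.31.17.16     6    60290 5900   0/0     5    0   0   tunnel 3267 163  373        19396
10.31.17.16     10.31.14.176    6    5900  60290  0/0     5    0   0   tunnel 3267 163  379        116046     C
"""

PROTO = {6: "tcp", 17: "udp"}
Row = namedtuple("Row", "src dst proto sport dport packets bytes flags")

def parse_rows(text):
    """Parse session rows; assumes packets/bytes are the last two numbers."""
    rows = []
    for line in text.splitlines():
        t = line.split()
        if len(t) < 13 or not t[2].isdigit():
            continue  # CLI prompt, blank line or header
        tail = t[9:]
        flags = "" if tail[-1].isdigit() else tail.pop()  # flags may be absent
        rows.append(Row(t[0], t[1], int(t[2]), int(t[3]), int(t[4]),
                        int(tail[-2]), int(tail[-1]), flags))
    return rows

def one_way_flows(rows):
    """List flows where one direction has packets and the reverse has none."""
    flows = defaultdict(list)
    for r in rows:  # both directions of a flow share the same endpoint set
        key = (r.proto, frozenset([(r.src, r.sport), (r.dst, r.dport)]))
        flows[key].append(r)
    findings = []
    for (proto, _), pair in flows.items():
        silent = [r for r in pair if r.packets == 0]
        active = [r for r in pair if r.packets > 0]
        if len(pair) == 2 and len(silent) == 1:
            s = silent[0]
            findings.append((PROTO.get(proto, str(proto)),
                             f"{s.src}:{s.sport}->{s.dst}:{s.dport}",
                             active[0].packets, s.flags))
    return findings

if __name__ == "__main__":
    for f in one_way_flows(parse_rows(SAMPLE)):
        print("no packets seen %s %s (reverse: %d pkts, flags %s)" % f)
```

Feed it one snapshot of the command at a time; rows repeated across several pasted runs are skipped because a flow then has more than two entries.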



  • 11.  RE: Apple Remote Desktop for a wireless lab

    EMPLOYEE
    Posted Dec 03, 2015 04:09 PM

    @mattjhughes wrote:

    Sorry I can not understand the output from the command that well, are you thinking it is being blocked on 5900? or is that standard for UDP traffic on that port (the Y flag)? Also when I try to change the role using the command.

     

    aaa user add 10.31.17.16 role Secure-Role

    and then look in the user-table it still has the old role assigned.

     

    Any ideas on what should be my next steps? Thank you much for the help so far.  

     


    Also, the aaa user add command is case-sensitive for the role. The ip address and role need to be typed exactly; there is no error output to the command.

     



  • 12.  RE: Apple Remote Desktop for a wireless lab

    Posted Dec 03, 2015 04:36 PM

     

     

    It seems like it will throw an "Unknown role" error if you do enter it incorrectly.

     

     

    (Aruba7240) #aaa user add 10.31.89.78 role Secure-FAKE
    Unknown role

    In the end I just changed the role for these machines in ClearPass when they authenticated for the time being. It still does not work with the following role; I turned off Deep Packet and Classification.

     

    user-role Secure-Role
     max-sessions 65535
     dpi disable
     web-cc disable
     access-list session global-sacl
     access-list session apprf-Secure-Role-sacl
     access-list session allowall
    !

     

     

    10.31.14.176    10.31.17.16     17   5900  55272  0/0     0    0   8   tunnel 3267 84   0          0          FY              
    10.31.17.16     10.31.14.176    17   3283  3283   0/0     0    0   0   tunnel 3267 2    1          94         FC              
    10.31.17.16     10.31.14.176    17   55272 5900   0/0     0    0   0   tunnel 3267 84   43         2064       FC              
    10.31.14.176    10.31.17.16     6    60290 5900   0/0     5    0   0   tunnel 3267 163  373        19396                      
    10.31.14.176    10.31.17.16     17   3283  3283   0/0     0    0   1   tunnel 3267 2    1          94         F               
    10.31.17.16     10.31.14.176    6    5900  60290  0/0     5    0   0   tunnel 3267 163  379        116046     C  

    I suppose it could be related to the program itself, but it works via the Wired network.