Aruba Brandeis Webinar Q&A: Identity Based Access & Aruba AirGroup


We have compiled this morning's Q&A chat window, with answers of course, and wanted to share with all. Thanks to all who joined the webinar. For a copy and the video recording of the presentation, please see the Airheads Social knowledgebase article.

Still got more questions? Please post them here or to Campus WLAN, Mobility Access Switches, ArubaOS and ClearPass forums!

Q&A on Aruba Mobility Access Switches

Q: Can you please tell the difference between Aruba's S2500 and S3500 switches?

A: There is a table posted on the Aruba website describing the differences. The S3500 is a modular switch - power, uplink/stacking, field replaceable fan trays. The S2500 has a fixed configuration - power, fans and uplinks - and comes in a 12" form factor.

Q: Are you telling me that with Aruba, I don't have to have any VLANs?

A: VLANs can be anchored further back in the network and dynamically assigned. The firewall on the controller is used for policy enforcement, and VLANs are simply used to control broadcast domains. You can have as many or as few VLANs as you like, as long as you follow LAN design best practices for IP services like DHCP, DNS, etc.

Q: How many Aruba switches do we need to install?

A: The number of switches is dependent on the number of wired ports required in the network. You have the ability to configure a port to tunnel traffic to the firewall on the controller or allow it to do local L2 or L3 forwarding.

Q&A on Aruba AirGroup

Q: So ClearPass Guest (Amigopod) is required for AirGroup? Is AirGroup part of ClearPass?

A: AirGroup requires ClearPass for it to be most effective. Without ClearPass Guest, L3 discovery, traffic optimization, role based access to services (e.g. students can't access Apple TVs in classrooms but teachers can) and selective advertisement of services (e.g. make AirPrint available across the network but not AirPlay) are still possible with Aruba Mobility Controllers. ClearPass Guest delivers a store and easy definition of user-owned, group-owned, location-assigned, user-and-friends context, and hence it is highly recommended.

Q: For now, we are only interested in making Apple TVs work in classrooms. Do I need the entire ClearPass solution to accomplish this?

A: You could address this with just the Aruba Mobility Controller. You could restrict access for certain devices to just teachers.

Q: I am looking for a solution that provides more than PSK security. Can Apple Bonjour (AirPlay & AirPrint) play across a multi-level security domain scenario?

A: Services such as Apple TV and wireless printers mostly use PSK security, correct. And the assumption is that mobile devices will get access to the network through a strong enterprise security environment. The value of an Aruba solution is that it's built on a stateful firewall that provides the flexibility required to implement this in an environment with multiple security domains - securely connecting services using PSK and mobile devices using 802.1x / RADIUS.

Q: You mentioned the limitation of multicast. Does this address that issue?

A: There will be no mDNS with AirGroup since the Aruba Mobility Controller will act as the mDNS proxy. It will store the information about all services available in the network and, based on policies defined within the controller firewall rules and the ClearPass Guest service registration list, it will present availability to mobile devices based on user, role, location - in other words, context. Replies to Bonjour discovery traffic will be sent as unicast by the Mobility Controller, which acts as the broker in the relationship between the mobile devices and mDNS services.

Q: "Mary's devices go into a Personal AirGroup" That seems like a loaded statement. How will those thousands of groups be created and managed? Using the local LDAP or AD?

A: The groups are created as each device is added by the owner (for personal Apple TVs, etc.) or by an administrator (for local printers, etc.). AirGroups are not created or maintained by admins. They are dynamically created and never require the admin to maintain them. And LDAP or AD can be used to associate existing user groups with shared devices.

Q: Can the access be scheduled? So after hours, students can AirPlay in classrooms.

A: Yes - access can be scheduled based on location and time of day.

Q: Will an AppleTV that doesn't support EAP-PEAP or EAP-TLS still be able to connect to the same SSID?

A: Apple TVs today do not support 802.1x unfortunately. So if wireless, they have to stay under a PSK SSID… or wired Ethernet.

Q: Does AirGroup work well with Juniper4500 Core, Juniper4200 edge?

A: Yes, AirGroup will work as an overlay to a third-party wired network. No limitations for edge, distribution or core.

Q: Regarding the Apple TVs, each person will have to have an Apple TV?

A: You can have Apple TVs that are shared or staff/students can use their own private Apple TVs and grant access to their friends or not.

Q: I know you are focusing on Apple products, but what about other technologies like Droid, Windows, Linux, etc.?

A: This is relevant for any device that supports mDNS. This is not only Apple products but Apple has been the most aggressive in adopting this technology with Bonjour.

Q: Students will have a pass as a guest only?

A: Yes, their resources will be registered as guest users. Similar to sponsor based registration of guest users using ClearPass Guest (ex-Amigopod).

Q: Are services such as ClearPass and AirGroup supported by 6.0.x or 6.1.x AOS versions only, or also in 5.0.x?

A: The specific code release hasn't been identified yet. Available for a limited number of customers to test today and second half of 2012 for GA. Unlikely that it will be available in a 5.0.x release.

Q: Do I need AirWave at all for ClearPass and all the Context-based discovery services?

A: No, however you do need ClearPass Guest for AirGroup to have location and user context.

Q: Are ClearPass and AirGroup part of, or related to, the Aruba Amigopod visitor management system?

A: Amigopod has been absorbed into the ClearPass product portfolio and is being renamed as ClearPass Guest. AirGroup has two components: ArubaOS operating system running on Aruba Mobility Controllers and (highly recommended for full functionality) ClearPass Guest (ex-Amigopod) solution.

Q: What information does a student have to provide for a wired device (eg. Apple TV) that she owns?

A: She would register this device's MAC address and who she wants to be able to use this device - only Mary, Mary and her friends, etc. (by user names) - or an IT admin could identify this device as shared and allow access to groups already identified in AD, for instance.

Q: If only MAC address is provided for a wired device, how does the Aruba infrastructure see/find the device on the network?

A: As long as the VLANs are available to the Aruba infrastructure, it will monitor and perform mDNS discovery to find out all the services available across the VLANs.

Q: Is this service location aware - can you automatically point to the closest printer for instance?

A: Yes, the service is location aware. When the mDNS device is added, a location is assigned to that device. The mobile user then only sees the mDNS devices (printers, projectors, etc.) that are in close proximity to her mobile device.

Q: So ClearPass Guest provides the ACL and not the network?

A: ClearPass Guest provides the policy definition - e.g. "user X owns this Apple TV". ACLs are not part of the ClearPass Guest solution and are implemented within the Aruba infrastructure.
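As an added illustration (not Aruba code, and not from the webinar), the following constructed Python model shows how a controller acting as the mDNS proxy could decide, per user, which registered services to advertise, combining the policy inputs described in the answers above: owner/friend sharing for personal devices, AD-group sharing for admin-registered devices, role and time-of-day rules, and location proximity. All user names, MAC addresses, locations, groups and the specific policy rules are constructed assumptions, and the enforcement model is a simplification, not a description of how ArubaOS or ClearPass Guest implement it.

```python
"""Constructed model of context-aware mDNS (Bonjour) service visibility.

Illustrative code only, not Aruba's implementation: it simulates the policy
described in the webinar, where a proxy decides per user which registered
services to advertise, using owner/friend sharing, admin group sharing,
role, time of day and location.
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional


@dataclass(frozen=True)
class Service:
    name: str                  # mDNS instance name (constructed)
    service_type: str          # "_airplay._tcp" (AirPlay) or "_ipp._tcp" (AirPrint)
    mac: str                   # MAC registered by owner or admin (constructed)
    location: str              # location assigned when the device was registered
    owner: Optional[str] = None                   # None => admin-registered shared device
    friends: FrozenSet[str] = frozenset()         # usernames the owner granted access
    shared_groups: FrozenSet[str] = frozenset()   # AD groups allowed (empty = any role)


@dataclass(frozen=True)
class User:
    username: str
    role: str
    groups: FrozenSet[str]
    location: str


# Constructed adjacency: which registered locations count as "close" to a user.
NEARBY = {
    "BldgA-F1": {"BldgA-F1", "BldgA-F2"},
    "BldgA-F2": {"BldgA-F1", "BldgA-F2"},
    "BldgC-F1": {"BldgC-F1"},
    "Dorm-B": {"Dorm-B"},
}


def role_allowed_types(role: str, hour: int) -> FrozenSet[str]:
    """Role/time policy (constructed): teachers get AirPlay and AirPrint all day;
    students get AirPrint all day and AirPlay only outside 07:00-16:00."""
    if role == "teacher":
        return frozenset({"_airplay._tcp", "_ipp._tcp"})
    if role == "student":
        after_hours = hour < 7 or hour >= 16
        return frozenset({"_ipp._tcp"} | ({"_airplay._tcp"} if after_hours else set()))
    return frozenset()  # unknown roles are advertised nothing


def may_see(user: User, svc: Service, hour: int) -> bool:
    """Return True if the proxy should advertise svc to user."""
    # Personal device: the owner and the named friends see it, wherever they are.
    if svc.owner is not None:
        return user.username == svc.owner or user.username in svc.friends
    # Shared device: role/time policy, then group sharing, then location proximity.
    if svc.service_type not in role_allowed_types(user.role, hour):
        return False
    if svc.shared_groups and not (svc.shared_groups & user.groups):
        return False
    return svc.location in NEARBY.get(user.location, {user.location})


def visible_services(user: User, services: List[Service], hour: int) -> List[str]:
    """Names of the services the proxy would answer with (as unicast) for this user."""
    return sorted(s.name for s in services if may_see(user, s, hour))


# Constructed sample registry (MACs and names are made up).
SERVICES = [
    Service("Room 101 Apple TV", "_airplay._tcp", "00:11:22:33:44:01", "BldgA-F1"),
    Service("Library Printer", "_ipp._tcp", "00:11:22:33:44:02", "BldgA-F2"),
    Service("Staff Room Printer", "_ipp._tcp", "00:11:22:33:44:03", "BldgA-F1",
            shared_groups=frozenset({"faculty"})),
    Service("Far Printer", "_ipp._tcp", "00:11:22:33:44:04", "BldgC-F1"),
    Service("Mary's Apple TV", "_airplay._tcp", "00:11:22:33:44:05", "Dorm-B",
            owner="mary", friends=frozenset({"sam"})),
]

ALICE = User("alice", "teacher", frozenset({"faculty"}), "BldgA-F1")
SAM = User("sam", "student", frozenset(), "BldgA-F1")
MARY = User("mary", "student", frozenset(), "Dorm-B")

if __name__ == "__main__":
    for u in (ALICE, SAM, MARY):
        for hour in (10, 18):
            print(f"{u.username} @ {hour:02d}:00 -> {visible_services(u, SERVICES, hour)}")
```

Running the block prints, for each constructed user, the services that would be advertised at 10:00 and at 18:00; the teacher sees the classroom Apple TV and both nearby printers at any hour, the student only gains the classroom Apple TV after hours, keeps access to a friend's personal Apple TV regardless of location, and never sees the faculty-only printer or the printer in another building. The point of the ordering in `may_see` is that the personal-device rule is evaluated first, so owner/friend sharing is independent of the role and location rules that govern shared devices, which matches the distinction the answers draw between user-registered and admin-registered devices.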

Q: The Apple TV will require an additional SSID, as it does not support 802.1x?

A: Yes - it will require an additional SSID that is PSK only. If PSK is not acceptable, a wired connection has to be the backup option. For AirGroup, either of these is an acceptable connectivity method for plug-n-play services.

Q: Is this function only possible using the Aruba switches or will a controller be capable of doing edge management with a software/firmware upgrade?

A: The AirGroup feature is available without Aruba Mobility Access Switches.

Q: Will AirGroup override the traditional method of blocking inter-device communications within an SSID?

A: It will work alongside it; it will not override any existing rules.

Q: Can you blend Windows, Android & Mac devices in all of this?

A: Yes - anything that uses mDNS is supported.

Q: Can the AirGroup product be used in a Bradford NAC and Aruba environment?

A: Yes.

Q: Did you go over how this solution deals with the requirement for lower data rates to be enabled for multicast?

A: Since the Mobility Controller is acting as the mDNS proxy, it will let the mobile devices know what services are available to them, so multicast discovery over the air will be limited to a minimum: only from mobile devices to the AP.

Q: Would the guest of a student also have access to the internet as well?

A: This would be defined by the network access policies, independent of this feature. A student's friends will not lose any access they had within the network before they were dynamically assigned to their friend's AirGroup.