campus-wide airplay & airprint with aruba airgroup · 2018-02-13 · appletv in the meeting...

CONFIDENTIAL © Copyright 2011. Aruba Networks, Inc. All rights reserved


Campus-Wide Airplay & Airprint with Aruba AirGroup

Aruba Networks

January 31, 2013


2

Introductions

Andy Logan

• Director, Education Services

Bala Krishnamurthy

• Sr. Tech Marketing Engineer

CONFIDENTIAL © Copyright 2011. Aruba Networks, Inc. All rights reserved 3

The need for AirGroup: Bonjour

Zero

Configuration

Networking mDNS-> announcement

& discovery

Support on all OSs

App Support AirPlay, AirPrint, AirDrop,

AirParrot, iChat, iTunes,

Safari, iPhoto, Skype and

more.

Bonjour

Screen mirror from an

iPhone, iPad, MacBook

to an Apple TV

Print from an iPhone or

iPad with a Bonjour

enabled printer

Most

Popular

Apps


4

Challenges with Bonjour

2. Limited WiFi

performance • Multicast will use lowest 802.11

data rates over the air

• Multicast floods affects network

performance

3. Lacks Security • Services, such as AirPlay, do not

require authorization by default

1. Protocol Designed

for home • Inability to work across subnets


5

Before AirGroup: Bonjour in the enterprise

L2/L3

Aruba Mobility

Controller

SSID 2

(VLAN 10)

SSID 1

(VLAN 20)

Does not work across VLANs

Increased channel utilization

with multicast traffic

No filtering of services


6

Why Aruba AirGroup?

Enables users to discover Bonjour services across IP subnet boundaries.

Makes use of zero configuration networking (Bonjour) without affecting Wi-Fi performance.

Integrated firewall provides secure access to personal and enterprise owned devices.

Aruba AirGroup brings in personal WLAN experience to enterprise environment.


7

AirGroup on the Mobility Controller

Terminates mDNS queries

Acts as a proxy for user requests

VLAN Bridging

Traffic optimization over the air

Allow/Block services


8

After AirGroup: Bonjour in the enterprise

L2/L3

Aruba Mobility

Controller

SSID 2

(VLAN 10)

SSID 1

(VLAN 20)

VLAN bridging

Lack of broadcasts over the air

Service filtering


9

Why is context required for AirGroup?

1. Everybody sees everything • Enabling Bonjour across VLANs has opened up the

Pandora's box

2. Lack of Security/Context • Why would my personal device be visible to others?

• How do I assign a device to be a common resource?

• Why do I get need to know about a printer that is across

the campus?

3. Lacks flexibility & ease • Gymnastics to enable Bonjour across VLANs


10

Value Add with CPPM

Registration portal for end users to register their personal devices (Apple TVs, Printers)

Registration portal for network administrators to register shared devices (conference room Apple TVs, Printers)

Define “personal AirGroup” by specifying a list of users to share devices with.

Define role and location attributes for shared devices.

ClearPass


11

Aruba AirGroup with CPPM

AppleTV in the

meeting room

Printer in

CFO’s office

AppleTV in

the classroom

Printer in the

copy room

CFO’s iPad

Laptop in close

proximity

Teacher

Macbook

iPhone in close

promixity

Personal AirGroup “CFO”

Local AirGroup “Apple TVs”

Shared AirGroup “Teachers”

Local AirGroup “Printers”

Aruba Access Network



AirGroup Architectures


13

AirGroup Deployment Models

Integrated deployment

model (recommended)

Overlay deployment model


14

What is an Integrated Deployment Model?

1. The same mobility controller that

terminates all APs and provides WLAN

access runs AirGroup functionality too.

2. Trunk the VLANs, where wired devices

like printers are connected, to the

AirGroup controller.

1. Can operate with or without Clear Pass

policy manager.


15

Integrated Aruba Mobility Controller + CPPM

1. Register the CP – PM and CP

– Guest on the Aruba mobility

controller

2. Install the AirGroup Services

on the CP appliances (Plugin, RADIUS dictionary, AirGroup services

template)

3. Enable personal device

registration by mDNS operators

4. Enable shared device

registration by mDNS admins

based on

1. Roles (list of Aruba user roles)

2. Users (list of users)

3. Location (ap-name, ap-group, ap-

mac-add)

Bob’s

“Personal”

Devices

Apple TV shared by “Teachers”

Library

Printer

NOTE: mDNS Operators = Users, mDNS admins = IT admins


16

What is a Overlay Deployment Model ? 1. AirGroup functionality is provided by a

standalone controller i.e. overlay to

WLAN controller.

2. Can operate with or without Clear

Pass policy manager (with caveats).

3. Features like role/location based

filtering are NOT supported in this

deployment model.

1. AirGroup controller should receive

mDNS traffic from all the VLANs

using a L2 GRE tunnel - where

AirGroup service has to be provided.

2. Trunk the VLANs, where wired

devices like printers are connected,

to the AirGroup controller – only if its

trusted.

1. VLAN wide broadcast filtering should

be changed to VAP based filtering.


17

Overlay Aruba Controller + CPPM

1. Register the CP – PM and CP

– Guest on the Aruba mobility

controller

2. Install the AirGroup Services

on the CP appliances (Plugin, RADIUS dictionary, AirGroup services

template)

3. Enable personal device

registration by mDNS operators

4. Enable shared device

registration by mDNS admins

based on

1. Users (list of users)

Bob’s

“Personal”

Devices

Apple TV shared by “Bob and Mark”

NOTE: mDNS Operators = Users, mDNS admins = IT admins

Bob Mark



Operating AirGroup


19

User Device Registration Portal w ClearPass

User logs in using the AD

credentials

Device View from a user/admin

perspective

AP Mobility Controller ClearPass

(Guest & PM)

CPPM helps in providing a filtered mDNS response to users and reduce noise.


20

Personal Device Registration

What is the name of the Device?

What is the MAC of the Device?

Who else can use my “personal device”?

-username

Logged in as “Student 1”


21

Common/Location based Device Registration

Logged in as “Network Admin”

Who can use the device form – “location context”?

- AP name, AP-Group, FQLN

Which users can see the device– “shared with”?

- usernames

Which user group can see the device – “user role”?

- User role


22

AirGroup Advantages

Context Based Access

Only the necessary services are made visible to

mobile devices – per user, per role, per location.

Centralized Registration of Services

Simple registration of shared and local

services by IT. End users self-register

their own personal service.

Zero Touch Install

No gateways or multicast VLANs. No

additional SSIDs, VLANs, MAC filters. No

multicast routing configuration.

Back



Questions?

campus-wide airplay & airprint with aruba airgroup · 2018-02-13 · appletv in the meeting...

Documents