Campus-Wide Airplay & Airprint with Aruba AirGroup · 2018-02-13 · AppleTV in the meeting room...
CONFIDENTIAL © Copyright 2011. Aruba Networks, Inc. All rights reserved
Campus-Wide Airplay & Airprint with Aruba AirGroup
Aruba Networks
January 31, 2013
Introductions
Andy Logan
• Director, Education Services
Bala Krishnamurthy
• Sr. Tech Marketing Engineer
The need for AirGroup: Bonjour
Bonjour
• Zero Configuration Networking: mDNS -> announcement & discovery
• Support on all OSs
• App Support: AirPlay, AirPrint, AirDrop, AirParrot, iChat, iTunes, Safari, iPhoto, Skype and more.
Most Popular Apps
• Screen mirror from an iPhone, iPad, MacBook to an Apple TV
• Print from an iPhone or iPad with a Bonjour enabled printer
Challenges with Bonjour
1. Protocol Designed for home
• Inability to work across subnets
2. Limited WiFi performance
• Multicast will use lowest 802.11 data rates over the air
• Multicast floods affect network performance
3. Lacks Security
• Services, such as AirPlay, do not require authorization by default
Before AirGroup: Bonjour in the enterprise
[Diagram: Aruba Mobility Controller (L2/L3) with SSID 1 (VLAN 20) and SSID 2 (VLAN 10)]
• Does not work across VLANs
• Increased channel utilization with multicast traffic
• No filtering of services
Why Aruba AirGroup?
Enables users to discover Bonjour services across IP subnet boundaries.
Makes use of zero configuration networking (Bonjour) without affecting Wi-Fi performance.
Integrated firewall provides secure access to personal and enterprise owned devices.
Aruba AirGroup brings the personal WLAN experience to the enterprise environment.
AirGroup on the Mobility Controller
Terminates mDNS queries
Acts as a proxy for user requests
VLAN Bridging
Traffic optimization over the air
Allow/Block services
After AirGroup: Bonjour in the enterprise
[Diagram: Aruba Mobility Controller (L2/L3) with SSID 1 (VLAN 20) and SSID 2 (VLAN 10)]
• VLAN bridging
• Lack of broadcasts over the air
• Service filtering
Why is context required for AirGroup?
1. Everybody sees everything
• Enabling Bonjour across VLANs has opened Pandora's box
2. Lack of Security/Context
• Why would my personal device be visible to others?
• How do I assign a device to be a common resource?
• Why do I need to know about a printer that is across the campus?
3. Lacks flexibility & ease
• Gymnastics to enable Bonjour across VLANs
Value Add with CPPM
Registration portal for end users to register their personal devices (Apple TVs, Printers)
Registration portal for network administrators to register shared devices (conference room Apple TVs, Printers)
Define “personal AirGroup” by specifying a list of users to share devices with.
Define role and location attributes for shared devices.
ClearPass
Aruba AirGroup with CPPM
[Diagram: Aruba Access Network]
Devices: AppleTV in the meeting room; Printer in CFO’s office; AppleTV in the classroom; Printer in the copy room; CFO’s iPad; Laptop in close proximity; Teacher Macbook; iPhone in close proximity
AirGroups: Personal AirGroup “CFO”; Local AirGroup “Apple TVs”; Shared AirGroup “Teachers”; Local AirGroup “Printers”
AirGroup Architectures
AirGroup Deployment Models
• Integrated deployment model (recommended)
• Overlay deployment model
What is an Integrated Deployment Model?
1. The same mobility controller that terminates all APs and provides WLAN access runs AirGroup functionality too.
2. Trunk the VLANs, where wired devices like printers are connected, to the AirGroup controller.
3. Can operate with or without ClearPass Policy Manager.
Integrated Aruba Mobility Controller + CPPM
1. Register the CP-PM and CP-Guest on the Aruba mobility controller
2. Install the AirGroup Services on the CP appliances (Plugin, RADIUS dictionary, AirGroup services template)
3. Enable personal device registration by mDNS operators
4. Enable shared device registration by mDNS admins based on
   1. Roles (list of Aruba user roles)
   2. Users (list of users)
   3. Location (ap-name, ap-group, ap-mac-add)
[Diagram labels: Bob’s “Personal” Devices; Apple TV shared by “Teachers”; Library Printer]
NOTE: mDNS Operators = Users, mDNS admins = IT admins
What is an Overlay Deployment Model?
1. AirGroup functionality is provided by a standalone controller, i.e. an overlay to the WLAN controller.
2. Can operate with or without ClearPass Policy Manager (with caveats).
3. Features like role/location based filtering are NOT supported in this deployment model.
4. The AirGroup controller should receive mDNS traffic, using an L2 GRE tunnel, from all the VLANs where AirGroup service has to be provided.
5. Trunk the VLANs, where wired devices like printers are connected, to the AirGroup controller – only if it's trusted.
6. VLAN wide broadcast filtering should be changed to VAP based filtering.
Overlay Aruba Controller + CPPM
1. Register the CP-PM and CP-Guest on the Aruba mobility controller
2. Install the AirGroup Services on the CP appliances (Plugin, RADIUS dictionary, AirGroup services template)
3. Enable personal device registration by mDNS operators
4. Enable shared device registration by mDNS admins based on
   1. Users (list of users)
[Diagram labels: Bob; Mark; Bob’s “Personal” Devices; Apple TV shared by “Bob and Mark”]
NOTE: mDNS Operators = Users, mDNS admins = IT admins
Operating AirGroup
User Device Registration Portal with ClearPass
• User logs in using the AD credentials
• Device View from a user/admin perspective
[Diagram: AP, Mobility Controller, ClearPass (Guest & PM)]
CPPM helps provide a filtered mDNS response to users and reduces noise.
Personal Device Registration
Logged in as “Student 1”
What is the name of the Device?
What is the MAC of the Device?
Who else can use my “personal device”?
- username
Common/Location based Device Registration
Logged in as “Network Admin”
Who can use the device from – “location context”?
- AP name, AP-Group, FQLN
Which users can see the device – “shared with”?
- usernames
Which user group can see the device – “user role”?
- User role
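The registration slides above define visibility by owner, "shared with" users, user role and location. The following Python sketch is an added illustration of such a filter, not Aruba's or ClearPass's code; the class and function names, the sample registry and MACs, and the match-any, hidden-by-default policy are all assumptions.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass(frozen=True)
class Client:                      # the user/device sending the mDNS query
    username: str
    role: str
    ap_name: str
    ap_group: str

@dataclass
class Device:                      # one registered Bonjour device
    name: str
    mac: str                                   # constructed sample values
    owner: Optional[str] = None                # set for personal devices
    shared_users: set = field(default_factory=set)
    shared_roles: set = field(default_factory=set)
    ap_names: set = field(default_factory=set)
    ap_groups: set = field(default_factory=set)

def is_visible(dev: Device, c: Client) -> bool:
    """Assumed policy: the owner always matches; otherwise one registered
    attribute (user, role, AP name or AP group) must match. No match: hidden."""
    if dev.owner is not None and dev.owner == c.username:
        return True
    return (c.username in dev.shared_users
            or c.role in dev.shared_roles
            or c.ap_name in dev.ap_names
            or c.ap_group in dev.ap_groups)

def filtered_response(registry, c: Client):
    """Names of the devices a proxy would include in its answer to this client."""
    return sorted(d.name for d in registry if is_visible(d, c))

# Constructed registry modelled on the devices named in the slides.
REGISTRY = [
    Device("CFO printer", "02:00:00:00:00:01", owner="cfo"),
    Device("Classroom Apple TV", "02:00:00:00:00:02", shared_roles={"teacher"}),
    Device("Copy room printer", "02:00:00:00:00:03", ap_groups={"building-a"}),
    Device("Meeting room Apple TV", "02:00:00:00:00:04", ap_names={"ap-meeting-1"}),
]

if __name__ == "__main__":
    teacher = Client("alice", "teacher", "ap-class-3", "building-a")
    print(filtered_response(REGISTRY, teacher))
```

A client that matches no attribute gets an empty list, which is the behaviour the "Context Based Access" slide describes: only the necessary services are visible per user, role and location.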
AirGroup Advantages
Context Based Access
• Only the necessary services are made visible to mobile devices – per user, per role, per location.
Centralized Registration of Services
• Simple registration of shared and local services by IT. End users self-register their own personal service.
Zero Touch Install
• No gateways or multicast VLANs. No additional SSIDs, VLANs, MAC filters. No multicast routing configuration.
Questions?