This fantastic content below and more enjoyable content from FrançoisVergès can be found at this website.
At home, we love having the convenience of sharing our computer, phone or tablet screen with our TV screen. It works, it’s easy and it has become mainstream.
At work, it’s another story. It is not as simple to make it work as seamlessly and it also needs to be more controlled.
In this article, we will see how Aruba handles these auto-discovery protocols in the enterprise network using the AirGroup functionalities.
Presentation of AirGroup
AirGroup is a set a functionalities that are built into Aruba’s equipment that enables zero configuration services across an enterprise network. Bonjour, introduced by Apple, is the most commonly known example, and it is used to advertised services such as AirPlay or AirPrint.
AirGroup is now a mature technology and is supported on the typical controller architecture as well as on the instant APs.
In terms of services supported, AirGroup now supports the following protocols:
- mDNS or Multicast Domain Name Service
- DLNA or Digital Living Network Alliance
- UPnP or Universal Plug and Play
This means that they support a very large range of devices and applications such as AirPlay, AirPrint, DIAL (used by Chromecast devices), iTunes, Sharing and GoogleCast.
Three Enterprise Network Challenges
1. Multicast over Multiple Networks
The mDNS, DLNA and UPnP protocols work well when being used on the same network because they rely on multicast. However, these multicast messages don’t get carried over to other networks in a more complex environment. This is the main reason why they work better at home than at the office.
AirGroup allows the services to be advertised and used across multiple networks. The controller or the AP acts as a proxy to relay the multicast messages to other networks.
This allows to have devices connected to two different networks leveraging the technology.
2. 802.1X Authentication
Another challenge brought by enterprise network is advanced security. Most enterprise wireless networks rely on 802.1X authentication as it is the best way to secure access to the WLAN. However, some devices do not support this type of authentication. The administrator then has to create a different SSID using a different type of authentication (typically pre-shared key) to bring those devices onto the network. As a result, some wireless devices might be placed on different subnets and different security polices might be applied.
AirGroup allows the multicast services to be used across multiple SSIDs. So, you could have a laptop connected to an 802.1X SSID streaming media to a Google Chromecast connected to a PSK SSID.
More control and management have to be put in place in an enterprise network. Indeed, we do not want any user to stream any content on any AppleTV installed in the building. You can imagine some funny scenarios there!
AirGroup allows the administrator to control which role or which VLAN will have access to which services. AirGroup also allows to match devices to their closest services. That way, as a user, you only see the devices that are relevant to where you are and who you are.
Aruba ClearPass brings even more flexibility with some context awareness features:
- Devices can be categorized as “Shared” or “Personal”. For instance, an AppleTV in a classroom could be shared in between multiple teachers and students whereas an AppleTV in a dorm room will be only used by one particular user.
- AirGroup can be aware of the location of services based on which AP the device is connected to. For instance, this will allow a user to only discover the AppleTV located in the conference room in which he is hosting a meeting.
- AirGroup leverages this location awareness to do location-based discovery. So, as a device roams across the wireless network, it will discover available devices dynamically as it goes.
- Users can self-register their own devices. For instance, a student could register her own Google Chromecast to be used in her dorm room. This device will be registered as a personal device and only this particular student will be allowed to use it.
Here is an example of an architecture leveraging AirGroup in a complex environment:
Three Real Life Scenarios
1. Class Room
In a classroom, we could expect to see an AppleTV connected to TV or video projector. We could also expect to see a printer connected to the wireless network. This Apple TV and printer will advertise their services via multicast. The printer didn’t support 802.1X authentication so we had to connect it to a PSK SSID. Any other devices are connected to the main school SSID based on 802.1X authentication.
We only want the teacher to be allowed to stream content to the AppleTV, but we want to allow anyone (teachers and students) to use the printer.
On the Aruba controller, we can define two different roles: teacher and student. Using AirGroup, we can define that the printer services will be allowed for both roles whereas the AppleTV services only will be allowed for the teacher role.
2. Conference Room
The conference room is shared within different business units. It has a big TV screen with an AppleTV connected. Any employee should be able to stream the content of their tablet, phone or laptop to the AppleTV. However, it is time-sensitive. When a meeting is in progress, only the meeting organizer should be allowed to use the AppleTV located in the conference room.
Leveraging AirGroup and ClearPass policy manager, we can achieve this. The meeting organizer is granted access to the AppleTV service and the location-based awareness allows the user to the see AppleTV located in the conference room.
3. Dorm Room
Students bring their own devices, including AppleTVs, Chromecasts and gaming consoles, into their dorm rooms. They should be able to connect these devices to the Wi-Fi network and start using them as if they were home. However, we want to isolate one room from another so that each student only sees her or his own devices.
To achieve this scenario, a student can be allowed to self-register his device through a portal hosted on ClearPass. He will then be the only one able to use these devices. He can also share the access to these devices with other users as he pleases. For instance, if another student is coming into their room, he can decide to share access to their AppleTV with her.
In conclusion, AirGroup makes it easier to deploy all the convenient consumer services we all love in the enterprise space.
How do you leverage AirGroup in your environment? Any scenario you would like to share with us?
Follow Francois Verges on Twitter at @VergesFrancois.
This page titled Helping the Enterprise Network to Support Consumer Devices and Services with AirGroup and more fantastic content can be found at this website. It was originally published on 2018-10-09 04:47:00.