Enabling Support for Dynamic Notifications
To enable support for dynamic notification of AirGroup events when new devices are added, each AirGroup-enabled IAP must also be defined in ClearPass Guest.
|
1.
|
In the ClearPass Guest user interface, navigate to Administrator > Plugin Manager > Manage Plugins.
|
|
2.
|
Click the Configuration link for the AirGroup Services plugin in the list of plugins. TheAirGroup Services Configuration page opens.
|
|
3.
|
Click the Add a new IAP link to insert a new IAP in the list. Specify the following properties for each AirGroup-enabled IAP:
|
|
|
Port number – Note that this should be AirGroup cppm-server aaa rfc3576-server, the UDP port number of the AirGroup process on the IAP
|
|
|
Shared secret – This is the rfc-3576_udp_port shared secret used for AirGroup
|
|
4.
|
Click Save Configuration.
|
Ensure that the ClearPass Policy Manager Authentication Source (SQL database connection) points to the appropriate ClearPass Guest IP address:
|
1.
|
Log in to ClearPass Policy Manager and navigate to Configuration > Authentication > Sources.
|
|
2.
|
Click the AirGroup Amigopod DB row, then click the Primary tab.
|
|
3.
|
Verify that the values in the Server Name and Login Password fields match the IP address and password set in the ClearPass Guest configured to connect to the ClearPass Policy Manager database for AirGroup deployment. (See Configuring the ClearPass Guest Database .)
|
Creating AirGroup Administrators
AirGroup Administrators can use the ClearPass Guest system to define and manage the organization’s shared devices. Devices can be shared globally, or shared with restrictions based on the username, role name, or location of a user trying to access the device.
In ClearPass Guest, the AirGroup Administrator operator profile is used to define the AirGroup Administrator user role. This profile is automatically created when the AirGroup Services plugin is installed.
To create a local operator with the AirGroup Administrator profile:
|
1.
|
Navigate to Administrator > Operator Logins > Operators, then click the Create operator login link.
|
|
2.
|
Select AirGroup Administrator in the Operator Profile drop-down list.
|
|
3.
|
Complete the other fields as necessary, then click Create Operator Login to create the local operator.
|
Creating AirGroup Operators
AirGroup Operators are users of the ClearPass Guest system who can define and manage a limited number of personal devices. An operator’s devices are automatically shared with all other devices owned by the same operator. Devices may also be shared with specific users, based on a list of usernames provided to the system.
In ClearPass Guest, the AirGroup Operator operator profile is used to define the AirGroup Operator user role. This profile is automatically created when the AirGroup Services plugin is installed.
To create a local operator with this profile:
|
1.
|
Navigate to Administrator > Operator Logins > Operators, then click the Create operator login link.
|
|
2.
|
Select the AirGroup Operator item in the Operator Profile drop-down list.
|
|
3.
|
Complete the other fields as necessary, then click Create Operator Login to create the local operator.
|
By default, an operator can create up to five personal devices. To change this default:
|
1.
|
Navigate to Administrator > Operator Logins > Profiles, and then select the AirGroup Operator profile in the list.
|
|
2.
|
Click the Edit link. The Edit Operator Profile form opens.
|
|
3.
|
In the Account Limit field, specify an appropriate value. This is the maximum number of personal devices that an operator with this profile can create.
|
|
4.
|
Click the Save Changes button.
|
You can create a set of operator profiles and configure each profile with a different account limit. This makes it easy to assign operator profiles appropriately for small groups, larger groups, or events. To create each profile in the set, duplicate the built-in AirGroup Operator profile, and update the Account Limit field in the new profile.
Authenticating AirGroup Users Via LDAP
ClearPass Guest supports LDAP authentication for operators.
To provide the AirGroup management user interface to LDAP-authenticated users, use the Administrator > Operator Logins > Servers list view to define the LDAP server, and then define appropriate translation rules to categorize your LDAP users:
|
|
Network administrators (for example, IT staff) responsible for provisioning shared devices across the organization should be assigned the AirGroup Administrator operator profile.
|
|
|
Other users (for example, staff or students) who should only be allowed to provision personal devices should be assigned the AirGroup Operator operator profile.
|
Refer to the ClearPass Guest Deployment Guide for more details on the Servers and Translation Rules features.