Personal Segmentation Design
This guide outlines the key features and capabilities of HPE Aruba Networking’s personal segmentation services, which enable client traffic to function like a single home network within an enterprise campus network. The main services covered in this guide include:
- AirGroup
- Personal Device Visibility and Sharing (Personal AirGroup)
This document provides high-level overviews, key features, and real-world customer use cases to understand and implement these features effectively.
AirGroup
HPE Aruba Networking’s AirGroup service enables users to access services such as Apple® AirPrint, AirPlay, Google Cast streaming, Amazon Fire TV, and others seamlessly within an enterprise network. It bridges the gap between devices designed for home networks and enterprise environments by facilitating the discovery and utilization of multicast DNS (mDNS) and Simple Service Discovery Protocol (SSDP) services. From classrooms to boardrooms, AirGroup enhances the functionality of modern networks by simplifying device communication and service discovery.
AirGroup in AOS 10
In AOS 10, AirGroup uses a distributed model that divides functions among the Access Points (APs) and the AirGroup Service in Aruba Central. The cache containing AirGroup servers is distributed to every AP in the network, enabling AirGroup to handle an increasing number of devices efficiently while providing optimal performance and scalability.
This architecture ensures prompt query response times without delaying service advertisements. It intelligently filters unsupported service advertisements to maintain AirGroup service responsiveness. The key components that support mDNS/SSDP in AOS 10 are:
- AirGroup Service in Aruba Central
- AP mDNS Module in Every AP
Devices capable of mDNS/SSDP that periodically broadcast their capabilities on the network are referred to as AirGroup servers. Devices searching for these services are known as AirGroup users.
For more detailed information about AirGroup architecture in AOS 10, refer to the AirGroup section of AOS 10 techdocs.
Example Use Case
This section details the requirements and considerations for designing AirGroup for Orange Widget Logistics (OWL), a fictional corporation described on the Reference Customer page.
Business Use Case
The Learning and Development department at OWL decided to purchase and install two Apple TV® devices and a printer for their recently renovated training areas in Building 3. However, issues with device discovery and connectivity resulted in a trouble ticket. The IT department converted the ticket into a project request to address the issue by enabling and configuring AirGroup. The solution will be implemented initially on a small scale as a pilot and, if successful, it will be replicated across all OWL sites.
For this initial phase:
- One Apple TV® is placed in a conference room for wireless connection.
- Another Apple TV® and a wireless printer supporting AirPrint are placed in a large training room and connected by Ethernet.
Server Type | SSID | Allowed Services | Server VLANs | Client VLANs | Allowed Roles | AP Visibility |
---|---|---|---|---|---|---|
Wireless AppleTV® | OWL-LnD | AirPlay | 100 | 101 | OWL-LND | One-hop Neighbor |
Wireless Printer | OWL-Corp | AirPrint | 101 | 101 | OWL-EMPLOYEE, OWL-CONTRACTOR | Static |
Wired AppleTV® | OWL-LnD | AirPlay | 100 | 101 | OWL-EMPLOYEE, OWL-CONTRACTOR | Static |
Objectives
After network efficiency and security, the most significant consideration is user satisfaction from both the business user community that relies on a stable network and the IT staff who uses the management tools. The following objectives outline key goals to enhance the user experience while simplifying IT operations:
For Users:
- Increase Productivity: Enable quick sharing of presentations, media streaming, and easy printing from mobile devices without the need for additional hardware.
- Enhance User Experience: Provide a seamless, home-like network experience in the enterprise environment.
- Boost Satisfaction with IT: Reduce disruptions and frustrations associated with inconsistent services.
For IT:
- Simplify Network Management: Manage devices and services designed for home networks within an enterprise environment.
- Enhance Security: Permit or deny specific predefined or custom services on the network.
- Improve Troubleshooting: Provide tools and visibility to resolve service discovery issues quickly.
Technical Use Case
OWL’s headquarters in Roseville, CA, consists of three buildings. Building 3 houses the Research & Development (R&D) and Training departments, as well as the distribution center. AirGroup will be enabled and configured to support two new Apple TV® devices and an AirPrint-capable printer.
OWL Roseville Campus
Building 3 Topology
Design Considerations
Certain considerations must be taken into account during the design phase of an AirGroup rollout so that mDNS and SSDP services function properly in the AirGroup-enabled AOS 10 network. From a configuration, monitoring, and troubleshooting perspective, the IT administrator should be aware of the following:
- AP Neighbor List: Generated by AirMatch; any nearby AP with a path loss of less than 150 dBm is considered a one-hop RF neighbor.
- Service Visibility: To access a wireless AirGroup server (e.g., Apple TV®), a client must be within the same one-hop RF neighborhood as the AP to which the server is connected.
- Overlay Mode: AirGroup in AOS 10 is currently supported only in Overlay mode.
- Wired Server Recognition: VLANs of wired servers must be trunked to the switch ports connected to the APs for the APs to recognize and learn the wired AirGroup servers.
- Global Server Policies: For wired AirGroup servers, global server policies must be configured in Aruba Central to define AP visibility and access control.
Example Floor Plan
The floor plan below illustrates the one-hop RF neighborhood for the wireless Apple TV® connected to AP1.
Note: The RF neighborhood depicted in this image is intended for illustrative purposes only and is not to scale. In a real-world environment, factors such as signal attenuation, interference, access point (AP) radio transmit power, and receive sensitivity can affect the actual size of the RF neighborhood, which may differ significantly from the illustration.
In the example above, AP1 is the access point to which the wireless Apple TV® is connected. The access points highlighted in orange form the one-hop RF neighborhood of AP1: an AP is included when the AirMatch-calculated path loss between it and AP1 is below the 150 dB neighbor threshold described under Design Considerations. Additionally, clients must be associated with the SSID configured in AirGroup, and both the server and the users must have VLANs and user roles configured and assigned in AirGroup.
Wireless AirGroup Servers
In an AirGroup-enabled network, when a wireless AirGroup server such as a smart display associates to the WLAN, the AP to which it connects automatically places it in the AirGroup server list in Central. The server then becomes visible and accessible to AirGroup users within the one-hop RF neighborhood of the server’s AP, provided the AirGroup policies allow it. Visibility is determined by the proximity to the AP, and no additional configuration is needed unless the server must be visible beyond the AP’s one-hop range. In that case, global server policies can be configured to include additional APs.
Wired AirGroup Servers
Wired AirGroup servers require a different approach from their wireless counterparts. Because they connect through Ethernet, automatic positioning based on AP locations does not occur. To share wired AirGroup servers with AirGroup users in AOS 10, global server policies must be configured to define the APs that can advertise each server. The following additional considerations apply to wired AirGroup servers:
- VLAN Trunking: The VLANs of wired servers must be trunked to the switch ports connected to the APs.
- AP Port Configuration: Ensure that AP switch ports allow wired server VLANs without modifying the default wired port profile.
- Global Server Policies: Policies must be configured at the Global level in Aruba Central.
- AP Visibility: Define the list of APs (up to 50 in the current release) that can advertise each wired server.
- Future Support: Wired AirGroup servers connected to gateways will be supported in a future release.
- Leader AP: To reduce duplicated updates from all the APs on the same VLAN, a leader AP is selected for each wired server, and only the AP leader will send Discover cache updates to the AirGroup service in Central. Any AP can act as the Leader AP for up to 10 wired AirGroup servers within the same VLAN.
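The visibility rules in the two sections above (one-hop RF neighborhood for wireless servers, global server policy AP lists for wired servers, then the allowed service, client VLAN and role checks from the pilot table) are easy to get wrong when several policies interact. The following model is an added example, not HPE Aruba Networking code or any Central API: it encodes those rules for the OWL pilot so a network team can check, before rollout, which client would discover which server. AP names, the path-loss figures, the wired servers' policy AP lists and the client accounts are constructed assumptions; the server VLANs, client VLANs, roles and services come from the pilot table.

```python
"""AirGroup discovery model for the OWL Building 3 pilot (constructed example,
not HPE Aruba Networking code). Rules encoded from this guide: one-hop RF
neighbours have AirMatch path loss below 150 dB; a wireless server is advertised
on its AP and that AP's one-hop neighbours; a wired server only on the APs in its
global server policy (at most 50); clients must match client VLANs and roles."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional, Set, Tuple

PATH_LOSS_THRESHOLD_DB = 150  # AP Neighbor List rule from the guide
MAX_POLICY_APS = 50           # wired-server AP visibility limit from the guide


@dataclass(frozen=True)
class AirGroupServer:
    name: str
    service: str                              # AirPlay, AirPrint, ...
    server_vlan: int
    client_vlans: FrozenSet[int]
    allowed_roles: FrozenSet[str]
    wired: bool = False
    ap: Optional[str] = None                  # AP a wireless server associates to
    policy_aps: FrozenSet[str] = frozenset()  # global-policy AP list (wired only)


@dataclass(frozen=True)
class Client:
    name: str
    ap: str
    vlan: int
    role: str


def build_neighbors(path_loss: Dict[Tuple[str, str], float]) -> Dict[str, Set[str]]:
    """One-hop RF neighbourhoods (each AP includes itself) from pairwise path loss in dB."""
    neighbors: Dict[str, Set[str]] = {}
    for (a, b), loss in path_loss.items():
        neighbors.setdefault(a, {a})
        neighbors.setdefault(b, {b})
        if loss < PATH_LOSS_THRESHOLD_DB:
            neighbors[a].add(b)
            neighbors[b].add(a)
    return neighbors


def advertising_aps(server: AirGroupServer, neighbors: Dict[str, Set[str]]) -> Set[str]:
    """APs on which the server's mDNS/SSDP advertisements are answered."""
    if server.wired:
        if len(server.policy_aps) > MAX_POLICY_APS:
            raise ValueError(f"{server.name}: more than {MAX_POLICY_APS} APs in policy")
        return set(server.policy_aps)         # no global policy -> advertised nowhere
    if server.ap is None:
        raise ValueError(f"{server.name}: wireless server has no AP")
    return set(neighbors.get(server.ap, {server.ap}))


def can_discover(client: Client, server: AirGroupServer,
                 neighbors: Dict[str, Set[str]]) -> Tuple[bool, str]:
    """Visibility, then VLAN, then role: the order an admin would troubleshoot in."""
    if client.ap not in advertising_aps(server, neighbors):
        return False, "client AP is outside the server's visibility"
    if client.vlan not in server.client_vlans:
        return False, f"client VLAN {client.vlan} not in allowed client VLANs"
    if client.role not in server.allowed_roles:
        return False, f"role {client.role} not allowed"
    return True, f"{server.service} from {server.name} is advertised"


# Constructed path-loss table (dB): AP4 is beyond the 150 dB threshold from AP1.
PATH_LOSS = {("AP1", "AP2"): 95.0, ("AP1", "AP3"): 140.0,
             ("AP1", "AP4"): 162.0, ("AP3", "AP4"): 120.0}
NEIGHBORS = build_neighbors(PATH_LOSS)

# Servers from the pilot table; the wired policy AP lists are assumptions.
SERVERS = {
    "wireless-appletv": AirGroupServer("wireless-appletv", "AirPlay", 100, frozenset({101}),
                                       frozenset({"OWL-LND"}), ap="AP1"),
    "wired-printer": AirGroupServer("wired-printer", "AirPrint", 101, frozenset({101}),
                                    frozenset({"OWL-EMPLOYEE", "OWL-CONTRACTOR"}),
                                    wired=True, policy_aps=frozenset({"AP3", "AP4"})),
    "wired-appletv": AirGroupServer("wired-appletv", "AirPlay", 100, frozenset({101}),
                                    frozenset({"OWL-EMPLOYEE", "OWL-CONTRACTOR"}),
                                    wired=True, policy_aps=frozenset({"AP4"})),
}
# Constructed clients: AP, VLAN and role as the pilot's policy would assign them.
CLIENTS = {
    "alice": Client("alice", "AP2", 101, "OWL-LND"),
    "bob":   Client("bob",   "AP4", 101, "OWL-LND"),
    "carol": Client("carol", "AP4", 101, "OWL-EMPLOYEE"),
    "dave":  Client("dave",  "AP2", 100, "OWL-LND"),
}


def discovery_matrix() -> Dict[Tuple[str, str], bool]:
    """Every client/server pair; useful as a pre-rollout check of the policy tables."""
    return {(c, s): can_discover(CLIENTS[c], SERVERS[s], NEIGHBORS)[0]
            for c in CLIENTS for s in SERVERS}


if __name__ == "__main__":
    for (c, s), ok in sorted(discovery_matrix().items()):
        print(f"{c:6} -> {s:17} {'OK' if ok else 'NO'}  "
              f"{can_discover(CLIENTS[c], SERVERS[s], NEIGHBORS)[1]}")
```

Running the script prints one line per client/server pair with the first failing check, which mirrors the troubleshooting order: is the client's AP inside the server's visibility at all, then does the client VLAN match, then the role. In the constructed data bob sits on AP4, outside AP1's one-hop neighborhood, so he never sees the wireless Apple TV even though his VLAN and role are correct, and dave on VLAN 100 is rejected by the client VLAN list rather than by proximity.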
AirGroup Conclusion
Implementing HPE Aruba Networking’s AirGroup service enhances the user experience by simplifying service discovery and device communication across enterprise networks. By following this design guide, network administrators can gain a clearer, more practical understanding of requirements to implement AirGroup effectively for this use case. They can adapt and build upon this knowledge to fit their own infrastructure, ensuring seamless connectivity, enhanced security, and efficient network management.
Personal Device Visibility and Sharing Overview
Another powerful feature of HPE Aruba Networking’s AirGroup service is Personal Device Visibility and Sharing. Managed through Aruba Central, this feature enables users to easily allow or restrict other users’ access to their personal wireless devices, such as printers, IoT devices, and smart TVs. It enhances collaboration while maintaining control over device accessibility within the network.
Personal Device Visibility and Sharing in AOS 10
In AOS 10, AirGroup introduces a streamlined sharing process to enhance the client experience by simplifying wireless device discovery and access without complex setups or additional software. Personal devices are shared exclusively with wireless clients and authenticated through the UPN (User Principal Name) format. In the current phase, only MPSK AES SSID device owners can share their devices, and the Aruba CloudAuth server serves as the supported authentication server for the MPSK SSID. Sharing a wireless personal device is possible with either MPSK AES or 802.1X authenticated clients, using the “Manage my devices” portal link hosted by Cloud Guest at the MPSK Wi-Fi password portal. For additional details, visit the AOS 10 Personal Device Visibility and Sharing user guide.
Key components of this feature are:
- Personal AirGroup Servers: Wireless devices associated with a specific username (email address) are classified as personal devices by default.
- Public AirGroup Servers: Devices without an associated username or those designated as public are classified as public devices, accessible to a broader user base.
Users have the flexibility to change the classification of their devices from personal to public, making them accessible to a wider audience within the RF neighborhood.
Example Use Case
Orange Widget Logistics (OWL) plans to test AirGroup’s Personal Device Visibility and Sharing feature in their Learning and Development (LnD) area. The goal is to provide localized access to AirGroup-enabled devices in conference rooms and hoteling offices where employees and external partner trainees can gather and present. This will allow users to book office spaces during their training week, with the ability to stream content, print documents, or share access with other attendees within their assigned conference room or hotel office.
Business Objectives
For IT:
- Enhance Security: Ensure that personal devices are accessible only to authorized users.
- Simplify Management: Provide an easy-to-use interface for users to manage device sharing without IT intervention.
- Improve Visibility: Monitor device-sharing activities and access control through Aruba Central.
For Users:
- Increase Productivity: Allow attendees to access shared devices such as printers and displays in their designated office spaces.
- Enhance Collaboration: Enable users to share devices with colleagues or partners securely.
- Improve User Experience: Offer a seamless, home-like environment where personal devices can be managed effortlessly.
Technical Objectives
The hoteling offices are on the second floor of Building 3 at OWL’s campus headquarters. The implementation involves enabling Personal Device Visibility and Sharing for devices within these offices to provide a tailored experience for external trainees.
Example Floor Plan
The following floor plan illustrates four rooms, each containing AirGroup servers with different access and visibility requirements.
Roseville Campus Building 3, Floor 2 Pilot Rooms for Personal AirGroup Pilot
During this pilot phase, success criteria involve enabling the meeting host or designated presenter in the green conference room to make the Apple TV and printer accessible only to designated green room attendees. This setup allows for smooth content sharing, collaboration, and privacy within each room. After the reservation period ends, device visibility can revert to the owner easily. The hosts or presenters of the yellow and red rooms have the same capabilities. In addition, the printer in the gray room is configured for general use and accessible to meeting attendees of all three rooms based on user roles defined in the AirGroup policy.
The following table lists the details of each room and AirGroup server type.
Room | Device | Server Type | SSID | Allowed Services | Server VLANs | Client VLANs | AP Visibility |
---|---|---|---|---|---|---|---|
Green | Wireless AppleTV® | Personal Server | OWL-LnD | AirPlay | 100 | 101 | One-hop Neighbor |
Green | Wireless Printer | Personal Server | OWL-LnD | AirPrint | 100 | 101 | One-hop Neighbor |
Yellow | Wireless AppleTV® | Personal Server | OWL-LnD | AirPlay | 100 | 101 | One-hop Neighbor |
Red | Wireless AppleTV® | Personal Server | OWL-LnD | AirPlay | 100 | 101 | One-hop Neighbor |
Gray | Wireless Printer | Public Server | OWL-LnD | AirPrint | 100 | 101 | One-hop Neighbor |
The table below highlights the key differences between the room owner (presenter) and the meeting participants in VLAN IDs, user accounts, user roles, SSIDs, authentication methods, AirGroup server types, access control, and related attributes.
Parameter | Room Owner (Presenter) | Meeting Attendees (Guests/Participants) |
---|---|---|
VLAN | VLAN 100 (assigned to specific meeting rooms for device isolation) | VLAN 101 (shared VLAN specific to meeting room access) |
User Role | LND-STAFF | LND-STUDENT |
SSID | OWL-Corp or OWL-LnD | OWL-LnD |
Authentication Method | WPA2-Enterprise (UPN-based login) or MPSK | Pre-created UPN-based MPSK |
User Account Type | UPN-based (e.g., greenroom@company.com) | UPN-based (pre-created, e.g., greenguest1@company.com) |
AirGroup Server Type | Personal AirGroup device for Apple TV (and printer if applicable) controlled by room owner | Can access shared Personal AirGroup devices in the meeting room when granted access by the room owner as well as Public AirGroup printer in gray room |
Device Visibility | Full control over device visibility within the meeting room | Can see shared meeting room devices (e.g., green room Apple TV) once access is granted by room owner |
Access Control | Manages access for meeting attendees | Access is granted by the room owner during the meeting session |
Device Management | Full control via the Manage My Devices portal to add/remove attendee access | Limited access as configured by room owner |
Private AirGroup Server | Apple TV and other personal devices are controlled by room owner | Can access shared Personal AirGroup devices in the meeting room when granted access by the room owner |
Public AirGroup Server | Gray room AirPrint printer or other shared devices (if configured as public) | Visible to attendees authenticated to OWL-LnD SSID |
Access Logging | Logs managed through Aruba Central | Access logs for auditing are available from Aruba Central |
Temporary Access | Can grant temporary access to attendees for the duration of the meeting | Access is temporary and specific to the meeting duration |
Revocation of Access | Can revoke access immediately through Manage My Devices after the meeting | Access is revoked by the room owner |
Key Considerations
Several considerations must be addressed during the design phase of implementing AirGroup Personal Device Visibility and Sharing:
- Authentication Format: Personal devices can be shared only with wireless clients, authenticated using the User Principal Name (UPN) format (e.g., email addresses).
- Minimum ArubaOS Version: The feature requires ArubaOS version 10.6 or later.
- Device Ownership and SSID Requirements:
  - An AirGroup server owner (e.g., greenroom@company.com) can share the device with a maximum of eight client accounts.
  - Only owners of devices using an MPSK AES SSID can share their devices through the Aruba CloudAuth server.
  - The SSID must be configured to use MPSK with CloudAuth as the authentication server.
- Identity Repository Consistency:
  - Wireless clients’ user entries must exist in the identity repository used by CloudAuth.
  - If clients are authenticated via another RADIUS server (e.g., HPE Aruba Networking ClearPass), their user entries must also be present in the CloudAuth identity repository to enable device sharing.
- AP Visibility:
  - Device visibility is typically limited to the one-hop RF neighborhood of the AP to which the device is connected.
  - Special considerations may be needed if broader visibility is required.
Personal and Public AirGroup Servers
- Personal AirGroup Servers:
  - Devices associated with a username are classified as personal by default.
  - They are accessible only to the device owner, unless shared with others.
- Public AirGroup Servers:
  - Devices without an associated username or those whose usernames are added to the public server list are classified as public.
  - Public devices are accessible to all users within the allowed roles and VLANs.
  - Changing a Personal AirGroup device to Public makes the device accessible to the broader RF neighborhood.
Additional Considerations
- Device Visibility Range:
  - Wired servers cannot be Personal AirGroup servers.
  - The visibility of personal devices is typically limited to the one-hop RF neighborhood.
  - For situations that require broader access, global server policies can be configured to include additional APs.
- Security Implications:
  - Ensure that only authorized users can share and access devices to maintain network security.
  - Regularly audit the list of shared devices and user permissions.
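The Key Considerations, the Personal and Public AirGroup Servers list and the Additional Considerations above together define the sharing model: UPN-format accounts, an eight-account sharing limit per device owner, guests that must exist in the CloudAuth identity repository, personal devices visible only to the owner until shared, public devices open to all allowed roles, no wired personal servers, and a periodic audit of shared devices. The following model is an added example, not HPE Aruba Networking code or the Manage My Devices portal itself: it enforces those rules for the green-room pilot and produces the audit snapshot the last bullet calls for. The account names, the repository contents and the audit record layout are assumptions; the RF-neighborhood check is left out here because it is the same as for any AirGroup server.

```python
"""Personal Device Visibility and Sharing model (constructed example, not HPE
Aruba Networking code). Rules encoded from this section: a wireless device tied
to a UPN is personal and visible only to its owner; the owner may share it with
at most eight UPN accounts that exist in the CloudAuth identity repository;
reclassifying it as public opens it to every client with an allowed role; wired
servers cannot be personal. Account names and repository contents are assumed."""
from typing import Dict, List, Optional, Set

MAX_SHARED_ACCOUNTS = 8   # per-device sharing limit from the guide


class SharingError(ValueError):
    """A sharing request that violates one of the rules above."""


def is_upn(value: str) -> bool:
    """Minimal User Principal Name check: local@domain with a dotted domain."""
    local, sep, domain = value.partition("@")
    return bool(sep and local and "." in domain and not domain.startswith("."))


class IdentityRepository:
    """Stand-in for the CloudAuth identity repository (assumed contents)."""
    def __init__(self, upns):
        self._upns = {u.lower() for u in upns}

    def exists(self, upn: str) -> bool:
        return upn.lower() in self._upns


class AirGroupDevice:
    def __init__(self, name: str, service: str, allowed_roles, owner: Optional[str] = None,
                 wired: bool = False):
        if wired and owner is not None:
            raise SharingError(f"{name}: wired servers cannot be personal")
        if owner is not None and not is_upn(owner):
            raise SharingError(f"{name}: owner {owner!r} is not in UPN format")
        self.name, self.service = name, service
        self.allowed_roles = set(allowed_roles)   # AirGroup policy roles still apply
        self.owner = owner.lower() if owner else None
        self.public = owner is None               # no username -> public by default
        self.shared_with: Set[str] = set()

    def _require_owner(self, actor: str) -> None:
        if self.public or actor.lower() != self.owner:
            raise SharingError(f"{actor} is not the owner of {self.name}")

    def share(self, actor: str, guest: str, repo: IdentityRepository) -> None:
        """Owner grants a guest account access, as via the Manage My Devices portal."""
        self._require_owner(actor)
        guest = guest.lower()
        if not is_upn(guest):
            raise SharingError(f"{guest!r} is not in UPN format")
        if not repo.exists(guest):
            raise SharingError(f"{guest} is missing from the CloudAuth identity repository")
        if guest == self.owner or guest in self.shared_with:
            return
        if len(self.shared_with) >= MAX_SHARED_ACCOUNTS:
            raise SharingError(f"{self.name}: {MAX_SHARED_ACCOUNTS} shared accounts already")
        self.shared_with.add(guest)

    def revoke_all(self, actor: str) -> None:
        """Reservation over: visibility reverts to the owner alone."""
        self._require_owner(actor)
        self.shared_with.clear()

    def make_public(self, actor: str) -> None:
        self._require_owner(actor)
        self.public, self.shared_with = True, set()

    def visible_to(self, upn: str, role: str) -> bool:
        if role not in self.allowed_roles:
            return False
        return self.public or upn.lower() == self.owner or upn.lower() in self.shared_with


def audit(devices) -> List[Dict]:
    """Snapshot for the periodic review of shared devices and permissions."""
    return [{"device": d.name, "owner": d.owner, "public": d.public,
             "shared_with": sorted(d.shared_with)} for d in devices]


def green_room_demo() -> Dict[str, bool]:
    """Walk the green-room scenario; returns the outcome of each check."""
    owner = "greenroom@company.com"
    repo = IdentityRepository([owner] + [f"greenguest{i}@company.com" for i in range(1, 10)])
    tv = AirGroupDevice("green-appletv", "AirPlay", {"LND-STAFF", "LND-STUDENT"}, owner=owner)
    out = {"before_share": tv.visible_to("greenguest1@company.com", "LND-STUDENT")}
    for i in range(1, 9):
        tv.share(owner, f"greenguest{i}@company.com", repo)
    out["after_share"] = tv.visible_to("greenguest1@company.com", "LND-STUDENT")
    for guest, key in (("greenguest9@company.com", "ninth_rejected"),
                       ("outsider@partner.example", "unknown_rejected")):
        try:
            tv.share(owner, guest, repo)
            out[key] = False
        except SharingError:
            out[key] = True
    tv.revoke_all(owner)
    out["after_revoke"] = tv.visible_to("greenguest1@company.com", "LND-STUDENT")
    return out
```

In the walkthrough the ninth guest is refused by the sharing limit even though the account exists, and the partner account is refused because it is absent from the identity repository, which is exactly the ClearPass-authenticated case the Identity Repository Consistency bullet warns about. The gray-room printer is created with no owner, so it is public from the start and needs only an allowed role; `audit()` over all devices gives the shared-account list to review after each reservation period.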
Personal Device Visibility and Sharing Conclusion
Personal Device Visibility and Sharing enhances user experience by allowing individuals to manage access to their personal devices securely. It empowers users while maintaining network security and simplifies the process of device sharing within an enterprise environment. Following the design considerations and configuration steps outlined, organizations like OWL can deploy this feature effectively to meet their specific needs.