Configuring AirGroup

AirGroup provides a unique enterprise-class capability that leverages zero configuration networking to enable AirGroup services from mobile devices efficiently. Zero configuration networking enables service discovery, address assignment, and name resolution for desktop computers, mobile devices, and network services. It is designed for flat, single-subnet IP networks such as wireless networking at home. The users can register their personal devices and define a group of users who can share the registered devices. Administrators can register and manage an organization's shared devices such as printers and grant global access to each device, or restrict access according to the username, role, or user location.

In large universities and enterprise networks, it is common for devices to connect to the network across VLANs. As a result, user devices on a specific VLAN cannot discover a service that resides on another VLAN. Because the addresses used by the protocol are link-scope multicast addresses, each query or advertisement can only be forwarded on its own VLAN, not across VLANs. Broadcast and multicast traffic is usually filtered out of a WLAN to preserve airtime and battery life, which inhibits AirGroup services that rely on multicast traffic. AirGroup is designed to address this challenge.

The distributed AirGroup architecture allows each Instant AP to handle mDNS and DLNA queries and responses individually instead of overloading the network with these tasks. This results in a scalable AirGroup solution.

The AirGroup solution supports both wired and wireless devices. An AirGroup device can be registered by an administrator or a guest user.

1. The AirGroup administrator gives an end user the AirGroup operator role, which authorizes the user to register the client devices on the ClearPass Policy Manager platform.

2. Instant APs maintain information for all AirGroup services. The Instant AP queries ClearPass Policy Manager to map each device's access privileges to the available services and responds to the query made by a device based on contextual data such as user role, username, and location.

The following figure illustrates how AirGroup enables personal sharing of Apple devices:

Figure 1  AirGroup Enables Personal Device Sharing


AirGroup is not supported on 3G and PPPoE uplinks.

For Apple TV mirroring to work, both the Apple TV and the users must be on either virtual controller-assigned VLANs or network-assigned VLANs. Otherwise, Apple TV mirroring does not work.

Multicast DNS and Bonjour® Services

Bonjour is the trade name for the zero configuration implementation introduced by Apple. It is supported by most of the Apple product lines, including the Mac OS X operating system, iPhone, iPod Touch, iPad, Apple TV, and AirPort Express. Apple AirPlay and AirPrint services are based on the Bonjour protocol and are essential services in campus Wi-Fi networks.

Bonjour can be installed on computers running Microsoft Windows® and is supported by newer network-capable printers. Bonjour is also included with popular software programs such as Apple iTunes, Safari, and iPhoto. Bonjour uses mDNS to locate devices and the services offered by these devices.

As shown in the following figure, Instant AP1 discovers AirPrint (P1) and Instant AP3 discovers Apple TV (TV1). Instant AP1 advertises information about its connected P1 device to the other Instant APs, that is, Instant AP2 and Instant AP3. Similarly, Instant AP3 advertises the TV1 device to Instant AP1 and Instant AP2. This distributed architecture allows any Instant AP to respond to its connected devices locally. In this example, the iPad connected to Instant AP2 obtains a direct response from that same Instant AP about the other Bonjour-enabled services in the network.

Figure 2   Bonjour Services and AirGroup Architecture

For a list of supported Bonjour services, see AirGroup Services.

Multicast DNS Server Cache Age Out Behavior

When an mDNS wireless server disconnects abruptly from the Instant AP, its server entry and server cache entries are removed when the inactivity time reaches the configured threshold. The corresponding server and cache entries on the other Instant APs in the swarm are removed once they receive the update through the database sync messages.

Users can configure the AirGroup wireless mDNS server cache age-out timer in the SSID profile using the following command:

(Instant AP)(config)# wlan ssid-profile <name>
(Instant AP)(SSID Profile "<name>")# inactivity-timeout <seconds>


This setting applies only to wireless mDNS servers, not to DLNA servers or wired servers.

DLNA UPnP Support

In addition to the mDNS protocol, Instant APs support UPnP and DLNA enabled devices. DLNA is a network standard derived from UPnP, which enables devices to discover the services available in a network. DLNA also provides the ability to share data between Windows or Android-based multimedia devices. All the features and policies applicable to mDNS are extended to DLNA to ensure full interoperability between compliant devices.

In a UPnP-based scenario, the following types of devices are available in a network:

Controlled devices (servers)

Control points (clients)

When a controlled device joins a network and acquires an IP address, it multicasts a number of discovery messages advertising itself, its embedded devices, and its services. When a control point joins a network, it may multicast a search discovery message to find devices and services of interest. The devices listening on the multicast address respond if they match the search criteria in the search message.

In a single Instant AP network, the Instant AP maintains a cache table containing the list of discovered services in the network. The Instant AP also enforces native policies, such as disallowed roles and VLANs, and the policies defined on ClearPass Policy Manager to determine which devices or services are allowed and can be discovered in the network. Whenever a search request arrives, the Instant AP looks up its cache table, filters the cached data based on the configured policies, builds a search response, and unicasts it to the requesting device.
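The cache lookup, policy filtering and unicast response described above, together with the inactivity age-out from Multicast DNS Server Cache Age Out Behavior, modelled in Python as an added example (this is not Aruba code and does not reflect the Instant AP implementation). The SSDP M-SEARCH and response layout is the standard UPnP one; the ServiceEntry fields, NativePolicy, the per-device shared role list and all sample values are constructed assumptions.

```python
from dataclasses import dataclass


@dataclass
class ServiceEntry:
    """One discovered UPnP/DLNA server as the AP caches it (constructed fields)."""
    usn: str                 # unique service name the server advertised
    st: str                  # search target (device or service type) it advertised
    location: str            # URL of its device description document
    vlan: int                # VLAN it was discovered on; not used for filtering,
                             # since AirGroup answers across VLANs
    last_seen: float         # time of the server's last advertisement
    shared_roles: frozenset = frozenset()  # shared role list; empty = any role


@dataclass
class NativePolicy:
    """AP-local policy: requesters in these roles or VLANs get no responses."""
    disallowed_roles: frozenset = frozenset()
    disallowed_vlans: frozenset = frozenset()


def parse_msearch(datagram):
    """Return the ST header of an SSDP M-SEARCH, or None if it is not a valid search."""
    lines = datagram.split("\r\n")
    if lines[0].strip() != "M-SEARCH * HTTP/1.1":
        return None
    headers = {}
    for line in lines[1:]:
        if not line:            # empty line ends the header block
            break
        key, sep, value = line.partition(":")
        if sep:
            headers[key.strip().upper()] = value.strip()
    if headers.get("MAN") != '"ssdp:discover"':
        return None
    return headers.get("ST")


class DiscoveryCache:
    def __init__(self, inactivity_timeout):
        self.inactivity_timeout = inactivity_timeout   # age-out threshold in seconds
        self.entries = {}                              # usn -> ServiceEntry

    def learn(self, entry):
        self.entries[entry.usn] = entry

    def age_out(self, now):
        """Remove servers silent for longer than the threshold; return their USNs."""
        expired = [usn for usn, e in self.entries.items()
                   if now - e.last_seen > self.inactivity_timeout]
        for usn in expired:
            del self.entries[usn]
        return expired

    def search(self, datagram, role, vlan, policy, now):
        """Answer one M-SEARCH from a client in (role, vlan) with unicast responses."""
        st = parse_msearch(datagram)
        if st is None:
            return []
        self.age_out(now)
        if role in policy.disallowed_roles or vlan in policy.disallowed_vlans:
            return []
        responses = []
        for e in self.entries.values():
            if st != "ssdp:all" and e.st != st:
                continue                       # not what the client asked for
            if e.shared_roles and role not in e.shared_roles:
                continue                       # device not shared with this role
            responses.append("\r\n".join([
                "HTTP/1.1 200 OK",
                "CACHE-CONTROL: max-age=1800",   # constructed lifetime
                "EXT:",
                f"LOCATION: {e.location}",
                f"ST: {e.st}",
                f"USN: {e.usn}",
                "", "",
            ]))
        return responses
```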

In an Instant AP cluster, the Instant APs maintain a list of associated UPnP devices and allow the discovery of the associated devices.

The following figure illustrates DLNA UPnP services and the AirGroup architecture.

Figure 3  DLNA UPnP Services and AirGroup Architecture

For a list of supported DLNA services, see AirGroup Services.

AirGroup Features

AirGroup supports the following features:

Sends unicast responses to mDNS or DLNA queries and reduces the traffic footprint.

Ensures cross-VLAN visibility and availability of AirGroup devices and services.

Allows or blocks AirGroup services for all users.

Allows or blocks AirGroup services based on user roles.

Allows or blocks AirGroup services based on VLANs.

Matches devices to their closest services such as printers.

In a multiple-cluster scenario, when a client roams from one cluster to another, whether a service is allowed or blocked based on the user role or the VLAN depends on the configuration settings of the new cluster. For example, a user role may not be allowed to access a service on one cluster but be allowed to access the same service on another cluster. In this case, the client receives the configuration of the new cluster, in which it can access the service.

AirGroup also enables context awareness for services across the network:

AirGroup is aware of personal and shared devices. For example, an Apple TV in a dorm room can be associated with the student who owns it, while an Apple TV in a meeting room or a printer in a supply room can be made available to certain users, such as the marketing department.

AirGroup is aware of the location of services when ClearPass Policy Manager support is enabled. For example, depending on the proximity, a user would be presented with the closest printer instead of all the printers in the building.

When configured, AirGroup enables a client to perform a location-based discovery. For example, when a client roams from one Instant cluster to another, it can discover devices available in the new cluster to which the client is currently connected.

The following figure shows an example of a higher-education environment with shared, local, and personal services available to mobile devices.

Figure 4  AirGroup in a Higher-Education Environment


When AirGroup discovers a new device, it interacts with ClearPass Policy Manager to obtain the shared attributes such as shared location and role. However, the current versions of Instant APs do not support the enforcement of shared location policy.

AirGroup Services

AirGroup supports zero configuration services. The services are preconfigured and are available as part of the factory default configuration. The administrator can also enable or disable any or all services by using the WebUI or the CLI.

The following services are available for Instant AP clients:

AirPlay™—Apple® AirPlay allows wireless streaming of music, video, and slide shows from your iOS device to Apple TV® and other devices that support the AirPlay feature.

AirPrint™—Apple AirPrint allows you to print from an iPad®, iPhone®, or iPod® Touch directly to any AirPrint-compatible printers.

iTunes—The iTunes service is used by iTunes Wi-Fi sync and iTunes home-sharing applications across all Apple devices.

RemoteMgmt—The RemoteMgmt service allows remote login, remote management, and FTP utilities on Apple devices.

Sharing—The Sharing service allows applications such as disk sharing and file sharing among Apple devices.

ChromeCast—The ChromeCast service allows you to use a ChromeCast device to play audio or video content on a high-definition television by streaming content through Wi-Fi from the Internet or the local network.

DLNA Media—Applications such as Windows Media Player use this service to browse and play media content on a remote device.

DLNA Print—This service is used by printers that support DLNA.


In the Instant 6.4.0.2-4.1.0.0 release, it is recommended to have a maximum of 80 AirGroup servers in the network.

For more information on configuring AirGroup services, see In the Old WebUI.

AirGroup Components

AirGroup leverages key elements of the Aruba solution portfolio, including the Instant operating system software, ClearPass Policy Manager, and the VLAN-based or role-based filtering options offered by the AirGroup services. The components that make up the AirGroup solution are the Instant AP, ClearPass Policy Manager, and ClearPass Guest. The version requirements are described in the following table:

Table 1: Instant AP, ClearPass Policy Manager, and ClearPass Guest Requirements

Component                         | Minimum Version for mDNS Services | Minimum Version for DLNA Services
Instant Access Point              | Instant 6.2.0.0-3.2.0.0           | Instant 6.4.0.2-4.1.0.0
ClearPass Policy Manager software | ClearPass Policy Manager 5.2      | ClearPass Policy Manager 6.2
ClearPass Guest Services plugin   | ClearPass Guest 6.2.0             | ClearPass Guest 6.3.0

Starting from ClearPass Policy Manager version 6.0, ClearPass Guest and the AirGroup Services plug-in are integrated into a single platform.

AirGroup maintains seamless connectivity between clients and services across VLANs and SSIDs. The following table summarizes the filtering options supported by Instant:

Table 2: AirGroup Filtering Options

The two right-hand columns are the Instant deployment models.

Features                                                         | Integrated with ClearPass Guest | Integrated with ClearPass Policy Manager
Allow mDNS and DLNA traffic to propagate across subnets or VLANs | Yes                             | Yes
Limit mDNS and DLNA traffic on the network                       | Yes                             | Yes
VLAN-based AirGroup service policy enforcement                   | Yes                             | Yes
User-role-based AirGroup service policy enforcement              | Yes                             | Yes
Portal to self-register personal devices                         | No                              | Yes
Device-owner-based policy enforcement                            | No                              | Yes
Shared user-list-based policy enforcement                        | No                              | Yes
Shared role-list-based policy enforcement                        | No                              | Yes

ClearPass Policy Manager and ClearPass Guest Features

ClearPass Policy Manager and ClearPass Guest support the following features:

Registration portal for WLAN users to register their personal devices.

Registration portal for WLAN administrators to register shared devices.

Operator-defined personal AirGroup to specify a list of other users who can share devices with the operator.

Administrator-defined username, user role, and location attributes for shared devices.