Groups in the MSP Mode
MSP groups are UI groups mapped to the default UI groups in the tenant account. If a tenant account is associated to a specific group in the MSP mode, the configuration changes to the devices associated with this tenant account are pushed only to the group in the tenant account view. However, MSP administrators can create more groups for a specific tenant by drilling down to a tenant account.
Template, Microbranch, WLAN Wireless Local Area Network. WLAN is a 802.11 standards-based LAN that the users access through a wireless connection. gateways, VPNC, AOS-CX, Monitoring only, and gateways with ArubaOS 10 architecture groups are not supported in the MSP mode. Creating, editing, and cloning of these groups is not allowed at MSP Managed Service Provider. The Managed Service Provider (MSP) mode is a multi-tenant operational mode that Aruba Central accounts can be converted into, provided these accounts have subscribed to the Aruba Central app.. However, these groups can be created and managed at each tenant account individually.
This section describes the following topics:
- MSP Group Illustration
- Tenant Default Group Overrides
- MSP Group Persona
- Creating an MSP Group Persona with ArubaOS 8 Architecture
- Cloning an MSP UI Group
- Deleting an MSP UI Group
MSP Group Illustration
As shown in the following figure, tenant A and tenant B are mapped to MSP group 1. The default group configuration for these tenants is inherited from MSP group 1 configuration. Tenant A has two additional user-defined groups that are independent of MSP group 1 configuration. Tenant B has one additional user-defined group that is independent of MSP group 1 configuration.
Tenant C is mapped to MSP group 2 configuration. Its default group configuration is inherited from MSP group 2. It also has one additional user-defined group that is independent of MSP group 2 configuration.
Tenant D has only one default group and its configuration is inherited from MSP group 3. Tenant E is not mapped to any MSP group. Its default group configuration is independent of any MSP group configuration. It can have additional user-defined groups as well, if required.
Figure 1 MSP Groups
Tenant Default Group Overrides
If a tenant is mapped to an MSP group, the configuration of its default group is inherited from the MSP group it is mapped to. Once mapped, except for any newly created WLAN SSID Service Set Identifier. SSID is a name given to a WLAN and is used by the client to access a WLAN network. and WLAN PSK Pre-shared key. A unique shared secret that was previously shared between two parties by using a secure channel. This is used with WPA security, which requires the owner of a network to provide a passphrase to users for network access. , other configurations are overridden.
As shown in the following figure, the mentioned configuration options are allowed on a tenant default group that is mapped to an MSP group:
- Creating a new WLAN SSID.
- Overriding the WLAN PSK for a WLAN inherited from an MSP group.
Figure 2 Default Group Overrides
Considerations for Editing a Tenant Default Group
- If a tenant default group does not have any devices assigned to it, then any MSP group can be mapped to that tenant default group.
- If a tenant default group has any devices assigned to it, mapping to a new MSP group is allowed only if the MSP group architecture and persona match with that of the tenant default group. If the MSP group and tenant default group persona do not match then the percolation is not allowed.
As a workaround, you can move all the devices from the tenant default group to a non-default group and then try mapping the MSP group.
- If a tenant default group has only access points assigned to it and is not shown in monitoring, mapping to a new MSP group is still allowed even if the MSP group and tenant default group persona and architecture do not match.
- If a tenant default group does not support a device type, adding such a type of factory default devices to the tenant default group is not supported. These devices will be moved to the unprovisioned group when they come up in Aruba Central.
- When a standard enterprise account is converted to an MSP account in Aruba Central 2.5.4 release, the MSP default group contains the gateway properties even if the MSP account is not an allowlisted account for gateways.
- When a standard enterprise account is converted to an MSP account in Aruba Central 2.5.4 release, such MSP default group will have an AOS-CX Switch persona along with AOS-S Switch. The AOS-CX persona is not supported in the MSP mode. Hence, mapping of this MSP default group to a tenant is not allowed.
