Question- How to block devices from authenticating with the factory-installed Aruba certificate and use a custom certificate for authentication instead
Environment- This article applies to controllers running ArubaOS 6.1.x and above.
Answer- Initially, the "crypto isakmp block-aruba-ca enable" command blocked only the use of Aruba-issued (factory-installed) RAP certificates. It was added to support custom certificates on RAPs.
In a later FIPS release this functionality was extended to block validation of Aruba-issued certificates presented by every IPsec client, for example CPsec CAPs, RAPs, master-local, VIA, etc. The crypto isakmp block-aruba-ca command now applies to all IPsec connections regardless of connection type; previously it applied only to RAP connections. Note that while this command is enabled, features such as CPsec that depend on factory-installed device certificates no longer function. To keep master/local communication working with this command enabled, you must use custom certificates on both controllers.
(Master) #show crypto isakmp block-aruba-ca
Block ARUBA certified clients
(Master) (config) #crypto isakmp block-aruba-ca ?
disable Accept the ARUBA certified client certificates.
enable Reject the ARUBA certified client certificate. Use custom certificates
This command configures the controller to accept or reject Aruba-certified (factory-issued) client certificates:
enable Reject Aruba-certified client certificates and require custom certificates instead.
disable Accept Aruba-certified client certificates.
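The following sequence is an added example of the order in which a practitioner would apply the setting; it is not a transcript from the original article or from Aruba documentation. The certificate names CustomCA and CtrlServerCert are placeholders for a trusted CA and a server certificate that are assumed to be already imported on the controller, and every IPsec peer (RAPs, CPsec APs, local controllers, VIA clients) is assumed to have already been provisioned with certificates issued by that custom CA; peer provisioning itself is outside this example. Lines beginning with "!" are annotations, not commands.

```text
! Added example: safe order of operations when enabling block-aruba-ca.
! Assumptions: CustomCA and CtrlServerCert are placeholder names for a
! trusted CA and a server certificate already imported on the controller.

! 1. Record the current setting before changing anything.
(Master) #show crypto isakmp block-aruba-ca

! 2. Bind IKE/IPsec certificate authentication to the custom certificates
!    FIRST, so that peers presenting custom-CA certificates can still be
!    validated once the factory Aruba CA is rejected.
(Master) #configure terminal
(Master) (config) #crypto-local isakmp ca-certificate CustomCA
(Master) (config) #crypto-local isakmp server-certificate CtrlServerCert

! 3. Only now reject Aruba factory-issued client certificates. From this
!    point the block applies to every IPsec connection type (RAP, CPsec
!    CAP, master-local, VIA), not just RAPs.
(Master) (config) #crypto isakmp block-aruba-ca enable
(Master) (config) #end

! 4. Verify the new state and save the configuration.
(Master) #show crypto isakmp block-aruba-ca
(Master) #write memory

! Rollback, if peers start failing IKE authentication because they still
! present factory certificates:
(Master) #configure terminal
(Master) (config) #crypto isakmp block-aruba-ca disable
(Master) (config) #end
```

The ordering is the point: any peer that still presents a factory-installed Aruba certificate when step 3 is executed is refused, so a local controller, CPsec AP or RAP that has not yet received a custom certificate drops its tunnel and cannot be re-provisioned over IPsec. Complete the custom-certificate rollout on all peers, and on the master/local pair in particular, before enabling the block, and keep out-of-band access to the controller for the rollback.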