Controller Based WLANs

How is the AP whitelist table synchronized in ArubaOS 5.0?

Product and Software: This article applies to Aruba controllers running ArubaOS 5.0 or later.

Whitelist Overview

  • The whitelist is used to grant valid APs secure access to the network and to deny access to invalid or rogue APs.
  • During the first two hours after the upgrade to ArubaOS 5.0, all AP MAC addresses are automatically added to the whitelist table in the state "approved-ready-for-cert".
  • APs can be added to the whitelist table manually, or automatically by enabling "auto-cert-prov".
  • APs can be deleted from the whitelist.
  • APs can be revoked. The mode is turned to "disable" in the whitelist.
  • The whole whitelist table can be purged completely. This purge is usually done when a controller is added to or removed from a network.
  • Configurable and non-configurable AP states:
    o unapproved-no-cert (for legacy APs)
    o unapproved-factory-cert (for AP105, AP125)
    o approved-ready-for-cert
    o certified-controller-cert (for legacy APs)
    o certified-factory-cert (for AP105, AP125)
    o certified-hold-controller-cert (for legacy APs)
    o certified-hold-factory-cert (for AP105, AP125)
  • Each whitelist entry uses the delta "controller current time - controller up time" as its virtual timestamp:
    virtual timestamp = t_c - t_i
  • Each entry maintains a column 'modifier' that stores the name of the controller that last modified the entry.
  • When an entry is modified in one controller:
    o its time delta is bigger, so its virtual timestamp is newer.
    o the newer entry wins over the older entry.
    o older entries are replaced by newer ones.
    o the controller's system sequence number is incremented by "1":

#show whitelist-db cpsec-seq
Table Name        Current Seq Number
cpsec_whitelist   40

  • All controllers add, change, and delete whitelist entries independently.


Campus AP Whitelist Synchronization

  • The whitelist is synchronized every 2 minutes between neighboring controllers (master and locals, cluster root and cluster members). This predefined interval is not configurable.

#show whitelist-db cpsec
MAC-Address        Enable   State                      Cert-Type        Description  Revoke Text  Secondary Key  Last Updated
00:24:6c:c0:20:58  Enabled  certified-factory-cert     factory-cert                                               Wed Jan 20 09:42:37 2010
00:0b:86:c4:f8:38  Enabled  certified-controller-cert  controller-cert                                            Wed Jan 20 09:43:18 2010
00:1a:1e:c1:26:aa  Enabled  certified-factory-cert     factory-cert                                               Wed Jan 20 10:39:18 2010
00:0b:86:cc:03:22  Enabled  certified-controller-cert  controller-cert                                            Wed Jan 20 10:41:18 2010

  • Only new whitelist changes get synced, not the whole table.
  • A local controller maintains its master information.

Local1#show whitelist-db cpsec-master-ctlr-list
Active  MAC-Address        IP-Address     Sequence Number  Remote Sequence Number  NULL Update Count  Local Purge  Remote Purge  Remote Last-Seq
1       00:0b:86:03:53:20  10.168.14.233  12               1                       2                  0            0             1
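The rules above (virtual timestamp t_c - t_i, the 'modifier' column, the sequence number that increases by one per local change, and the delta sync that sends only new changes between neighboring controllers) combine into a small merge protocol. The following model is an added example, not Aruba's code; the field names and the "newer virtual timestamp wins" rule follow this article, while the way a receiving controller re-sequences an accepted change so that a master can forward it to its other locals is an assumption of the model. The MAC addresses are taken from the output shown above, and the controller names, up times and clock values are constructed.

```python
"""Model of ArubaOS 5.0 campus AP whitelist synchronization (added example,
not Aruba's code). Assumptions: virtual timestamp = controller current time -
controller up time (up time taken as the time the controller came up); every
local change increments the controller's sequence number by 1; a sync sends
only entries newer than the sequence number the peer last saw; an accepted
remote change is re-sequenced locally so it propagates to other neighbors."""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Entry:
    mac: str
    state: str       # e.g. "approved-ready-for-cert", "certified-factory-cert"
    enabled: bool    # False once the AP has been revoked
    vts: int         # virtual timestamp t_c - t_i, in seconds
    modifier: str    # name of the controller that last modified the entry
    seq: int         # owner's sequence number when the entry was last written


class Controller:
    def __init__(self, name, up_time):
        self.name = name
        self.up_time = up_time      # t_i (assumed: time the controller came up)
        self.seq = 0                # value shown by "show whitelist-db cpsec-seq"
        self.table = {}             # mac -> Entry
        self.peer_last_seq = {}     # peer name -> highest peer seq received ("Remote Last-Seq")

    def _vts(self, now):
        return now - self.up_time

    def _write(self, entry):
        """Every local add/change bumps the sequence number by 1 (per the article)."""
        self.seq += 1
        self.table[entry.mac] = replace(entry, seq=self.seq)

    def set_state(self, mac, state, now):
        """Manual add or state change of an AP entry on this controller."""
        self._write(Entry(mac, state, True, self._vts(now), self.name, 0))

    def revoke(self, mac, now):
        """Revoking turns the entry's mode to disabled; the entry stays in the table."""
        self._write(replace(self.table[mac], enabled=False, vts=self._vts(now), modifier=self.name))

    def changes_since(self, last_seq):
        """Delta sync: only entries written after the peer's last seen seq are sent."""
        return [e for e in self.table.values() if e.seq > last_seq]

    def receive(self, peer_name, peer_seq, entries):
        """Merge rule: a strictly newer virtual timestamp wins and replaces the older entry."""
        for e in entries:
            cur = self.table.get(e.mac)
            if cur is None or e.vts > cur.vts:
                self._write(e)      # re-sequenced locally so it propagates onward (assumption)
        self.peer_last_seq[peer_name] = peer_seq


def sync(a, b):
    """One synchronization round between neighboring controllers (master/local, root/member).
    Returns (entries sent a->b, entries sent b->a)."""
    a_to_b = a.changes_since(b.peer_last_seq.get(a.name, 0))
    b_to_a = b.changes_since(a.peer_last_seq.get(b.name, 0))
    a_seq, b_seq = a.seq, b.seq
    b.receive(a.name, a_seq, a_to_b)
    a.receive(b.name, b_seq, b_to_a)
    return len(a_to_b), len(b_to_a)


def converged(*ctrls):
    """True when every controller holds the same (state, enabled, modifier, vts) per MAC."""
    views = [{m: (e.state, e.enabled, e.modifier, e.vts) for m, e in c.table.items()} for c in ctrls]
    return all(v == views[0] for v in views)


def scenario():
    """Constructed walk-through: one master, two locals, a conflicting edit on one AP."""
    m, l1, l2 = Controller("M", 0), Controller("Local1", 0), Controller("Local2", 0)
    ap1, ap2 = "00:24:6c:c0:20:58", "00:0b:86:c4:f8:38"   # MACs from the article's output
    m.set_state(ap1, "approved-ready-for-cert", now=100)
    l1.set_state(ap2, "certified-factory-cert", now=110)
    r1 = sync(m, l1)                 # each side sends its one new entry
    r2 = sync(m, l2)                 # master forwards both; Local2 has nothing new
    l2.revoke(ap1, now=140)          # Local2 revokes ap1 ...
    m.set_state(ap1, "approved-ready-for-cert", now=141)  # ... master re-approves one second later
    r3 = sync(m, l2)                 # the newer virtual timestamp (master's) wins on both sides
    sync(m, l1)                      # master forwards the winning entry to Local1
    return m, l1, l2, (r1, r2, r3)


if __name__ == "__main__":
    m, l1, l2, rounds = scenario()
    print("entries exchanged per round:", rounds)
    print("converged:", converged(m, l1, l2), "seq numbers:", (m.seq, l1.seq, l2.seq))
```

Two points the walk-through makes visible: the conflicting revoke on Local2 loses only because the master's edit carries a larger time delta, so controllers whose clocks or up times diverge can silently overrule each other's whitelist changes, and each sync round carries only the entries written since the peer's "Remote Last-Seq", which is why the sequence counters in the controller lists are worth watching when a local's whitelist appears stale.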

  • A master controller maintains a list of local controllers, and also a master list if it is part of a master cluster.

M3#show whitelist-db cpsec-local-ctlr-list
Active  MAC-Address        IP-Address      Sequence Number  Remote Sequence Number  NULL Update Count  Local Purge  Remote Purge  Remote Last-Seq
0       00:0b:86:61:3a:e0  10.168.125.241  1                12                      0                  0            0             12
0       00:0b:86:61:15:50  10.168.125.161  1                6                       0                  0            0             6

  • The local list contains an entry for every controller the master has ever seen; these entries are never deleted automatically.
  • Delete the entries of local controllers that are permanently disconnected; otherwise they waste controller resources.
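Because stale local-controller entries are never removed on their own, a periodic review of "show whitelist-db cpsec-local-ctlr-list" is the practical check. The parser below is an added example, not Aruba's code: it reads the output format shown above into records and lists the controllers that are not active so an administrator can decide which to delete. The sample text is constructed from the article's output, and treating Active=0 as "not currently connected" is an assumption.

```python
"""Parse "show whitelist-db cpsec-local-ctlr-list" output and list controllers
that are not active (added example, not Aruba's code). Column names come from
the header line; that Active=0 means a currently disconnected controller is an
assumption, so the result is a review list, not an automatic deletion."""
import re

# Constructed sample, modelled on the output shown in the article.
SAMPLE = """\
M3#show whitelist-db cpsec-local-ctlr-list
Active MAC-Address IP-Address Sequence Number Remote Sequence Number NULL Update Count Local Purge Remote Purge Remote Last-Seq
1 00:0b:86:61:3a:e0 10.168.125.241 1 12 0 0 0 12
0 00:0b:86:61:15:50 10.168.125.161 1 6 0 0 0 6
"""

FIELDS = ("active", "mac", "ip", "seq", "remote_seq", "null_update_count",
          "local_purge", "remote_purge", "remote_last_seq")

# One data row: active flag, MAC, IPv4 address, then six integer counters.
ROW = re.compile(
    r"^([01])\s+([0-9a-f]{2}(?::[0-9a-f]{2}){5})\s+(\d{1,3}(?:\.\d{1,3}){3})"
    r"\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*$",
    re.IGNORECASE,
)


def parse_ctlr_list(text):
    """Return one dict per controller row; the prompt and header lines are skipped."""
    rows = []
    for line in text.splitlines():
        match = ROW.match(line.strip())
        if not match:
            continue
        row = dict(zip(FIELDS, match.groups()))
        for key in FIELDS:
            if key not in ("mac", "ip"):
                row[key] = int(row[key])
        row["active"] = bool(row["active"])
        rows.append(row)
    return rows


def inactive_controllers(rows):
    """Controllers with Active=0: candidates for deletion if permanently disconnected."""
    return [r for r in rows if not r["active"]]


if __name__ == "__main__":
    for r in inactive_controllers(parse_ctlr_list(SAMPLE)):
        print(f"review: {r['mac']} {r['ip']} remote seq {r['remote_seq']} "
              f"last-seq {r['remote_last_seq']}")
```

Run it against the saved output of the command from each master; an entry that stays inactive across several reviews while its Remote Sequence Number never changes is the kind of permanently disconnected local the article says to delete.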
Version History
Revision #: 1 of 1
Last update: 07-05-2014 03:09 AM