Controller Based WLANs

How to upgrade AP firmware when the FTP and TFTP protocols are blocked for security reasons?

Aruba Employee
Requirement:

How to upgrade AP firmware when the FTP and TFTP protocols are blocked for security reasons on the customer network?



Solution:

The solution provided in this article applies only to APs that are already active on the controller. It does not apply to new out-of-the-box APs, or to APs that are talking to the controller for the first time and whose MAC addresses are not yet in the CPsec whitelist and authenticated.

If a new AP is not on the controller's whitelist, it will not join the controller until the new image and cert are provisioned onto the controller. If the AP has not joined the controller and does not have its cert approved on the controller, the AP must initially communicate with the controller using the FTP/TFTP protocols.

Once an AP has joined the controller and its cert is in the CPsec (Control Plane Security) whitelist, all future upgrades to that same controller take place within the CPsec tunnel. With CPsec enabled, FTP/TFTP therefore does not need to be allowed on the network, because the AP uses the CPsec tunnel for further communication.



Configuration:

To enable CPsec:

(Aruba-Master) #configure terminal
Enter Configuration commands, one per line. End with CNTL/Z

(Aruba-Master) (config) #control-plane-security
(Aruba-Master) (Control Plane Security Profile) #cpsec-enable

 

To add an AP to the CPsec whitelist manually:

(Aruba-Master) #configure terminal
Enter Configuration commands, one per line. End with CNTL/Z

(Aruba-Master) (config) #whitelist-db cpsec add mac-address 11:11:11:11:11:11 ap-group test ap-name test-ap description testing-cpsec

 

To add an AP to the CPsec whitelist automatically:

(Aruba-Master) (config) #control-plane-security
(Aruba-Master) (Control Plane Security Profile) #auto-cert-prov
 

 



Verification

To verify that CPsec is enabled:

 

(Aruba-Master) #show control-plane-security

Control Plane Security Profile
------------------------------
Parameter                    Value
---------                    -----
Control Plane Security       Enabled
Auto Cert Provisioning       Enabled
Auto Cert Allow All          Enabled
Auto Cert Allowed Addresses  N/A

 

To verify that the entry for the AP is in the CPsec whitelist:

 

(Aruba-Master)#show whitelist-db cpsec


Control-Plane Security Whitelist-entry Details
----------------------------------------------
MAC-Address        AP-Group  AP-Name  Enable   State                    Cert-Type     Description  Revoke Text  Last Updated
-----------        --------  -------  ------   -----                    ---------     -----------  -----------  ------------
11:11:11:11:11:11  test      test-ap  Enabled  approved-ready-for-cert  switch-cert    testing-cpsec                       Tue Jun 28 21:57:32 2016
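The following pre-check is an added example, not part of the original article or Aruba's tooling: it parses saved output of the two show commands above and lists what should be resolved before FTP/TFTP is blocked, since any AP missing from the whitelist would still depend on those protocols. The sample output (trimmed to the first six whitelist columns), the second AP, the inventory list and all function names are constructed for illustration; treating "Auto Cert Allow All" as a review item is an assumed site policy.

```python
import re

# Constructed sample output, in the format of the two show commands above.
SHOW_CPSEC = """\
Parameter                    Value
---------                    -----
Control Plane Security       Enabled
Auto Cert Provisioning       Enabled
Auto Cert Allow All          Enabled
Auto Cert Allowed Addresses  N/A
"""
SHOW_WHITELIST = """\
MAC-Address        AP-Group  AP-Name   Enable    State                    Cert-Type
-----------        --------  -------   ------    -----                    ---------
11:11:11:11:11:11  test      test-ap   Enabled   approved-ready-for-cert  switch-cert
22:22:22:22:22:22  test      lobby-ap  Disabled  approved-ready-for-cert  switch-cert
"""
MAC_RE = re.compile(r"^(?:[0-9a-f]{2}:){5}[0-9a-f]{2}$", re.I)

def parse_profile(text):
    """Map each 'Parameter  Value' row to a dict entry."""
    rows = (re.split(r"\s{2,}", ln.strip()) for ln in text.splitlines())
    return {r[0]: r[1] for r in rows
            if len(r) == 2 and r[0] != "Parameter" and not r[0].startswith("-")}

def parse_whitelist(text):
    """Map MAC -> Enable column; assumes AP group/name contain no spaces."""
    rows = (ln.split() for ln in text.splitlines())
    return {f[0].lower(): f[3] for f in rows if len(f) >= 6 and MAC_RE.match(f[0])}

def precheck(profile_text, whitelist_text, inventory):
    """Findings to resolve before FTP/TFTP is blocked."""
    findings, profile = [], parse_profile(profile_text)
    if profile.get("Control Plane Security") != "Enabled":
        findings.append("CPsec is not enabled")
    if profile.get("Auto Cert Allow All") == "Enabled":
        findings.append("review: auto cert provisioning is not limited to listed addresses")
    wl, inv = parse_whitelist(whitelist_text), {m.lower() for m in inventory}
    for mac in sorted(inv):
        if mac not in wl:
            findings.append(f"{mac}: not in CPsec whitelist")
        elif wl[mac] != "Enabled":
            findings.append(f"{mac}: whitelist entry is {wl[mac]}")
    findings += [f"{mac}: whitelisted but not in inventory" for mac in sorted(set(wl) - inv)]
    return findings

if __name__ == "__main__":
    for f in precheck(SHOW_CPSEC, SHOW_WHITELIST, ["11:11:11:11:11:11", "33:33:33:33:33:33"]):
        print(f)
```

An empty result means every inventoried AP has an enabled whitelist entry and no unexpected MAC is whitelisted.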
 

Version history
Revision #: 2 of 2
Last update: 07-21-2016 02:18 PM