5.x and above for Aruba OS
• IPsec secures control plane traffic between the campus AP (CAP) and the controller using public-key self-signed certificates created by each master controller.
• Non-legacy APs have factory-installed certificates for IPsec and do not need a certificate from the controller.
• When the controller sends an AP a certificate, that AP must reboot before it can connect to its controller over a secure channel.
control-plane-security
auto-cert-allowed-addrs <ipaddress-start> <ipaddress-end>
auto-cert-allow-all
auto-cert-prov
{no cpsec-enable}|cpsec-enable
Example:
(host)(config) # control-plane-security
auto-cert-prov
no auto-cert-allow-all
auto-cert-allowed-addrs 192.0.2.0 192.0.2.20
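The stanza above limits automatic certificate issue to one address range. The sketch below is an added example, not Aruba code: it reads such a stanza and reports which AP addresses it would certify automatically and which settings widen that. The function names are hypothetical, the range ends are assumed to be inclusive, and a setting the stanza does not state is reported as unspecified rather than guessed from controller defaults.

```python
import ipaddress
import re

# Constructed input: the example stanza from this page, CLI prompt included.
SAMPLE = """(host)(config) # control-plane-security
auto-cert-prov
no auto-cert-allow-all
auto-cert-allowed-addrs 192.0.2.0 192.0.2.20
"""
FLAGS = ("cpsec-enable", "auto-cert-prov", "auto-cert-allow-all")

def parse_cpsec(text):
    """Read the stanza into flags (True/False/None = not stated) and address ranges."""
    state = {flag: None for flag in FLAGS}
    state["ranges"] = []
    for raw in text.splitlines():
        line = re.sub(r"^\(.*?\)\s*#\s*", "", raw.strip())  # drop "(host)(config) # "
        negated = line.startswith("no ")
        words = line[3:].split() if negated else line.split()
        if not words:
            continue
        if words[0] in FLAGS:
            state[words[0]] = not negated
        elif words[0] == "auto-cert-allowed-addrs" and len(words) == 3 and not negated:
            state["ranges"].append(tuple(ipaddress.ip_address(w) for w in words[1:]))
    return state

def auto_cert_decision(state, ap_ip):
    """Say whether the stanza lets an AP at ap_ip receive a certificate automatically."""
    if state["auto-cert-prov"] is not True:
        return "not auto-certified"
    if state["auto-cert-allow-all"] is True:
        return "auto (allow-all)"
    if state["auto-cert-allow-all"] is None:
        return "unspecified"  # depends on the controller default, not on this stanza
    ip = ipaddress.ip_address(ap_ip)
    hit = any(lo.version == ip.version and lo <= ip <= hi for lo, hi in state["ranges"])
    return "auto (in range)" if hit else "not auto-certified"

def findings(state):
    """List settings that widen automatic certificate issue or look mistaken."""
    out = []
    if state["cpsec-enable"] is False:
        out.append("control plane security is disabled")
    if state["auto-cert-prov"] and state["auto-cert-allow-all"] is not False:
        out.append("auto-cert-prov without an explicit 'no auto-cert-allow-all'")
    out += [f"reversed range {lo} {hi}" for lo, hi in state["ranges"]
            if lo.version == hi.version and lo > hi]
    return out

if __name__ == "__main__":
    st = parse_cpsec(SAMPLE)
    print(findings(st), auto_cert_decision(st, "192.0.2.21"))
```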
• Controllers using control plane security will only send certificates to APs that have been identified as valid APs on the network. For closer control over each AP that gets certified, you can manually add individual campus APs to the Campus AP Whitelist.
• Campus APs appear as valid APs in the campus AP whitelist when you manually enter their information into the whitelist.
• Any APs not approved or certified on the network will also be included in the campus AP whitelist, but these APs will appear in an unapproved state.
Commands used to check the whitelist DB and CPSEC status