
What are the successive states of a legacy AP after it upgrades to ArubaOS 5.0 with CPsec on?

Jul 05, 2014 07:05 AM

Product and Software: This article applies to all Aruba legacy APs (AP-6x and AP-70) and ArubaOS 5.0 or later.

CPsec (control plane security) is on by default in ArubaOS 5.0. After legacy APs such as the AP-70 and AP-60/61/65 are upgraded to ArubaOS 5.0, for the first two hours the controllers add all the APs to the whitelist table in the "approved-ready-for-cert" state. The controllers synchronize the whitelist table with their neighbor controllers.

Each AP then goes through the following state changes and comes up with a certificate-based IPsec tunnel established with its LMS controller:

1) The AP has upgraded to ArubaOS 5.0 and rebooted, and it communicates with its LMS controller using clear channel PAPI 8211. The controller sends a CSR request to the AP, the AP generates a key pair and a CSR, and the AP sends the CSR to the controller.

AP Database
Name  Group  AP Type  IP Address      Status          Flags  Switch IP
ap70  test   70       10.168.121.181  Generating CSR  I      10.168.14.31


2) The AP receives the certificate from the controller and saves it in the appropriate place in memory.

AP Database
Name  Group  AP Type  IP Address      Status           Flags  Switch IP
ap70  test   70       10.168.121.181  Installing cert  I      10.168.14.31


3) After the AP gets the certificate, the AP reboots.

AP Database
Name  Group  AP Type  IP Address      Status     Flags  Switch IP
ap70  test   70       10.168.121.181  Rebooting  I      10.168.14.31


4) The AP communicates with its LMS controller using Aruba-Secure-Port UDP 8209 and establishes a certificate-based IPsec tunnel for the control plane. The state of the AP in the whitelist table becomes "certified-controller-cert".

AP Database
Name  Group  AP Type  IP Address      Status     Flags  Switch IP
ap70  test   70       10.168.121.181  Up 1m:50s         10.168.14.31

#show whitelist-db cpsec
Control-Plane Security Whitelist-entry Details
----------------------------------------------
MAC-Address        Enable   State                      Cert-Type        Description  Revoke Text  Secondary Key  Last Updated
-----------        ------   -----                      ---------        -----------  -----------  -------------  ------------
00:0b:86:c4:f8:38  Enabled  certified-controller-cert  controller-cert                                           Sat Jan 30 04:25:39
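
The following is an added example, not part of the original article or of ArubaOS: a Python check that an AP's polled Status values follow steps 1 to 4 and that an AP reporting "Up" also shows "certified-controller-cert" in the whitelist. The function names, the verdict strings, the per-MAC polling input and every sample row except the article's own whitelist entry are assumptions made for illustration.

```python
import re

# Status values and whitelist states are the ones quoted in the article.
STAGES = ["Generating CSR", "Installing cert", "Rebooting", "Up"]
CERTIFIED = "certified-controller-cert"
# A whitelist data row starts with MAC, Enable, State (header rows do not match).
ROW = re.compile(r"^([0-9a-f]{2}(?::[0-9a-f]{2}){5})\s+(\S+)\s+(\S+)", re.I)

def parse_whitelist(text):
    """Map MAC -> whitelist state from 'show whitelist-db cpsec' output."""
    rows = map(ROW.match, (line.strip() for line in text.splitlines()))
    return {m.group(1).lower(): m.group(3) for m in rows if m}

def stage_of(status):
    """Index of the step (0-3) a Status value belongs to, or None."""
    for i, name in enumerate(STAGES):
        if status.startswith(name):  # "Up 1m:50s" counts as "Up"
            return i
    return None

def audit(whitelist_text, polled):
    """polled: MAC -> Status values seen over time (hypothetical input format).
    Returns MAC -> verdict string (verdict names are this example's own)."""
    states = parse_whitelist(whitelist_text)
    result = {}
    for mac, statuses in polled.items():
        idx = [stage_of(s) for s in statuses]
        state = states.get(mac.lower())
        if state is None:
            result[mac] = "not-in-whitelist"
        elif None in idx or idx != sorted(idx):
            result[mac] = "unexpected-status-sequence"  # unknown or backwards step
        elif idx and idx[-1] == len(STAGES) - 1:
            result[mac] = "secured" if state == CERTIFIED else "up-without-certified-state"
        else:
            result[mac] = "in-progress"
    return result

# Constructed sample: first data row is the article's entry, the rest is invented.
SAMPLE_WHITELIST = """\
MAC-Address        Enable   State
00:0b:86:c4:f8:38  Enabled  certified-controller-cert
00:0b:86:00:00:01  Enabled  approved-ready-for-cert
"""
SAMPLE_POLLS = {
    "00:0b:86:c4:f8:38": ["Generating CSR", "Installing cert", "Rebooting", "Up 1m:50s"],
    "00:0b:86:00:00:01": ["Generating CSR", "Up 3m:10s"],
    "00:0b:86:00:00:02": ["Generating CSR"],
}

if __name__ == "__main__":
    for mac, verdict in audit(SAMPLE_WHITELIST, SAMPLE_POLLS).items():
        print(mac, verdict)
```

An AP flagged "up-without-certified-state" is up without matching the end state described in step 4, so it is the entry to review first.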
