Question :
Why am I unable to change the AP-group of the RAP by changing the local-userdb-ap / whitelist-db?
How is it possible that the RAP can come up on the controller without local-userdb-ap / whitelist-db entry?
Why shouldn't I disable "Check certificate common name against AAA server" under the aaa authentication vpn "default-rap" profile?
Environment Information : This article applies to TPM based Aruba controllers (6xx, 3x00, 6000 and 72xx series) and APs running code versions 6.1 and above.
Symptoms :
1. RAP no longer changes to the new group when the local-userdb-ap / whitelist-db entry is modified.
2. RAP comes up on the controller even when the mac address is not present in local-userdb-ap / whitelist-db.
Cause :
When a cert-based Aruba RAP comes up on the controller, it identifies itself by presenting its embedded certificate. That certificate's CN contains the AP's wired MAC address.
The controller validates that CN against its own local-userdb-ap / whitelist-db.
We can add a RAP's entry on the controller using the following commands:
a. local-userdb-ap add (pre 6.3)
b. whitelist-db rap add (6.3 onwards)
From Aruba OS 6.1 onwards there is a parameter "Check certificate common name against AAA server" in aaa authentication vpn "default-rap". It is enabled by default.
#show aaa authentication vpn "default-rap"
VPN Authentication Profile "default-rap" (Predefined )
-----------------------------------------------------------------------------------------------------
Parameter Value
--------- -----
Server Group default
Max Authentication failures 0
Check certificate common name against AAA server Enabled
If it is disabled, the controller no longer checks the CN's validity against its own local-userdb-ap / whitelist-db, and the RAP comes up in the default AP group.
Aruba OS 6.1 and 6.2
#show aaa authentication vpn "default-rap"
VPN Authentication Profile "default-rap" (Predefined (changed))
-----------------------------------------------------------------------------------------------------
Parameter Value
--------- -----
Server Group default
Max Authentication failures 0
Check certificate common name against AAA server Disabled
Aruba OS 6.3 onwards
#show aaa authentication vpn default-rap
VPN Authentication Profile "default-rap" (Predefined (changed))
-----------------------------------------------------------------------------------------------
Parameter Value
--------- -----
Server Group default
Max Authentication failures 0
Check certificate common name against AAA server Disabled
Export VPN IP address as a route Enabled
User idle timeout N/A
Once this value is disabled, we can change the AP-group of the RAP by reprovisioning it without having to make any changes in the local-userdb-ap / whitelist-db.
Note: Disabling this can cause security issues. Without it, any RAP can come up on your controller without being checked against the local-userdb-ap / whitelist-db.
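The lookup described above, modelled as an added Python example (not Aruba's code): the whitelist contents, MAC addresses and certificate subject layout are constructed, and certificate chain validation is assumed to have already passed before the CN is examined. It reproduces both symptoms: with the lookup enabled an unknown MAC is rejected and a whitelist change moves the RAP to the new group; with it disabled every RAP lands in the default group and whitelist edits have no effect.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed whitelist-db: wired MAC of the RAP -> AP group. Stands in for
# what "local-userdb-ap add" / "whitelist-db rap add" populate on the controller.
WHITELIST_DB = {
    "00:0b:86:6a:11:22": "rap-branch-a",
    "00:0b:86:6a:33:44": "rap-branch-b",
}
DEFAULT_AP_GROUP = "default"

def normalize_mac(raw: str) -> Optional[str]:
    """Accept aa:bb:cc:dd:ee:ff, aa-bb-cc-dd-ee-ff, aabb.ccdd.eeff or aabbccddeeff; return colon form."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", raw)
    if len(hexdigits) != 12:
        return None
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2)).lower()

def cn_from_subject(subject: str) -> Optional[str]:
    """Pull the CN attribute out of an RFC 4514 style subject string (constructed layout)."""
    for part in subject.split(","):
        key, _, value = part.strip().partition("=")
        if key.strip().upper() == "CN":
            return value.strip()
    return None

@dataclass
class RapDecision:
    accepted: bool
    ap_group: Optional[str]
    reason: str

def decide_rap(subject: str, whitelist: dict, cert_cn_lookup: bool = True) -> RapDecision:
    """Model (assumption, not Aruba's code) of how the controller treats a cert-based RAP.

    Enabled: the CN (wired MAC) must be in the whitelist, and the entry picks the AP group.
    Disabled: the lookup is skipped and the RAP lands in the default group regardless.
    """
    if not cert_cn_lookup:
        return RapDecision(True, DEFAULT_AP_GROUP, "cert-cn-lookup disabled; whitelist not consulted")
    mac = normalize_mac(cn_from_subject(subject) or "")
    if mac is None:
        return RapDecision(False, None, "certificate CN is not a MAC address")
    group = whitelist.get(mac)
    if group is None:
        return RapDecision(False, None, f"{mac} not in whitelist-db; RAP rejected")
    return RapDecision(True, group, f"{mac} found in whitelist-db")
```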
Resolution : Enable cert-cn-lookup in the aaa authentication vpn "default-rap" profile:
(Aruba3200) (config) #aaa authentication vpn "default-rap"
(Aruba3200) (VPN Authentication Profile "default-rap") #cert-cn-lookup