
Why am I unable to change the AP-group of the RAP by changing it in local-userdb-ap / whitelist-db?

by on ‎07-11-2014 09:14 AM

Question :

Why am I unable to change the AP-group of the RAP by changing the local-userdb-ap / whitelist-db?


How is it possible that the RAP can come up on the controller without local-userdb-ap / whitelist-db entry?


Why shouldn't I disable "Check certificate common name against AAA server" under the aaa authentication vpn "default-rap" profile?

 

Environment Information : This article applies to TPM-based Aruba controllers (6xx, 3x00, 6000 and 72xx series) and APs running code versions 6.1 and above.

 

Symptoms :

1. RAP no longer changes to the new group when the local-userdb-ap / whitelist-db entry is modified.
2. RAP comes up on the controller even when its MAC address is not present in local-userdb-ap / whitelist-db.

 

Cause :

When a certificate-based Aruba RAP comes up on the controller, it identifies itself by presenting its embedded certificate to the controller. The common name (CN) of that certificate contains the AP's wired MAC address.
The controller validates the CN against its own local-userdb-ap / whitelist-db.

We can add a RAP's entry on the controller using the following commands:

a. local-userdb-ap add (pre 6.3)
b. whitelist-db rap add (6.3 onwards)


From Aruba OS 6.1 onwards, the aaa authentication vpn "default-rap" profile has a parameter named "Check certificate common name against AAA server". It is enabled by default.

#show aaa authentication vpn "default-rap"
VPN Authentication Profile "default-rap" (Predefined )
----------------------------------------------------------
Parameter                                         Value
---------                                         -----
Server Group                                      default
Max Authentication failures                       0
Check certificate common name against AAA server  Enabled



If it is disabled, the controller no longer checks the validity of the CN against its own local-userdb-ap / whitelist-db, and the RAP comes up in the default AP group.


Aruba OS 6.1 and 6.2

#show aaa authentication vpn "default-rap"
VPN Authentication Profile "default-rap" (Predefined (changed))
----------------------------------------------------------------
Parameter                                         Value
---------                                         -----
Server Group                                      default
Max Authentication failures                       0
Check certificate common name against AAA server  Disabled


Aruba OS 6.3 onwards

#show aaa authentication vpn default-rap
VPN Authentication Profile "default-rap" (Predefined (changed))
----------------------------------------------------------------
Parameter                                         Value
---------                                         -----
Server Group                                      default
Max Authentication failures                       0
Check certificate common name against AAA server  Disabled
Export VPN IP address as a route                  Enabled
User idle timeout                                 N/A

Once this value is disabled, we can change the AP-group of the RAP by reprovisioning it without having to make any changes in the local-userdb-ap / whitelist-db.



Note: Disabling this can cause security issues. Without this check, any RAP can come up on your controller without being checked against the local-userdb-ap / whitelist-db.

 

Resolution : Enable the cert-cn-lookup in aaa authentication vpn "default-rap"

(Aruba3200) (config) #aaa authentication vpn "default-rap"
(Aruba3200) (VPN Authentication Profile "default-rap") #cert-cn-lookup
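
To confirm the setting across controllers, the following Python check parses saved output of show aaa authentication vpn "default-rap" and reports when the CN check is not enabled. It is an added example, not part of the original article or of any Aruba tool; the function names are hypothetical and the sample output is constructed from the listings above.

```python
import re

# Parameter name exactly as the controller prints it in the outputs above.
CN_CHECK = "Check certificate common name against AAA server"

def parse_vpn_auth_profile(text):
    """Parse 'show aaa authentication vpn <profile>' output into (name, params)."""
    name, params = None, {}
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r'VPN Authentication Profile "([^"]+)"', line)
        if m:
            name = m.group(1)
            continue
        # Skip blanks, the echoed command and the dashed rulers.
        if not line or line.startswith("#") or set(line) <= {"-", " "}:
            continue
        # Parameter and value are separated by a run of two or more spaces.
        parts = re.split(r"\s{2,}", line)
        if len(parts) == 2 and parts != ["Parameter", "Value"]:
            params[parts[0]] = parts[1]
    return name, params

def audit_cn_check(text):
    """Return a list of findings; an empty list means the CN check is enabled."""
    name, params = parse_vpn_auth_profile(text)
    state = params.get(CN_CHECK)
    if state is None:
        return [f"{name}: '{CN_CHECK}' not found in output; verify manually"]
    if state.lower() != "enabled":
        return [f"{name}: '{CN_CHECK}' is {state}; RAPs are not checked "
                "against local-userdb-ap / whitelist-db (fix: cert-cn-lookup)"]
    return []

# Constructed sample input, modelled on the 6.1/6.2 output shown above.
SAMPLE_DISABLED = '''
#show aaa authentication vpn "default-rap"
VPN Authentication Profile "default-rap" (Predefined (changed))
Parameter                                         Value
---------                                         -----
Server Group                                      default
Max Authentication failures                       0
Check certificate common name against AAA server  Disabled
'''
SAMPLE_ENABLED = SAMPLE_DISABLED.replace("server  Disabled", "server  Enabled")

if __name__ == "__main__":
    for label, out in (("disabled", SAMPLE_DISABLED), ("enabled", SAMPLE_ENABLED)):
        print(label, "->", audit_cn_check(out) or "OK")
```

A missing parameter is reported rather than treated as a pass, so output from a release that does not print this parameter is not silently accepted.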
