Q: Why does an AP come up on the controller even though its own IP address is not in the CPSEC Auto Cert Allowed Addresses range?
A:
When an IP range is configured under "Auto Cert Allowed Addresses" and auto certificate provisioning is enabled, the controller issues certificates only to APs whose IP address falls inside that range.
Scenario:
========
Issue: The customer connected an AP from an IP range that is not in the "Control plane security - auto-cert allowed addresses" list, and the AP came up on the controller with no issues.
show control-plane-security
Control Plane Security Profile
------------------------------
Parameter                    Value
---------                    -----
Control Plane Security       Enabled
Auto Cert Provisioning       Enabled
Auto Cert Allow All          Disabled
Auto Cert Allowed Addresses  10.10.10.1 - 10.10.10.255
show ap active
Active AP Table
---------------
Name               Group    IP Address  11g Clients  11g Ch/EIRP/MaxEIRP  11a Clients  11a Ch/EIRP/MaxEIRP   AP Type  Flags  Uptime        Outer IP
----               -----    ----------  -----------  -------------------  -----------  -------------------   -------  -----  ------        --------
6c:f3:7f:c2:f6:98  default  20.20.20.6  0            AP:HT:1/12/21.5      0            AP:HT:157+/22.5/22.5  135      A2a    1d:6h:9m:50s  N/A
Here the AP (6c:f3:7f:c2:f6:98) came up on the controller with IP address 20.20.20.6, which is not in auto-cert-allowed-addrs.
Reason:
=======
The allowed-address range is consulted only at certificate provisioning time. Once an AP holds a certificate, it is validated by its MAC address against the cpsec whitelist-db, not by its IP address.
If the AP was ever in the allowed range, it was provisioned with a certificate at that time and its MAC was added to the cpsec whitelist-db. As long as that MAC is present in whitelist-db, the AP is admitted to the controller even if its IP address later moves to a range that is not part of "Auto Cert Allowed Addresses". This is the designed behavior: the allowed-address range is a provisioning-time control, not an ongoing access control, so narrowing the range has no effect on APs that are already whitelisted. To stop such an AP from coming up, its MAC entry has to be removed from the whitelist manually, for example with the whitelist-db cpsec del mac-address <mac> command.
Important note:
=============
Once an AP disconnects from the controller or the network, its MAC entry is never aged out of whitelist-db. APs may be added to and removed from the network frequently, and the admin should not have to re-approve them each time. If an AP needs to be removed from whitelist-db, it has to be done manually.
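The admission logic described in the Reason section and the no-ageout rule in the Important note, as an added model in Python. This is illustrative code written for this page, not ArubaOS code: the profile fields mirror the show control-plane-security output above, and the whitelist-db is a plain dict keyed by AP MAC. The AP's original address 10.10.10.50 and the second AP 6c:f3:7f:c2:f6:99 at 20.20.20.7 are assumptions constructed for the scenario; only 6c:f3:7f:c2:f6:98, 20.20.20.6 and the 10.10.10.1 - 10.10.10.255 range come from the page. The audit_out_of_range helper is the check a practitioner would run: it lists active APs that are up only because their MAC is still whitelisted, i.e. APs whose current IP would not be auto-provisioned today.

```python
"""Model of the CPSEC admission decision (illustrative; not ArubaOS code)."""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

MacAddr = str
AddrRange = Tuple[str, str]  # inclusive (first, last), as in "Auto Cert Allowed Addresses"


@dataclass
class CpsecProfile:
    """Mirrors the parameters shown by 'show control-plane-security'."""
    enabled: bool = True
    auto_cert_provisioning: bool = True
    auto_cert_allow_all: bool = False
    auto_cert_allowed_addresses: List[AddrRange] = field(default_factory=list)

    def ip_allowed(self, ip: str) -> bool:
        """Is this source IP eligible for automatic certificate provisioning?"""
        if self.auto_cert_allow_all:
            return True
        addr = ipaddress.ip_address(ip)
        return any(ipaddress.ip_address(lo) <= addr <= ipaddress.ip_address(hi)
                   for lo, hi in self.auto_cert_allowed_addresses)


@dataclass
class Controller:
    profile: CpsecProfile
    # whitelist-db: AP MAC -> IP it was provisioned from. Entries never age out.
    whitelist_db: Dict[MacAddr, str] = field(default_factory=dict)

    def ap_connect(self, mac: MacAddr, ip: str) -> str:
        """Decide whether an AP joining from `ip` comes up."""
        mac = mac.lower()
        if not self.profile.enabled:
            return "up: cpsec disabled"
        # The allowed-address range is consulted only for APs that have no
        # certificate yet. A MAC already in whitelist-db is trusted regardless of IP.
        if mac in self.whitelist_db:
            return "up: mac in whitelist-db"
        if self.profile.auto_cert_provisioning and self.profile.ip_allowed(ip):
            self.whitelist_db[mac] = ip  # certificate issued, MAC whitelisted
            return "up: auto-provisioned"
        return "denied: not whitelisted and ip outside allowed range"

    def ap_disconnect(self, mac: MacAddr) -> None:
        """Disconnecting touches nothing in whitelist-db (no ageout)."""

    def whitelist_del(self, mac: MacAddr) -> bool:
        """Manual removal, the only way an entry leaves whitelist-db."""
        return self.whitelist_db.pop(mac.lower(), None) is not None


def audit_out_of_range(ctrl: Controller,
                       active_aps: List[Tuple[MacAddr, str]]) -> List[MacAddr]:
    """Active APs that are up only because their MAC is still whitelisted.

    Their current IP would not be auto-provisioned under the present range,
    so each one deserves a look (and possibly a manual whitelist-db removal).
    """
    return [mac for mac, ip in active_aps
            if mac.lower() in ctrl.whitelist_db and not ctrl.profile.ip_allowed(ip)]


def scenario() -> dict:
    """Replay the case from the page; returns each step's outcome."""
    profile = CpsecProfile(auto_cert_allowed_addresses=[("10.10.10.1", "10.10.10.255")])
    ctrl = Controller(profile)
    ap = "6c:f3:7f:c2:f6:98"
    r = {}
    r["first_boot"] = ctrl.ap_connect(ap, "10.10.10.50")  # assumed original address
    ctrl.ap_disconnect(ap)                                 # entry survives disconnect
    r["readdressed"] = ctrl.ap_connect(ap, "20.20.20.6")  # IP from the page: still up
    # A constructed AP that was never provisioned: same out-of-range subnet, denied.
    r["new_ap_same_subnet"] = ctrl.ap_connect("6c:f3:7f:c2:f6:99", "20.20.20.7")
    r["audit"] = audit_out_of_range(ctrl, [(ap, "20.20.20.6")])
    ctrl.whitelist_del(ap)                                 # the manual step the page calls for
    r["after_manual_removal"] = ctrl.ap_connect(ap, "20.20.20.6")
    return r


if __name__ == "__main__":
    for step, outcome in scenario().items():
        print(f"{step:22} {outcome}")
```

The model makes the two-stage nature of the control explicit: ip_allowed() gates only the transition into whitelist_db, and ap_connect() short-circuits on the MAC before the range is ever looked at. Feeding audit_out_of_range() the MAC/IP pairs from show ap active is the quick way to find APs that are relying on a stale whitelist entry.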