JoL
Occasional Contributor I

AP stuck in approved-ready-for-cert

Hello,

 

A customer tried installing a new AP and it gets stuck in "approved-ready-for-cert" for some reason. Auto Cert is enabled for all networks.

 

#show control-plane-security

Control Plane Security Profile
------------------------------
Parameter                    Value
---------                    -----
Control Plane Security       Enabled
Auto Cert Provisioning       Enabled
Auto Cert Allow All          Enabled
Auto Cert Allowed Addresses  N/A

 

I tried removing it from the whitelist but it just comes back in the same state.

 

I tried manually setting state certified-factory-cert but it ended up in certified-hold-factory-cert.

 

They tried a different switchport and a different AP on the same switchport as well but it didn't help.

 

There is a FW between the AP and controller but we have verified that there are no blocks.

 

show tpm cert-info shows a generated factory certificate that expires in 2032. 

 

The log is spitting out this error:

Jul 12 09:55:03  stm[3951]: <305049> <WARN> |stm|  Unsecure AP xxxxxxxxxx has been denied access because Control Plane Security is enabled and the AP is not approved.

 

Anyone got an idea what might be wrong? 

 

/Johan

New Contributor

Re: AP stuck in approved-ready-for-cert


@JoL wrote:

 

 

They tried a different switchport and a different AP on the same switchport as well but it didn't help.

 

 


Can you elaborate on this point?

Was the test AP able to get certified-factory-cert in the Whitelist?

Regular Contributor I

Re: AP stuck in approved-ready-for-cert

Hi Johan,

 

A few questions.

 

Which software version?

Which controller type?

Which AP model?

What is the connection between the controller and the new AP? High latency?

 

Here is a link about CPSEC: https://www.arubanetworks.com/techdocs/ArubaOS_64x_WebHelp/Web_Help_Index.htm#ArubaFrameStyles/Control_Plane/Whitelists_on_Campus_and_Remote_APs.htm%3FTocPath%3DControl%2520Plane%2520Security%7C_____3

 

From the link :

certified-hold-factory-cert: The campus AP is certified with a factory certificate but requests to be certified again. Such APs are not approved as secure until you manually change the status and verify that it is not compromised.

NOTE: If an AP is in this state due to connectivity problems, then the AP recovers and leaves this hold state as soon as connectivity is restored.

 

So check at least for connectivity issues between the controller and the AP.

 

 

 

 

Cheers, Frank
Aruba Partner Ambassador| AMFX#22| ACCX#613| ACMX#733| ACDX#744

JoL
Occasional Contributor I

Re: AP stuck in approved-ready-for-cert

@BBrylski

The other AP that was tested got the same issue.

JoL
Occasional Contributor I

Re: AP stuck in approved-ready-for-cert

@

 

Which software version?

6.4.4.16

Which controller type?

7210

Which AP model?

225

What is the connection between the controller and the new AP? High latency?

around 1.4ms from the controller to the AP. There are about 150 APs at the same location and 10 with the same AP-group. 4-5 APs on the same subnet.

 

I tried manually setting the state certified-factory-cert but it reverts back to certified-hold-factory-cert after a minute or so.

 

/Johan

JoL
Occasional Contributor I

Re: AP stuck in approved-ready-for-cert

Found the problem!

 

The FW team only checked the FW openings from the AP to the controller, and it turned out a recent change in the FW closed UDP 8211 from the controller to the AP.

 

So APs that were already up and certified worked but a new AP that needed to be certified failed.

 

Thanks for your help.

 

/Johan
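The root cause in this thread was a firewall path verified in one direction only. The following is an added example, not part of the original posts or any Aruba tooling: it evaluates a first-match rule set for new UDP 8211 flows in both directions. The rule format, addresses and function names are constructed assumptions.

```python
import ipaddress

# Constructed sample data: addresses and rule format are assumptions.
# First match wins; anything unmatched hits an implicit deny.
CONTROLLER = "10.0.0.10"
AP = "10.20.30.41"
RULES = [
    # (action, protocol, source network, destination network, destination port)
    ("allow", "udp", "10.20.30.0/24", "10.0.0.10/32", 8211),   # AP -> controller
    ("deny",  "udp", "10.0.0.0/24",   "10.20.30.0/24", 8211),  # the "recent change"
    ("allow", "udp", "10.0.0.10/32",  "10.20.30.0/24", 8211),  # shadowed by the deny
]

def evaluate(rules, proto, src, dst, dport):
    """Return (action, rule_index) of the first matching rule, else ('deny', None).

    Models a NEW flow only; replies riding an existing state entry are not considered.
    """
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for i, (action, r_proto, r_src, r_dst, r_port) in enumerate(rules):
        if (r_proto == proto and r_port == dport
                and src_ip in ipaddress.ip_network(r_src)
                and dst_ip in ipaddress.ip_network(r_dst)):
            return action, i
    return "deny", None

def check_both_directions(rules, proto, a, b, port):
    """Evaluate a->b and b->a separately, since either side may initiate."""
    return {f"{a}->{b}": evaluate(rules, proto, a, b, port),
            f"{b}->{a}": evaluate(rules, proto, b, a, port)}

def blocked_directions(rules, proto, a, b, port):
    """List the directions in which a new flow would not be allowed."""
    results = check_both_directions(rules, proto, a, b, port)
    return [d for d, (action, _) in results.items() if action != "allow"]

if __name__ == "__main__":
    for direction, (action, idx) in check_both_directions(
            RULES, "udp", AP, CONTROLLER, 8211).items():
        print(f"udp/8211 {direction}: {action} (rule {idx})")
```

With the sample rules, the AP-to-controller check passes while the controller-to-AP flow is denied by the earlier rule, which matches the symptom described: the one-directional verification looked clean.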
