Wireless Access

Occasional Contributor I
Posts: 9
Registered: ‎02-08-2013

Choosing CPSec ?

Hi,

We are planning to implement bridge mode forwarding on campus APs (various models: 65, 125 & 135) on our network, with around 350 APs and 3 x 6000 M3 controllers [1 x master, 2 x local] running ArubaOS 6.1.3.7.

This requires Control Plane Security to be enabled. I was wondering, are there any common known issues with CPSec or any caveats to know about?

I tried it out in the lab with 2 x 3400 and 2 x AP 65. It took about 10 mins for the APs to obtain certificates, and when swapping the APs onto different network segments they didn't seem to appear back on the controller, even after purging the AP config. Finally I had to disable CPSec and they showed up.

Thanks

Guru Elite
Posts: 20,811
Registered: ‎03-29-2007

Re: Choosing CPSec ?

The access points will take almost 10 minutes initially to get the certificate, yes.

The access points not being able to find the controller after being placed on a different segment needs to be troubleshot as a controller discovery issue.

If you introduced an AP with CPSEC into a network with a different master, it will have to go through the CPSEC initialization process again, and that will take 10 minutes the first time that change happens.


Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Occasional Contributor I
Posts: 9
Registered: ‎02-08-2013

Re: Choosing CPSec ?

Thanks cjoseph

Can't see any controller discovery issue. As I said, when you turn off CPSec the APs get discovered OK, and when CPSec is turned on they get certified, and if you swap the APs into a different location the controller can't see them even after waiting more than 10 mins. The APs get an IP address via DHCP and the controller is discovered via DHCP option 43.

Are you aware of any other features CPSec is useful for, other than the forwarding modes bridge and split-tunnel?

Thanks

Guru Elite
Posts: 20,811
Registered: ‎03-29-2007

Re: Choosing CPSec ?


Aruba-Fan wrote:

Thanks cjoseph

Can't see any controller discovery issue. As I said, when you turn off CPSec the APs get discovered OK, and when CPSec is turned on they get certified, and if you swap the APs into a different location the controller can't see them even after waiting more than 10 mins. The APs get an IP address via DHCP and the controller is discovered via DHCP option 43.

Are you aware of any other features CPSec is useful for, other than the forwarding modes bridge and split-tunnel?

Thanks


Can you see the traffic coming from the access points into the new controller to explain your issue?

CPSEC is used for a few other things, but bridging, decrypt-tunnel and multicast optimization are what it is mostly used for (CPSEC cannot be used for split-tunnel).

Many organizations do not use CPSEC and they don't have any problems.

 



Colin Joseph
Aruba Customer Engineering


Occasional Contributor I
Posts: 9
Registered: ‎02-08-2013

Re: Choosing CPSec ?

Thanks

Maybe I will get my hands on a 125 or 135 and console into it to see what's happening; I cannot do that with the 65s.

You said "Many organizations do not use CPSec........" Is that do or do not?

Thanks

Guru Elite
Posts: 20,811
Registered: ‎03-29-2007

Re: Choosing CPSec ?

There are organizations that do not need CPSEC because they do not do anything that requires it.  CPSEC is not mandatory.



Colin Joseph
Aruba Customer Engineering


Occasional Contributor I
Posts: 9
Registered: ‎02-08-2013

Re: Choosing CPSec ?

We are trying to implement bridge mode, hence we would have to go for CPSec. We have been running without CPSec till now with no issues; I hope it remains the same with CPSec turned on.

Thanks

Frequent Contributor I
Posts: 95
Registered: ‎04-09-2007

Re: Choosing CPSec ?

We have CPSec running since we are using RAP5s as campus APs and performing bridging on the wired ports, so CPSec was required to be enabled.

Supposedly CPSec data can be shared among master-locals, so failover from local to master should not require certificate re-installation.

We run all stand-alone masters so I can't confirm. Master clustering should alleviate this, but it doesn't work in 6.1.x; it should be fixed in 6.2.x, but I have not verified (running 6.1.3.7 as well).

I think all 802.11n APs have a built-in cert and can be trusted on the controller, install the switch cert, reboot and come up on another controller. But the older APs (AP70s for me, and I suspect AP65s for you will act similar) do not have a built-in cert, so they install the cert of the first controller they come up on. This cert will not be trusted by another controller, so if these APs fail over they do not recover automatically.

You can look for APs stuck in this state with the following command:

# show whitelist-db cpsec | include hold,unapproved

If you find any APs in this state, delete them from the whitelist-db. The APs will dump their current cert, reboot and install the cert of the next controller they talk to:

whitelist-db cpsec del mac-address $mac

I created a Perl expect script to walk my controllers periodically and delete any stuck APs. Thankfully I think I'm down to only a handful of AP70s left on the network.
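The cleanup the poster above describes (find whitelist entries in a hold/unapproved state, then delete them so the AP re-enrols against the controller it can now reach), as an added example that is not the poster's Perl/expect script and not Aruba code. It parses the text of `show whitelist-db cpsec`, picks out the stuck MACs and builds the `whitelist-db cpsec del mac-address` lines to run. The sample output, its column layout and the state names in it are constructed for this example; the real controller output may differ, so the parser only relies on a colon-separated MAC being followed by a cert-type column and then a state column. Transport to the controller (SSH/expect) is left out; the function returns the CLI lines so they can be reviewed before anything is deleted.

```python
import re
from typing import Dict, List

# Constructed sample of `show whitelist-db cpsec` output. Column layout and
# state names are ASSUMED for this example, not captured from a controller.
SAMPLE_WHITELIST = """\
Control-Plane Security Whitelist-entry Details
----------------------------------------------
AP-Group  AP-Name   MAC-Address        Cert-Type     State                       Description  Revoke Text  Last Updated
--------  -------   -----------        ---------     -----                       -----------  -----------  ------------
default   ap70-lib  00:0b:86:c1:d2:e3  switch-cert   certified-hold-switch-cert  -            -            Mon Feb 11 09:12:03 2013
default   ap135-a   d8:c7:c8:11:22:33  factory-cert  certified-factory-cert      -            -            Mon Feb 11 09:13:40 2013
default   ap70-gym  00:0b:86:aa:bb:cc  switch-cert   unapproved-no-cert          -            -            Mon Feb 11 09:15:22 2013
default   ap125-b   00:24:6c:44:55:66  factory-cert  certified-factory-cert      -            -            Mon Feb 11 09:16:01 2013
Total entries: 4
"""

# Colon-separated MAC as the controller prints it.
MAC_RE = re.compile(r"\b([0-9a-f]{2}(?::[0-9a-f]{2}){5})\b", re.IGNORECASE)

# Same substrings the poster greps for: `| include hold,unapproved`.
STUCK_MARKERS = ("hold", "unapproved")


def parse_whitelist(output: str) -> Dict[str, str]:
    """Map MAC -> state for each data row; header, rule and total lines have no MAC and are skipped."""
    entries: Dict[str, str] = {}
    for line in output.splitlines():
        m = MAC_RE.search(line)
        if not m:
            continue
        mac = m.group(1).lower()
        # Columns after the MAC are assumed to be: cert-type, state, ...
        rest = line[m.end():].split()
        if len(rest) < 2:
            continue
        entries[mac] = rest[1].lower()
    return entries


def stuck_aps(entries: Dict[str, str]) -> List[str]:
    """MACs whose state contains 'hold' or 'unapproved', sorted for stable output."""
    return sorted(mac for mac, state in entries.items()
                  if any(marker in state for marker in STUCK_MARKERS))


def delete_commands(macs: List[str]) -> List[str]:
    """One `whitelist-db cpsec del mac-address <mac>` line per stuck AP."""
    return [f"whitelist-db cpsec del mac-address {mac}" for mac in macs]


def plan_cleanup(output: str, max_deletes: int = 10) -> List[str]:
    """Return the CLI lines to push to the controller.

    Deleting a whitelist entry forces the AP to drop its cert and reboot, so a
    cap refuses to mass-delete: a large number of 'stuck' entries at once is
    more likely a controller-side or discovery problem than a few orphaned APs.
    The cap value is an assumption for this example.
    """
    macs = stuck_aps(parse_whitelist(output))
    if len(macs) > max_deletes:
        raise RuntimeError(f"{len(macs)} APs look stuck; refusing to delete more than {max_deletes} at once")
    return delete_commands(macs)


if __name__ == "__main__":
    for cmd in plan_cleanup(SAMPLE_WHITELIST):
        print(cmd)
```

Run it against saved `show whitelist-db cpsec` output from each controller and review the printed lines before pasting them in; an AP in `hold` on one controller may simply be one that is still inside the 10-minute initial certification window mentioned earlier in the thread, so check the Last Updated column before deleting.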

 
