04-19-2017 11:04 AM
I have been reading and doing a CPSec lab and have some doubts. I would like to clarify them one by one. Could you help me?
I have read these two statements in official Aruba documents:
a) APs that are not configured to use control plane security send clear, unencrypted information to the controller. Secure control plane communication between controllers and campus APs using IPSec use certificate-based design for secure communication.
b) Typically, control traffic use PAPI protocol (UDP 8211).
Does this mean that if CPSec is not enabled the control traffic between APs and controllers is sent using PAPI protocol but neither encrypted nor using any tunnel at all (GRE/IPSec)?
04-19-2017 11:07 AM
If CPSEC is not enabled, then control traffic between AP and controller is sent over PAPI on UDP 8211 but not inside IPSEC tunnel. With CPSEC enabled, AP and controller forms IPSEC tunnel and PAPI is sent inside the tunnel
04-19-2017 12:23 PM
Thanks for your fast reply. Also I have read these:
APs with certificates will only connect to controller using IPSec, MAC address of the AP is used for authentication.
In a single controller deployment, each AP may be provisioned with a digital certificate to authenticate it to the controller.
Then it is not clear, what will the AP use for authenticating to the controller, its MAC address or its certificate?
04-19-2017 12:47 PM
04-19-2017 01:18 PM
04-19-2017 03:03 PM - edited 04-19-2017 03:06 PM
And one more question. I have done a CPSec lab:
1 - I had a controller with one AP associated to it and CPSec disabled. The AP was in up state.
2 - Then I enabled CPSec without Auto Cert Provisioning and got this:
3 - Then I enabled Auto Cert Provisioning and got this:
the AP was in down state. After a few minutes I got this:
and the AP was in up state.
For point 2, under Cert Type tab we can see "factory-cert", which I guess it is a Factory Certificate. When Auto Cert Provisioning is on, the controller sends certificates to all associated APs, however in point 3, under Cert Type tab, we can still see "factory-cert".
Then, if the controller sends certificates to APs, why the AP still has the same Factory Certificate and not the other one sended by the controller?
04-19-2017 04:03 PM
The controller does not send any certificates to an AP. The AP has a factory certificate built in that is used to complete the tunnel. As you can see the "cert type" is always factory cert.
I want to say that the process that the AP uses to connect to and protect the traffic is very trivial and does not change the way the AP operates, except that the traffic and the commands to/from the AP are encrypted. If CPSEC is not used, WLAN-encrypted traffic is still encrypted end to end...
Aruba Customer Engineering
Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base
04-20-2017 07:29 AM
I don't understand very well. For the first part, you say the controller doesn't send any certificate to AP. I have read the Auto Cert Provisioning option does, in the controller user guide says the following about Auto Cert Provisioning:
When you enable the control plane security feature, you can select this checkbox to turn on automatic certificate provisioning. When you enable this feature, the controller attempts to send certificates to all associated campus APs. Auto certificate provisioning is disabled by default.
About the second part, you say if CPSec is disabled, WLAN-encrypted traffic is still encrypted end to end. I think you mean encrypted user traffic, because keya_n in message 2 of this post says control traffic is not encrypted unless CPSec is enabled. Also other Aruba guides say:
APs that are not configured to use control plane security send clear, unencrypted information to the controller.
04-20-2017 02:16 PM
I think when you say the controller does not send any certificates to an AP that you may refer this happens only when the AP has a factory certificate. I found this in the controller user guide:
Some AP model types have factory-installed digital certificates. These AP models use their factory-installed certificates for IPsec, and do not need a certificate from the controller.
certified-factory-cert: The campus AP already has a factory
certificate. If a campus AP has a factory-cert type of certificate and is
in certified-factory-cert state, then a new certificate is not reissued
to the campus AP when you enable automatic certificate provisioning.
What I don't know is why when I enabled CPSec without Auto Cert Provisioning in point 2, the AP state was "unapproved-factory-cert" and I had to enable Auto Cert Provisioning to get "certified-factory-cert".
Why was the AP in state "unapproved-factory-cert"? If the AP has an Aruba factory certificate it should be approved by an Aruba controller, shouldn't it?