Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

MM/Controller whitelist

  • 1.  MM/Controller whitelist

    Posted Jan 14, 2022 08:44 AM
    Hold any replies to this.  After a deeper dive, the timing of our software upgrade coupled with a completely unrelated DHCP event might be the cause of my issue.

    So we recently upgraded to 8.7 in preparation for future APs.  We were holding on 8.6 until the vast majority of 100 series were out of the environment.

    Whitelisting of APs was enabled by the 8.7 upgrade.  I am not sure I want it!  I have been unsuccessful so far in finding any instructions on how to disable it, or whether that is even possible.  I foresee it being a possible serious headache if we do a large swapout of 200 series APs sometime this year.

    Thoughts, pointers to documentation on disabling it, am I stuck with it?

    ------------------------------
    Doug Selix
    ------------------------------


  • 2.  RE: MM/Controller whitelist

    EMPLOYEE
    Posted Jan 14, 2022 09:42 AM
    Let's clear up some terms here:

    CPSEC (Configuration> System> CPSEC) is control plane security, which is a secure connection between APs and the controller.  You absolutely want this. You want it enabled, and you want "Enable Auto Cert Provisioning" enabled, so that you don't have to manually approve access points for them to be able to function.
    The whitelist (Configuration> Access Points> Whitelist) is where you can see what access points have registered with your system and have successfully negotiated a secure connection with your system.  By default, the access points in the whitelist just have a MAC address and the date and time they were approved.  They don't have a name or AP-group.  What you don't want to do is modify the name or the AP-group of access points in the whitelist interface, because once you do that, you can ONLY modify the name and AP-group from the Whitelist interface and not from the more functional Campus APs interface (Configuration> Access Points> Campus APs).  If you modify an access point's name or AP-group in the whitelist and then attempt to do the same thing in the Campus APs interface, it will silently fail, making you confused as to why your rename or changing the AP-group did not work in the Campus APs interface.  Long story short, just don't modify the campus AP whitelist.

    That is my opinion.




    ------------------------------
    Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
    ------------------------------



  • 3.  RE: MM/Controller whitelist

    Posted Jan 14, 2022 10:38 AM
    Thanks for the info.  I will be sure to not provision in the whitelist tab.

    CPSEC is on, I believe it was before the last software upgrade.

    My "problem" with it is this: for a new out-of-the-box AP, I had to enter the MAC in the AP whitelist before it went online.  Now I only did one, and I gave it a group and such, which I will not do after reading your reply.

    The problem I see down the road is that if we are swapping 200 APs, entering all the MACs in the whitelist will be a huge pain.  Before the 8.7 code, we plugged in and it auto-provisioned to the default group on the local controller.  Nothing to do but move it to the right AP group.  If I am going to have to enter MAC addresses for every new AP, well, yuk is all I will say on a family-friendly forum!


    ------------------------------
    Doug Selix
    ------------------------------



  • 4.  RE: MM/Controller whitelist

    EMPLOYEE
    Posted Jan 14, 2022 12:50 PM
    Please see my screenshot above.  You would only need "enable auto cert provisioning" enabled so that you won't have to enter individual mac addresses; it will automatically do it for any access point that connects.

    Once you have that switch on, the behavior will be the same as before.

    ------------------------------
    Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
    ------------------------------
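
For sites that leave auto cert provisioning off and pre-stage the whitelist instead (the manual MAC entry described in post 3), the following is an added example, not code from any poster or from Aruba, that turns a list of AP MACs into whitelist commands. The `whitelist-db cpsec add mac-address` command form and the sample MACs are assumptions; check the command against the CLI reference for your ArubaOS release.

```python
import re

# Constructed sample: MACs as they might be copied from packing lists or labels.
SAMPLE_MACS = """
00:1A:1E:C0:FF:01
001a.1ec0.ff02
00-1A-1E-C0-FF-03
00:1a:1e:c0:ff:01
not-a-mac
01:00:5E:00:00:01
"""

HEX12 = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(text):
    """Return aa:bb:cc:dd:ee:ff, or None if text is not a unicast MAC."""
    digits = re.sub(r"[:.\-\s]", "", text.strip().lower())
    if not HEX12.match(digits):
        return None
    if int(digits[:2], 16) & 0x01:  # group (multicast) bit set: not a device address
        return None
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def build_whitelist_commands(raw):
    """Return (commands, rejected) for a newline-separated list of MACs."""
    commands, rejected, seen = [], [], set()
    for line in raw.splitlines():
        if not line.strip():
            continue
        mac = normalize_mac(line)
        if mac is None:
            rejected.append(line.strip())  # keep for manual review
        elif mac not in seen:
            seen.add(mac)
            # MAC only: no AP name or AP-group, following the advice in post 2.
            # Command form is an assumption; verify on your release.
            commands.append(f"whitelist-db cpsec add mac-address {mac}")
    return commands, rejected


if __name__ == "__main__":
    cmds, bad = build_whitelist_commands(SAMPLE_MACS)
    print("\n".join(cmds))
    for entry in bad:
        print(f"! rejected: {entry}")
```
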



  • 5.  RE: MM/Controller whitelist

    MVP
    Posted Jan 14, 2022 04:30 PM
    If you do come across an AP that was modified via the whitelist interface, is there no way to "reset" that AP so it's not locked into only being able to be edited via the whitelist interface? (In other words, is there a way to "reset" the AP so it can then be modified via the Campus APs interface?)


  • 6.  RE: MM/Controller whitelist

    EMPLOYEE
    Posted Jan 14, 2022 05:56 PM
    You would delete it from the whitelist.  It would then go through the whole initial CPSEC enrollment process once again.

    ------------------------------
    Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
    ------------------------------