Wireless Access

last person joined: 2 hours ago 

Access network design for branch, remote, outdoor and campus locations with Aruba access points, and mobility controllers.
Expand all | Collapse all

provision new AP 305 -- denied access because Control Plane Security is enabled and the AP is not approved

This thread has been viewed 27 times
  • 1.  provision new AP 305 -- denied access because Control Plane Security is enabled and the AP is not approved

    Posted Sep 14, 2021 04:50 AM
    Hi,

    I'm trying to provision 2 x new APs 305 model but I receive the following error on the controller:

    Sep 14 15:42:36 nanny[3029]: <303022> <WARN> |AP f4:2e:7f:c5:f0:28@172.20.21.146 nanny| Reboot Reason: AP rebooted Tue Sep 14 10:41:20 CEST 2021; Unable to set up IPSec tunnel to saved lms, Error:RC_ERROR_IKE_XAUTH_AUTHORIZATION_FAILED
    Sep 14 15:43:06 stm[3641]: <305049> <3641> <WARN> |stm| Unsecure AP "f4:2e:7f:c5:f0:28" (MAC f4:2e:7f:c5:f0:28, IP 172.20.21.146) has been denied access because Control Plane Security is enabled and the AP is not approved.
    Sep 14 15:43:51 stm[3641]: <305049> <3641> <WARN> |stm| Unsecure AP "f4:2e:7f:c5:f0:28" (MAC f4:2e:7f:c5:f0:28, IP 172.20.21.146) has been denied access because Control Plane Security is enabled and the AP is not approved.

    ------------------------------
    ioanf
    ------------------------------


  • 2.  RE: provision new AP 305 -- denied access because Control Plane Security is enabled and the AP is not approved

    Posted Sep 14, 2021 05:21 AM
    Do you have control plane security enabled?  If you do not have auto cert provisioning on, you will get that error.  By default it is off, so that random APs cannot just join your controller.

    Please see here:  https://www.arubanetworks.com/techdocs/ArubaOS_8.7.1_Web_Help/Content/arubaos-solutions/controlplane/cpsec.htm for how to enable auto cert provisioning.


    ------------------------------
    Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
    ------------------------------



  • 3.  RE: provision new AP 305 -- denied access because Control Plane Security is enabled and the AP is not approved

    Posted Sep 14, 2021 05:42 AM
    hi, it is enabled:



    ------------------------------
    ioanf
    ------------------------------



  • 4.  RE: provision new AP 305 -- denied access because Control Plane Security is enabled and the AP is not approved

    Posted Sep 14, 2021 05:52 AM
    Find out if the AP is in the cpsec whitelist and delete it, and try again.

    ------------------------------
    Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
    ------------------------------



  • 5.  RE: provision new AP 305 -- denied access because Control Plane Security is enabled and the AP is not approved

    Posted Sep 14, 2021 07:42 AM
    I did but it is the same. The weird part is that I can provision this AP to a different site/controller but only to the one where the AP should be, I can't.

    ------------------------------
    ioanf
    ------------------------------



  • 6.  RE: provision new AP 305 -- denied access because Control Plane Security is enabled and the AP is not approved

    Posted Sep 14, 2021 07:47 AM
    Are all controllers managed by the same MM?

    ------------------------------
    Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
    ------------------------------



  • 7.  RE: provision new AP 305 -- denied access because Control Plane Security is enabled and the AP is not approved

    Posted Sep 14, 2021 07:51 AM
    yes, they are all under the same MM.


    ------------------------------
    ioanf
    ------------------------------



  • 8.  RE: provision new AP 305 -- denied access because Control Plane Security is enabled and the AP is not approved

    Posted Sep 14, 2021 08:00 AM
    It almost seems like the whitelist is not synchronized between controllers.

    Execute:
    show whitelist-db cpsec-status

    on the MM and the MD with the problem.

    ------------------------------
    Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
    ------------------------------



  • 9.  RE: provision new AP 305 -- denied access because Control Plane Security is enabled and the AP is not approved

    Posted Sep 14, 2021 08:09 AM
    on the MM:


    on the MD with issues:


    on MD with no issues:


    ------------------------------
    ioanf
    ------------------------------



  • 10.  RE: provision new AP 305 -- denied access because Control Plane Security is enabled and the AP is not approved

    Posted Sep 14, 2021 08:16 AM
    I would open up a technical support case with Aruba to get to the bottom of this.

    ------------------------------
    Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
    ------------------------------