Off-Loading Controller RAP Whitelist to CPPM


Off-Loading Controller RAP Whitelist to CPPM



This feature allows a global white list to be maintained on ClearPass Policy Manager (CPPM) instead of on an individual controller. When a Remote Access Point (RAP) or an Instant Access Point (IAP) attempts to authenticate, the controller constructs a radius access request message for CPPM to validate. On a successful authentication, CPPM sends back a radius accept message along with the appropriate Aruba Vendor Specific Attributes (VSA).


This solution will configure the CPPM server to retrieve the white list entries from Aruba Activate server automatically. The entry will update every 60 minutes or user could update the entries manually. Aruba Activate allows users to setup the Access Point (AP) group and AP Name for each AP in the database.


The solution is design to provide the following,

  • Provide a Zero-Touch Provisioning Service where the process of "provisioning" device can be off-loaded to a Help Desk Team.
  • Information including AP name, AP group and controller is defined in Activate.
  • Provides a scalable solution where additional controllers can be deployed and the white list is off-loaded to CPPM.
  • Provide a solution that works with IAP-VPN and legacy Remote AP (RAP).

Thus, providing a centralized white list database allows additional controllers to be installed without having to replicate or synchronize a “white list” between controllers. This feature is supported on AOS 6.3.1 or later.


Platform Tested

Aruba Mobility Controller 7210 running AOS build 43121.

Aruba Clear Pass Policy Manager 6.3.4 build 64924.



Access Point and PEF.



[1] Aruba 6.3 User Guide

Version history
Revision #:
2 of 2
Last update:
‎09-12-2014 02:20 PM
Updated by:
Labels (4)
Search Airheads
Showing results for 
Search instead for 
Did you mean: