Controller Based WLANs

AP going into unapproved-no-cert state in 8.x deployments 

Jul 03, 2020 09:18 PM

Q:

What causes an AP to go into unapproved-no-cert state in whitelist-db?



A:

In 8.x deployments, an AP will go into the unapproved-no-cert state in whitelist-db if both of the conditions below are met:

  • Control-plane security is enabled without Auto Cert Provisioning turned on

show control-plane-security

Tue Jun 30 11:40:47.607 2020

Control Plane Security Profile
------------------------------
Parameter                         Value
---------                         -----
Control Plane Security            Enabled
Auto Cert Provisioning            Disabled
Auto Cert Allow All               Enabled
Expiry timer(dd:hh)               00:02
Auto Cert Allowed Addresses       N/A
Auto Cert Allowed IPv6 Addresses  N/A

  • The whitelist-db entry is added manually


Aug 15 15:03:12 profmgr[5997]: USER:admin@10.1.1.1 NODE:"/md/lab" COMMAND:<whitelist-db cpsec add mac-address 9c:8c:d8:cf:c5:db description CNJ0K9Y09D ap-name AP-555 ap-group 11AX> – command executed successfully 
Aug 15 15:03:12 profmgr[5997]: USER:admin@192.168.0.197 NODE:"/md/lab" COMMAND:<whitelist-db cpsec modify mac-address 9c:8c:d8:cf:c5:db mode enable> – command executed successfully 
When both conditions are met, entries go into the 'unapproved-no-cert' state in whitelist-db if the AP is not connected for 2 hours. If the AP talks back to the controller within 2 hours, the AP continues to operate; if the AP communicates with the controller only after 2 hours have passed, it goes into the 'unapproved-no-cert' state again.

From 8.3.x, a new timer knob under control-plane security prevents APs from going into the 'unapproved-no-cert' state by extending the timer to a configured period of time.

show control-plane-security

Tue Jun 30 11:41:11.181 2020

Control Plane Security Profile
------------------------------
Parameter                         Value
---------                         -----
Control Plane Security            Enabled
Auto Cert Provisioning            Enabled
Auto Cert Allow All               Enabled
Expiry timer(dd:hh)               00:02
Auto Cert Allowed Addresses       N/A
Auto Cert Allowed IPv6 Addresses  N/A

After setting the timer to 20 days, the AP's MAC address needs to be added to whitelist-db. Once the MAC addresses are added, these entries remain idle and will not go into the 'unapproved-no-cert' state for a period of 20 days.
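As an added example (not part of this article or of any Aruba tool), the following Python check parses a `show control-plane-security` output in the format shown above, extracts MAC addresses added by hand from profmgr log lines in the quoted format, and flags the combination the answer describes (CPsec enabled, Auto Cert Provisioning disabled, manual whitelist-db entries) together with the expiry window in hours. The column parsing and the regular expressions are assumptions based only on the output quoted on this page.

```python
import re

# Constructed sample: the first "show control-plane-security" output above
# (CPsec on, auto-cert provisioning off, two-hour expiry timer).
SAMPLE_PROFILE = """\
Parameter                         Value
---------                         -----
Control Plane Security            Enabled
Auto Cert Provisioning            Disabled
Auto Cert Allow All               Enabled
Expiry timer(dd:hh)               00:02
"""

# Constructed profmgr log line in the format quoted above.
SAMPLE_LOG = ('Aug 15 15:03:12 profmgr[5997]: USER:admin@10.1.1.1 NODE:"/md/lab" '
              'COMMAND:<whitelist-db cpsec add mac-address 9c:8c:d8:cf:c5:db '
              'description CNJ0K9Y09D ap-name AP-555 ap-group 11AX> '
              '- command executed successfully\n')

PARAM_RE = re.compile(r"^(.+?)\s{2,}(\S+)\s*$")
ADD_RE = re.compile(r"whitelist-db cpsec add mac-address ([0-9a-f:]{17})")

def parse_profile(text):
    """Turn the two-column profile table into a {parameter: value} dict."""
    profile = {}
    for line in text.splitlines():
        m = PARAM_RE.match(line)
        if m and m.group(1) != "Parameter" and not m.group(1).startswith("-"):
            profile[m.group(1).strip()] = m.group(2)
    return profile

def expiry_hours(value):
    """Convert the dd:hh expiry timer into hours ('00:02' -> 2)."""
    days, hours = value.split(":")
    return int(days) * 24 + int(hours)

def manually_added_macs(log_text):
    """MAC addresses added to whitelist-db by hand, taken from profmgr log lines."""
    return [m.group(1) for m in ADD_RE.finditer(log_text)]

def assess(profile, log_text):
    """Return (at_risk, hours, macs). at_risk is True when CPsec is on, auto-cert
    provisioning is off and entries were added by hand: those entries fall to
    unapproved-no-cert once an AP stays disconnected longer than `hours`."""
    cps_on = profile.get("Control Plane Security") == "Enabled"
    auto_cert = profile.get("Auto Cert Provisioning") == "Enabled"
    hours = expiry_hours(profile.get("Expiry timer(dd:hh)", "00:00"))
    macs = manually_added_macs(log_text)
    return cps_on and not auto_cert and bool(macs), hours, macs
```

Running `assess(parse_profile(SAMPLE_PROFILE), SAMPLE_LOG)` on the constructed sample returns an at-risk result with a 2-hour window; the same profile with Auto Cert Provisioning enabled, or with the expiry timer raised, is what the rest of the answer recommends.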
