Q:
What causes an AP to go into unapproved-no-cert state in whitelist-db?
In 8.x deployments, an AP will go into the unapproved-no-cert state in whitelist-db if the conditions below are met:

    show control-plane-security

    Tue Jun 30 11:40:47.607 2020

    Control Plane Security Profile
    ------------------------------
    Parameter                         Value
    ---------                         -----
    Control Plane Security            Enabled
    Auto Cert Provisioning            Disabled
    Auto Cert Allow All               Enabled
    Expiry timer(dd:hh)               00:02
    Auto Cert Allowed Addresses       N/A
    Auto Cert Allowed IPv6 Addresses  N/A

    Aug 15 15:03:12 profmgr[5997]: USER:admin@10.1.1.1 NODE:"/md/lab" COMMAND:<whitelist-db cpsec add mac-address 9c:8c:d8:cf:c5:db description CNJ0K9Y09D ap-name AP-555 ap-group 11AX> – command executed successfully
    Aug 15 15:03:12 profmgr[5997]: USER:admin@192.168.0.197 NODE:"/md/lab" COMMAND:<whitelist-db cpsec modify mac-address 9c:8c:d8:cf:c5:db mode enable> – command executed successfully
When the above conditions are met, entries in whitelist-db will go into the "unapproved-no-cert" state if the AP is not connected for 2 hours. If the AP talks back to the controller within 2 hours, the AP will continue to operate; however, if the AP communicates with the controller after 2 hours, the AP will go into the "unapproved-no-cert" state again.
From 8.3.x, a new timer knob has been implemented under control-plane security that prevents APs from going into the "unapproved-no-cert" state by extending the timer to a given period of time.
    show control-plane-security

    Tue Jun 30 11:41:11.181 2020

    Control Plane Security Profile
    ------------------------------
    Parameter                         Value
    ---------                         -----
    Control Plane Security            Enabled
    Auto Cert Provisioning            Enabled
    Auto Cert Allow All               Enabled
    Expiry timer(dd:hh)               00:02
    Auto Cert Allowed Addresses       N/A
    Auto Cert Allowed IPv6 Addresses  N/A
After enabling the timer for 20 days, the AP's MAC address needs to be added to whitelist-db. Once the MAC addresses are added, these entries remain idle and will not go into the "unapproved-no-cert" state for a period of 20 days.
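
The timer behaviour described above can be checked offline from collected output. This is an added example, not part of the original article or any Aruba tooling: it reads the "Expiry timer(dd:hh)" value and the profmgr audit lines in the formats shown above, computes each manually added entry's deadline, and lists the MACs whose AP missed it. The year, the first_contact map, and the choice to start the timer at the time of the add command are assumptions of this example.

```python
import re
from datetime import datetime, timedelta

# Constructed sample input in the formats shown in the article.
SHOW_OUTPUT = "Auto Cert Provisioning   Disabled\nExpiry timer(dd:hh)   00:02\n"
AUDIT_LOG = (
    'Aug 15 15:03:12 profmgr[5997]: USER:admin@10.1.1.1 NODE:"/md/lab" '
    "COMMAND:<whitelist-db cpsec add mac-address 9c:8c:d8:cf:c5:db "
    "description CNJ0K9Y09D ap-name AP-555 ap-group 11AX> "
    "– command executed successfully\n"
    'Aug 15 15:03:12 profmgr[5997]: USER:admin@192.168.0.197 NODE:"/md/lab" '
    "COMMAND:<whitelist-db cpsec modify mac-address 9c:8c:d8:cf:c5:db "
    "mode enable> – command executed successfully\n")

# Matches only successful "whitelist-db cpsec add" audit lines.
ADD_RE = re.compile(
    r"^(\w{3} +\d+ [\d:]{8}) .*COMMAND:<whitelist-db cpsec add "
    r"mac-address ([0-9a-f:]{17})\b[^>]*> \S command executed successfully",
    re.IGNORECASE)

def expiry_timer(show_output):
    """Return the 'Expiry timer(dd:hh)' value as a timedelta."""
    m = re.search(r"Expiry timer\(dd:hh\)\s+(\d+):(\d+)", show_output)
    if not m:
        raise ValueError("Expiry timer not found in output")
    return timedelta(days=int(m.group(1)), hours=int(m.group(2)))

def whitelist_adds(audit_log, year):
    """Map MAC -> time of its add command (log lines carry no year)."""
    adds = {}
    for line in audit_log.splitlines():
        m = ADD_RE.match(line)
        if m:
            stamp = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            adds[m.group(2).lower()] = stamp
    return adds

def at_risk(adds, timer, first_contact, now):
    """List (mac, deadline) for entries whose AP missed the deadline.

    first_contact (hypothetical input): MAC -> first time the AP reached
    the controller; a missing MAC means the AP has not connected yet.
    """
    late = []
    for mac, added in adds.items():
        deadline = added + timer  # assumption: timer starts at the add
        seen = first_contact.get(mac)
        if (seen is None and now > deadline) or (seen is not None and seen > deadline):
            late.append((mac, deadline))
    return late
```
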
© Copyright 2024 Hewlett Packard Enterprise Development LP All Rights Reserved.