How do I address the issue where APs have a “Denied” flag on the controller?

Aruba Employee
Aruba Employee

Question:  How do I address the issue where APs have a “Denied” flag on the controller?


Product and Software: This article applies to all Aruba APs and ArubaOS 5.0 and later.

In a new deployment, the AP might have a "Denied" flag on the controller. This happens if we have CPsec enabled on the controller.
To check for flags, issue the "show AP database" command:





When an AP tries to come up on the controller when CPsec is enabled, the AP tries to establish an IPsec tunnel to the controller to start the communication. The controller validates the certificate in the AP against the internal whitelist. So unless you add the AP in the campus whitelist, it will show up as "Denied".



You can get rid of this problem in three ways.


  • Disable the Control-plane security.


Using the WebUI




Using the CLI




  • Enable "Auto Cert Provisioning" with CPsec enabled under the CPsec configuration tab.


  • With CPsec enabled and "Auto Cert Provisioning" disabled, add the APs in the campus whitelist and select the appropriate option to change the state of the AP.

To check the campus whitelist, issue this command:


If you have APs that have factory certificates (AP-105, AP-12x, AP-13x), select them from the campus whitelist and update them.





If you have legacy AP like AP-61, which do not have factory certificates, select "approved-ready-for-cert".




After this update, the AP generates the CSR and tries to communicate with the controller.




This can take a while. After generating the CSR successfully, the AP comes up on the controller.




Version history
Revision #:
1 of 1
Last update:
‎07-04-2014 11:23 PM
Labels (1)
Search Airheads
Showing results for 
Search instead for 
Did you mean: