Requirement: How to upgrade AP firmware when the FTP and TFTP protocols are blocked on the customer network for security reasons?
Solution: The solution in this article applies only to APs that are already active on the controller. It does not apply to new APs out of the box, or to APs talking to the controller for the first time, whose MAC addresses are not yet in the CPsec whitelist and authenticated.
If a new AP is not in the controller's whitelist, it will not join the controller until the new image and certificate have been provisioned onto the controller. An AP that has not yet joined the controller and does not have its certificate approved on the controller must communicate with the controller initially using FTP/TFTP.
Once an AP has joined the controller and its certificate is in the CPsec (Control Plane Security) whitelist, all future upgrades from that same controller take place inside the CPsec tunnel. So with CPsec enabled, FTP/TFTP does not need to be allowed on the network, because the CPsec tunnel is used for all further communication.
Configuration: To enable CPsec:
(Aruba-Master) #configure terminal
Enter Configuration commands, one per line. End with CNTL/Z
(Aruba-Master) (config) #control-plane-security
(Aruba-Master) (Control Plane Security Profile) #cpsec-enable
To add an AP to the CPsec whitelist manually:
(Aruba-Master) #configure terminal
Enter Configuration commands, one per line. End with CNTL/Z
(Aruba-Master) (config) #whitelist-db cpsec add mac-address 11:11:11:11:11:11 ap-group test ap-name test-ap description testing-cpsec
To add APs to the CPsec whitelist automatically:
(Aruba-Master) (config) #control-plane-security
(Aruba-Master) (Control Plane Security Profile) #auto-cert-prov
Verification: To verify that CPsec is enabled:
(Aruba-Master) #show control-plane-security

Control Plane Security Profile
------------------------------
Parameter                    Value
---------                    -----
Control Plane Security       Enabled
Auto Cert Provisioning       Enabled
Auto Cert Allow All          Enabled
Auto Cert Allowed Addresses  N/A
To verify that the entry for the AP is in the CPsec whitelist:
(Aruba-Master) #show whitelist-db cpsec
Control-Plane Security Whitelist-entry Details
----------------------------------------------
MAC-Address        AP-Group  AP-Name  Enable   State                    Cert-Type    Description    Revoke Text  Last Updated
-----------        --------  -------  ------   -----                    ---------    -----------    -----------  ------------
11:11:11:11:11:11  test      test-ap  Enabled  approved-ready-for-cert  switch-cert  testing-cpsec               Tue Jun 28 21:57:32 2016
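Before blocking FTP/TFTP it is worth checking that every whitelisted AP is actually Enabled and in an approved state, since any AP that is not will still need FTP/TFTP to reach the controller. The following is an added example, not Aruba code, that parses a captured `show whitelist-db cpsec` table using its dash ruler to locate the columns and reports entries that are not ready; the sample output is constructed from the layout above, and the second entry's state string is assumed.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample of `show whitelist-db cpsec` output, laid out like the
# table in the article. The second entry (22:22:...) is invented to show an
# AP that is whitelisted but not yet approved; its state string is assumed.
SAMPLE_OUTPUT = """\
Control-Plane Security Whitelist-entry Details
----------------------------------------------
MAC-Address        AP-Group  AP-Name  Enable   State                   Cert-Type    Description    Revoke Text  Last Updated
-----------        --------  -------  ------   -----                   ---------    -----------    -----------  ------------
11:11:11:11:11:11  test      test-ap  Enabled  approved-ready-for-cert switch-cert  testing-cpsec               Tue Jun 28 21:57:32 2016
22:22:22:22:22:22  test      new-ap   Enabled  unapproved-no-cert      factory-cert constructed                 Tue Jun 28 22:01:10 2016
"""

# Only approved state shown in the article; extend for other approved states.
APPROVED_STATES = {"approved-ready-for-cert"}


def _column_spans(ruler: str) -> List[Tuple[int, Optional[int]]]:
    """Each dash run in the ruler marks a column start; a column runs until the
    next start, so values wider than their dashes (State) are captured whole."""
    starts = [m.start() for m in re.finditer(r"-+", ruler)]
    return list(zip(starts, starts[1:] + [None]))


def parse_whitelist(output: str) -> List[Dict[str, str]]:
    """Parse the fixed-width whitelist table into one dict per AP entry."""
    lines = output.splitlines()
    # The column ruler is the first line of several dash runs; the title
    # underline above it is a single run and does not match.
    ruler_idx = next(i for i, ln in enumerate(lines)
                     if re.fullmatch(r"-+( +-+)+", ln.rstrip()))
    spans = _column_spans(lines[ruler_idx])
    names = [lines[ruler_idx - 1][s:e].strip() for s, e in spans]
    return [{n: ln[s:e].strip() for n, (s, e) in zip(names, spans)}
            for ln in lines[ruler_idx + 1:] if ln.strip()]


def find_entry(rows: List[Dict[str, str]], mac: str) -> Optional[Dict[str, str]]:
    """Return the whitelist entry for `mac` (case-insensitive), or None."""
    return next((r for r in rows if r["MAC-Address"].lower() == mac.lower()), None)


def not_ready(rows: List[Dict[str, str]]) -> List[str]:
    """MACs of entries that are disabled or not approved: those APs cannot be
    upgraded through the CPsec tunnel and would still need FTP/TFTP."""
    return [r["MAC-Address"] for r in rows
            if r["Enable"] != "Enabled" or r["State"] not in APPROVED_STATES]
```

Feed it the saved output of the show command from your own controller; an empty result from `not_ready` means every whitelisted AP can be upgraded inside the CPsec tunnel.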