What is control plane security? How does one configure/verify it?

Aruba Employee

Applies to ArubaOS 5.x and above.


 IPsec secures control plane traffic between a campus AP (CAP) and its controller using public-key self-signed certificates created by each master controller.

 Non-legacy APs have factory-installed certificates for IPsec and do not need a certificate from the controller.

 When the controller sends an AP a certificate, that AP must reboot before it can connect to its controller over a secure channel.





  auto-cert-allowed-addrs <ipaddress-start> <ipaddress-end>
  {no cpsec-enable}|cpsec-enable

(host)(config) # control-plane-security
no auto-cert-allow-all



 Controllers using control plane security will only send certificates to APs that have been identified as valid APs on the network. For closer control over each AP that gets certified, you can manually add individual campus APs to the campus AP whitelist.
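An added example (not part of the original article and not Aruba code) that audits a saved configuration for the control-plane-security settings shown above and checks whether an AP address falls inside an `auto-cert-allowed-addrs` range. The sample stanza, its layout and the function names are assumptions made for this example.

```python
import ipaddress

# Constructed sample, not taken from a real controller. The stanza layout
# (indented sub-commands, "!" terminator) is an assumption of this example.
SAMPLE_CONFIG = """\
control-plane-security
  no auto-cert-allow-all
  auto-cert-allowed-addrs 10.1.10.20 10.1.10.60
  cpsec-enable
!
"""

def parse_cpsec(config_text):
    """Collect the control-plane-security settings present in the text.
    A setting that never appears stays None (no default is assumed)."""
    state = {"cpsec_enable": None, "auto_cert_allow_all": None, "ranges": []}
    in_stanza = False
    for raw in config_text.splitlines():
        words = raw.split()
        if words == ["control-plane-security"]:
            in_stanza = True
            continue
        if not in_stanza or not words:
            continue
        if not raw[0].isspace():          # "!" or the next top-level command
            in_stanza = False
            continue
        negated = words[0] == "no"
        if negated:
            words = words[1:]
        if words == ["cpsec-enable"]:
            state["cpsec_enable"] = not negated
        elif words == ["auto-cert-allow-all"]:
            state["auto_cert_allow_all"] = not negated
        elif len(words) == 3 and words[0] == "auto-cert-allowed-addrs" and not negated:
            start, end = (ipaddress.ip_address(w) for w in words[1:])
            if start > end:
                raise ValueError(f"reversed range: {raw.strip()}")
            state["ranges"].append((start, end))
    return state

def audit(state):
    """Return findings for settings that weaken certificate distribution."""
    findings = []
    if state["cpsec_enable"] is False:
        findings.append("cpsec disabled: AP-controller control traffic is not secured by IPsec")
    if state["auto_cert_allow_all"] is True:
        findings.append("auto-cert-allow-all: certificates are not limited to an address range")
    return findings

def ap_in_allowed_range(state, ap_ip):
    """True if ap_ip lies inside a configured auto-cert-allowed-addrs range."""
    ip = ipaddress.ip_address(ap_ip)
    return any(lo <= ip <= hi for lo, hi in state["ranges"])
```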




 Campus APs appear as valid APs in the campus AP whitelist when you manually enter their information into the whitelist.




 Any APs not approved or certified on the network will also be included in the campus AP whitelist, but these APs will appear in an unapproved state.




Commands used to check the whitelist DB and CPSEC status

rtaImage (1).png





Last update: 06-26-2014 02:50 PM

The AOS 6.x Master controller has a built-in factory certificate. Does the AOS8 Mobility master also have a factory certificate built in? Is it necessary to import a certificate issued by an internal CA in the case of opening CPSEC in AOS8?