What is the purpose of 2-hour expiry time in Whitelist DB?
Starting with 8.x, a new knob (timer) was added to the control-plane-security whitelist. It gives the network admin time to add the MAC addresses of the APs when Auto-Cert provisioning is disabled.
This timer exists because, when CPSEC is used without Auto-Cert, an entry added to the whitelist-db moves to the "unapproved-no-cert" state if the AP has not connected within 2 hours. If the AP comes up before the 2 hours elapse, the cert state does not change and everything works as expected.
(U-MM1) (Control Plane Security Profile) #timer <timer>
  Timer value to invalidate idle cpsec whitelist-db entry. Please enter value in days:hours:mins:seconds format
(U-MM1) (Control Plane Security Profile) #timer 00:00:00:60
(U-MM1) #show control-plane-security
Control Plane Security Profile
------------------------------
Parameter                         Value
---------                         -----
Control Plane Security            Enabled
Auto Cert Provisioning            Disabled
Auto Cert Allow All               Enabled
timer                             00:00:00:60
Auto Cert Allowed Addresses       N/A
Auto Cert Allowed IPv6 Addresses  N/A
The 2-hour expiry time in the Whitelist DB applies only to AP entries added with certificate type "switch-cert", which is meant for APs without a factory cert (legacy APs), where the AP must contact the controller and download the cert.
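As an added illustration (not from the original article or from the controller), the following Python helper parses the days:hours:mins:seconds timer format and audits a constructed list of whitelist-db entries to flag the switch-cert APs that the idle timer would push to "unapproved-no-cert" before they connect. The entry field names (mac, cert_type, connected, added_at) are assumptions for the example.

```python
from datetime import datetime, timedelta

# Default idle timer described on the page: 2 hours, in days:hours:mins:seconds form.
DEFAULT_TIMER = "00:02:00:00"


def parse_timer(value):
    """Parse the CPSEC profile 'timer' value (days:hours:mins:seconds) into a timedelta."""
    parts = value.split(":")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"timer must be days:hours:mins:seconds, got {value!r}")
    days, hours, mins, secs = (int(p) for p in parts)
    return timedelta(days=days, hours=hours, minutes=mins, seconds=secs)


def expiring_entries(entries, now, timer=DEFAULT_TIMER):
    """Return MACs of whitelist-db entries the idle timer would invalidate.

    Only 'switch-cert' entries whose AP has not yet connected and that were
    added longer ago than the timer are affected; factory-cert entries and
    APs that already came up keep their cert state.
    """
    limit = parse_timer(timer)
    hits = []
    for entry in entries:
        if entry["cert_type"] != "switch-cert" or entry["connected"]:
            continue
        if now - entry["added_at"] >= limit:
            hits.append(entry["mac"])
    return hits


# Constructed sample whitelist-db entries (field names are assumptions).
SAMPLE_NOW = datetime(2024, 1, 1, 12, 0, 0)
SAMPLE_ENTRIES = [
    {"mac": "00:00:00:00:00:01", "cert_type": "switch-cert", "connected": False,
     "added_at": datetime(2024, 1, 1, 9, 0, 0)},   # 3h idle: will expire
    {"mac": "00:00:00:00:00:02", "cert_type": "switch-cert", "connected": False,
     "added_at": datetime(2024, 1, 1, 11, 0, 0)},  # 1h idle: still valid
    {"mac": "00:00:00:00:00:03", "cert_type": "factory-cert", "connected": False,
     "added_at": datetime(2024, 1, 1, 8, 0, 0)},   # timer does not apply
    {"mac": "00:00:00:00:00:04", "cert_type": "switch-cert", "connected": True,
     "added_at": datetime(2024, 1, 1, 8, 0, 0)},   # AP came up in time
]

if __name__ == "__main__":
    print(expiring_entries(SAMPLE_ENTRIES, SAMPLE_NOW))
```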