What is the purpose of 2-hour expiry time in Whitelist DB?

Q:

What is the purpose of the 2-hour expiry time in the Whitelist DB?



A:

Starting with 8.x, a new knob has been added to the control-plane-security whitelist that gives the network admin time to add the MAC addresses of the APs when Auto-Cert provisioning is disabled.

This timer was added because, when CPSEC is used without Auto-Cert, entries added to the whitelist-db go to the "unapproved-no-cert" state if the AP has not connected within 2 hours. If the AP comes up before the 2 hours elapse, the cert state does not change and things work fine.

(U-MM1) (Control Plane Security Profile) #timer
<timer> Timer value to invalidate idle cpsec whitelist-db entry. Please enter value in days:hours:mins:seconds format

(U-MM1) (Control Plane Security Profile) #timer 00:00:00:60

(U-MM1) #show control-plane-security

Control Plane Security Profile
------------------------------
Parameter                          Value
---------                          -----
Control Plane Security             Enabled
Auto Cert Provisioning             Disabled
Auto Cert Allow All                Enabled
timer                              00:00:00:60
Auto Cert Allowed Addresses        N/A
Auto Cert Allowed IPv6 Addresses   N/A

The 2-hour expiry time in the Whitelist DB applies only to AP entries added with certificate type "switch-cert", which is meant for APs without a factory cert, where the AP needs to contact the controller and download the cert (legacy APs).
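To make the rule above auditable, here is an added example (not from the article or from the controller software) that parses the timer out of `show control-plane-security` output and lists the switch-cert whitelist entries that have sat unconnected longer than the timer and will therefore drop to "unapproved-no-cert". The show output, the whitelist rows, their MACs and the `has_connected` flag are all constructed for the example; a real whitelist would be read from `show whitelist-db cpsec` or the management API.

```python
import re
from datetime import datetime, timedelta
# Constructed 'show control-plane-security' sample (not captured from a real controller), timer set to the 2-hour value.
SHOW_CPSEC = """\
Control Plane Security Profile
------------------------------
Parameter                          Value
---------                          -----
Control Plane Security             Enabled
Auto Cert Provisioning             Disabled
timer                              00:02:00:00
"""

def parse_timer(value):
    """Turn the days:hours:mins:seconds timer string into a timedelta."""
    m = re.fullmatch(r"(\d+):(\d+):(\d+):(\d+)", value.strip())
    if not m:
        raise ValueError(f"bad timer format: {value!r}")
    d, h, mi, s = (int(x) for x in m.groups())
    return timedelta(days=d, hours=h, minutes=mi, seconds=s)

def cpsec_settings(show_output):
    """Extract the parameters relevant to whitelist expiry from the show output."""
    settings = {}
    for line in show_output.splitlines():
        m = re.match(r"(Control Plane Security|Auto Cert Provisioning|timer)\s{2,}(\S+)$", line)
        if m:
            settings[m.group(1)] = m.group(2)
    return settings

def entries_at_risk(settings, whitelist, now):
    """MACs of switch-cert rows that never connected within the timer and will flip to
    'unapproved-no-cert'. Rows are (mac, cert_type, added_at, has_connected)."""
    if settings.get("Auto Cert Provisioning") != "Disabled":
        return []  # the idle timer only matters when Auto-Cert provisioning is off
    idle_limit = parse_timer(settings["timer"])
    return [mac for mac, cert_type, added_at, has_connected in whitelist
            if cert_type == "switch-cert"      # factory-cert APs are not subject to expiry
            and not has_connected               # connecting in time freezes the cert state
            and now - added_at > idle_limit]

# Constructed whitelist rows (locally administered MACs, not real APs).
NOW = datetime(2019, 9, 3, 17, 0)
WHITELIST = [
    ("02:00:00:00:00:01", "switch-cert", NOW - timedelta(hours=3), False),     # expired
    ("02:00:00:00:00:02", "switch-cert", NOW - timedelta(minutes=30), False),  # still in window
    ("02:00:00:00:00:03", "switch-cert", NOW - timedelta(hours=5), True),      # connected in time
    ("02:00:00:00:00:04", "factory-cert", NOW - timedelta(hours=5), False),    # exempt
]
```

Running `entries_at_risk(cpsec_settings(SHOW_CPSEC), WHITELIST, NOW)` on the constructed rows flags only the first MAC.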

Version history
Revision #: 2 of 2
Last update: 09-03-2019 05:05 PM