Why does the AP come up on the controller though its IP address is not part of the Auto-Cert-Allow addresses?


Why does the AP come up on the controller even though its own IP address is not part of the Auto-Cert Allowed Addresses (CPSEC)?



When an IP range is configured in "Auto Cert Allowed Addresses" and auto certificate provisioning is enabled, the controller sends certificates only to APs whose IP address falls within that range.


Issue: when the customer connected the AP from a different IP range, one that is not allowed in "Control plane security - auto-cert allowed addresses", the AP came up with no issues.

show control-plane-security  

Control Plane Security Profile
Parameter                    Value
---------                    -----
Control Plane Security       Enabled
Auto Cert Provisioning       Enabled
Auto Cert Allow All            Disabled
Auto Cert Allowed Addresses -


show ap active  

Active AP Table
Name               Group    IP Address  11g Clients  11g Ch/EIRP/MaxEIRP  11a Clients  11a Ch/EIRP/MaxEIRP   AP Type  Flags  Uptime        Outer IP
----               -----    ----------  -----------  -------------------  -----------  -------------------   -------  -----  ------        --------
6c:f3:7f:c2:f6:98  default  0            AP:HT:1/12/21.5      0            AP:HT:157+/22.5/22.5  135      A2a    1d:6h:9m:50s  N/A


Here the AP (6c:f3:7f:c2:f6:98) is able to come up on the controller with an IP address "" that is not allowed in auto-cert-allowed-addrs.



The actual certificate validation happens against the AP's MAC address in the whitelist-db.

If the AP was ever in the allowed address range, it was provisioned with a certificate and added to the CPSEC whitelist. As long as the AP's MAC address is present in the whitelist-db, the AP is admitted to the controller even if its IP address is later changed to a different range. This is the designed behaviour, so the AP comes up on the controller even when its IP address moves to a range that is not part of "auto-cert allowed addresses". To prevent this, the MAC entry must be removed from the whitelist manually.

Important note:

Once the AP disconnects from the controller or network, its MAC address entry is never removed from the whitelist-db by ageout. APs may be added to and removed from the network frequently, and the admin should not have to deal with this every time. If an AP needs to be removed from the whitelist-db, it must be done manually.
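To make the behaviour concrete, here is a small Python model of the admission logic described above. It is an added illustration, not ArubaOS code; the class name, the two-state whitelist entries and the IP ranges are constructed assumptions, while the AP MAC is the one from the show ap active output. It walks the AP through an in-range first contact, a reconnect from an out-of-range address, and a reconnect after manual removal of its whitelist entry.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class CpsecController:
    """Toy model of the CPSEC admission logic described above (constructed)."""
    auto_cert_provisioning: bool = True
    auto_cert_allow_all: bool = False
    allowed_ranges: list = field(default_factory=list)  # [(first_ip, last_ip), ...]
    whitelist_db: dict = field(default_factory=dict)    # mac -> "up" | "down"

    def _ip_in_allowed_range(self, ip: str) -> bool:
        addr = ipaddress.ip_address(ip)
        return any(ipaddress.ip_address(lo) <= addr <= ipaddress.ip_address(hi)
                   for lo, hi in self.allowed_ranges)

    def ap_connect(self, mac: str, ip: str) -> str:
        """Return "up" if the AP is admitted, "rejected" otherwise."""
        if mac in self.whitelist_db:
            # Validation is against the MAC in whitelist-db; the IP is not re-checked.
            self.whitelist_db[mac] = "up"
            return "up"
        if self.auto_cert_provisioning and (
                self.auto_cert_allow_all or self._ip_in_allowed_range(ip)):
            # First contact from an allowed address: provision a certificate
            # and record the MAC in whitelist-db.
            self.whitelist_db[mac] = "up"
            return "up"
        return "rejected"

    def ap_disconnect(self, mac: str) -> None:
        # No ageout: the entry is only marked down, never deleted.
        if mac in self.whitelist_db:
            self.whitelist_db[mac] = "down"

    def whitelist_del(self, mac: str) -> None:
        """The manual removal the note above calls for."""
        self.whitelist_db.pop(mac, None)


def scenario() -> list:
    """Replay the case from the article; IP addresses are constructed sample values."""
    ctl = CpsecController(allowed_ranges=[("10.1.1.1", "10.1.1.254")])
    mac = "6c:f3:7f:c2:f6:98"  # AP MAC from the show ap active output above
    results = [ctl.ap_connect(mac, "10.1.1.50")]        # in range: provisioned, comes up
    ctl.ap_disconnect(mac)
    results.append(ctl.ap_connect(mac, "192.168.5.7"))  # out of range, MAC whitelisted: up
    ctl.whitelist_del(mac)
    results.append(ctl.ap_connect(mac, "192.168.5.7"))  # after manual removal: rejected
    return results
```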

Version history
Revision #:
2 of 2
Last update:
02-23-2017 01:41 PM