Wireless Access

Hello,

A customer tried installing a new AP and it gets stuck in "approved-ready-for-cert" for some reason. Auto Cert is enabled for all networks

#show control-plane-security

Control Plane Security Profile
------------------------------
Parameter Value
--------- -----
Control Plane Security Enabled
Auto Cert Provisioning Enabled
Auto Cert Allow All Enabled
Auto Cert Allowed Addresses N/A

I tried removing it from the whitelist but it just comes back in the same state.

I tried manually setting state certified-factory-cert but ut ended up in certified-hold-factory-cert

They tried a different switchport and a different AP on the same switchport aswell but it didn't help.

There is a FW between the AP and controller but we have verified that there are no blocks.

show tpm cert-info shows a generated factory certificate that expires in 2032. 

The log is spitting out this error:

Jul 12 09:55:03  stm[3951]: <305049> <WARN> |stm|  Unsecure AP xxxxxxxxxx has been denied access because Control Plane Security is enabled and the AP is not approved.

Anyone got an idea what might be wrong? 

/Johan

---

@JoL wrote:

 

 

They tried a different switchport and a different AP on the same switchport aswell but it didn't help.

 

 

---

Can you elaborate on this point?

Was the test AP able to get certified-factory-cert in the Whitelist?

@BBrylski

They other AP that was tested got the same issue.

Hi Johan,

A few questions.

Which software version?

Which controllers type?

Which AP model?

What is the connection between the controller and the new AP? High latency?

Here is a link about CPSEC: https://www.arubanetworks.com/techdocs/ArubaOS_64x_WebHelp/Web_Help_Index.htm#ArubaFrameStyles/Control_Plane/Whitelists_on_Campus_and_Remote_APs.htm%3FTocPath%3DControl%2520Plane%2520Security%7C_____3

From the link :

NOTE: If an AP is in this state due to connectivity problems, then the AP recovers and leaves this hold state as soon as connectivity is restored.

So check at least for connectivity issues between the controller and the AP.

@mrzero

Which software version?

6.4.4.16

Which controllers type?

7210

Which AP model?

225

What is the connection between the controller and the new AP? High latency?

around 1.4ms from the controller to the AP. There are about 150 APs at the same location and 10 with the same AP-group. 4-5 APs on the same subnet.

I tried manually setting the state certified-factory-cert but it reverts back to certified-hold-factory-cert after a minute or so.

/Johan

Found the problem!

The FW team only checked the FW openings from the AP to the controller.. and it  turned out a recent change in the FW closed UDP 8211 from the controller to the AP.

So APs that were already up and certified worked but a new AP that needed to be certified failed.

Thanks for your help.

/Johan