Wireless Access

Hello, Airheads.

 

I had imported a list of APs via CSV, which worked great, but the approval status is "No" for all of them.   I can select each one individually to approve, but this will take forever with hundreds of APs.  First big problem is that if I select more than one AP, the "Approve" button greys out, for some reason.  What's worse is that even though I have the drop-down set to show 500 APs at time, it only shows the first 50, so after approving a single AP, the interface goes to the first page full of already-approved APs, so I'm forced to click that drop-down again, go to the next 50, in order to find the next "No" to approve.

 

CLI doesn't look simple either for this, in terms of a bulk approve.  

 

Am I missing a concept?   FYI, CPSec is on, with auto-cert, running 8.4.0.6.

Although I don't like this as a requirement, I did find a CLI command set that I could do in bulk reasonably.  If I did not already have a spreadsheet with the MAC addresses, this would have beem more difficult.  Here's the secret sauce for Excel...

=CONCAT("whitelist-db cpsec modify mac-address ",E2," state approved-ready-for-cert")

...where E2 is where the MAC address is, in 5-colon format.

 

Still, a GUI "select all" and Approve option would be far better.

HOWEVER!  The the APs don't stay approved if the AP has not been installed.  I looked a few hours later and most of my "Approved" Yes column entries had reverted to No.   This even after I updated to 8.5.0.6.

 

The goal, here, is to be able to swap in my new APs without having to log in to approve them as I go.    

Make sure you approved the APs at the “managed network” folder level otherwise it will revert back to No



Thank you

Victor Fabian

Pardon typos sent from Mobile

Thanks Victor and Marcel.

 

So I did this: (ArubaMM-1) [md] #whitelist-db cpsec add mac-address a8:bd:27:c0:10:78 ap-group HS , which I reckon is the managed network level, and still, the approval falls off.

(ArubaMM-1) [mynode] #show whitelist-db cpsec

a8:bd:27:c0:10:78 HS Enabled unapproved-no-cert switch-cert Wed Feb 5 09:37:11 2020

 

And then I have these, too...  unapproved-factory-cert, yet the AP is functioning with clients.

f4:2e:7f:c7:d7:20 DO DO-d720 Enabled unapproved-factory-cert factory-cert Wed Feb 5 09:29:11 2020

 

Gary

Hi Gary,

 

I do a small test in my HomeLAB environment, see attachment the video. In follow the procedure that was my first post on this thread

 

1.  I make two new AP group, just for testing purpose.

2. Check CPSEC is on with auto prov. certificates

3.  I clear two AP-105 to factory defaults and turn them off.

4. Add the whitelist to the /MD folder

5. Boot the AP up

6. Each AP came up in the corresponding AP-Group

7. AP reboot couple off times for certifcate provisioning and firmware upgrades, you see a part of this proces on the end of the video.

 

Works perfect in my test. 

 

I will recommend add one of you new AP to the withlist, connect that AP and see if its working for you. Not just add the whitelist and look for "unaproved". I believe the AP should be approved when you connect it because CPSEC auto prov. is enabled. 

 

Hope this helps  

 

 

Thanks for all the effort, Marcel, this was helpful.  I was starting to realize this in my current live environment as well.   So I think what we're saying here is that the "unapproved" (or GUI approved "no") state is not relevant in this scenario.  I would just suggest to Aruba that the verbiage and Yes->No transition over time is concerning (or I would not have come asking about this).  It seems to me that the approval state should either never appear as Yes just because we did the cpsec add, or it should be Yes permanently, by virtue of the fact that it was manually added, depending on the intended meaning of "approved".  -Gary

Hi Gary,

 

Please note that 8.4.x.x is end-of-support dec 2019.

 

You allready put on CPSEC with auto-deploy certificates, so that is good.

(Disable auto-deploy after your deployment is recommended).

 

I use a script like this:

whitelist-db cpsec add mac-address ##:##:##:##:##:## ap-group APG-01 AP-name AP-02
whitelist-db cpsec add mac-address ##:##:##:##:##:## ap-group APG-01 AP-name AP-02

After connect an AP new from the box it will get a certificate enrolled and automatic places in the right AP-Group thats defined in the script.

 

I work with an Excel sheet and copy past that to Onenote++. If you need a tool to translate a mac-address to a mac-address with delimiter (:) then you can also convert it easy with Onenote++, see attachment the Regular Expression i use for it.

 

Test it, and let known your findings!