Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

Choosing CPSec ?

  • 1.  Choosing CPSec ?

    Posted Aug 15, 2013 02:15 AM

    Hi,

    We are planning to implement bridge mode forwarding on campus APs (various models 65, 125 & 135) on our network with around 350 APs and 3 x 6000 M3 controllers [1 x master, 2 x local] with ArubaOS 6.1.3.7.

    This requires Control Plane Security to be enabled. I was wondering, are there any common known issues with CPSec or any caveats to know about?

    I tried it out in the lab with 2 x 3400 and 2 x AP 65. It took about 10 mins for the APs to obtain certificates, and when swapping the APs onto different network segments they didn't seem to appear back on the controller, even after purging the AP config. Finally I had to disable CPSec and they showed up.

    Thanks


    #AP135
    #3400


  • 2.  RE: Choosing CPSec ?

    EMPLOYEE
    Posted Aug 15, 2013 05:29 AM

    The access points will take almost 10 minutes initially to get the certificate, yes.

    The access points not being able to find the controller after being placed on a different segment needs to be troubleshot as a controller discovery issue.

    If you introduced an AP with CPSEC into a network with a different master, it will have to go through the CPSEC initialization process again and that will take 10 minutes the first time that change happens.


  • 3.  RE: Choosing CPSec ?

    Posted Aug 15, 2013 08:33 AM

    Thanks cjoseph

    Can't see any controller discovery issue. As I said, when you turn off CPSec the APs get discovered OK, and when CPSec is turned on they get certified, but if you swap the APs into a different location the controller can't see them even after waiting more than 10 mins. The APs get an IP address via DHCP and the controller is discovered via DHCP option 43.

    Are you aware of any other features CPSec is useful for other than the forwarding modes bridge and split-tunnel?

    Thanks



  • 4.  RE: Choosing CPSec ?

    EMPLOYEE
    Posted Aug 15, 2013 08:52 AM

    @Aruba-Fan wrote:

    Thanks cjoseph

    Can't see any controller discovery issue. As I said, when you turn off CPSec the APs get discovered OK, and when CPSec is turned on they get certified, but if you swap the APs into a different location the controller can't see them even after waiting more than 10 mins. The APs get an IP address via DHCP and the controller is discovered via DHCP option 43.

    Are you aware of any other features CPSec is useful for other than the forwarding modes bridge and split-tunnel?

    Thanks


    Can you see the traffic coming from the access points into the new controller to explain your issue?

    CPSEC is used for a few other things, but bridging, decrypt-tunnel and multicast optimization are the most they are used for (CPSEC cannot be used for split-tunnel).

    Many organizations do not use CPSEC and they don't have any problems.


  • 5.  RE: Choosing CPSec ?

    Posted Aug 15, 2013 10:53 AM

    Thanks

    Maybe I will get my hands on a 125 or 135 and console into it to see what's happening; I cannot do that with the 65s.

    You said "Many organizations do not use CPSec..." Is that do or do not?

    Thanks



  • 6.  RE: Choosing CPSec ?

    EMPLOYEE
    Posted Aug 15, 2013 10:56 AM

    There are organizations that do not need CPSEC because they do not do anything that requires it.  CPSEC is not mandatory.



  • 7.  RE: Choosing CPSec ?

    Posted Aug 15, 2013 11:03 AM

    We are trying to implement bridge mode, hence we would have to go for CPSec. We have been running without CPSec till now with no issues; I hope it remains the same with CPSec turned on.

    Thanks



  • 8.  RE: Choosing CPSec ?

    Posted Aug 16, 2013 03:51 PM

    We have CPSec running since we are using RAP5s as campus APs and performing bridging on the wired ports, so CPSec was required to be enabled.

    Supposedly CPSec data can be shared among master and locals, so failover from local to master should not require certificate re-installation.

    We run all stand-alone masters so I can't confirm. Master clustering should alleviate this, but it doesn't work in 6.1.x; it should be fixed in 6.2.x, but I have not verified that (running 6.1.3.7 as well).

    I think all 802.11n APs have a built-in cert and can be trusted on the controller, install the switch cert, reboot and come up on another controller. But the older APs (AP70s for me, and I suspect AP65s for you will act similarly) do not have a built-in cert, so they install the cert of the first controller they come up on. This cert will not be trusted by another controller, so if these APs fail over they do not recover automatically.

    You can look for APs stuck in this state with the following command:

    # show whitelist-db cpsec | include hold,unapproved

    If you find any APs in this state, delete them from the whitelist-db; the APs will dump their current cert, reboot and install the cert of the next controller they talk to:

    whitelist-db cpsec del mac-address $mac

    I created a Perl Expect script to walk my controllers periodically and delete any stuck APs; thankfully I think I'm down to only a handful of AP70s left on the network.
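As an added example (not the poster's Perl Expect script and not Aruba's code), the following Python walks captured output of the `show whitelist-db cpsec` command, applies the same `hold,unapproved` filter the post greps for, and emits the matching `whitelist-db cpsec del mac-address` commands as a review list rather than running them. The sample output is constructed for illustration; the real column layout of the command is not shown in the thread and may differ, so only the MAC address and the hold/unapproved state words are relied on.

```python
import re
from typing import List, Tuple

# Constructed sample output, NOT captured from a real controller: only the MAC
# column and the hold/unapproved state words matter to the parser below.
SAMPLE_OUTPUT = """\
AP-Entry Details
----------------
MAC-Address        State                   Cert-Type     Description
-----------        -----                   ---------     -----------
00:0b:86:aa:bb:01  certified-factory-cert  factory-cert  ap135-lobby
00:0b:86:aa:bb:02  certified-switch-cert   switch-cert   ap70-lab
00:0b:86:aa:bb:03  hold-factory-cert       factory-cert  ap65-wing-b
00:0b:86:aa:bb:04  unapproved-no-cert      none          ap70-wing-c
"""

# The two state words the thread's "| include hold,unapproved" filter keys on.
STUCK_MARKERS = ("hold", "unapproved")
MAC_RE = re.compile(r"\b(?:[0-9a-f]{2}:){5}[0-9a-f]{2}\b", re.IGNORECASE)


def find_stuck_aps(show_output: str) -> List[Tuple[str, str]]:
    """Return (mac, state_token) for each whitelist line in a hold/unapproved state.

    Mirrors the CLI include filter: a line qualifies if any token contains one of
    STUCK_MARKERS. Header and separator lines carry no MAC and are skipped.
    """
    stuck = []
    for line in show_output.splitlines():
        mac_match = MAC_RE.search(line)
        if not mac_match:
            continue
        for token in line.split():
            if any(marker in token.lower() for marker in STUCK_MARKERS):
                stuck.append((mac_match.group(0).lower(), token))
                break
    return stuck


def deletion_commands(stuck: List[Tuple[str, str]]) -> List[str]:
    """Build the per-AP delete commands from the post, for an operator to review first."""
    return [f"whitelist-db cpsec del mac-address {mac}" for mac, _state in stuck]


if __name__ == "__main__":
    found = find_stuck_aps(SAMPLE_OUTPUT)
    for mac, state in found:
        print(f"stuck AP {mac} in state {state}")
    print("\n".join(deletion_commands(found)))
```

Deleting an entry forces the AP to discard its certificate and re-enrol, so keep the generated list as something a person approves before it is pasted into a controller session.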