Wireless Access

Hi,

From user-guide

Between an AP and the controller:

1 FTP (TCP port 21).

2. TFTP (UDP port 69) 
3. NTP (UDP port 123).
4. SYSLOG (UDP port 514).
5. PAPI (UDP port 8211).
6. GRE (protocol 47).

what ports to be opened from controller subnet to the AP subnet?

If CPSEC is enabled, NAT-T port UDP 4500 has to be open on either direction, between AP and controller, right?

would all the above 6 traffic flows, gets inside the ipsec, when CPSEC is enabled? i can just allow the NAT-T port udp 4500 alone on the firewall bidirectional between AP and controller?

Regards,

** Read Giles Post - He fixed my answer - With the right answer and the current info **

The port list staying the same for RemoteAP or CampusAP:

Between Campus AP (GRE) and LMS Controller
1.
FTP (tcp/20 and tcp/21)
2.
TFTP (udp 69) – (for AP-52; for all other AP’s, if there is no local image on the AP, e.g. a brand new AP, the
AP will use TFTP to retrieve initial image)
3.
NTP (udp/123)
4.
SYSLOG (udp/514)
5.
PAPI (udp/8211)
6.
GRE (protocol 47)
Between Remote AP (IPSec) and Controller
1.
NAT-T (udp/4500)
2.
TFTP (UDP/69) - note: Not needed for normal operation. If the RAP looses the local image for whatever
reason, TFTP is used to download the latest image.

BTW:

Thanks Giles. :smileywink: ( A day that you dont learn something new - it's a wasted day)

Asa,

I know how this stuff works and you really confused me!

"When CPSEC enabled - each whitelisted or allowed AP get certiface from the controller itself."

This is not true, all 'new' AP's have a TPM module which stores a factory certificate, so it does not need to get a certificate from the controller, old AP's which don't support TPM modules can be downloaded from the controller.

The idea behind CPsec - Control Plane security is to protect the control plane so that we can support bridge mode PSK etc.

i.e. when we send a key to the AP we don't send it in clear text but inside IPSec to the AP.

So the only thing which is inside CPSec (which is IPSec or NAT-T - UDP 4500) is our propitiatory protocol PAPI (UDP port 8211).

I would leave the ports listed open if possible as any new AP coming up will have to use these before it can become a CPSec AP.

We have a stateful firewall and find that the list you have is correct for AP to Controller, and the stateful firewall allows responses.

From the controller to the AP you'll need 8211 open.

The GRE tunnel we pass in both direction stateless to reduce overhead.

--Matthew

Thank you all. I got the idea. 

Stateful firewall, does open the reverse traffic from controller to AP automatically, for the communication initiated from AP to the controller.

So the user guide is wrong, it has to add a new entry on the bullet point list with IPSEC (ESP -  ip 50)?

The user guide entry here:  http://www.arubanetworks.com/techdocs/ArubaOS_65x_WebHelp/Web_Help_Index.htm#ArubaFrameStyles/Firewall_Port_Info/Communication_Between__D.htm has the correct information.