Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

PAPI Port Confusion

  • 1.  PAPI Port Confusion

    Posted Feb 20, 2020 04:23 AM

    Hi Experts,

    Good Day!

    I am currently preparing for my ACMA exam and would like to clear up some confusion that I have. I know PAPI uses 8211; however, I am not able to find the exact port number used for secure PAPI.

    Also, when would one use normal PAPI and Secure PAPI?

  • 2.  RE: PAPI Port Confusion

    Posted Feb 20, 2020 05:01 AM

    Hello,

    I believe that PAPI and Secure PAPI use the same port, as you mentioned 8211. (Unsure on the port)

    "PAPI Enhanced Security configuration provides protection to Aruba devices, AirWave, and ALE against malicious users sending fake messages that result in security challenges"

    This is done by using a key to authenticate any messages sent. If the key doesn't match then it will be dropped/ignored. Please see the below link I found.

    https://www.arubanetworks.com/techdocs/ArubaOS_84_Web_Help/content/arubaframestyles/papi%20enhanced%20security/config_papi_enhanc_secur_feat.htm

    In my personal opinion - Using Secure PAPI is only necessary when the appropriate network restrictions are not in place and users can access certain VLANs where "approved" Aruba devices sit, i.e. a user being able to access the AP VLAN. If users can access the AP VLAN then I would suggest tightening the security so they can't, and if you are unable to, then enabling PAPI enhanced security.

    Thanks

  • 3.  RE: PAPI Port Confusion

    EMPLOYEE
    Posted Feb 22, 2020 08:52 AM

    Secure PAPI uses udp/8209. Generally speaking, the administrator of the system doesn't have to concern themselves with allowing or permitting these packets, as they are taken care of in the control and sys-control ACLs.

    Secure PAPI will kick in when an AP is operating in CPSec mode or RAP and is generally kept within the IPSec tunnels to/from the AP.