Hello,
We have a load of AP-65s and AP-105s which were deployed as username/password/IKEPSK RAPs -- we're really in a campus environment, but it dates back to ArubaOS 3.x days (which was the version we first installed with) and we wanted to be able to bridge VLANs out at the access point (which didn't become available on CAPs until ArubaOS 5.x). We have a little over 1,000 of these and getting physical access to them is difficult - we also don't control the switches to which they're attached, so it needs to be done remotely. Also, the range of addresses they're on means I can't whitelist them for auto-cert provisioning and I don't fancy opening things up everywhere.
I'd like to convert these to cert-based CAPs for consistency with our newer APs and also so we can rescind individual APs if they become stolen or lost. Obviously, the AP-65s need a switch certificate whereas the AP-105s can use a factory certificate.
I can't find any official procedure in the manual or otherwise to do this conversion. Given that there are so many to do, clearly I need a reliable process I can execute en masse (i.e. from the command line rather than the controller GUI [we don't have AirWave, if that would do it]).
What I've tried is the following (for example on an AP-105):
1. Add the AP to the whitelist and set it to a factory cert:
# whitelist-db cpsec add mac-address 00:24:6c:c2:ed:55
# whitelist-db cpsec modify mac-address 00:24:6c:c2:ed:55 cert-type factory-cert
(on an AP-65, I wouldn't do the second step as the default of switch-cert is fine)
2. Reprovision the AP to remove the RAP parameters and just re-confirm the controller address (some weren't provisioned with this set fully):
# configure terminal
(...) # provision-ap
(...) # read-bootinfo wired-mac 00:24:6c:c2:ed:55
(...) # master aruba-master.net.cam.ac.uk
(...) # no pap-user
(...) # no pap-passwd
(...) # no ikepsk
(...) # no remote-ap
(...) # reprovision wired-mac 00:24:6c:c2:ed:55
Both of these are something I can easily script to generate big config files.
This mostly seems to work although in my tests, I occasionally (perhaps 1 in 10) see an AP get "stuck" and fail to come back up. I'm not sure exactly what state it's in, but getting to the console, purging the boot variables, clearing the AP from the database and whitelist and booting it up as a fresh AP for auto-cert provisioning fixes it.
I don't know what causes this - if I'm doing something wrong (perhaps I have to wait until the cert whitelist syncs to the local controller before reprovisioning) or there's a fault with the AP - but I don't want this to happen on a wide scale!
Am I doing this right, or is there a better way?
Thanks.
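The two steps described in the post, as an added Python generator (not from the post, Aruba or the controller): it takes a constructed inventory of MAC/model pairs, normalizes the MACs, and emits the whitelist commands and the reprovision commands as two separate lists so that the whitelist batch can be applied and left to sync before the reprovision batch is pushed. The INVENTORY rows other than the post's own MAC and the model-to-cert mapping are assumptions, and it is assumed that the provision-ap mode from the post can have read-bootinfo/reprovision repeated per AP within one session.

```python
import re

# Constructed inventory of (MAC as found in our records, AP model).
INVENTORY = [
    ("00:24:6c:c2:ed:55", "AP-105"),  # MAC from the post
    ("00-1A-1E-AA-BB-CC", "AP-65"),   # constructed: dash-separated, upper case
    ("001a1eddeeff", "AP-65"),        # constructed: no separators
]
MASTER = "aruba-master.net.cam.ac.uk"  # master controller name from the post

# Models that can use a factory certificate (assumption based on the post);
# anything else keeps the whitelist default of switch-cert, so no 'modify'
# line is emitted for it.
FACTORY_CERT_MODELS = {"AP-105"}
KNOWN_MODELS = {"AP-65", "AP-105"}


def normalize_mac(raw):
    """Return a MAC as aa:bb:cc:dd:ee:ff; reject anything not 12 hex digits."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", raw).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {raw!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def whitelist_stage(inventory):
    """Stage 1: add every AP to the CPsec whitelist; factory-cert models also get a cert-type change."""
    lines = []
    for raw_mac, model in inventory:
        if model not in KNOWN_MODELS:
            raise ValueError(f"unknown model {model!r} for {raw_mac}")
        mac = normalize_mac(raw_mac)
        lines.append(f"whitelist-db cpsec add mac-address {mac}")
        if model in FACTORY_CERT_MODELS:
            lines.append(f"whitelist-db cpsec modify mac-address {mac} cert-type factory-cert")
    return lines


def reprovision_stage(inventory, master=MASTER):
    """Stage 2: strip the RAP parameters and re-confirm the master for each AP."""
    lines = ["configure terminal", "provision-ap"]
    for raw_mac, _ in inventory:
        mac = normalize_mac(raw_mac)
        lines += [
            f"read-bootinfo wired-mac {mac}",
            f"master {master}",
            "no pap-user", "no pap-passwd", "no ikepsk", "no remote-ap",
            f"reprovision wired-mac {mac}",
        ]
    return lines
```

Write each list out with `"\n".join(...)` to its own config file and apply the whitelist file first; the reprovision file can then be held back until the whitelist has synced to the local controllers.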