Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

Procedure for converting a username/password/IKEPSK RAP to cert-based CAP?

  • 1.  Procedure for converting a username/password/IKEPSK RAP to cert-based CAP?

    Posted Sep 25, 2013 07:07 AM

    Hello,

    We have a load of AP-65s and AP-105s which were deployed as username/password/IKEPSK RAPs -- we're really in a campus environment, but it dates back to ArubaOS 3.x days (which was the version we first installed with) and to wanting to be able to bridge VLANs out at the access point (which didn't become available on CAPs until ArubaOS 5.x).  We have a little over 1,000 of these and getting physical access to them is difficult - we also don't control the switches to which they're attached, so it needs to be done remotely.  Also, the range of addresses they're on means I can't whitelist them for auto-cert provisioning and I don't fancy opening things up everywhere.

    I'd like to convert these to cert-based CAPs for consistency with our newer APs and also so we can rescind individual APs if they become stolen or lost.  Obviously, the AP-65s need a switch certificate whereas the AP-105s can use a factory certificate.

    I can't find any official procedure in the manual or otherwise to do this conversion.  Given that there are so many to do, clearly I need a reliable process I can execute en masse (i.e. from the command line rather than the controller GUI [we don't have AirWave, if that would do it]).

    What I've tried is the following (for example on an AP-105):

    1.  Add the AP to the whitelist and set it to a factory cert:

    # whitelist-db cpsec add mac-address 00:24:6c:c2:ed:55
    # whitelist-db cpsec modify mac-address 00:24:6c:c2:ed:55 cert-type factory-cert

    (on an AP-65, I wouldn't do the second step as the default of switch-cert is fine)

    2.  Reprovision the AP to remove the RAP parameters and just re-confirm the controller address (some weren't provisioned with this set fully):

    # configure terminal
    (...) # provision-ap
    (...) read-bootinfo wired-mac 00:24:6c:c2:ed:55
    (...) master aruba-master.net.cam.ac.uk
    (...) no pap-user
    (...) no pap-passwd
    (...) no ikepsk
    (...) no remote-ap
    (...) reprovision wired-mac 00:24:6c:c2:ed:55

    Both of these are something I can easily script to generate big config files.

    This mostly seems to work although in my tests, I occasionally (perhaps 1 in 10) see an AP get "stuck" and fail to come back up.  I'm not sure exactly what state it's in, but getting to the console, purging the boot variables, clearing the AP from the database and whitelist and booting it up as a fresh AP for auto-cert provisioning fixes it.

    I don't know what causes this - if I'm doing something wrong (perhaps I have to wait until the cert whitelist syncs to the local controller before reprovisioning) or there's a fault with the AP - but I don't want this to happen on a wide scale!

    Am I doing this right, or is there a better way?

    Thanks.

  • 2.  RE: Procedure for converting a username/password/IKEPSK RAP to cert-based CAP?
    Best Answer

    EMPLOYEE
    Posted Sep 30, 2013 10:58 AM

    Bob Franklin,

    Unfortunately you would have to do this the way you are doing, because converting a RAP to a cert-based CAP is not something that is done often.  That means there is no workflow for it.  If you have difficulty with access points coming up, please open a support case so that they can check your steps.

  • 3.  RE: Procedure for converting a username/password/IKEPSK RAP to cert-based CAP?

    Posted Sep 30, 2013 12:49 PM

    Thanks - I wanted to check there wasn't a better way to do this, so at least I'm doing it the "official" way.

    Actually, since I posted the question I've tried converting some more APs and have done about 300 now, using the above procedure, and it's all worked OK, save two gotchas:

    1.  The thing which seems to be most important is the whitelist having synced across the controllers - if the AP comes up in CAP mode without the whitelist entry correct, things can get jammed in the "unapproved" state (which can happen with the AP-105s as you have to modify the existing entry after creating it: the new entry gets created fine but the type change to factory- from switch-cert can take a few minutes).  Manually adjusting the state of the entry and waiting for the AP to restart seems to be OK, so far.

    => I solve this by loading the whitelist entries and waiting 5-6 minutes for things to sync, before reprovisioning the APs.

    2.  I did get a batch fail because they were behind a firewall in a department - this worked fine in RAP mode but didn't like the CAP mode control traffic and the APs didn't come back up.  We predicted this problem and published guidance, but that doesn't stop it being missed: http://www.ucs.cam.ac.uk/network/other/lapwing-networking#management-local

    => Once they'd been shifted to a network without the firewall, I just changed the state from unapproved and they came up in 15 or so minutes.

    Anyway - I think we're all good now and I'll gradually convert the rest.  Thanks for your help.
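    The two CLI steps from the first post and the "wait for the whitelist to sync" gotcha from post 3, turned into a generator for the bulk config files the poster mentions. This is an added example, not code from the thread or from HPE Aruba: the inventory is constructed (the first MAC and the master hostname are the ones quoted in the thread, the second MAC is made up), and it assumes the posted one-AP provision-ap sequence can simply be repeated per AP in one session.

```python
import re

# Constructed inventory of (wired MAC, model). The first MAC and the master
# hostname are from the thread; the second MAC is made up for illustration.
INVENTORY = [("00:24:6c:c2:ed:55", "AP-105"), ("00-0B-86-C1-2A-10", "AP-65")]
MASTER = "aruba-master.net.cam.ac.uk"
MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$")

def normalise_mac(mac):
    """Accept 00-0B-86-... or 00:0b:86:... and return the lower-case colon form."""
    mac = mac.strip().lower().replace("-", ":")
    if not MAC_RE.match(mac):
        raise ValueError(f"bad wired MAC: {mac!r}")
    return mac

def whitelist_batch(inventory):
    """Batch 1 (thread step 1): CPsec whitelist entries. AP-105 gets factory-cert,
    AP-65 keeps the default switch-cert; other models are rejected, not guessed."""
    lines = []
    for mac, model in inventory:
        mac = normalise_mac(mac)
        lines.append(f"whitelist-db cpsec add mac-address {mac}")
        if model == "AP-105":
            lines.append(f"whitelist-db cpsec modify mac-address {mac} cert-type factory-cert")
        elif model != "AP-65":
            raise ValueError(f"no cert-type rule for model {model!r}")
    return lines

def reprovision_batch(inventory, master):
    """Batch 2 (thread step 2): drop the RAP credentials and reprovision. Apply only
    after batch 1 has synced to the local controllers (the thread waits 5-6 minutes),
    or the AP can come up in CAP mode with a wrong entry and jam in 'unapproved'."""
    lines = ["configure terminal"]
    for mac, _ in inventory:
        mac = normalise_mac(mac)
        lines += ["provision-ap", f"read-bootinfo wired-mac {mac}", f"master {master}",
                  "no pap-user", "no pap-passwd", "no ikepsk", "no remote-ap",
                  f"reprovision wired-mac {mac}"]
    return lines

def write_batches(inventory, master, prefix="rap2cap"):
    """Two separate files so the batches cannot be pasted to the controller as one."""
    for name, lines in (("1-whitelist", whitelist_batch(inventory)),
                        ("2-reprovision", reprovision_batch(inventory, master))):
        with open(f"{prefix}-{name}.txt", "w") as f:
            f.write("\n".join(lines) + "\n")

if __name__ == "__main__":
    write_batches(INVENTORY, MASTER)
```

    Load the whitelist file first, wait for the sync, then load the reprovision file; an AP whose model is not in the rule table stops the run instead of silently getting the wrong cert type.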



  • 4.  RE: Procedure for converting a username/password/IKEPSK RAP to cert-based CAP?

    EMPLOYEE
    Posted Sep 30, 2013 12:51 PM
    Bob Franklin,

    Thank you so much for the gotchas!


  • 5.  RE: Procedure for converting a username/password/IKEPSK RAP to cert-based CAP?

    Posted Nov 08, 2013 09:15 AM

    One other thing to add which I've noticed over the last few days that doesn't appear to be documented: when an AP is set to state "approved-ready-for-cert", this seems to expire after a few hours and reverts to "unapproved-factory-cert".  I'm not sure how long this takes but it's certainly less than a day.

    This has caused a few issues with manually provisioning APs onto the system (including converting IAPs to CAPs) where I'm liaising with a remote member of staff: we have to make sure the two are done within a short while of each other.