When is CPsec required/mandatory?
09-25-2017 04:47 PM - edited 09-26-2017 04:11 PM
By default, CPsec is enabled. It's quite common that this feature is turned off. However, if there is any SSID using bridge mode or decrypt tunnel mode, then it must be enabled.
This is a controller-wide feature, so it cannot be enabled for some APs while disabled for others.
Re: When is CPsec required?
09-26-2017 08:05 AM
I would personally vote to never turn off CPSec, unless you really understand the risks that you open up and you only use a secured network between the APs and controllers.
For some long-term Aruba engineers, it has become standard procedure to turn off CPSec as one of the first things they do when they touch a controller. This probably originates from the early days of CPSec when it had issues, or they learned from someone who had early experience with CPSec.
As with many security features, there will be a day when you need to turn them on again, and that is a disruptive and risky step in a live network. I personally have not found a deployment where CPSec had to be switched off. You'd better try a bit harder to make it work with security enabled, which is really not hard in the case of CPSec.
If you don't have time to fully understand CPSec, turn on the auto cert provisioning feature instead of disabling the whole feature:
Or from the CLI:
control-plane-security
  auto-cert-allow-all
  auto-cert-prov
!
With that feature on, the behavior is very similar: all APs will connect to the controller, but the connection will be secured and authenticated with the AP's TPM certificate. It is true that the AP will go through another reboot, so a little more patience may be needed before your first AP shows up.
When all APs are deployed, it may make sense to disable Auto Cert provisioning again and manually whitelist APs when they are added to the network. By that time, read into the feature ;-)
If you have urgent issues, please contact your Aruba partner or Aruba TAC.
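The two-phase rollout described in the reply above, written out as an added ArubaOS CLI example (these are not the poster's own commands). Phase 1 enables CPsec with automatic certificate provisioning for any AP that shows up; phase 2, once every AP has joined, switches auto-provisioning off again so that each new AP has to be whitelisted explicitly. Lines starting with "#" are my annotations, not CLI input. The AP MAC address and description are constructed for illustration, and the `whitelist-db cpsec add` syntax is as I remember it from ArubaOS 6.x; check it against the `?` help on your release before pasting.

```text
# Phase 1: bring CPsec up with auto cert provisioning (config mode)
configure terminal
control-plane-security
  cpsec-enable
  auto-cert-allow-all
  auto-cert-prov
!
write memory
# The APs reboot and come back over a certificate-authenticated tunnel;
# watch them appear here before moving on
show control-plane-security
show whitelist-db cpsec

# Phase 2: the last AP has joined, so close the open door again
configure terminal
control-plane-security
  no auto-cert-allow-all
  no auto-cert-prov
!
write memory
# From now on every additional AP is added by hand (constructed MAC address)
whitelist-db cpsec add mac-address 00:0b:86:aa:bb:cc description "Bldg-2 floor-3 AP"
show whitelist-db cpsec
```

Keep phase 1 only for as long as the rollout takes: while `auto-cert-allow-all` is on, any device that can reach the controller's CPsec port and present an AP certificate gets a control-plane tunnel, which is exactly the exposure the manual whitelist in phase 2 removes.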
Re: When is CPsec required/mandatory?
09-27-2017 04:59 AM