Dell 6.2 Server User Manual
Dell PowerConnect W-Series ArubaOS 6.2 | User Guide    Control Plane Security | 79
Chapter 5
Control Plane Security
ArubaOS supports secure IPsec communications between a controller and campus or remote APs using public-key
self-signed certificates created by each master controller. The controller certifies its APs by issuing them certificates.
If the master controller has any associated local Dell controllers, the master controller sends a certificate to each local
controller, which in turn sends certificates to their own associated APs. If a local controller is unable to contact the
master controller to obtain its own certificate, it is not able to certify its APs, and those APs cannot
communicate with their local controller until master-local communication has been reestablished. You create an
initial control plane security configuration when you first configure the controller using the initial setup wizard. The
ArubaOS initial setup wizard enables control plane security by default, so it is very important that the local controller
is able to communicate with its master controller when it is first provisioned.
Some AP model types have factory-installed digital certificates. These AP models use their factory-installed
certificates for IPsec, and do not need a certificate from the controller. Once a campus or remote AP is certified,
either through a factory-installed certificate or a certificate from the controller, the AP can failover between local
Dell controllers and still stay connected to the secure network, because each AP has the same master controller as a
common trust anchor.
Starting with ArubaOS 6.2, the controller maintains two separate AP whitelists: one for campus APs and one for
remote APs. These whitelists contain records of all campus APs or remote APs connected to the network. You can
use a campus or remote AP whitelist at any time to add a new valid campus or remote AP to the secure network, or revoke
network access to any suspected rogue or unauthorized AP.
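The trust hierarchy and whitelist behaviour described in the preceding paragraphs, as an added example that is not part of the Dell/Aruba manual: a master controller self-signs its trust anchor, certifies local controllers, which in turn certify APs; a controller admits an AP only if the AP is whitelisted and its chain ends at that controller's own anchor, which is why an AP certified by one local controller can fail over to another. The certificate layout, node names and the third-party "cryptography" package (Ed25519) are assumptions standing in for ArubaOS's real IPsec certificates.

```python
from dataclasses import dataclass
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives.asymmetric.ed25519 import Ed25519PrivateKey, Ed25519PublicKey
from cryptography.hazmat.primitives.serialization import Encoding, PublicFormat

@dataclass(frozen=True)
class Cert:  # constructed stand-in for the controller-issued certificate
    subject: str
    pubkey: bytes     # raw Ed25519 public key of the subject
    issuer: str
    signature: bytes  # issuer's signature over tbs(subject, pubkey)
def tbs(subject: str, pubkey: bytes) -> bytes:  # the "to be signed" bytes of a certificate
    return subject.encode() + pubkey
class Node:  # master controller, local controller, or AP (constructed stand-in)
    def __init__(self, name: str):
        self.name, self.key, self.chain = name, Ed25519PrivateKey.generate(), []
        self.pub = self.key.public_key().public_bytes(Encoding.Raw, PublicFormat.Raw)
    def self_sign(self) -> None:  # the master creates the shared trust anchor
        self.chain = [Cert(self.name, self.pub, self.name, self.key.sign(tbs(self.name, self.pub)))]
    def certify(self, subject: "Node") -> bool:
        if not self.chain:  # a local that never reached the master cannot certify its APs
            return False
        sig = self.key.sign(tbs(subject.name, subject.pub))
        subject.chain = [Cert(subject.name, subject.pub, self.name, sig)] + self.chain
        return True

def verify_chain(chain: list, anchor: bytes) -> bool:
    # Each cert must be signed by the next one up; the root must be the trust anchor itself.
    if not chain or chain[-1].pubkey != anchor or chain[-1].issuer != chain[-1].subject:
        return False
    try:
        for cert, issuer in zip(chain, chain[1:] + chain[-1:]):  # the root checks itself
            Ed25519PublicKey.from_public_bytes(issuer.pubkey).verify(cert.signature, tbs(cert.subject, cert.pubkey))
    except InvalidSignature:
        return False
    return True

def ap_accepted(ap: Node, controller: Node, whitelist: set) -> bool:  # whitelisted and chained to our anchor
    return bool(controller.chain) and ap.name in whitelist and verify_chain(ap.chain, controller.chain[-1].pubkey)

def scenario() -> dict:
    master, a, b, orphan = Node("master"), Node("local-a"), Node("local-b"), Node("local-c")
    master.self_sign(); master.certify(a); master.certify(b)  # orphan never reaches the master
    ap, rogue, ap2 = Node("ap1"), Node("rogue-master"), Node("ap2")
    a.certify(ap); rogue.self_sign(); rogue.certify(ap2)
    return {"join_home": ap_accepted(ap, a, {"ap1"}),      # certified by its own local
            "failover": ap_accepted(ap, b, {"ap1"}),       # other local, same anchor
            "revoked": ap_accepted(ap, b, set()),          # dropped from the whitelist
            "rogue_anchor": ap_accepted(ap2, a, {"ap2"}),  # chains to a different master
            "orphan_cannot_certify": not orphan.certify(Node("ap3"))}
```

Run `scenario()` to see the five outcomes; only the AP certified under the same master, and still on the whitelist, is admitted by either local controller.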
NOTE: The control plane security feature supports IPv4 campus and remote APs only. Do not enable control plane security on a
controller that terminates IPv6 APs.
When the controller sends an AP a certificate, that AP must reboot before it can connect to its controller over a
secure channel. If you are enabling control plane security for the first time on a large network, you may experience
several minutes of interrupted connectivity while each AP receives its certificate and establishes its secure
connection.
Topics in this chapter include:
• "Control Plane Security Overview" on page 80
• "Configuring Control Plane Security" on page 80
• "Managing Whitelists on Master and Local Controllers" on page 87
• "Working in Environments with Multiple Master Controllers" on page 90
• "Replacing a Controller on a Multi-Controller Network" on page 93
• "Configuring Control Plane Security after Upgrading" on page 97
• "Troubleshooting Control Plane Security" on page 97