Dell 6.2 Server User Manual


 
Configuring Control Plane Security after Upgrading
When you initially deploy a controller running ArubaOS 6.0 or later, create your initial control plane security
configuration using the initial setup wizard. However, if you are upgrading to ArubaOS 6.0 or if you are upgrading
from ArubaOS 5.0 but did not yet have control plane security enabled before the upgrade, then you can use the
strategies described in Table 23 to enable and configure the control plane security feature.
NOTE: If you upgrade a controller running ArubaOS 5.0.x to ArubaOS 6.0 or later, then the controller’s control plane security settings
do not change after the upgrade. If control plane security was already enabled, then it remains enabled after the upgrade. If it was
not enabled previously, but you wish to use the feature after upgrading, then it must be manually enabled.
Table 23: Control Plane Security Upgrade Strategies

Automatically send Certificates to Campus APs
1. Access the control plane security window and enable both the control plane security feature and the auto
certificate provisioning option. Next, specify whether you want all associated campus APs to automatically
receive a certificate, or if you want to certify only those APs within a defined range of IP addresses.
2. Once all APs have received their certificates, disable auto certificate provisioning to prevent certificates
from being issued to any rogue APs that may appear on your network at a later time.
3. If a valid AP did not receive a certificate during the initial certificate distribution, you can manually
certify the AP by adding that AP’s MAC address to the campus AP whitelist. You can also use this whitelist to
revoke certificates from APs that should not be allowed access to the secure network.

Manually Certify Campus APs
1. Identify the campus APs that should receive certificates by entering the campus APs’ MAC addresses in the
campus AP whitelist.
2. If your network includes both master and local Dell controllers, wait a few minutes, then verify that the
campus AP whitelist has been propagated to all other Dell controllers on the network. Access the WebUI of the
master controller, navigate to Configuration > Controller > Control Plane Security, then verify that the Current
Sequence Number field has the same value as the Sequence Number entry for each local controller in the local
switch whitelist. (For details, see "Verifying Whitelist Synchronization" on page 98.)
3. Enable the control plane security feature.
NOTE: If you upgraded your controller from ArubaOS 5.0 or earlier and you want to use this feature for the first time, you must either
add all valid APs to the campus AP whitelist or enable automatic certificate provisioning before you enable the feature. If you do not
enable automatic certificate provisioning, only the APs currently approved in the campus AP whitelist are allowed to communicate
with the controller over a secure channel. Any APs that do not receive a certificate are not able to communicate with the
controller except to request a certificate.
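
A pre-enable check for the strategies in Table 23, written as an added example (not Dell or Aruba code): it compares a list of valid AP MAC addresses against values transcribed by hand from the campus AP whitelist and the sequence number fields. The function names, finding labels and input layout are assumptions, and the sample data is constructed.

```python
import re

# The two whitelist states this page says may need a manual status change.
HOLD_STATES = {"certified-hold-factory-cert", "certified-hold-switch-cert"}

def norm_mac(mac):
    """Normalize aa:bb:.., AA-BB-.. or aabb.ccdd.eeff to lowercase colon form."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def preflight(inventory, whitelist, master_seq, local_seqs, auto_cert):
    """Return (finding, subject) pairs to resolve before enabling the feature.

    inventory  : MACs of APs known to be valid (your own asset list)
    whitelist  : {mac: state} transcribed from the campus AP whitelist
    master_seq : Current Sequence Number shown on the master controller
    local_seqs : {local controller: Sequence Number in the local switch whitelist}
    auto_cert  : True if auto certificate provisioning is enabled
    """
    valid = {norm_mac(m) for m in inventory}
    listed = {norm_mac(m): s for m, s in whitelist.items()}
    findings = []
    if not auto_cert:  # without auto provisioning, unlisted valid APs get no certificate
        findings += [("locked-out", m) for m in sorted(valid - set(listed))]
    # Whitelist entries that are missing from the asset list deserve a second look.
    findings += [("unknown-ap", m) for m in sorted(set(listed) - valid)]
    findings += [("hold-state", m) for m, s in sorted(listed.items()) if s in HOLD_STATES]
    findings += [("whitelist-not-synced", n) for n, q in sorted(local_seqs.items()) if q != master_seq]
    return findings

# Constructed sample data (hypothetical layout; "(other)" is a placeholder state).
SAMPLE_INVENTORY = ["00:1A:1E:00:00:01", "001a.1e00.0002", "00-1A-1E-00-00-03"]
SAMPLE_WHITELIST = {
    "00:1a:1e:00:00:01": "(other)",
    "00:1a:1e:00:00:02": "certified-hold-factory-cert",
    "00:1a:1e:00:00:99": "(other)",
}
SAMPLE_LOCAL_SEQS = {"local-1": 7, "local-2": 5}

if __name__ == "__main__":
    for kind, subject in preflight(SAMPLE_INVENTORY, SAMPLE_WHITELIST, 7,
                                   SAMPLE_LOCAL_SEQS, auto_cert=False):
        print(f"{kind:22} {subject}")
```

An empty result means every valid AP is covered and every local controller reports the master's sequence number.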
Troubleshooting Control Plane Security
Identifying Certificate Problems
If an AP has a problem with its certificate, check the state of the AP in the campus AP whitelist. If the AP is in
either the certified-hold-factory-cert or certified-hold-switch-cert states, you may need to manually change the status
of that AP before it can be certified.
• certified-hold-factory-cert: An AP is put in this state when the controller thinks the AP has been certified with a
factory certificate yet the AP requests to be certified again. Since this is not a normal condition, the AP is not
Dell PowerConnect W-Series ArubaOS 6.2 | User Guide    Control Plane Security | 97