Managing AP Whitelists

Campus and Remote APs appear as valid APs in the campus and Remote AP whitelists when you manually enter their information into the whitelists via the controller’s CLI or WebUI, or after the controller sends the AP a certificate via automatic certificate provisioning and the AP connects to its controller via a secure tunnel. Any APs not approved or certified on the network are also included in the whitelists, but these APs appear in an unapproved state.

Use the whitelists to grant valid APs secure access to the network, or to revoke access from suspected rogue APs. When you revoke or remove an AP from the campus or remote AP whitelist on a controller that uses control plane security, that AP is not able to communicate with the controller again, except to obtain a new certificate.


If you manually add APs to the whitelists (rather than automatically adding the APs via the automatic certificate provisioning feature), make sure that the whitelists have been synchronized to all other controllers on the network before enabling control plane security.

Adding APs to the Campus and Remote AP Whitelists

You can add an AP to the campus AP or remote AP whitelists via the WebUI or command-line interface. To add an entry via the WebUI, use the following procedure.

1. Access the WebUI, and navigate to Configuration>Wireless>AP Installation.
2. Click the Whitelist tab.
3. Select the whitelist to which you want to add the AP. By default, the Whitelist tab displays status information for the Campus AP Whitelist. To add a remote AP to the Remote AP whitelist, click the blue Remote AP link at the top of the table before you proceed to step 4.

Figure 1  Control Plane Security Settings


4. Click the Entries button in the upper right corner of the whitelist status window.
5. Click New.
6. Define the following parameters for each AP you want to add to the whitelist.

Table 1: AP Whitelist Parameters

Campus AP whitelist configuration parameters

AP MAC Address: MAC address of a campus AP that should support secure communications to and from its controller.

Description: (Optional) Use this field to add a brief description of the campus AP.

Remote AP whitelist configuration parameters

AP MAC Address: MAC address of the remote AP, in colon-separated octets.

User Name: Name of the end user who provisions and uses the remote AP.

AP Group: Select the name of the AP group to which the remote AP is assigned.

AP Name: (Optional) Name of the remote AP. If you do not specify a name, the AP uses its MAC address as its name.

Description: (Optional) A brief description to help you identify the AP.

IP-Address: The static inner IP address to be assigned to the remote AP.

7. Click Add to add the information to the whitelist.
8. Click Apply to save your changes.

To add an AP to the Campus AP whitelist via the command-line interface, issue the command

whitelist-db cpsec add mac-address <macaddr> description <description>

To add an AP to the Remote AP whitelist via the command-line interface, issue the command

whitelist-db rap add mac-address <macaddr> ap-group <ap-group> [ap-name <ap-name>] [description <description>] [full-name <name>] remote-ip <inner-ip-adr>

Viewing Whitelist Status

The WebUI can display either a table of entries in the selected whitelist, or a general status summary for that whitelist. The whitelist status pages show the current status of each entry in the whitelist and, for controllers in a master/local controller topology, information about whitelist synchronization between controllers. This information is updated automatically as the status of each entry changes.

By default, the Wireless > AP Installation > Whitelist tab displays status information for the campus AP Whitelist. To view status information for entries in the remote AP whitelist, click the blue Remote AP link on this tab.

The following table describes the status information types available on the Whitelist status page.

Table 2: Whitelist status information

Control Plane Security (Campus AP Whitelist status only): The Campus AP whitelist status page shows whether control plane security has been enabled or disabled on the controller. This status entry is also a link to the control plane security configuration tab.

Number of Entries: Total number of entries in the selected whitelist.

Approved Entries: Number of entries that have been approved by the controller.

Unapproved Entries: Number of entries that have not been approved by the controller.

Certified Entries: Number of APs that have an approved certificate from the controller.

Certified Hold Entries: Number of APs in the hold state. An AP is put in this state when the controller thinks the AP has been certified with a factory certificate yet the AP requests to be certified again. Since this is not a normal condition, the AP is not approved as a secure AP until a network administrator manually changes the status of the AP to verify that it is not compromised.

NOTE: If an AP is in this state due to connectivity problems, the AP recovers and is taken out of the hold state as soon as connectivity is restored.

Revoked Entries: Number of AP entries that have been manually revoked.

Marked For Deletion Entries: Number of APs that have been marked for deletion, but that have not yet been removed from the whitelist.

The Remote AP whitelist entries page displays only the information manually configured by the network administrator. The entries in the campus AP whitelist include both user-defined settings and additional AP information that is updated as the status of the AP changes.

Table 3: Additional Campus AP Status Information

Cert Type: The type of certificate used by the AP.
    switch-cert: The AP is using a certificate signed by the controller.
    factory-cert: The AP is using a factory-installed certificate.

State: The Campus AP Whitelist reports one of the following states for each campus AP:
    unapproved-no-cert: The AP has no certificate and is not approved.
    unapproved-factory-cert: The AP has a preinstalled certificate that was not approved.
    approved-ready-for-cert: The AP has been approved as a valid campus AP and is ready to receive a certificate.
    certified-factory-cert: The AP already has a factory certificate. If an AP has the factory-cert certificate type and is in the certified-factory-cert state, that campus AP is not re-issued a new certificate when automatic certificate provisioning is enabled.
    certified-switch-cert: The AP has an approved certificate from the controller.
    certified-hold-factory-cert: An AP is put in this state when the controller thinks the AP has been certified with a factory certificate yet the AP requests to be certified again. Since this is not a normal condition, the AP is not approved as a secure AP until a network administrator manually changes the status of the AP to verify that it is not compromised.
    NOTE: If an AP is in this state due to connectivity problems, the AP recovers and leaves the hold state as soon as connectivity is restored.
    certified-hold-switch-cert: An AP is put in this state when the controller thinks the AP has been certified with a controller certificate yet the AP requests to be certified again. Since this is not a normal condition, the AP is not approved as a secure AP until a network administrator manually changes the status of the AP to verify that it is not compromised.
    NOTE: If an AP is in this state due to connectivity problems, the AP recovers and is taken out of the hold state as soon as connectivity is restored.

Revoked: Shows whether the AP’s secure status has been revoked.

Revoked Text: An optional, brief statement describing why the AP was revoked.

Last Update: Time and date of the last AP status update.

To view information about the remote and campus AP whitelists using the command-line interface, use the commands described in Table 4.

Table 4: View the Campus AP Whitelist via the CLI

show whitelist-db cpsec [mac-address <macaddr>]
Shows detailed information for each AP in the whitelist, including the AP’s MAC address, approved state, certificate type and description. Include the optional mac-address <macaddr> parameter to view data for a single entry.

show whitelist-db cpsec-status
Gives aggregate counts of the APs in each of the following categories:
    Total entries
    Approved entries
    Unapproved entries
    Certified entries
    Certified hold entries
    Revoked entries
    Marked for deletion entries
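The states in Table 3 and the counters in Table 4 describe one small state machine: an entry is unapproved, approved, certified, or in a hold state, and can additionally be revoked or marked for deletion. The following Python model is an added example, not code from the controller or its documentation. The state names and the MAC format (colon-separated octets, Table 1) are the documentation's; the transition rules are a reading of its prose, and two points are assumptions: that a manually added entry starts in approved-ready-for-cert, and how the status categories overlap (approved means any non-unapproved state, certified excludes the two hold states).

```python
import re
from dataclasses import dataclass

MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$")  # colon-separated octets

# Cert type reported for each certified state (Table 3, "Cert Type").
CERT_TYPE = {
    "certified-factory-cert": "factory-cert",
    "certified-hold-factory-cert": "factory-cert",
    "certified-switch-cert": "switch-cert",
    "certified-hold-switch-cert": "switch-cert",
}

@dataclass
class Entry:
    mac: str
    state: str
    description: str = ""
    revoked: bool = False
    revoke_text: str = ""
    marked_for_deletion: bool = False

class CampusWhitelist:
    def __init__(self):
        self.entries = {}

    @staticmethod
    def _norm(mac):
        mac = mac.lower()
        if not MAC_RE.match(mac):
            raise ValueError(f"expected colon-separated octets, got {mac!r}")
        return mac

    def add(self, mac, description=""):
        """whitelist-db cpsec add: a manually entered AP counts as valid
        (assumption: it starts in approved-ready-for-cert)."""
        mac = self._norm(mac)
        self.entries[mac] = Entry(mac, "approved-ready-for-cert", description)
        return self.entries[mac]

    def discover(self, mac, has_factory_cert):
        """An AP the controller hears from but nobody approved is listed as unapproved."""
        mac = self._norm(mac)
        state = "unapproved-factory-cert" if has_factory_cert else "unapproved-no-cert"
        return self.entries.setdefault(mac, Entry(mac, state))

    def request_cert(self, mac):
        """The AP asks to be certified: an approved AP gets a controller-signed cert,
        an already certified AP asking again is the abnormal case that lands in hold,
        an unapproved AP gets nothing."""
        e = self.entries[self._norm(mac)]
        if e.state == "approved-ready-for-cert":
            e.state = "certified-switch-cert"
        elif e.state in ("certified-factory-cert", "certified-switch-cert"):
            e.state = e.state.replace("certified-", "certified-hold-")
        return e.state

    def connectivity_restored(self, mac):
        """A hold caused by a connectivity problem clears by itself (Table 3 NOTE)."""
        e = self.entries[self._norm(mac)]
        e.state = e.state.replace("certified-hold-", "certified-")
        return e.state

    def modify_state(self, mac, state):
        """whitelist-db cpsec modify ... state: the administrator's manual way out of hold."""
        if state not in ("approved-ready-for-cert", "certified-factory-cert"):
            raise ValueError("state must be approved-ready-for-cert or certified-factory-cert")
        e = self.entries[self._norm(mac)]
        e.state = state
        return e.state

    def revoke(self, mac, text=""):
        """whitelist-db cpsec revoke: the entry and its status stay, trust is withdrawn."""
        e = self.entries[self._norm(mac)]
        e.revoked, e.revoke_text = True, text
        return e

    def delete(self, mac):
        """whitelist-db cpsec del: marked for deletion until the controller removes it."""
        self.entries[self._norm(mac)].marked_for_deletion = True

    def purge(self):
        """whitelist-db cpsec purge: drop every entry (required on a new local controller)."""
        self.entries.clear()

    def cert_type(self, mac):
        return CERT_TYPE.get(self.entries[self._norm(mac)].state)

    def status(self):
        """The counters of show whitelist-db cpsec-status (category overlap is an assumption)."""
        es = list(self.entries.values())
        return {
            "total": len(es),
            "approved": sum(not e.state.startswith("unapproved") for e in es),
            "unapproved": sum(e.state.startswith("unapproved") for e in es),
            "certified": sum(e.state.startswith("certified-") and "hold" not in e.state for e in es),
            "certified_hold": sum(e.state.startswith("certified-hold") for e in es),
            "revoked": sum(e.revoked for e in es),
            "marked_for_deletion": sum(e.marked_for_deletion for e in es),
        }
```

The point the model makes concrete is the hold logic: a second certification request from an AP the controller already considers certified is not served, and the entry stays in certified-hold-* until either connectivity is restored or an administrator sets its state by hand, which is the only transition out of hold that involves a human decision.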

Modifying an AP in the Campus AP Whitelist

Use the following procedure to modify a campus AP entry’s certificate type, state, description and revoked status via the WebUI.

1. Access the master controller WebUI, and navigate to Configuration>AP Installation.
2. Click the Campus AP Whitelist tab.
3. Select the checkbox by the entry for the AP you want to edit, then click Modify.

If your campus AP whitelist is large and you cannot immediately locate the AP entry you want to edit, select the Search link by the upper right corner of the whitelist. The Campus AP Whitelist tab displays several fields that allow you to search for an AP with a specified MAC address, certificate type or state. Specify the values that match the AP you are trying to locate, then click the Search button. The whitelist displays a list of APs that match your search criteria. Select the AP from this list, then click Modify.

4. Update the AP’s whitelist entry with the new settings. Some of the configurable parameters were available when you first defined the entry, and are described in Table 1 above. When you modify an existing whitelist entry, you can also configure the following additional parameters that were not configurable when you first created the entry.
    Cert-type: The type of certificate used by the AP.
        switch-cert: The campus AP is using a certificate signed by the controller.
        factory-cert: The campus AP is using a factory-installed certificate.
    State: When you click the State drop-down list to modify this parameter, you may choose one of the following options:
        approved-ready-for-cert: The AP has been approved and is ready to receive a certificate.
        certified-factory-cert: The AP is certified and has a factory-installed certificate.
    Revoke: Click the Revoke checkbox to revoke an AP’s secure status. When you select this checkbox, you can enter a brief comment explaining why the AP is being revoked.
5. Click Update to update the campus AP whitelist entry with its new settings.

To modify an entry in the campus AP whitelist via the command-line interface, issue the following command with the parameters you want to change:

whitelist-db cpsec modify mac-address <macaddr>
    cert-type switch-cert|factory-cert
    description <description>
    mode disable|enable
    revoke-text <revoke-text>
    state approved-ready-for-cert|certified-factory-cert

Revoking an AP via the Campus AP Whitelist

You can revoke an invalid or rogue AP either by opening the modify menu and modifying the AP’s revoke status (as described in the section above), or by selecting the AP in the campus whitelist and revoking its secure status directly, without modifying any other parameters or entering a description of why that AP was revoked. When you revoke an AP’s secure status in the campus AP whitelist, the whitelist retains the AP’s status information. To revoke an invalid or rogue AP and permanently remove the AP from the whitelist, you must delete that entry.

To revoke an AP via the WebUI:

1. Access the master controller WebUI, and navigate to Configuration > AP Installation.
2. Click the Campus AP Whitelist tab.
3. To revoke one or more secure campus APs, select the checkbox by the entry for each AP whose secure status should be revoked, then click Revoke.

If your campus AP whitelist is large and you cannot immediately locate the AP entry you want to revoke, select the Search link by the upper right corner of the whitelist. The Campus AP Whitelist tab displays several fields that allow you to search for an AP with a specified MAC address, certificate type or state. Specify the values that match the AP you are trying to locate, then click the Search button. The whitelist displays a list of APs that match your search criteria. Select the AP from this list, then click Revoke.

To revoke an AP via the command-line interface, issue the command:

whitelist-db cpsec revoke mac-address <macaddr> revoke-text <"revoke text">

Deleting an AP Entry from the Campus AP Whitelist

Before you delete an AP entry from the campus whitelist, verify that automatic certificate provisioning is either no longer enabled, or only enabled for IP addresses that do not include the AP being removed. If automatic certificate provisioning is enabled for an AP that is still connected to the network, you cannot permanently delete it from the campus AP whitelist; the controller immediately re-certifies the AP and re-creates its whitelist entry.

To delete an AP entry via the WebUI:

1. Access the master controller WebUI, and navigate to Configuration > AP Installation.
2. Click the Campus AP Whitelist tab.
3. Select the checkbox by the entry for each AP you want to remove, then click Delete.

If your campus AP whitelist is large and you cannot immediately locate the AP entry you want to delete, select the Search link by the upper right corner of the whitelist. The Campus AP Whitelist tab displays several fields that allow you to search for an AP with a specified MAC address, certificate type or state. Specify the values that match the AP you are trying to locate, then click the Search button. The whitelist displays a list of APs that match your search criteria. Select the AP from this list, then click Delete.

To delete an AP entry via the CLI, issue the command:

whitelist-db cpsec del mac-address <macaddr>

Purging the Campus AP Whitelist

Before you add a new local controller to a network using control plane security, you must purge the campus AP whitelist on the new controller. Any entries in a new controller’s campus AP whitelist are merged into the whitelist for all other master and local controllers as soon as the new controller is added to the hierarchy. If any old or invalid AP entries are added to the campus AP whitelist this way, all controllers in the hierarchy begin trusting those APs, creating a potential security risk. For additional information on adding a new local controller using control plane security to your network, see Replacing a Local Controller.

To purge a controller’s campus AP whitelist via the WebUI:

1. Access the master controller WebUI, and navigate to Configuration > AP Installation.
2. Click the Campus AP Whitelist tab.
3. Click Purge.

To purge a campus AP whitelist via the command-line interface, issue the command:

whitelist-db cpsec purge

Offloading a Controller RAP Whitelist to ClearPass Policy Manager

This feature allows whitelist entries for remote APs (RAPs) to be maintained externally in a ClearPass Policy Manager (CPPM) server. The controller, if configured to use an external server, can send a RADIUS access request to a CPPM server. The RAP MAC address is used as a username and password to construct the access request packet and the CPPM validates the RADIUS message and returns the relevant parameters for the authorized RAPs.

The three supported parameters map to the following VSAs, which the CPPM server sends in the RADIUS access accept packet for authorized RAPs:

ap-group: Aruba-AP-Group
ap-name: Aruba-Location-ID
remote-ip: Aruba-AP-IP-Address

The following defaults are used when any of the supported parameters are not provided by the CPPM server in the RADIUS access accept response:

ap-group: the default ap-group is assigned to the RAP
ap-name: the RAP MAC address is used as the AP name
remote-ip: the controller selects the remote IP address from its available pool of addresses

There is no change in the RAP role assignment. The RAP is assigned the role that is configured in the VPN default-rap profile.
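The exchange described above has two halves: the controller builds an Access-Request whose User-Name and User-Password are both the RAP MAC address, and CPPM answers with an Access-Accept carrying Aruba VSAs, any of which may be missing. The Python below is an added example, not code from the controller or from ClearPass. The VSA names and the defaults are the documentation's; everything else is an assumption: the Aruba vendor ID (14823) and the sub-attribute numbers are taken from the public FreeRADIUS Aruba dictionary, the MAC string format used as the username, the name of the default ap-group, and the shared secret, request authenticator and Access-Accept bytes are all constructed here.

```python
import hashlib
import ipaddress
import struct

VSA_TYPE = 26                    # RFC 2865 Vendor-Specific attribute
ARUBA_VENDOR_ID = 14823          # assumption: Aruba's IANA enterprise number
# assumption: sub-attribute numbers as in the public FreeRADIUS dictionary.aruba
ARUBA_ATTRS = {10: "ap-group",   # Aruba-AP-Group
               6: "ap-name",     # Aruba-Location-ID
               13: "remote-ip"}  # Aruba-AP-IP-Address
DEFAULT_AP_GROUP = "default"     # assumption: name of the controller's default ap-group


def attr(atype, value):
    """One RFC 2865 attribute TLV: type, total length, value."""
    return struct.pack("!BB", atype, 2 + len(value)) + value


def _pw_xor(data, secret, authenticator, chain_on_output):
    """RFC 2865 5.2 User-Password hiding: XOR 16-byte blocks with MD5(secret + previous block)."""
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(data[i:i + 16], key))
        out += block
        prev = block if chain_on_output else data[i:i + 16]
    return out


def hide_password(password, secret, authenticator):
    padded = password + b"\x00" * (-len(password) % 16)
    return _pw_xor(padded, secret, authenticator, True)


def reveal_password(hidden, secret, authenticator):
    return _pw_xor(hidden, secret, authenticator, False).rstrip(b"\x00")


def access_request_attrs(rap_mac, secret, authenticator):
    """Controller side: the RAP MAC is both User-Name (1) and User-Password (2)."""
    mac = rap_mac.encode()
    return attr(1, mac) + attr(2, hide_password(mac, secret, authenticator))


def aruba_vsa(sub_type, value):
    """CPPM side: one Vendor-Specific attribute carrying one Aruba sub-attribute."""
    return attr(VSA_TYPE, struct.pack("!I", ARUBA_VENDOR_ID) + attr(sub_type, value))


def parse_aruba_vsas(blob):
    """Walk the Access-Accept attributes; return {name: value} for the three known VSAs."""
    found, pos = {}, 0
    while pos < len(blob):
        if pos + 2 > len(blob) or blob[pos + 1] < 2 or pos + blob[pos + 1] > len(blob):
            raise ValueError("malformed RADIUS attribute")
        atype, alen = blob[pos], blob[pos + 1]
        if atype == VSA_TYPE and alen >= 8 and struct.unpack("!I", blob[pos + 2:pos + 6])[0] == ARUBA_VENDOR_ID:
            sub, spos = blob[pos + 6:pos + alen], 0
            while spos < len(sub):               # one VSA may carry several sub-attributes
                if spos + 2 > len(sub) or sub[spos + 1] < 2 or spos + sub[spos + 1] > len(sub):
                    raise ValueError("malformed vendor sub-attribute")
                stype, slen = sub[spos], sub[spos + 1]
                name, value = ARUBA_ATTRS.get(stype), sub[spos + 2:spos + slen]
                if name == "remote-ip":
                    found[name] = str(ipaddress.IPv4Address(value))
                elif name:
                    found[name] = value.decode()
                spos += slen
        pos += alen
    return found


def rap_parameters(rap_mac, accept_attrs, address_pool):
    """Apply the documented defaults for anything CPPM did not send."""
    params = parse_aruba_vsas(accept_attrs)
    params.setdefault("ap-group", DEFAULT_AP_GROUP)   # default ap-group
    params.setdefault("ap-name", rap_mac)             # MAC used as AP name
    if "remote-ip" not in params:
        params["remote-ip"] = address_pool.pop(0)     # controller picks from its pool
    return params


# Constructed sample Access-Accept attributes: CPPM sent Aruba-AP-Group and
# Aruba-AP-IP-Address but no Aruba-Location-ID, so ap-name falls back to the MAC.
SAMPLE_ACCEPT = aruba_vsa(10, b"branch-raps") + aruba_vsa(13, ipaddress.IPv4Address("10.20.0.5").packed)
```

Two details are worth noticing when debugging a CPPM integration against this model: a RAP that is accepted but whose VSAs were misnamed in the CPPM enforcement profile silently lands in the default ap-group with a pool address, exactly as the defaults above prescribe, and the User-Password hiding is keyed on the shared secret, so a secret mismatch shows up as an authentication failure rather than as a malformed packet.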

In the WebUI

To assign a CPPM server to a RAP:

1. Configure a CPPM server using the controller WebUI:
a. Navigate to the Configuration > Security > Authentication > Servers page.
b. Select Radius Server to display the CPPM Server List.
c. To configure a CPPM server, enter the name for the server and click Add.
d. Select the name to configure server parameters. Select the Mode check box to activate the authentication server.
e. Click Apply.
2. Create a server group that contains the CPPM server.
3. Navigate to Configuration > All Profile Management > Wireless LAN > VPN Authentication > default-rap > Server Group.
4. Select the CPPM server from the Server Group drop-down menu.
5. Click Apply.

To assign a CPPM server to a RAP that was initially an IAP:

1. Make sure that a CPPM server is configured on the controller.
2. Navigate to Configuration > All Profile Management > Wireless LAN > VPN Authentication > default-iap > Server Group.
3. Select the CPPM server from the Server Group drop-down menu.
4. Click Apply.

In the CLI

Configure a RADIUS server with the CPPM server as its host address. In this example, cppm-rad is the CPPM server name and cppm-sg is the server group name.

(host) (config) #aaa authentication-server radius cppm-rad

Add this server to a server group:

(host) (config) #aaa server-group cppm-sg

auth-server cppm-rad

Add this server group in default-rap vpn profile:

(host) (config) #aaa authentication vpn default-rap

server-group cppm-sg