Managing AP Whitelists

A campus or Remote AP appears as a valid AP in the campus or Remote AP whitelist when you manually enter its information into the whitelist through the WebUI or CLI of a controller, or after a controller sends the AP a certificate as part of automatic certificate provisioning and the AP connects to the controller over a secure tunnel. APs that are not approved or certified on the network are also included in the campus AP whitelist, but they appear in an unapproved state.

Use the AP whitelists to grant valid APs secure access to the network or to revoke access from suspected rogue APs. When you revoke or remove an AP from the campus or remote AP whitelists on a controller that uses control plane security, that AP is not able to communicate with the controller again, except to obtain a new certificate.


NOTE: If you manually add APs to the AP whitelists (rather than automatically adding the APs as part of automatic certificate provisioning), make sure that the AP whitelists have been synchronized to all other controllers on the network before enabling control plane security.

Adding an AP to the Campus or Remote AP Whitelists

You can add an AP to the campus AP or remote AP whitelists over the WebUI or CLI.

In the WebUI

To add an AP to the campus AP or Remote AP whitelist:

1. Navigate to Configuration > Wireless > AP Installation.
2. Click the Whitelist tab.
3. Select the whitelist to which you want to add an AP. The Whitelist tab displays status information for the Campus AP Whitelist by default. To add a Remote AP to the Remote AP whitelist, click the Remote AP link before you proceed to step 4.

Figure 1  Control Plane Security Settings


4. Click Entries in the upper right corner of the whitelist status window.
5. Click New.
6. Define the following parameters for each AP you want to add to the AP whitelist.

Table 1: AP Whitelist Parameters

Parameter

Description

Campus AP whitelist configuration parameters

AP MAC Address

MAC address of campus AP that supports secure communications to and from its controller.

AP Group

Name of the AP group to which the campus AP is assigned. If you do not specify an AP group, the AP uses default as its AP group.

AP Name

Name of the campus AP. If you do not specify a name, the AP uses its MAC address as AP name.

Description

Brief description of the campus AP.

Remote AP whitelist configuration parameters

AP MAC Address

MAC address of the remote AP, in colon-separated octets.

User Name

Name of the end user who provisions and uses the remote AP.

AP Group

Name of the AP group to which the Remote AP is assigned.

AP Name

Name of the Remote AP. If you do not specify a name, the AP uses its MAC address as AP name.

Description

Brief description of the Remote AP.

IP-Address

The static inner IP address to be assigned to the Remote AP.

7. Click Add.

In the CLI

To add an AP to the campus AP whitelist:

(host) #whitelist-db cpsec add mac-address <name>
    ap-group <ap_group>
    ap-name <ap_name>
    description <description>

To add an AP to the remote AP whitelist:

(host) #whitelist-db rap add mac-address <mac-address>
    ap-group <ap-group>
    ap-name <ap-name>
    description <description>
    full-name <name>
    remote-ip <inner-ip-adr>

Viewing AP Whitelist Status

The WebUI displays either a status of the selected AP whitelist or a table of entries in the selected AP whitelist. The status page displays the current status of the AP whitelist and for controllers in a master/local controller topology, it displays the AP whitelist synchronization status between controllers. When the status of an entry in the AP whitelist changes, the AP whitelist status is updated automatically. The table of entries page displays the status of each AP on the AP whitelist.

The Configuration > Wireless > AP Installation > Whitelist tab displays the status of the campus AP whitelist by default. To view the status of remote AP whitelist, click the Remote AP link.

The following table describes the contents of the status page.

Table 2: Whitelist status information

Status Entry

Description

Campus AP whitelist status information

Control Plane Security

Shows if the control plane security is enabled or disabled on the controller. This status entry is also a link to the control plane security configuration tab.

Total entries

Number of entries in the campus AP whitelist.

Approved entries

Number of entries in the campus AP whitelist that have been approved by the controller.

Unapproved entries

Number of entries in the campus AP whitelist that have not been approved by the controller.

Certified entries

Number of entries in the campus AP whitelist that have an approved certificate from the controller.

Certified hold entries

Number of entries in the campus AP whitelist that have been certified with a factory certificate but request to be certified again. Such APs are not approved as secure until you manually change the status and verify that it is not compromised.

NOTE: If an AP is in the hold state because of connectivity problems, then the AP recovers and moves out of the hold state when connectivity is restored.

Revoked entries

Number of entries in the campus AP whitelist that have been manually revoked.

Marked for deletion entries

Number of entries in the campus AP whitelist that have been marked for deletion, but not yet removed from the campus AP whitelist.

Remote AP whitelist status information

Total entries

Number of entries in the Remote AP whitelist.

Revoked entries

Number of entries in the Remote AP whitelist that have been manually revoked.

Marked for deletion entries

Number of entries in the Remote AP whitelist that have been marked for deletion, but not yet removed from the Remote AP whitelist.

The Remote AP whitelist entries page displays only the information you manually configure. The campus AP whitelist entries page displays both user-defined settings and additional information that is updated when the status of a campus AP changes.

Table 3: Additional Campus AP Status Information

Parameter

Description

Cert Type

The type of certificate used by the campus AP.

switch-cert: The campus AP is using a certificate signed by the controller.
factory-cert: The campus AP is using a factory-installed certificate.

State

The state of a campus AP.

unapproved-no-cert: The campus AP has no certificate and is not approved.
unapproved-factory-cert: The campus AP has a pre-installed certificate which is not approved.
approved-ready-for-cert: The campus AP is approved as valid and is ready to receive a certificate.
certified-factory-cert: The campus AP already has a factory certificate. If a campus AP has a factory-cert type of certificate and is in certified-factory-cert state, then a new certificate is not reissued to the campus AP when you enable automatic certificate provisioning.
certified-switch-cert: The campus AP has an approved certificate from the controller.
certified-hold-factory-cert: The campus AP is certified with a factory certificate but requests to be certified again. Such APs are not approved as secure until you manually change the status and verify that it is not compromised.

NOTE: If an AP is in this state due to connectivity problems, then the AP recovers and leaves this hold state as soon as connectivity is restored.

certified-hold-switch-cert: An AP is put in this state when the controller thinks the AP has been certified with a controller certificate but the AP requests to be certified again. Because this is not a normal condition, the AP is not approved as a secure AP until a network administrator manually changes the status of the AP to verify that it is not compromised.

NOTE: If an AP is in the hold state because of connectivity problems, then the AP recovers and moves out of the hold state when connectivity is restored.

Revoked

Shows if the secure status of the AP is revoked.

Revoked Text

Brief description for revoking the campus AP.

Last Update

Time and date of the last AP status update.

To view information about the campus and remote AP whitelists using the CLI, use the following commands:

(host) #show whitelist-db cpsec
    ap-group <ap_group>
    ap-name <ap_name>
    cert-type {factory-cert|switch-cert}
    mac-address <name>
    page <num>
    start <offset>
    state {approved-ready-for-cert|certified-factory-cert|unapproved-factory-cert|unapproved-no-cert}

(host) #show whitelist-db cpsec-status

(host) #show whitelist-db rap
    apgroup <rap-group>
    apname <rap-name>
    fullname <rap-fullname>
    long
    mac-address <mac-address>
    page <page-number>
    start <offset>

(host) #show whitelist-db rap-status

Modifying an AP in the Campus AP Whitelist

Use the following procedures to modify the AP group, AP name, certificate type, state, description, and revoked status of an AP in the campus AP whitelist.

In the WebUI

To modify an AP in the campus AP whitelist:

1. Navigate to Configuration > Wireless > AP Installation.
2. Click the Whitelist tab.
3. Click the Entries>> button.
4. Select the checkbox of the AP that you want to modify, then click Modify.

If your campus AP whitelist is large and you cannot immediately locate the AP that you want to modify, select the Search link. The Whitelist Search tab displays the fields AP Group, Cert Type, AP MAC Address, AP Name, and State that allow you to search for an AP. Specify the values of the AP that you want to locate in these fields, then click Search. The campus AP whitelist displays a list of APs that match your search criteria. Select the checkbox of the AP that you want to modify, then click Modify.

5. Modify the settings of the selected AP. Some of the following parameters are also available when adding an AP to the campus AP whitelist and are described in Table 1.
   - AP Group: The name of the AP group to which the campus AP is assigned.
   - AP Name: The name of the campus AP. If you do not specify a name, the AP uses its MAC address as a name.
   - Cert-type: The type of certificate used by the AP.
     - switch-cert: The campus AP is using a certificate signed by the controller.
     - factory-cert: The campus AP is using a factory-installed certificate.
   - State: When you click the State drop-down list to modify this parameter, you may choose one of the following options:
     - approved-ready-for-cert: The AP is in the approved state and is ready to receive a certificate.
     - certified-factory-cert: The AP is certified and has a factory-installed certificate.
   - Description: Brief description of the campus AP.
   - Revoked: Click the Revoked checkbox to revoke an invalid or rogue AP.
   - Revoke Text: When the Revoked checkbox is selected, enter a brief comment describing why the AP is being revoked.
6. Click Update to update the campus AP whitelist entry with its new settings.

In the CLI

To modify an AP in the campus AP whitelist:

(host) #whitelist-db cpsec modify mac-address <name>
    ap-group <ap_group>
    ap-name <ap_name>
    cert-type {switch-cert|factory-cert}
    description <description>
    mode {disable|enable}
    revoke-text <revoke-text>
    state {approved-ready-for-cert|certified-factory-cert}

Revoking an AP from the Campus AP Whitelist

You can revoke an invalid or rogue AP either by modifying its revoked status (as described in Modifying an AP in the Campus AP Whitelist) or by revoking it directly from the campus AP whitelist without modifying any other parameter. When revoking an invalid or rogue AP, enter a brief description of why the AP is being revoked. When you revoke an AP from the campus AP whitelist, the whitelist retains the information of the AP. To revoke an invalid or rogue AP and permanently remove it from the whitelist, delete that entry (as described in Deleting an AP from the Campus AP Whitelist).

In the WebUI

To revoke an AP from the campus AP whitelist:

1. Navigate to Configuration > Wireless > AP Installation.
2. Click the Whitelist tab.
3. Click the Entries>> button.
4. Select the checkbox of the AP that you want to revoke, then click Revoke.

If your campus AP whitelist is large and you cannot immediately locate the AP that you want to revoke, select the Search link. The Whitelist Search tab displays the fields AP Group, Cert Type, AP MAC Address, AP Name, and State that allow you to search for an AP. Specify the values of the AP that you want to locate in these fields, then click Search. The campus AP whitelist displays a list of APs that match your search criteria. Select the checkbox of the AP that you want to revoke, then click Revoke.

5. Enter a brief description of why the AP is being revoked, then click Update.

In the CLI

To revoke an AP via the campus AP whitelist:

(host) #whitelist-db cpsec revoke mac-address <name> revoke-text <revoke-text>

Deleting an AP from the Campus AP Whitelist

Before deleting an AP from the campus AP whitelist, verify that auto certificate provisioning is either not enabled or enabled only for IP addresses that do not include the AP being deleted. If you enable automatic certificate provisioning for an AP that is still connected to the network, you cannot delete it from the campus AP whitelist; the controller immediately re-certifies the AP and recreates its whitelist entry.

In the WebUI

To delete an AP from the campus AP whitelist:

1. Navigate to Configuration > Wireless > AP Installation.
2. Click the Whitelist tab.
3. Click the Entries>> button.
4. Select the checkbox of the AP you want to delete, then click Delete.

If your campus AP whitelist is large and you cannot immediately locate the AP that you want to delete, select the Search link. The Whitelist Search tab displays the fields AP Group, Cert Type, AP MAC Address, AP Name, and State that allow you to search for an AP. Specify the values of the AP that you want to locate in these fields, then click Search. The campus AP whitelist displays a list of APs that match your search criteria. Select the checkbox of the AP that you want to delete, then click Delete.

In the CLI

To delete an AP from the campus AP whitelist:

(host) #whitelist-db cpsec del mac-address <name>

Purging a Campus AP Whitelist

Before adding a new local controller to a network using control plane security, purge the campus AP whitelist on the new controller. After the new controller is added to the hierarchy, the entries in its campus AP whitelist merge into the whitelists of all other master and local controllers. If any old or invalid AP entries are present in that campus AP whitelist, all controllers in the hierarchy will trust those APs, creating a potential security risk. For additional information on adding a new local controller using control plane security to your network, see Replacing a Local Controller.

In the WebUI

To purge a campus AP whitelist:

1. Navigate to Configuration > Wireless > AP Installation.
2. Click the Whitelist tab.
3. Click the Entries>> button.
4. Click Purge.

In the CLI

To purge a campus AP whitelist:

(host) #whitelist-db cpsec purge
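The following Python model is added here as an illustration and is not ArubaOS code or part of this guide. It ties together the bookkeeping the preceding sections describe: the Table 1 defaults for an unspecified AP group or name, the Table 3 state names and the Table 2 counters derived from them, the restriction of the modify command's state value to approved-ready-for-cert or certified-factory-cert, revocation that keeps the entry while withdrawing its secure status, deletion being undone when automatic certificate provisioning still covers a connected AP's address, and purging. The class and method names, the AutoCertProvisioning stand-in, the simulated re-certification on delete, and the sample MAC addresses and IP ranges are constructed for the example; the marked-for-deletion counter, which depends on whitelist synchronization between controllers, is not modeled.

```python
"""Campus AP whitelist bookkeeping model (added example, not ArubaOS code)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, Optional

# State names from Table 3, grouped the way the Table 2 counters use them.
UNAPPROVED = {"unapproved-no-cert", "unapproved-factory-cert"}
APPROVED = {"approved-ready-for-cert"}
CERTIFIED = {"certified-factory-cert", "certified-switch-cert"}
CERTIFIED_HOLD = {"certified-hold-factory-cert", "certified-hold-switch-cert"}
# The only state values the modify command accepts.
MODIFIABLE_STATES = {"approved-ready-for-cert", "certified-factory-cert"}


@dataclass
class CampusApEntry:
    mac: str
    ap_group: str = "default"        # Table 1: no group given -> "default"
    ap_name: Optional[str] = None    # Table 1: no name given -> MAC address
    description: str = ""
    state: str = "unapproved-no-cert"
    cert_type: Optional[str] = None  # "factory-cert", "switch-cert" or None
    revoked: bool = False
    revoke_text: str = ""

    def __post_init__(self) -> None:
        if self.ap_name is None:
            self.ap_name = self.mac


class AutoCertProvisioning:
    """Constructed stand-in for the automatic certificate provisioning setting:
    disabled, or enabled for a set of AP IP ranges."""

    def __init__(self, enabled: bool = False, ranges=()) -> None:
        self.enabled = enabled
        self.ranges = [ip_network(r) for r in ranges]

    def covers(self, ap_ip: str) -> bool:
        return self.enabled and any(ip_address(ap_ip) in net for net in self.ranges)


class CampusApWhitelist:
    def __init__(self, auto_cert: AutoCertProvisioning) -> None:
        self.entries: Dict[str, CampusApEntry] = {}
        self.auto_cert = auto_cert

    def add(self, mac: str, **fields) -> CampusApEntry:
        entry = CampusApEntry(mac=mac.lower(), **fields)
        self.entries[entry.mac] = entry
        return entry

    def modify(self, mac: str, **fields) -> CampusApEntry:
        """Apply changes; state is restricted the way the CLI restricts it.
        Setting approved-ready-for-cert is also how a hold entry is released."""
        entry = self.entries[mac.lower()]
        if "state" in fields and fields["state"] not in MODIFIABLE_STATES:
            raise ValueError(f"state must be one of {sorted(MODIFIABLE_STATES)}")
        for key, value in fields.items():
            setattr(entry, key, value)
        return entry

    def revoke(self, mac: str, revoke_text: str) -> CampusApEntry:
        """Revocation withdraws secure status but keeps the entry and its data."""
        return self.modify(mac, revoked=True, revoke_text=revoke_text)

    def delete(self, mac: str, connected_ip: Optional[str] = None) -> bool:
        """Return True if the entry is gone. An AP still connected from an address
        that provisioning covers is re-certified at once and reappears (simulated)."""
        removed = self.entries.pop(mac.lower())
        if connected_ip is not None and self.auto_cert.covers(connected_ip):
            self.add(removed.mac, ap_group=removed.ap_group, ap_name=removed.ap_name,
                     state="certified-switch-cert", cert_type="switch-cert")
            return False
        return True

    def purge(self) -> None:
        """Empty the whitelist, as recommended before a new local controller joins."""
        self.entries.clear()

    def status(self) -> Dict[str, int]:
        """Counters of the campus AP whitelist status page (Table 2). Hold entries
        are counted apart: they are not secure until an administrator acts."""
        entries = list(self.entries.values())
        states = [e.state for e in entries]
        return {
            "total": len(states),
            "approved": sum(s in APPROVED or s in CERTIFIED for s in states),
            "unapproved": sum(s in UNAPPROVED for s in states),
            "certified": sum(s in CERTIFIED for s in states),
            "certified_hold": sum(s in CERTIFIED_HOLD for s in states),
            "revoked": sum(e.revoked for e in entries),
        }
```

To exercise it, create a CampusApWhitelist with an AutoCertProvisioning that covers a range, add a few entries with different states, and compare status() before and after revoke() and delete(). The check an operator most wants is the one delete() encodes: unless provisioning is disabled or scoped to ranges that exclude the AP, deleting a connected AP is reversed and the counters show the entry back in a certified state.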

Offloading a Controller Whitelist to ClearPass Policy Manager

This feature lets you maintain the AP whitelist externally on a ClearPass Policy Manager (CPPM) server. A controller configured to use an external server sends a RADIUS Access-Request to the CPPM server, using the MAC address of the AP as both the username and the password of the request. The CPPM server validates the RADIUS message and returns the relevant parameters for authorized APs.

The supported parameters map to the following vendor-specific attributes (VSAs), which the CPPM server sends in the RADIUS Access-Accept packet for authorized APs:

ap-group: Aruba-AP-Group
ap-name: Aruba-Location-ID
ap-remote-ip: Aruba-AP-IP-Address

The following defaults are used when the CPPM server does not provide a supported parameter in the RADIUS Access-Accept response:

ap-group: The default ap-group is assigned to the AP.
ap-name: The MAC address of the AP is used as the AP name.

There is no change in the RAP role assignment. The RAP is assigned the role that is configured in the VPN default-rap profile.
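To make the exchange concrete, here is a Python model of the controller-side logic just described, added as an illustration and not code from ArubaOS or ClearPass: the AP's MAC address becomes both User-Name and User-Password of the Access-Request, an Access-Reject leaves the AP unauthorized, and the three Aruba VSAs in an Access-Accept become ap-group, ap-name and ap-remote-ip, with the stated defaults when a VSA is absent. RADIUS messages are represented as dicts keyed by attribute name rather than encoded on the wire, the cppm_decision function is a constructed stand-in for the CPPM side, and the MAC normalization, function names and sample authorized-AP table are assumptions of the example.

```python
"""Controller-side model of AP whitelist offload to CPPM (added example)."""
import re
from typing import Dict, Optional

# Aruba VSA -> whitelist parameter, as listed in the section above.
VSA_TO_PARAM = {
    "Aruba-AP-Group": "ap-group",
    "Aruba-Location-ID": "ap-name",
    "Aruba-AP-IP-Address": "ap-remote-ip",
}


def normalize_mac(raw: str) -> str:
    """Return the colon-separated lowercase form used in the whitelist.
    Accepting dashed and dotted input is an assumption of this example."""
    digits = re.sub(r"[^0-9a-fA-F]", "", raw).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {raw!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def build_access_request(ap_mac: str) -> Dict[str, str]:
    """The AP's MAC address serves as both username and password."""
    mac = normalize_mac(ap_mac)
    return {"User-Name": mac, "User-Password": mac}


def cppm_decision(request: Dict[str, str],
                  authorized_aps: Dict[str, Dict[str, str]]) -> Dict[str, object]:
    """Constructed stand-in for the CPPM server: accept only a known MAC presented
    as both credentials, and attach whichever VSAs the table holds for it."""
    user, password = request.get("User-Name"), request.get("User-Password")
    if user is None or user != password or user not in authorized_aps:
        return {"Code": "Access-Reject"}
    attrs = {vsa: value for vsa, value in authorized_aps[user].items() if value}
    return {"Code": "Access-Accept", "Attributes": attrs}


def whitelist_entry_from_response(ap_mac: str,
                                  response: Dict[str, object]) -> Optional[Dict[str, str]]:
    """Parameters the controller applies for the AP, or None when rejected.
    Missing ap-group falls back to "default" and missing ap-name to the MAC;
    ap-remote-ip has no stated default and is omitted when absent."""
    if response.get("Code") != "Access-Accept":
        return None
    mac = normalize_mac(ap_mac)
    params = {"ap-group": "default", "ap-name": mac}
    attrs = response.get("Attributes") or {}
    for vsa, param in VSA_TO_PARAM.items():
        if attrs.get(vsa):
            params[param] = str(attrs[vsa])
    return params


def authorize_ap(ap_mac: str, authorized_aps: Dict[str, Dict[str, str]]) -> Optional[Dict[str, str]]:
    """One full round trip: build the request, ask the simulated server, map the reply."""
    request = build_access_request(ap_mac)
    return whitelist_entry_from_response(ap_mac, cppm_decision(request, authorized_aps))


# Constructed authorized-AP table standing in for CPPM's configuration.
SAMPLE_AUTHORIZED_APS = {
    "02:00:00:00:00:10": {"Aruba-AP-Group": "branch-east",
                          "Aruba-Location-ID": "rap-east-01",
                          "Aruba-AP-IP-Address": "10.20.0.10"},
    "02:00:00:00:00:11": {},  # authorized, but CPPM returns no VSAs
}

if __name__ == "__main__":
    for mac in ("02-00-00-00-00-10", "0200.0000.0011", "02:00:00:00:00:12"):
        print(mac, "->", authorize_ap(mac, SAMPLE_AUTHORIZED_APS))
```

Because the credential is only the AP's MAC address, authorization rests entirely on the CPPM-side table of authorized MACs and on the RADIUS shared secret between controller and server; that table deserves the same change control as the on-controller whitelist, and the server-group assignment in the steps that follow determines which server is asked.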

In the WebUI

To assign a CPPM server to a RAP:

1. Configure a CPPM server using the controller WebUI:
a. Navigate to Configuration > Security > Authentication > Servers.
b. Select Radius Server to display the CPPM Server List.
c. To configure a CPPM server, enter the name for the server and click Add.
d. Select the name to configure server parameters. Select the Mode check box to activate the authentication server.
e. Click Apply.
2. Create a server group that contains the CPPM server.
3. Navigate to Configuration > All Profile Management > Wireless LAN > VPN Authentication > default-rap > Server Group.
4. Select the CPPM server from the Server Group drop-down list.
5. Click Apply.

To assign a CPPM server to a RAP that was initially an Instant AP:

1. Make sure that a CPPM server is configured on the controller.
2. Navigate to Configuration > All Profile Management > Wireless LAN > VPN Authentication > default-iap > Server Group.
3. Select the CPPM server from the Server Group drop-down list.
4. Click Apply.

In the CLI

To add a CPPM server to a RAP:

Configure a RADIUS server whose host address is the CPPM server. In this example, cppm-rad is the name of the RADIUS server entry for CPPM and cppm-sg is the server group name.

(host)(config) #aaa authentication-server radius cppm-rad

Add this server to a server group:

(host)(config) #aaa server-group cppm-sg

(host) (Server Group "cppm-sg") #auth-server cppm-rad

Add this server group to the default-rap vpn profile:

(host)(config) #aaa authentication vpn default-rap

(host)(VPN Authentication Profile "default-rap") #server-group cppm-sg