Configuring Control Plane Security

When you initially deploy the controller, you create your initial control plane security configuration using the initial setup wizard. These settings can be changed at any time using the WebUI or the command-line interfaces.


If you are configuring control plane security for the first time after upgrading from ArubaOS 5.0 or earlier, see Configuring Control Plane Security after Upgrading for details on enabling this feature using the WebUI or CLI.

In the WebUI

1. Navigate to Configuration > Network > Controller.
2. Select the Control Plane Security tab.
3. Configure the following control plane security parameters:

Table 1: Control Plane Security Parameters

Parameter

Description

Control Plane Security

Select enable or disable to turn the control plane security feature on or off. This feature is enabled by default.

Auto Cert Provisioning

When you enable the control plane security feature, you can select this checkbox to turn on automatic certificate provisioning. When you enable this feature, the controller attempts to send certificates to all associated campus APs. Auto certificate provisioning is disabled by default.

NOTE: If you do not want to enable automatic certificate provisioning the first time you enable control plane security on the controller, you must identify the valid APs on your network by adding them to the campus AP whitelist. For details, see Viewing the Master or Local Controller Whitelists.

After you have enabled automatic certificate provisioning, you must select either Auto Cert Allow all or Addresses Allowed for Auto Cert.

Addresses allowed for Auto Cert

The Addresses Allowed for Auto Cert section allows you to specify whether certificates are sent to all associated APs, or just APs within one or more specific IP address ranges. If your controller has a publicly accessible interface, you should identify your campus and Remote APs by IP address range. This prevents the controller from sending certificates to external or rogue campus APs that may attempt to access your controller through that interface.

Select All to allow all associated campus and remote APs to receive automatic certificate provisioning. This parameter is enabled by default.

Select Addresses Allowed for Auto Cert to send certificates to a group of campus or remote APs within a range of IP addresses. In the two fields below, enter the start and end IP addresses, then click Add. Repeat this procedure to add additional IP ranges to the list of allowed addresses. If you enable both control plane security and auto certificate provisioning, all APs in the address list receive automatic certificate provisioning.

Remove a range of IP addresses from the list of allowed addresses by selecting the IP address range from the list and clicking Delete.

Number of AP Whitelist Entries

This parameter is the total number of APs in the remote AP and campus AP Whitelists. This number is also a link to a combined whitelist that displays all campus and remote AP entries.

4. Click Apply.

The master controller generates its self-signed certificate and begins distributing certificates to campus APs and any local controllers on the network over a clear channel. After all APs have received a certificate and have connected to the network using a secure channel, access the Control Plane Security window and turn off auto certificate provisioning if that feature was enabled. This prevents the controller from issuing a certificate to any rogue APs that may appear on your network at a later time.
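The parameters in Table 1 interact: control plane security must be on, and an AP then receives a certificate either because it is on the campus AP whitelist or because auto certificate provisioning is on and the AP's address is permitted (all addresses, or one of the configured ranges). The following Python model is an added example, not ArubaOS code or a supported API; it reproduces that decision logic for a given AP address and flags the configuration state the text above warns about (auto provisioning left on with all addresses allowed). The `CpsecProfile` class, the function names and the sample addresses are constructed for illustration, and treating a whitelisted AP as always provisioned is a simplifying assumption.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Set, Tuple

@dataclass
class CpsecProfile:
    """Constructed model of the Control Plane Security profile settings in Table 1."""
    cpsec_enabled: bool = True          # cpsec-enable: on by default
    auto_cert_prov: bool = False        # auto-cert-prov: off by default
    auto_cert_allow_all: bool = True    # auto-cert-allow-all: default when auto-cert is on
    allowed_ranges: List[Tuple[str, str]] = field(default_factory=list)  # auto-cert-allowed-addrs
    campus_ap_whitelist: Set[str] = field(default_factory=set)           # AP whitelist entries

def parse_ranges(ranges):
    """Validate (start, end) IPv4 pairs; a start after its end is rejected."""
    parsed = []
    for start, end in ranges:
        s, e = ipaddress.IPv4Address(start), ipaddress.IPv4Address(end)
        if s > e:
            raise ValueError(f"range start {s} is after range end {e}")
        parsed.append((s, e))
    return parsed

def will_receive_certificate(profile, ap_ip):
    """Return (decision, reason) for one AP address under the given profile.

    Assumption: a whitelisted AP is provisioned whenever control plane security is on.
    """
    if not profile.cpsec_enabled:
        return False, "control plane security is disabled"
    if ap_ip in profile.campus_ap_whitelist:
        return True, "AP is in the campus AP whitelist"
    if not profile.auto_cert_prov:
        return False, "auto certificate provisioning is off and AP is not whitelisted"
    if profile.auto_cert_allow_all:
        return True, "auto-cert-allow-all permits every associated AP"
    addr = ipaddress.IPv4Address(ap_ip)
    for s, e in parse_ranges(profile.allowed_ranges):
        if s <= addr <= e:
            return True, f"address is within allowed range {s}-{e}"
    return False, "address is outside every allowed range"

def audit_profile(profile):
    """Flag settings the procedure says to avoid once rollout is complete."""
    findings = []
    if profile.cpsec_enabled and profile.auto_cert_prov and profile.auto_cert_allow_all:
        findings.append("auto certificate provisioning is on for all addresses; "
                        "restrict to address ranges or disable after rollout")
    if profile.auto_cert_prov and not profile.auto_cert_allow_all and not profile.allowed_ranges:
        findings.append("auto certificate provisioning is on but no address ranges are configured")
    return findings

if __name__ == "__main__":
    # Constructed sample: one campus range plus one explicitly whitelisted AP.
    profile = CpsecProfile(auto_cert_prov=True, auto_cert_allow_all=False,
                           allowed_ranges=[("10.1.0.1", "10.1.0.254")],
                           campus_ap_whitelist={"10.9.9.9"})
    for ap in ("10.1.0.20", "10.2.0.20", "10.9.9.9"):
        print(ap, will_receive_certificate(profile, ap))
    print(audit_profile(CpsecProfile(auto_cert_prov=True)))
```

Run against a proposed configuration before applying it: a finding from `audit_profile` corresponds to the state the procedure above tells you to leave only during initial rollout, and `will_receive_certificate` shows whether an address on an externally reachable interface would be provisioned.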

Figure 1  Control Plane Security Settings


In the CLI

Use the commands below to configure control plane security via the command-line interface on a standalone or master controller. Descriptions of the individual parameters are listed in Table 1, above.

(host)(config) #control-plane-security

(host)(Control Plane Security Profile) #auto-cert-allow-all

(host)(Control Plane Security Profile) #auto-cert-allowed-addrs <ipaddress-start> <ipaddress-end>

(host)(Control Plane Security Profile) #auto-cert-prov

(host)(Control Plane Security Profile) #cpsec-enable

View the current control plane security settings using the following command:

(host) #show control-plane-security