
control-plane-security


auto-cert-allow-all

auto-cert-allowed-addrs <start> <end>

auto-cert-allowed-addrs <startv6> <endv6>

auto-cert-prov

cpsec-enable

no

timer

Description

Configure the control plane security profile by identifying APs to receive security certificates.

Syntax

Parameter

Description

auto-cert-allow-all

When you issue the control-plane-security auto-cert-allow-all command, the managed device sends a certificate to all associated APs when auto certificate provisioning is enabled. When disabled, the managed device sends certificates only to APs whose IP or IPv6 addresses are in the ranges specified by auto-cert-allowed-addrs.

auto-cert-allowed-addrs <start> <end>

Use this command to define a specific range of AP IP addresses. The managed device sends certificates to the APs in this IP range when auto certificate provisioning is enabled. Identify a range by entering the starting IP address and the ending IP address in the range, separated by a single space. You can repeat this command as many times as necessary to define multiple IP ranges.

auto-cert-allowed-addrs <startv6> <endv6>

Use this command to define a specific range of AP IPv6 addresses. The managed device sends certificates to the APs in this IPv6 range when auto certificate provisioning is enabled. Identify a range by entering the starting IPv6 address and the ending IPv6 address in the range, separated by a single space. You can repeat this command as many times as necessary to define multiple IP ranges.

auto-cert-prov

Issue this command to enable automatic certificate provisioning. When this feature is enabled, the managed device will attempt to send certificates to associated APs. To disable this feature, use the command no auto-cert-prov. Automatic certificate provisioning is disabled by default.

cpsec-enable

Issue this command to enable control plane security. To disable this feature, use the command no cpsec-enable. Control plane security is enabled by default.

no

Negates any configured parameter.

timer <timer>

Timer value, in dd:hh (days:hours) format, that prevents APs from going into unapproved-no-cert state when the APs remain idle for two or more hours.

The minimum value of hours in dd:hh format is 2 hours.

Usage Guidelines

The managed devices enabled with control plane security only send certificates to APs that you have identified as valid APs on the network. If you are confident that all campus APs currently on your network are valid APs, you can configure automatic certificate provisioning to send certificates from the managed device to each campus AP, or to all campus APs within a specific range of IP addresses. If you want closer control over each AP that gets certified, you can manually add individual campus APs to the secure network by adding each AP's information to a campus AP whitelist.

Campus APs are used in private networks where APs connect over private links (LAN, WLAN, WAN or MPLS) and terminate directly on controllers. Campus APs are deployed as part of the indoor campus solution in enterprise office buildings, warehouses, hospitals, universities, and so on.

Example

The following command defines a range of IP addresses that should receive certificates from the managed device, and enables the control plane security feature:

(host) [md] (config) #control-plane-security

auto-cert-allowed-addrs 10.21.18.10 10.21.10.90

cpsec-enable
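
A configuration audit for the settings described above, as an added example that is not part of the vendor documentation: it parses the sub-commands of a control-plane-security block, reports settings that widen or silently break certificate provisioning, and checks whether an AP address falls inside an allowed range. The sample profile and its addresses are constructed, the function names are hypothetical, and treating an absent auto-cert-allow-all as "not set" is an assumption because this page states no default for it.

```python
import ipaddress

FLAGS = {"cpsec-enable": "cpsec", "auto-cert-prov": "prov", "auto-cert-allow-all": "allow_all"}

def parse_profile(text):
    """Parse control-plane-security sub-commands into a settings dict."""
    # Defaults from the page: cpsec enabled, auto-cert-prov disabled.
    # Assumption: allow_all = None means "not set in this text" (no default on the page).
    p = {"cpsec": True, "prov": False, "allow_all": None, "ranges": [], "errors": []}
    for line in text.splitlines():
        words = line.split()
        negate = bool(words) and words[0] == "no"
        words = words[1:] if negate else words
        if not words:
            continue
        if words[0] in FLAGS:
            p[FLAGS[words[0]]] = not negate
        elif words[0] == "auto-cert-allowed-addrs" and not negate:
            try:  # wrong argument count and malformed addresses both raise ValueError
                lo, hi = (ipaddress.ip_address(w) for w in words[1:])
            except ValueError:
                p["errors"].append("bad range: " + line.strip())
                continue
            if lo.version != hi.version or lo > hi:
                p["errors"].append("start/end mismatch: " + line.strip())
            else:
                p["ranges"].append((lo, hi))
    return p

def audit(p):
    """Return findings about who can receive a certificate automatically."""
    findings = list(p["errors"])
    if not p["cpsec"]:
        findings.append("control plane security disabled (no cpsec-enable)")
    if p["prov"] and p["allow_all"] is not False:
        how = "set" if p["allow_all"] else "not set here, verify with show control-plane-security"
        findings.append(f"auto-cert-prov with auto-cert-allow-all {how}: ranges may not restrict provisioning")
    if p["prov"] and p["allow_all"] is False and not p["ranges"]:
        findings.append("auto-cert-prov enabled but no valid allowed range")
    return findings

def in_allowed_ranges(p, ap_ip):
    """True if ap_ip lies inside one of the parsed IPv4 or IPv6 ranges."""
    ip = ipaddress.ip_address(ap_ip)
    return any(lo.version == ip.version and lo <= ip <= hi for lo, hi in p["ranges"])

# Constructed sample profile (documentation address space), second range is inverted.
SAMPLE = """control-plane-security
 auto-cert-prov
 no auto-cert-allow-all
 auto-cert-allowed-addrs 192.0.2.10 192.0.2.90
 auto-cert-allowed-addrs 192.0.2.200 192.0.2.100
 auto-cert-allowed-addrs 2001:db8::10 2001:db8::ff
 cpsec-enable
"""
```
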

Related Commands

Command

Description

show control-plane-security

Displays the configured control plane security profile settings.

Command History

Release

Modification

ArubaOS 8.3.0.0

The timer parameter was added.

ArubaOS 8.0.0.0

Command introduced.

Command Information

Platforms: All platforms

Licensing: Base operating system.

Command Mode: Config mode on Mobility Master.
