ArubaOS 8.6.0.0 Help Center

Control Plane Security

ArubaOS supports secure IPsec communications between a managed device and campus APs (APs that connect over private links such as LAN, WLAN, WAN, or MPLS and terminate directly on controllers) or remote APs (APs deployed at branch offices, home offices, or temporary work sites and connected to the central network over a WAN link), using public-key self-signed certificates created by each Mobility Master. The managed device certifies its APs by issuing them certificates.

If the Mobility Master has any associated managed devices, it sends a certificate to each managed device, which in turn sends certificates to its own associated APs. If a managed device is unable to contact the Mobility Master to obtain its own certificate, it cannot certify its APs, and those APs cannot communicate with the managed device until communication between the Mobility Master and the managed device has been re-established. You create an initial CPsec (Control Plane Security) configuration when you first configure the managed device using the initial setup wizard. The ArubaOS initial setup wizard enables CPsec by default, so it is very important that the managed device be able to communicate with the Mobility Master when it is first provisioned.

Some AP models have factory-installed digital certificates. These AP models use their factory-installed certificates for IPsec and do not need a certificate from the managed device. Once a campus AP or remote AP is certified, either through a factory-installed certificate or a certificate from the managed device, the AP can fail over between managed devices and still stay connected to the secure network, because each AP has the same Mobility Master as a common trust anchor.

The managed device maintains two separate AP whitelists: one for campus APs and one for remote APs. These whitelists contain records of all campus APs or remote APs connected to the network. You can use the campus AP or remote AP whitelist at any time to add a new valid campus AP or remote AP to the secure network, or to revoke network access from any suspected rogue or unauthorized AP.
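The following is an added illustration of the trust relationships described in the two preceding paragraphs; it is not ArubaOS code and does not show real CPsec certificate contents or whitelist storage. It models a managed device that admits an AP only when the AP's certificate chains to the same Mobility Master root (so an AP certified by managed device A is still accepted after failing over to managed device B) and the AP is present in the whitelist; it assumes the `cryptography` package, and all names are constructed.

```python
import datetime as dt
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

def issue(cn, key, signer_key=None, signer_cert=None, ca=False):
    """Issue a certificate for `key`; self-signed when no signer is given."""
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    now = dt.datetime.now(dt.timezone.utc)
    return (x509.CertificateBuilder().subject_name(name)
            .issuer_name(signer_cert.subject if signer_cert else name)
            .public_key(key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(now).not_valid_after(now + dt.timedelta(days=365))
            .add_extension(x509.BasicConstraints(ca=ca, path_length=None), critical=True)
            .sign(signer_key or key, hashes.SHA256()))

def signed_by(cert, signer):
    """Issuer name must match and the ECDSA signature must verify under signer's key."""
    if cert.issuer != signer.subject:
        return False
    try:
        signer.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                   ec.ECDSA(cert.signature_hash_algorithm))
        return True
    except InvalidSignature:
        return False

def ap_accepted(ap_cert, chain, root, whitelist):
    """Model of a managed device admitting an AP: whitelisted and chained to the root."""
    cn = ap_cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME)[0].value
    links = [ap_cert, *chain, root]                     # leaf -> intermediates -> anchor
    return cn in whitelist and all(signed_by(c, s) for c, s in zip(links, links[1:]))

# Constructed hierarchy: one Mobility Master root, two managed devices, one AP.
mm_key, md_a_key, md_b_key, ap_key = (ec.generate_private_key(ec.SECP256R1()) for _ in range(4))
MM = issue("mobility-master", mm_key, ca=True)                      # common trust anchor
MD_A = issue("managed-device-a", md_a_key, mm_key, MM, ca=True)
MD_B = issue("managed-device-b", md_b_key, mm_key, MM, ca=True)
AP = issue("ap-01", ap_key, md_a_key, MD_A)                         # certified by device A
OTHER_ROOT = issue("other-mobility-master", ec.generate_private_key(ec.SECP256R1()), ca=True)

def demo():
    """(accepted on failover to B, rejected under a foreign root, rejected when not whitelisted)"""
    return (ap_accepted(AP, [MD_A], MM, {"ap-01"}),
            ap_accepted(AP, [MD_A], OTHER_ROOT, {"ap-01"}),
            ap_accepted(AP, [MD_A], MM, set()))
```

The failover case passes because managed device B validates the AP's certificate against the Mobility Master root it shares with managed device A, not against its own certificate.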

When the managed device sends a certificate to an AP, that AP must reboot before it can connect to the managed device over a secure channel. If you are enabling CPsec for the first time on a large network, you may experience several minutes of interrupted connectivity while each AP receives its certificate and establishes its secure connection.

Topics in this section include:

Control Plane Security Overview

Configuring Control Plane Security

Managing AP Whitelists

Whitelist DB Optimization

Configuring Networks with a Backup Mobility Master

Replacing a Controller on a Multi-Controller Network

Troubleshooting Control Plane Security
