Managing AP Whitelists
Campus APs or Remote APs appear as valid APs in the Campus AP or Remote AP whitelists when you manually enter their information into those whitelists using the WebUI or CLI of a controller. Campus APs or Remote APs also appear as valid APs after a controller sends a certificate to an AP as part of automatic certificate provisioning and the AP connects to the controller over a secure tunnel. APs that are not approved or certified on the network are included in the Campus AP whitelists, but these APs appear in an unapproved state.
Use the AP whitelists to grant valid APs secure access to the network or to revoke access from suspected rogue APs. When you revoke or remove an AP from the Campus AP or Remote AP whitelist on a controller that uses CPsec (Control Plane Security), that AP will not be able to communicate with the controller again unless it obtains a new certificate.
The following sections discuss the procedures to manage AP whitelists:
Adding an AP to the Campus or Remote AP Whitelists
You can add an AP to the Campus AP or Remote AP whitelists using the WebUI or CLI. The following procedure describes the steps to add an AP to the Campus AP or Remote AP whitelist:
1. In the node hierarchy, navigate to the tab.
2. Click or tab.
3. Click .
4. Define the following parameters for each AP you want to add to the AP whitelist:
5. Click .
6. Click .
7. In the window, select the check box and click .
The following CLI command adds an AP to the Campus AP whitelist:
(host) [mynode] (config) #whitelist-db cpsec add mac-address <address>
ap-group <ap_group>
ap-name <ap_name>
description <description>
The following CLI command adds an AP to the Remote AP whitelist:
(host) [mynode] (config) #whitelist-db rap add mac-address <mac-address>
ap-group <ap-group>
ap-name <ap-name>
description <description>
full-name <name>
remote-ip <inner-ip-adr>
remote-ipv6 <ipv6 address>
Viewing AP Whitelist Entries
The WebUI displays the entries in the selected AP whitelist as a table.
The tab displays the list of the Campus AP whitelists by default. To view the list of Remote AP whitelists, click .
The Remote AP whitelist entries page displays only the information you can manually configure. The Campus AP whitelist entries page displays both user-defined settings and additional information that are updated when the status of a Campus AP changes.
Parameter | Description
--------- | -----------
 | Displays the status of the AP whitelist entry.
 | Brief description for revoking the Campus AP.
 | Time and date of the last AP status update.
To view information about the Campus AP and Remote AP whitelists using the CLI, issue the following commands:
(host) [mynode] #show whitelist-db cpsec
Control-Plane Security Whitelist-entry Details
----------------------------------------------
MAC-Address AP-Group AP-Name Enable State Cert-Type Description Revoke Text Last Updated
----------- -------- ------- ------ ----- --------- ----------- ----------- ------------
6c:f3:7f:cc:42:25 Enabled certified-factory-cert factory-cert Thu Jul 7 03:42:21 2016
9c:1c:12:c0:7c:a6 default san225 Enabled certified-factory-cert factory-cert Wed Aug 3 10:34:13 2016
24:de:c6:ca:94:ba Enabled certified-factory-cert factory-cert Fri Apr 22 06:28:46 2016
94:b4:0f:c0:cc:42 Enabled certified-factory-cert factory-cert Fri Aug 5 06:54:43 2016
18:64:72:cf:e6:9c Enabled certified-factory-cert factory-cert Tue Aug 9 07:35:41 2016
ac:a3:1e:c0:e6:82 Enabled certified-factory-cert factory-cert Wed Aug 10 09:12:23 2016
ac:a3:1e:cd:36:84 Enabled certified-factory-cert factory-cert Fri Jun 17 05:50:02 2016
ac:a3:1e:c0:e6:9a Enabled certified-factory-cert factory-cert Thu May 26 06:31:13 2016
Total Entries: 8
(host) [mynode] #show whitelist-db cpsec-status
My Mac-Address 00:1a:1e:00:1a:b8
My IP-Address 10.15.28.16
Master IP-Address 10.15.28.16
Switch-Role Master
Whitelist-sync is disabled
Entries in Whitelist database
Total entries: 5
Approved entries: 0
Unapproved entries: 2
Certified entries: 2
Certified hold entries: 1
Revoked entries: 0
Marked for deletion entries: 0
Current Sequence Number: 147
(host) [mynode] #show whitelist-db rap
Entries in Whitelist database
Total entries: 0
Revoked entries: 0
Marked for deletion entries: 0
AP Entries: 4
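As an added example, not part of the ArubaOS documentation or product, the following Python parses the two outputs shown above (as captured here, with whitespace collapsed) and lists the entries a defender would review: disabled entries, entries whose state is not one the page documents as approved or certified, and non-zero unapproved, certified-hold or revoked counters. The sample rows are constructed from the output above plus one disabled entry.

```python
import re

MAC = r"(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}"
DAY = r"(?:Mon|Tue|Wed|Thu|Fri|Sat|Sun)"
# One whitelist row: MAC, optional AP-Group/AP-Name pair, Enable flag, State,
# Cert-Type, then Description/Revoke Text (if any) and the Last Updated stamp.
ROW = re.compile(
    rf"^(?P<mac>{MAC})\s+(?:(?P<group>\S+)\s+(?P<name>\S+)\s+)?"
    rf"(?P<enable>Enabled|Disabled)\s+(?P<state>\S+)\s+(?P<cert>\S+)"
    rf"\s*(?P<text>.*?)\s*(?P<updated>{DAY} .*)$")
COUNT = re.compile(r"^\s*([A-Za-z ]+entries):\s*(\d+)\s*$")
# States the page documents for a healthy entry; anything else gets reviewed.
HEALTHY_STATES = {"approved-ready-for-cert", "certified-factory-cert"}

# Constructed sample: two rows copied from the output above plus a disabled
# entry with a description, to exercise the optional columns.
SAMPLE_TABLE = """\
MAC-Address AP-Group AP-Name Enable State Cert-Type Description Revoke Text Last Updated
----------- -------- ------- ------ ----- --------- ----------- ----------- ------------
6c:f3:7f:cc:42:25 Enabled certified-factory-cert factory-cert Thu Jul 7 03:42:21 2016
9c:1c:12:c0:7c:a6 default san225 Enabled certified-factory-cert factory-cert Wed Aug 3 10:34:13 2016
00:11:22:33:44:55 lab lab-ap1 Disabled certified-factory-cert factory-cert old-lab-unit Mon Jan 1 00:00:00 2018
Total Entries: 3
"""
SAMPLE_STATUS = """\
Entries in Whitelist database
Total entries: 5
Approved entries: 0
Unapproved entries: 2
Certified entries: 2
Certified hold entries: 1
Revoked entries: 0
"""


def parse_cpsec_table(output):
    """Return one dict per AP row of `show whitelist-db cpsec`."""
    return [m.groupdict() for m in map(ROW.match, map(str.strip, output.splitlines())) if m]


def parse_cpsec_status(output):
    """Return the counters of `show whitelist-db cpsec-status`, keyed in lower case."""
    counts = {}
    for line in output.splitlines():
        m = COUNT.match(line)
        if m:
            counts[m.group(1).strip().lower()] = int(m.group(2))
    return counts


def review_whitelist(table_output, status_output):
    """Findings worth a look: disabled or non-healthy entries, and APs sitting in
    the unapproved, certified-hold or revoked pools waiting for a decision."""
    findings = []
    for e in parse_cpsec_table(table_output):
        if e["enable"] != "Enabled":
            findings.append(f"{e['mac']}: entry disabled")
        if e["state"] not in HEALTHY_STATES:
            findings.append(f"{e['mac']}: state {e['state']} needs review")
    counts = parse_cpsec_status(status_output)
    for key in ("unapproved entries", "certified hold entries", "revoked entries"):
        if counts.get(key, 0):
            findings.append(f"{key}: {counts[key]}")
    return findings
```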
Modifying an AP in the Campus AP Whitelist
Use the following procedures to modify the AP group, AP name, certificate type, state, description, and revoked status of an AP in the Campus AP whitelist using the WebUI or CLI.
The following procedure describes the steps to modify an AP in the Campus AP whitelist:
1. In the node hierarchy, navigate to the tab.
2. Click tab.
3. Select the check box of the AP that you want to modify.
4. Modify the settings of the selected AP. Some of the following parameters are available when adding an AP to the Campus AP whitelist.
: The name of the Campus AP. If you do not specify a name, the AP uses its MAC address as its name.
: The name of the AP group to which the Campus AP is assigned.
: Brief description of the Campus AP.
: Select or .
: Enter a value for this string.
5. Click to update the Campus AP whitelist entry with its new settings.
6. Click .
7. In the window, select the check box and click .
The following CLI commands modify an AP in the Campus AP whitelist:
(host) #whitelist-db cpsec modify mac-address <name>
ap-group <ap_group>
ap-name <ap_name>
cert-type {switch-cert|factory-cert}
description <description>
mode {disable|enable}
revoke-text <revoke-text>
state {approved-ready-for-cert|certified-factory-cert}
Revoking an AP from the Campus AP Whitelist
You can revoke an invalid or rogue AP either by modifying its revoke status (as described in Modifying an AP in the Campus AP Whitelist) or by directly revoking it from the Campus AP whitelist without modifying any other parameter. When revoking an invalid or rogue AP, enter a brief description of why the AP is being revoked. When you revoke an AP from the Campus AP whitelist, the Campus AP whitelist retains the information of the AP. To revoke an invalid or rogue AP and permanently remove it from the whitelist, delete that entry.
You can revoke an AP from the Campus AP whitelist using the WebUI or CLI.
The following procedure describes the steps to revoke an AP from the Campus AP whitelist:
1. In the node hierarchy, navigate to the tab.
2. Click tab.
3. Click on the check box next to the AP you want to revoke and click . The window is displayed.
4. Enter a brief description of why the AP is being revoked in the field.
5. Click .
6. Click .
7. In the window, select the check box and click .
The following CLI command revokes an AP from the Campus AP whitelist:
(host) [mynode] (config) #whitelist-db cpsec revoke mac-address <name> revoke-text <comment>
Deleting an AP from the Campus AP Whitelist
Before deleting an AP from the Campus AP whitelist, verify that automatic certificate provisioning is either disabled, or enabled only for IP addresses that do not include the AP being deleted. If automatic certificate provisioning is enabled for an AP that is still connected to the network, you cannot delete it from the Campus AP whitelist; the controller immediately re-certifies the AP and re-creates its whitelist entry.
You can delete an AP from the Campus AP whitelist using the WebUI or CLI. The following procedure describes the steps to delete an AP from the Campus AP whitelist:
1. In the node hierarchy, navigate to the tab.
2. Click tab.
3. Select the check box of the AP that you want to delete, then click .
4. Click .
5. Click .
6. In the window, select the check box and click .
The following animation displays how to delete an AP from the Campus AP whitelist in the WebUI:
The following CLI command deletes an AP from the Campus AP whitelist:
(host) [mynode] (config) #whitelist-db cpsec del mac-address <name>
Purging a Campus AP Whitelist
Before adding a new managed device to a network using CPsec, purge the Campus AP whitelist on the new managed device. To purge a Campus AP whitelist, issue the following command:
(host) [mynode] (config) #whitelist-db cpsec purge
Offloading a Controller Whitelist to ClearPass Policy Manager
This feature allows an AP whitelist to be maintained externally on a ClearPass Policy Manager server. A controller configured to use an external server sends a RADIUS access request to the ClearPass Policy Manager server, using the MAC address of the AP as both the username and the password when constructing the access request packet. The ClearPass Policy Manager server validates the RADIUS message and returns the relevant parameters for the authorized APs.
The following supported parameters are associated with these Vendor Specific Attributes (VSAs), which the ClearPass Policy Manager server sends in the RADIUS access accept packet for authorized APs:
ap-group: Aruba-AP-Group
ap-name: Aruba-Location-ID
ap-remote-ip: Aruba-AP-IP-Address
The following defaults are used when the ClearPass Policy Manager server does not provide a supported parameter in the RADIUS access accept response:
ap-group: The default ap-group is assigned to the AP.
ap-name: The MAC address of the AP is used as the AP name.
There is no change in the Remote AP role assignment. The Remote AP is assigned the role that is configured in the VPN default-rap profile.
ArubaOS now provides support for ClearPass Policy Manager to whitelist Remote APs in a cluster environment. You can configure ClearPass Policy Manager as an external server that authenticates Remote APs using the MAC address of the Remote APs. The Remote APs are authenticated by maintaining whitelist entries in ClearPass Policy Manager, and the cluster inner IP addresses are assigned on the Mobility Master. Hence, the inner IP address assignment is centralized and forwarded to the associated managed devices in the cluster.
The following procedure describes the steps to assign a ClearPass Policy Manager server to a Remote AP:
a. In the node hierarchy, navigate to the tab.
b. Click in the table.
c. In the window, enter the server group name in the field.
d. Click .
e. Select the server group created.
f. Click in the table.
g. To assign an existing server as the ClearPass Policy Manager server, select the option, choose a server from the list, and click .
To create a new server, select the option, enter or select appropriate values in the following fields, and click . Select the new server created in the table. Under , enter a value in the field and re-enter the value in the field. Click .
i. Click .
j. In the window, select the checkbox and click .
2. In the node hierarchy, navigate to the > > tab.
3. In the list, select
4. Select the ClearPass Policy Manager server from the drop-down list.
5. Click .
6. Click .
7. In the window, select the check box and click .
To assign a ClearPass Policy Manager server to a Remote AP that was initially an Instant AP:
1. Ensure that a ClearPass Policy Manager server is configured on the controller.
2. In the node hierarchy, navigate to the > > tab.
3. In the list, select
4. Select the ClearPass Policy Manager server from the drop-down list.
5. Click .
6. Click .
7. In the window, select the check box and click .
The following commands add a ClearPass Policy Manager server to a Remote AP:
Configure a RADIUS server with the ClearPass Policy Manager server as the host address. In this example, cppm-rad is the ClearPass Policy Manager server name and cppm-sg is the server group name.
(host) [md] (config) #aaa authentication-server radius cppm-rad
(host) [md] (RADIUS Server "test") # host 1.1.1.1
Run the following commands to add this server to a server group:
(host) [md] (config) #aaa server-group cppm-sg
(host) (Server Group "cppm-sg") #auth-server cppm-rad
Run the following commands to add this server group to the VPN profile:
(host) [md] (config) #aaa authentication vpn default-rap
(host)(VPN Authentication Profile "default-rap") #server-group cppm-sg
Run the following command to configure the Remote AP inner IP pool on the Mobility Master for cluster deployment:
(host) [mynode] (config) #lc-rap-pool rap-cluster 3.1.1.3 3.1.1.10
Important Points to Remember
The command currently supports only IPv4 addresses in a cluster environment.
In the cluster environment, the managed device does not use the IP address received from ClearPass Policy Manager; it tries to obtain the cluster inner IP address from the Remote AP inner IP pool for cluster deployment configured on the Mobility Master. If the managed device fails to obtain the inner IP address, the Remote AP does not establish an IKE/IPsec tunnel with the managed device. The whitelist entries are automatically generated after successful authentication and IP assignment from the Remote AP inner IP pool.
When the Remote AP goes down on all cluster members, both the managed device and the Mobility Master delete the Remote AP whitelist entries that were generated automatically.
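The following Python models the MAC-based whitelist offload described in this section and the cluster behaviour in the points above, as an added example rather than ArubaOS or ClearPass code: it builds the RADIUS Access-Request in which the AP MAC is both User-Name and User-Password (RFC 2865 password hiding), turns the VSAs of an Access-Accept into a Remote AP whitelist entry using the documented defaults, and in cluster mode takes the inner IP from a pool modelled on lc-rap-pool instead of the ClearPass-supplied address. The default group name "default" and sequential pool allocation are assumptions.

```python
import hashlib
import ipaddress
import os
import struct

ACCESS_REQUEST = 1       # RADIUS packet code (RFC 2865)
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2
DEFAULT_AP_GROUP = "default"  # assumption: name of the controller's default ap-group


def normalise_mac(mac):
    """Canonical lower-case colon form, so one AP always yields one RADIUS username."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def pap_hide(password, secret, authenticator):
    """RFC 2865 5.2 User-Password hiding: each 16-byte block XOR MD5(secret + previous)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out


def build_access_request(mac, secret, ident=0, authenticator=None):
    """Access-Request in which the AP MAC is both User-Name and User-Password."""
    name = normalise_mac(mac).encode()
    auth = authenticator or os.urandom(16)     # 16-byte Request Authenticator
    attrs = struct.pack("!BB", ATTR_USER_NAME, 2 + len(name)) + name
    hidden = pap_hide(name, secret, auth)
    attrs += struct.pack("!BB", ATTR_USER_PASSWORD, 2 + len(hidden)) + hidden
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + auth + attrs


class RapInnerPool:
    """Models `lc-rap-pool <name> <start> <end>` on the Mobility Master;
    sequential hand-out of addresses is an assumption, not documented behaviour."""
    def __init__(self, start, end):
        lo, hi = int(ipaddress.IPv4Address(start)), int(ipaddress.IPv4Address(end))
        self.free = [str(ipaddress.IPv4Address(i)) for i in range(lo, hi + 1)]

    def allocate(self):
        return self.free.pop(0) if self.free else None


def derive_whitelist_entry(mac, accept_vsas, cluster_pool=None):
    """Turn the VSAs of an Access-Accept into a Remote AP whitelist entry, applying
    the documented defaults: ap-group = default group, ap-name = AP MAC address."""
    mac = normalise_mac(mac)
    entry = {"mac-address": mac,
             "ap-group": accept_vsas.get("Aruba-AP-Group", DEFAULT_AP_GROUP),
             "ap-name": accept_vsas.get("Aruba-Location-ID", mac)}
    if cluster_pool is None:
        entry["ap-remote-ip"] = accept_vsas.get("Aruba-AP-IP-Address")
    else:
        # Cluster: the ClearPass-supplied address is ignored and the inner IP comes
        # from the pool; without one there is no IKE/IPsec tunnel and no entry.
        inner = cluster_pool.allocate()
        if inner is None:
            return None
        entry["ap-remote-ip"] = inner
    return entry
```

Because the "password" is just the AP's MAC address, the strength of this check rests on the RADIUS shared secret, the path between controller and ClearPass Policy Manager, and the whitelist kept there; an AP that is accepted with no VSAs lands in the default group under its MAC address.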