Managing AP Whitelists

Campus APs or Remote APs appear as valid APs in the Campus AP or Remote AP whitelists when you manually enter their information into those whitelists using the WebUI or CLI (Command-Line Interface) of a controller. Campus APs or Remote APs also appear as valid APs after a controller sends a certificate to an AP as part of automatic certificate provisioning and the AP connects to the controller over a secure tunnel. APs that are not approved or certified on the network are still included in the Campus AP whitelist, but they appear in an unapproved state.

Use the AP whitelists to grant valid APs secure access to the network or to revoke access from suspected rogue APs. When you revoke or remove an AP from the Campus AP or Remote AP whitelist on a controller that uses CPsec (Control Plane Security, a secure form of communication between a controller and its APs that protects control plane traffic using self-signed public-key certificates created by each master controller), that AP will not be able to communicate with the controller again unless it obtains a new certificate.

The following sections describe the procedures for managing AP whitelists.

Adding an AP to the Campus or Remote AP Whitelists

You can add an AP to the Campus AP or Remote AP whitelist using the WebUI or CLI. The following procedure describes the steps to add an AP to the Campus AP or Remote AP whitelist:

1. In the Managed Network node hierarchy, navigate to the Configuration > Access Points > Whitelist tab.

2. Click the Campus AP Whitelist or Remote AP Whitelist tab.

3. Click +.

4. Define the following parameters for each AP you want to add to the AP whitelist:

Table 1: AP Whitelist Parameters

Campus AP whitelist configuration parameters (Campus APs are used in private networks where APs connect over private links such as LAN, WLAN, WAN or MPLS and terminate directly on controllers):

MAC address: MAC (Media Access Control) address of the campus AP that supports secure communications to and from its controller.

AP name: Name of the campus AP. If you do not specify a name, the AP uses its MAC address as the AP name.

AP group: Name of the AP group to which the campus AP is assigned. If you do not specify an AP group, the AP uses default as its AP group.

Description: Brief description of the campus AP.

Remote AP whitelist configuration parameters (Remote APs extend the corporate network to users working from home or at temporary work sites; they are deployed at branch office sites and connect to the central network over a WAN link):

MAC address: MAC address of the Remote AP, in colon-separated octets.

AP name: Name of the Remote AP. If you do not specify a name, the AP uses its MAC address as the AP name.

AP group: Name of the AP group to which the Remote AP is assigned.

Description: Brief description of the Remote AP.

IPv4 address: IPv4 address of the Remote AP.

IPv6 address: IPv6 address of the Remote AP.

5. Click Submit.

6. Click Pending Changes.

7. In the Pending Changes window, select the check box and click Deploy changes.

The following CLI command adds an AP to the Campus AP whitelist:

(host) [mynode] (config) #whitelist-db cpsec add mac-address <address>
    ap-group <ap_group>
    ap-name <ap_name>
    description <description>

The following CLI command adds an AP to the Remote AP whitelist:

(host) [mynode] (config) #whitelist-db rap add mac-address <mac-address>
    ap-group <ap-group>
    ap-name <ap-name>
    description <description>
    full-name <name>
    remote-ip <inner-ip-adr>
    remote-ipv6 <ipv6 address>

Viewing AP Whitelist Entries

The WebUI displays a table of the entries in the selected AP whitelist.

The Configuration > Access Points > Whitelist tab displays the Campus AP whitelist by default. To view the Remote AP whitelist, click Remote AP Whitelist.

The Remote AP whitelist entries page displays only the information you can manually configure. The Campus AP whitelist entries page displays both user-defined settings and additional information that is updated when the status of a Campus AP changes.

Table 2: Campus AP Parameters

Status: Displays the status of the AP whitelist entry.

Revoke text: Brief description of why the campus AP was revoked.

Approved: Approval status of the campus AP.

Updated: Time and date of the last AP status update.

To view information about the Campus AP and Remote AP whitelists using the CLI, issue the following commands:

(host) [mynode] #show whitelist-db cpsec
Control-Plane Security Whitelist-entry Details
----------------------------------------------
MAC-Address        AP-Group  AP-Name  Enable   State                   Cert-Type     Description  Revoke Text  Last Updated
-----------        --------  -------  ------   -----                   ---------     -----------  -----------  ------------
6c:f3:7f:cc:42:25                     Enabled  certified-factory-cert  factory-cert                            Thu Jul 7 03:42:21 2016
9c:1c:12:c0:7c:a6  default   san225   Enabled  certified-factory-cert  factory-cert                            Wed Aug 3 10:34:13 2016
24:de:c6:ca:94:ba                     Enabled  certified-factory-cert  factory-cert                            Fri Apr 22 06:28:46 2016
94:b4:0f:c0:cc:42                     Enabled  certified-factory-cert  factory-cert                            Fri Aug 5 06:54:43 2016
18:64:72:cf:e6:9c                     Enabled  certified-factory-cert  factory-cert                            Tue Aug 9 07:35:41 2016
ac:a3:1e:c0:e6:82                     Enabled  certified-factory-cert  factory-cert                            Wed Aug 10 09:12:23 2016
ac:a3:1e:cd:36:84                     Enabled  certified-factory-cert  factory-cert                            Fri Jun 17 05:50:02 2016
ac:a3:1e:c0:e6:9a                     Enabled  certified-factory-cert  factory-cert                            Thu May 26 06:31:13 2016
Total Entries: 8

(host) [mynode] #show whitelist-db cpsec-status
My Mac-Address 00:1a:1e:00:1a:b8
My IP-Address 10.15.28.16
Master IP-Address 10.15.28.16
Switch-Role Master
Whitelist-sync is disabled
Entries in Whitelist database
Total entries: 5
Approved entries: 0
Unapproved entries: 2
Certified entries: 2
Certified hold entries: 1
Revoked entries: 0
Marked for deletion entries: 0
Current Sequence Number: 147

(host) [mynode] #show whitelist-db rap
Entries in Whitelist database
Total entries: 0
Revoked entries: 0
Marked for deletion entries: 0
AP Entries: 4
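As an added example (not part of the ArubaOS documentation), the following Python script parses a saved `show whitelist-db cpsec` listing and flags the entries an administrator should review before trusting the whitelist: rows whose state is not yet certified, rows that are disabled, rows carrying description or revoke text, and a row count that disagrees with the controller's own Total Entries line. The listing it runs on is constructed for the example; the first two rows mirror the page's output, and the 02:xx MAC addresses are placeholders.

```python
"""Audit a 'show whitelist-db cpsec' listing for entries that need review.

Added example, not ArubaOS code. State and cert-type values follow the
documentation; the sample rows are constructed.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample in the controller's column layout.
SAMPLE_LISTING = """\
Control-Plane Security Whitelist-entry Details
----------------------------------------------
MAC-Address        AP-Group  AP-Name  Enable    State                    Cert-Type     Description  Revoke Text     Last Updated
-----------        --------  -------  ------    -----                    ---------     -----------  -----------     ------------
9c:1c:12:c0:7c:a6  default   san225   Enabled   certified-factory-cert   factory-cert                               Wed Aug  3 10:34:13 2016
6c:f3:7f:cc:42:25                     Enabled   certified-factory-cert   factory-cert                               Thu Jul  7 03:42:21 2016
02:00:00:00:00:03  lobby     lobby-1  Enabled   approved-ready-for-cert  factory-cert                               Mon Jan  9 08:00:00 2017
02:00:00:00:00:04  default   rogue-1  Disabled  certified-factory-cert   factory-cert  unknown AP   found in lobby  Tue Jan 10 09:15:00 2017
Total Entries: 4
"""

DAY = r"(?:Mon|Tue|Wed|Thu|Fri|Sat|Sun)"
ROW_RE = re.compile(
    r"^(?P<mac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})\s+"  # MAC-Address
    r"(?P<names>.*?)\s*"                                  # AP-Group AP-Name (may be blank)
    r"(?P<enable>Enabled|Disabled)\s+"                    # Enable
    r"(?P<state>\S+)\s+(?P<cert>\S+)\s*"                  # State, Cert-Type
    r"(?P<text>.*?)\s*"                                   # Description + Revoke Text
    r"(?P<updated>" + DAY + r"\s+[A-Z][a-z]{2}\s+\d{1,2}\s+\d\d:\d\d:\d\d\s+\d{4})$"
)
TOTAL_RE = re.compile(r"^Total Entries:\s*(\d+)$")


@dataclass
class WhitelistEntry:
    mac: str
    ap_group: Optional[str]
    ap_name: Optional[str]
    enabled: bool
    state: str
    cert_type: str
    text: str      # Description and Revoke Text columns, run together
    updated: str


def parse_listing(listing: str) -> Tuple[List[WhitelistEntry], Optional[int]]:
    """Return the parsed rows and the Total Entries count the controller printed."""
    entries: List[WhitelistEntry] = []
    reported_total: Optional[int] = None
    for raw in listing.splitlines():
        line = raw.strip()
        total = TOTAL_RE.match(line)
        if total:
            reported_total = int(total.group(1))
            continue
        m = ROW_RE.match(line)
        if not m:
            continue  # title, header and separator lines
        # Blank AP-Group/AP-Name columns collapse under whitespace splitting;
        # the documented listing only shows rows with both set or neither.
        tokens = m.group("names").split()
        entries.append(WhitelistEntry(
            mac=m.group("mac").lower(),
            ap_group=tokens[0] if tokens else None,
            ap_name=tokens[1] if len(tokens) > 1 else None,
            enabled=m.group("enable") == "Enabled",
            state=m.group("state"),
            cert_type=m.group("cert"),
            text=m.group("text"),
            updated=m.group("updated"),
        ))
    return entries, reported_total


def review_findings(entries: List[WhitelistEntry],
                    reported_total: Optional[int]) -> List[Tuple[str, str]]:
    """Flag rows an administrator should look at before trusting the whitelist."""
    findings: List[Tuple[str, str]] = []
    if reported_total is not None and reported_total != len(entries):
        findings.append(("*", f"parsed {len(entries)} rows, controller reported {reported_total}"))
    for e in entries:
        if not e.state.startswith("certified-"):
            findings.append((e.mac, f"not certified: state {e.state}"))
        if not e.enabled:
            findings.append((e.mac, "entry disabled"))
        if e.text:
            findings.append((e.mac, f"carries description/revoke text: {e.text!r}"))
    return findings


if __name__ == "__main__":
    rows, total = parse_listing(SAMPLE_LISTING)
    for mac, why in review_findings(rows, total):
        print(f"{mac}  {why}")
```

Feed it the captured output of the command instead of SAMPLE_LISTING to audit a real controller; the regex tolerates the variable column widths the controller prints.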

Modifying an AP in the Campus AP Whitelist

Use the following procedures to modify the AP group, AP name, certificate type, state, description, and revoked status of an AP in the Campus AP whitelist using the WebUI or CLI.

The following procedure describes the steps to modify an AP in the Campus AP whitelist:

1. In the Managed Network node hierarchy, navigate to the Configuration > Access Points > Whitelist tab.

2. Click the Campus AP Whitelist tab.

3. Select the check box of the AP that you want to modify.

4. Modify the settings of the selected AP. Some of the following parameters are also available when adding an AP to the Campus AP whitelist.

AP name: The name of the Campus AP. If you do not specify a name, the AP uses its MAC address as a name.

AP group: The name of the AP group to which the Campus AP is assigned.

Description: Brief description of the Campus AP.

Status: Select Revoked or Accepted.

Revoked string: Enter a value for this string.

5. Click Submit to update the Campus AP whitelist entry with its new settings.

6. Click Pending Changes.

7. In the Pending Changes window, select the check box and click Deploy changes.

The following CLI commands modify an AP in the Campus AP whitelist:

(host) #whitelist-db cpsec modify mac-address <name>
    ap-group <ap_group>
    ap-name <ap_name>
    cert-type {switch-cert|factory-cert}
    description <description>
    mode {disable|enable}
    revoke-text <revoke-text>
    state {approved-ready-for-cert|certified-factory-cert}

Revoking an AP from the Campus AP Whitelist

You can revoke an invalid or rogue AP either by modifying its revoke status (as described in Modifying an AP in the Campus AP Whitelist) or by directly revoking it from the Campus AP whitelist without modifying any other parameter. When revoking an invalid or rogue AP, enter a brief description of why the AP is being revoked. When you revoke an AP from the Campus AP whitelist, the Campus AP whitelist retains the information of the AP. To revoke an invalid or rogue AP and permanently remove it from the whitelist, delete that entry.

You can revoke an AP from the Campus AP whitelist using the WebUI or CLI.

The following procedure describes the steps to revoke an AP from the Campus AP whitelist:

1. In the Managed Network node hierarchy, navigate to the Configuration > Access Points > Whitelist tab.

2. Click the Campus AP Whitelist tab.

3. Select the check box next to the AP you want to revoke and click Revoke. The Revoke window is displayed.

4. Enter a brief description of why the AP is being revoked in the Revoke text field.

5. Click Submit.

6. Click Pending Changes.

7. In the Pending Changes window, select the check box and click Deploy changes.

The following CLI command revokes an AP via the Campus AP whitelist:

(host) [mynode] (config) #whitelist-db cpsec revoke mac-address <name> revoke-text <comment>

Deleting an AP from the Campus AP Whitelist

Before deleting an AP from the Campus AP whitelist, verify that automatic certificate provisioning is either disabled, or enabled only for IP addresses that do not include the AP being deleted. If automatic certificate provisioning is enabled for an AP that is still connected to the network, you cannot delete it from the Campus AP whitelist; the controller immediately re-certifies the AP and re-creates its whitelist entry.

You can delete an AP from the Campus AP whitelist using the WebUI or CLI. The following procedure describes the steps to delete an AP from the Campus AP whitelist:

1. In the Managed Network node hierarchy, navigate to the Configuration > Access Points > Whitelist tab.

2. Click the Campus AP Whitelist tab.

3. Select the check box of the AP that you want to delete, then click Delete.

4. Click Delete.

5. Click Pending Changes.

6. In the Pending Changes window, select the check box and click Deploy changes.


The following CLI command deletes an AP from the Campus AP whitelist:

(host) [mynode] (config) #whitelist-db cpsec del mac-address <name>

Purging a Campus AP Whitelist

Before adding a new managed device to a network using CPsec, purge the campus AP whitelist on the new managed device. To purge a Campus AP whitelist, issue the following command:

(host) [mynode] (config) #whitelist-db cpsec purge

Offloading a Controller Whitelist to ClearPass Policy Manager

This feature allows you to maintain the AP whitelist externally on a ClearPass Policy Manager server. A controller configured to use an external server sends a RADIUS (Remote Authentication Dial-In User Service) access request to the ClearPass Policy Manager server. The MAC address of the AP is used as both the username and the password when constructing the access request packet. The ClearPass Policy Manager server validates the RADIUS message and returns the relevant parameters for authorized APs.

The following supported parameters map to the Vendor Specific Attributes (VSAs) that the ClearPass Policy Manager server sends in the RADIUS access accept packet for authorized APs:

ap-group: Aruba-AP-Group

ap-name: Aruba-Location-ID

ap-remote-ip: Aruba-AP-IP-Address

The following defaults are used when any of the supported parameters are not provided by the ClearPass Policy Manager server in the RADIUS access accept response:

ap-group: The default ap-group is assigned to the AP.

ap-name: The MAC address of the AP is used as the AP name.

There is no change in the Remote AP role assignment. The Remote AP is assigned the role that is configured in the VPN (Virtual Private Network) default-rap profile.

ArubaOS now provides support for ClearPass Policy Manager to whitelist Remote APs in a cluster environment. You can configure ClearPass Policy Manager as an external server that authenticates Remote APs using the MAC address of the Remote APs. The Remote APs are authenticated against whitelist entries maintained in ClearPass Policy Manager, and the cluster inner IP addresses are assigned on the Mobility Master. Hence, the inner IP address assignment is centralized and forwarded to the associated managed devices in the cluster.

The following procedure describes the steps to assign a ClearPass Policy Manager server (a platform for policy management, AAA, profiling, network access control, and reporting) to a Remote AP:

1. Configure a ClearPass Policy Manager server using the WebUI:

a. In the Mobility Master node hierarchy, navigate to the Configuration > Authentication > Auth Servers tab.

b. Click + in the Server Groups table.

c. In the Add Server Group window, enter the server group name in the Name field.

d. Click Submit.

e. Select the server group created.

f. Click + in the Server Group > <name> table.

g. To assign an existing server as the ClearPass Policy Manager server, select the Add existing server option, choose a server from the list, and click Submit.

h. To create a new ClearPass Policy Manager server, select the Add new server option, enter or select appropriate values in the Name, IP address / hostname, and Type fields, and click Submit. Then select the new server in the All Servers table, under Server Options enter a value in the Shared Key field and re-enter it in the Retype key field, and click Submit.

i. Click Pending Changes.

j. In the Pending Changes window, select the checkbox and click Deploy Changes.

2. In the Mobility Master node hierarchy, navigate to the Configuration > System > Profiles tab.

3. In the All profiles list, select Wireless LAN > VPN Authentication > default-rap > Server Group.

4. Select the ClearPass Policy Manager server from the Server Group drop-down list.

5. Click Submit.

6. Click Pending Changes.

7. In the Pending Changes window, select the check box and click Deploy changes.

To assign a ClearPass Policy Manager server to a Remote AP that was initially an Instant AP:

1. Ensure that a ClearPass Policy Manager server is configured on the controller.

2. In the Mobility Master node hierarchy, navigate to the Configuration > System > Profiles tab.

3. In the All profiles list, select Wireless LAN > VPN Authentication > default-iap > Server Group.

4. Select the ClearPass Policy Manager server from the Server Group drop-down list.

5. Click Save.

6. Click Pending Changes.

7. In the Pending Changes window, select the check box and click Deploy changes.

The following commands add a ClearPass Policy Manager server to a Remote AP.

Configure a RADIUS server with the ClearPass Policy Manager server as the host address. In this example cppm-rad is the ClearPass Policy Manager server name and cppm-sg is the server group name:

(host) [md] (config) #aaa authentication-server radius cppm-rad
(host) [md] (RADIUS Server "cppm-rad") #host 1.1.1.1

Run the following commands to add this server to a server group:

(host) [md] (config) #aaa server-group cppm-sg
(host) (Server Group "cppm-sg") #auth-server cppm-rad

Run the following commands to add this server group to the default-rap VPN profile:

(host) [md] (config) #aaa authentication vpn default-rap
(host) (VPN Authentication Profile "default-rap") #server-group cppm-sg

Run the following command to configure the Remote AP inner IP pool on the Mobility Master for cluster deployment:

(host) [mynode] (config) #lc-rap-pool rap-cluster 3.1.1.3 3.1.1.10

Important Points to Remember

The lc-rap-pool command currently supports only IPv4 addresses in a cluster environment.

In the cluster environment, the managed device does not use the IP address received from ClearPass Policy Manager; instead it tries to obtain the cluster inner IP address from the Remote AP inner IP pool for cluster deployment (lc-rap-pool) configured on the Mobility Master. If the managed device fails to obtain the inner IP address, the Remote AP does not establish an IKE (Internet Key Exchange)/IPsec tunnel with the managed device. The whitelist entries are automatically generated after successful authentication and IP assignment from the Remote AP inner IP pool.

When the Remote AP goes down on all cluster members, both the managed device and Mobility Master delete the Remote AP whitelist entries that are generated automatically.