Users Guide

Dell PowerConnect W-Series ArubaOS 6.1 | User Guide Control Plane Security | 433
Chapter 20
Control Plane Security
ArubaOS supports secure IPsec communications between a controller and campus APs using public-key self-signed certificates created by each master controller. The controller certifies its APs by issuing them certificates. If the master controller has any associated local controllers, the master controller sends a certificate to each local controller, which in turn sends certificates to its own associated campus APs. If a local controller is unable to contact the master controller to obtain its own certificate, it will not be able to certify its APs, and those APs will not be able to communicate with their local controller until master-local communication has been reestablished. You create the initial control plane security configuration when you first configure the controller using the initial setup wizard. The ArubaOS initial setup wizard enables control plane security by default, so it is very important that a local controller is able to communicate with its master controller when it is first provisioned.
Some AP model types have factory-installed digital certificates. These AP models will use their factory-installed
certificates for IPsec, and do not need a certificate from the controller. Once a campus AP is certified, either
through a factory-installed certificate or a certificate from the controller, the AP can failover between local
controllers and still stay connected to the secure network, because each campus AP will have the same master
controller as a common trust anchor. The campus AP whitelist contains a list of all APs connected to the network.
You can use this whitelist at any time to add new valid APs to the secure network, or revoke network access to any
suspected rogue or unauthorized AP.
When the controller sends an AP a certificate, that AP must reboot before it can connect to its controller over a
secure channel. If you are enabling control plane security for the first time on a large network, you may experience
several minutes of interrupted connectivity while each AP receives its certificate and establishes its secure
connection.
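The certificate hierarchy described above, modeled as an added example (this is not code from the ArubaOS guide or from Aruba/Dell, and it does not reproduce the controller's actual certificate profiles or its IPsec exchange): a Go program using the standard library's X.509 package. The master controller creates a self-signed root, certifies two local controllers, and local-1 certifies a campus AP; each controller then checks a connecting AP's chain against its master as the trust anchor. The entity names, key type (ECDSA P-256) and validity periods are assumptions. What the program shows is the point made above: an AP certified through local-1 is also accepted by local-2, because both share the master as their anchor, while an AP certified under a different master is rejected.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// entity is a master controller, local controller or campus AP in this model.
type entity struct {
	key    *ecdsa.PrivateKey
	chain  []*x509.Certificate // own certificate first, then each issuer up to the master
	anchor *x509.Certificate   // the master certificate this entity ultimately chains to
}

var serial int64

// certify issues a certificate for name. With parent == nil it is self-signed (a master
// controller creating its trust anchor); otherwise parent signs it (master -> local, local -> AP).
func certify(name string, isCA bool, parent *entity) (*entity, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // key type is an assumption
	if err != nil {
		return nil, err
	}
	serial++
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  isCA,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	signerCert, signerKey := tmpl, key // self-signed unless a parent is given
	if parent != nil {
		signerCert, signerKey = parent.chain[0], parent.key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signerCert, &key.PublicKey, signerKey)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	if parent == nil {
		return &entity{key: key, chain: []*x509.Certificate{cert}, anchor: cert}, nil
	}
	return &entity{key: key, chain: append([]*x509.Certificate{cert}, parent.chain...), anchor: parent.anchor}, nil
}

// accept is the check a controller applies to a connecting AP: the presented chain must end
// at the controller's own trust anchor (its master), not at whichever local issued the AP's
// certificate. That shared anchor is what lets a certified AP fail over between locals.
func (c *entity) accept(ap *entity) error {
	roots, inter := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(c.anchor)
	for _, ic := range ap.chain[1:] {
		inter.AddCert(ic)
	}
	_, err := ap.chain[0].Verify(x509.VerifyOptions{Roots: roots, Intermediates: inter})
	return err
}

// run builds one master with two locals and an AP certified through local-1, plus an AP
// certified under an unrelated master, and returns each controller's decision (nil = accepted).
func run() map[string]error {
	mk := func(name string, isCA bool, parent *entity) *entity {
		e, err := certify(name, isCA, parent)
		if err != nil {
			panic(err) // only crypto/rand or encoding failures can land here
		}
		return e
	}
	master := mk("master", true, nil)
	local1, local2 := mk("local-1", true, master), mk("local-2", true, master)
	ap := mk("campus-ap-1", false, local1)
	foreignAP := mk("campus-ap-2", false, mk("other-master", true, nil))
	return map[string]error{
		"campus-ap-1 at local-1":                local1.accept(ap),
		"campus-ap-1 failing over to local-2":   local2.accept(ap), // local-2 never issued this cert
		"campus-ap-2 (other master) at local-1": local1.accept(foreignAP),
	}
}

func main() {
	for what, err := range run() {
		fmt.Printf("%-40s -> %v\n", what, err)
	}
}
```

Run it with go run; a nil result means the controller accepted the AP. The rejected case is worth reading closely: the foreign AP's certificate is well formed and correctly signed, it simply chains to a root this controller does not hold as its anchor, which is the same situation an AP faces when it is moved to a network under a different master controller.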
This chapter describes the following topics:
“Control Plane Security Overview” on page 433
“Configuring Control Plane Security” on page 434
“Whitelists on Master and Local Controllers” on page 439
“Environments with Multiple Master Controllers” on page 442
“Replacing a Controller on a Multi-Controller Network” on page 445
“Configuring Control Plane Security after Upgrading” on page 449
“Troubleshooting Control Plane Security” on page 450
Control Plane Security Overview
Controllers using control plane security will only send certificates to APs that you have identified as valid APs on
the network. If you want closer control over each AP that gets certified, you can manually add individual campus
APs to the secure network by adding each AP's information to the campus AP whitelist when you first run the
initial setup wizard. If you are confident that all campus APs currently on your network are valid APs, then you
can use the initial setup wizard to configure automatic certificate provisioning to send certificates from the
controller to each campus AP, or to all campus APs within a specific range of IP addresses.
NOTE: The control plane security feature supports IPv4 campus APs only and is not intended for use with Remote APs or with a controller that terminates IPv6 APs.
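The two provisioning choices above, manual whitelist entries versus automatic provisioning for all campus APs or for an address range, written out as the decision a controller has to make per AP. This is an added illustration, not ArubaOS code: the whitelist state names, the precedence between a whitelist entry and auto-cert, and every MAC and IP value are constructed assumptions of this model. The IPv4-only refusal reflects the note above.

```go
package main

import (
	"fmt"
	"net/netip"
	"strings"
)

// apState is the state of a campus AP whitelist entry. These state names are an
// assumption of this model, not ArubaOS's own whitelist states.
type apState int

const (
	NotListed apState = iota // zero value: MAC address absent from the whitelist
	Approved
	Revoked
)

// ipRange is an inclusive IPv4 range inside which APs get automatic certificate provisioning.
type ipRange struct{ first, last netip.Addr }

func parseRange(first, last string) (ipRange, error) {
	a, err := netip.ParseAddr(first)
	if err != nil {
		return ipRange{}, err
	}
	b, err := netip.ParseAddr(last)
	if err != nil {
		return ipRange{}, err
	}
	if !a.Is4() || !b.Is4() || a.Compare(b) > 0 {
		return ipRange{}, fmt.Errorf("not an ascending IPv4 range: %s-%s", first, last)
	}
	return ipRange{a, b}, nil
}

// policy models the two provisioning choices described above: explicit whitelist
// entries keyed by MAC address, and automatic provisioning for every campus AP or
// only for APs inside configured address ranges.
type policy struct {
	whitelist   map[string]apState
	autoCert    bool // automatic certificate provisioning enabled
	autoCertAll bool // provision every campus AP rather than only the ranges below
	ranges      []ipRange
}

// shouldCertify returns the decision and the rule that produced it. The precedence
// revoked > approved > auto-cert is an assumption of this model. Anything that is not
// an IPv4 address is refused, since control plane security supports IPv4 campus APs only.
func (p policy) shouldCertify(mac, ip string) (bool, string) {
	addr, err := netip.ParseAddr(ip)
	if err != nil || !addr.Is4() {
		return false, "not an IPv4 campus AP"
	}
	switch p.whitelist[strings.ToLower(mac)] {
	case Revoked:
		return false, "whitelist: revoked"
	case Approved:
		return true, "whitelist: approved"
	}
	if !p.autoCert {
		return false, "not whitelisted and auto-cert disabled"
	}
	if p.autoCertAll {
		return true, "auto-cert: all campus APs"
	}
	for _, r := range p.ranges {
		if addr.Compare(r.first) >= 0 && addr.Compare(r.last) <= 0 {
			return true, fmt.Sprintf("auto-cert: in range %s-%s", r.first, r.last)
		}
	}
	return false, "auto-cert: outside the allowed ranges"
}

// examplePolicy is a constructed configuration: one approved and one revoked AP in
// the whitelist, plus auto-cert for the range 10.1.20.1-10.1.20.254.
func examplePolicy() policy {
	r, err := parseRange("10.1.20.1", "10.1.20.254")
	if err != nil {
		panic(err)
	}
	return policy{
		whitelist: map[string]apState{"02:aa:bb:cc:dd:01": Approved, "02:aa:bb:cc:dd:02": Revoked},
		autoCert:  true,
		ranges:    []ipRange{r},
	}
}

func main() {
	p := examplePolicy()
	for _, ap := range [][2]string{ // constructed APs: MAC, IP
		{"02:AA:BB:CC:DD:01", "10.9.9.9"},    // approved, even outside the range
		{"02:aa:bb:cc:dd:02", "10.1.20.7"},   // revoked, even inside the range
		{"02:aa:bb:cc:dd:03", "10.1.20.7"},   // unknown, inside the range
		{"02:aa:bb:cc:dd:04", "10.1.21.7"},   // unknown, outside the range
		{"02:aa:bb:cc:dd:05", "2001:db8::5"}, // IPv6: never certified
	} {
		ok, why := p.shouldCertify(ap[0], ap[1])
		fmt.Printf("%s %-12s certify=%-5t %s\n", ap[0], ap[1], ok, why)
	}
}
```

The range check is the part worth getting right before enabling automatic provisioning on a large network: a range that is wider than the subnets your campus APs actually use certifies any device that can obtain an address there, so treat it as a temporary convenience for the first rollout and rely on the whitelist afterwards.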