Concept Guide

Dell Networking W-Series Instant 6.5.1.0-4.3.1.0 | User Guide Cluster Security | 304
Chapter 24
Cluster Security
This chapter describes cluster security and the procedure for configuring cluster security DTLS for secure
communication. It includes the following topics:
• Overview on page 304
• Enabling Cluster Security on page 305
• Cluster Security Debugging Logs on page 305
• on page 306
Overview
Cluster security is a communication protocol that secures control plane messages between Instant access
points. Control plane messages such as configuration, cluster join, and other messages distributed between the
devices in a cluster are secured using this protocol. Cluster security operates on UDP port 4434 and uses the
DTLS protocol to secure messages.
Cluster Security Using DTLS
Cluster security provides secure communication using Datagram Transport Layer Security (DTLS). A DTLS
connection is established between the W-IAPs communicating with each other in the cluster. Following are
some of the advantages of using DTLS for cluster security:
• Mutual authentication is performed between the W-IAPs in a cluster using device certificates.
• Peer MAC address validation against the AP whitelist can be enabled in the configuration.
• Control plane messages between cluster members are transmitted securely over the established DTLS
connection.
If auto-join is enabled, backward compatibility and recovery of W-IAPs are allowed on ARUBA UDP port 8211.
Only the messages required for image synchronization and cluster security DTLS state synchronization are
allowed on that port.
If auto-join is disabled, the MAC address of a peer W-IAP is verified against the AP whitelist during device
certificate validation.
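The guide states that cluster control plane traffic runs on UDP port 4434 and is protected by DTLS. The following parser is an added example (not code from the guide or from the Instant product) that a defender can point at captured UDP payloads to confirm that what crosses port 4434 really is DTLS, decoding the record header and, for plaintext handshake records, the handshake header as defined in RFC 6347. The sample datagram is constructed for illustration, not captured from real W-IAPs.

```python
import struct

# DTLS record-layer content types and versions (RFC 6347); handshake types we care about
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}
VERSIONS = {0xFEFF: "DTLS 1.0", 0xFEFD: "DTLS 1.2"}
HANDSHAKE_TYPES = {1: "client_hello", 2: "server_hello", 3: "hello_verify_request",
                   11: "certificate", 13: "certificate_request", 15: "certificate_verify",
                   16: "client_key_exchange", 20: "finished"}
CLUSTER_SECURITY_PORT = 4434  # UDP port the guide names for cluster security

def parse_dtls_record(payload: bytes) -> dict:
    """Parse the first DTLS record in a UDP payload; for a plaintext (epoch 0)
    handshake record also decode the 12-byte handshake header.
    Raises ValueError when the bytes are not a well-formed DTLS record."""
    if len(payload) < 13:
        raise ValueError("too short for a DTLS record header")
    ctype, version, epoch = struct.unpack("!BHH", payload[:5])
    seq = int.from_bytes(payload[5:11], "big")          # 48-bit sequence number
    (length,) = struct.unpack("!H", payload[11:13])
    if ctype not in CONTENT_TYPES or version not in VERSIONS:
        raise ValueError("not a DTLS record")
    body = payload[13:13 + length]
    if len(body) != length:
        raise ValueError("truncated record")
    rec = {"content_type": CONTENT_TYPES[ctype], "version": VERSIONS[version],
           "epoch": epoch, "sequence": seq, "length": length}
    if ctype == 22 and epoch == 0:  # handshake messages before keys are in use
        if len(body) < 12:
            raise ValueError("truncated handshake header")
        msg_type = body[0]
        rec["handshake"] = {
            "type": HANDSHAKE_TYPES.get(msg_type, f"unknown({msg_type})"),
            "message_seq": int.from_bytes(body[4:6], "big"),
            "fragment_offset": int.from_bytes(body[6:9], "big"),
            "fragment_length": int.from_bytes(body[9:12], "big"),
        }
    return rec

def is_cluster_dtls(dst_port: int, payload: bytes) -> bool:
    """True when a datagram to the cluster-security port carries a well-formed DTLS record;
    anything else arriving on that port deserves a closer look."""
    if dst_port != CLUSTER_SECURITY_PORT:
        return False
    try:
        parse_dtls_record(payload)
        return True
    except ValueError:
        return False

# Constructed sample datagram: DTLS 1.2 handshake record (epoch 0, seq 1) carrying a
# ClientHello handshake header with an empty body; not captured from real W-IAPs.
SAMPLE = bytes.fromhex("16fefd0000000000000001000c" "010000000000000000000000")
```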
Locked Mode Slave W-IAP
A slave W-IAP with a non-factory-default configuration is considered to be in locked mode of operation. Such
slave W-IAPs cannot join an existing non-DTLS cluster, because backward compatibility and recovery are not
allowed.
To recover the slave W-IAPs in locked mode:
• Execute the disable-cluster-security-dtls action command on the slave W-IAP, or
• Factory reset the slave W-IAP.