Control Plane Security | Dell Networking W-Series ArubaOS 6.5.x | User Guide
• 2615
• 2915
• 8200
These HP platforms are running version k.16.02.
Topics in this chapter include:
• Control Plane Security Overview on page 51
• Configuring Control Plane Security on page 51
• Managing AP Whitelists on page 53
• Managing Whitelists on Master and Local Controllers on page 61
• Working in Environments with Multiple Master Controllers on page 65
• Replacing a Controller on a Multi-Controller Network on page 68
• Configuring Control Plane Security after Upgrading on page 72
• Troubleshooting Control Plane Security on page 73
Control Plane Security Overview
Controllers using control plane security send certificates only to APs that you have identified as valid APs on
the network. If you want closer control over each AP that is certified, you can manually add individual campus
and remote APs to the secure network by adding each AP's information to the whitelists when you first run the
initial setup wizard. If you are confident that all APs currently on your network are valid APs, then you can use
the initial setup wizard to configure automatic certificate provisioning to send certificates from the controller to
each campus or remote AP, or to all campus and remote APs within specific ranges of IP addresses.
The default automatic certificate provisioning setting requires that you manually enter each campus AP’s
information into the campus AP whitelist, and each remote AP's information into the remote AP whitelist. If
you change the default automatic certificate provisioning values to let the controller send certificates to all APs
on the network, that new setting ensures that all valid APs receive a certificate, but also increases the chance
that you will certify a rogue or unwanted AP. If you configure the controller to send certificates to only those
APs within a range of IP addresses, there is a smaller chance that a rogue AP receives a certificate, but any valid
AP with an IP address outside the specified address ranges will not receive a certificate, and cannot
communicate with the controller (except to obtain a certificate). Consider both options carefully before you
complete the control plane security portion of the initial setup wizard. If your controller has a publicly
accessible interface, you should identify the APs on the network by IP address range. This prevents the
controller from sending certificates to external or rogue campus APs that may attempt to access your
controller through that publicly accessible interface.
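The trade-off between the three provisioning choices can be checked against your own AP inventory before you run the wizard. The following is an added planning example, not code from ArubaOS or this guide: the function names are hypothetical, the addresses are constructed from documentation ranges, and the logic is a simplified model of the behavior described above.

```python
import ipaddress

def in_ranges(ip, ranges):
    """True if ip falls inside any inclusive (start, end) address range."""
    addr = ipaddress.ip_address(ip)
    return any(ipaddress.ip_address(lo) <= addr <= ipaddress.ip_address(hi)
               for lo, hi in ranges)

def would_certify(ip, mode, ranges=(), whitelist=()):
    """Simplified model of the three provisioning choices described above."""
    if mode == "manual":   # default: only APs entered in the whitelist
        return ip in whitelist
    if mode == "all":      # certificates sent to every AP on the network
        return True
    if mode == "ranges":   # certificates sent only within the address ranges
        return in_ranges(ip, ranges)
    raise ValueError(f"unknown mode: {mode}")

def audit(inventory, observed, mode, ranges=()):
    """Return (valid APs left without a certificate, unknown APs certified)."""
    valid = set(inventory)
    missed = sorted((ip for ip in valid
                     if not would_certify(ip, mode, ranges, valid)),
                    key=ipaddress.ip_address)
    unknown = sorted((ip for ip in set(observed) - valid
                      if would_certify(ip, mode, ranges, valid)),
                     key=ipaddress.ip_address)
    return missed, unknown

# Constructed sample data (documentation address space, not from the guide).
INVENTORY = ["192.0.2.10", "192.0.2.11", "192.0.2.200"]  # APs you deployed
OBSERVED = INVENTORY + ["192.0.2.12", "198.51.100.7"]    # APs contacting the controller
RANGES = [("192.0.2.10", "192.0.2.50")]                  # planned provisioning range

if __name__ == "__main__":
    for mode in ("manual", "all", "ranges"):
        missed, unknown = audit(INVENTORY, OBSERVED, mode, RANGES)
        print(f"{mode:7} valid APs missed={missed} unknown APs certified={unknown}")
```

With this sample data, the range setting leaves one valid AP outside the range uncertified and still certifies one unknown AP inside it, which is why the range boundaries deserve review against both lists.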
Configuring Control Plane Security
When you initially deploy the controller, you create your initial control plane security configuration using the
initial setup wizard. These settings can be changed at any time using the WebUI or the command-line
interfaces.
If you are configuring control plane security for the first time after upgrading from ArubaOS 5.0 or earlier, see
Configuring Control Plane Security after Upgrading on page 72 for details on enabling this feature using the WebUI
or CLI.