Users Guide

Dell Networking W-Series ArubaOS 6.4.x| User Guide Control Plane Security | 120
Chapter 2
Control Plane Security
ArubaOS supports secure IPsec communications between a controller and campus or remote APs using
public-key self-signed certificates created by each master controller. The controller certifies its APs by
issuing them certificates. If the master controller has any associated local controllers, the master controller
sends a certificate to each local controller, which in turn sends certificates to its own associated APs. If a
local controller is unable to contact the master controller to obtain its own certificate, it is not able to certify
its APs, and those APs cannot communicate with their local controller until master-local communication has
been reestablished. You create an initial control plane security configuration when you first configure the
controller using the initial setup wizard. The ArubaOS initial setup wizard enables control plane security by
default, so it is very important that the local controller be able to communicate with its master controller
when it is first provisioned.
Some AP model types have factory-installed digital certificates. These AP models use their factory-installed
certificates for IPsec, and do not need a certificate from the controller. Once a campus or remote AP is certified,
either through a factory-installed certificate or a certificate from the controller, the AP can failover between
local controllers and still stay connected to the secure network, because each AP has the same master
controller as a common trust anchor.
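The trust hierarchy described above, as an added example that is not from the ArubaOS guide: it models a master trust anchor, local controllers certified by it, and APs certified by a local controller, using Go's standard crypto/x509 package in place of the controller's own certificate handling. The node, issue and accepts names are assumptions of this example, and the AP whitelist gate on certificate issuance is left out.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// node is a controller or AP: its certificate, private key, and the node that certified it.
type node struct{ cert *x509.Certificate; priv ed25519.PrivateKey; issuer *node }
func check(err error) {
	if err != nil {
		panic(err)
	}
}

// issue certifies cn; a nil issuer yields a self-signed cert: the master's anchor, or an uncertified node.
func issue(cn string, isCA bool, issuer *node) *node {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	check(err)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), // constructed demo serial
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now(), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA:         isCA, BasicConstraintsValid: true,
	}
	parent, signKey := tmpl, priv // self-signed unless an issuer is given
	if issuer != nil {
		parent, signKey = issuer.cert, issuer.priv
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signKey)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return &node{cert, priv, issuer}
}

// accepts: does a verifier trusting only anchor accept peer and the issuer chain peer presents?
func accepts(anchor, peer *node) bool {
	roots, inter := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(anchor.cert)
	for n := peer.issuer; n != nil; n = n.issuer {
		inter.AddCert(n.cert)
	}
	_, err := peer.cert.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inter})
	return err == nil
}
```

Because every local controller trusts the same master, an AP certified by one local controller is accepted by another during failover, while an AP certified by a local controller that never obtained its own certificate from the master is rejected.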
Starting with ArubaOS 6.2, the controller maintains two separate AP whitelists: one for campus APs and one
for remote APs. These whitelists contain records of all campus APs or remote APs connected to the network.
You can use a campus or remote AP whitelist at any time to add a new valid campus or remote AP to the
secure network, or to revoke network access from any suspected rogue or unauthorized APs.
The control plane security feature supports IPv4 campus and remote APs only. Do not enable control plane security
on a controller that terminates IPv6 APs.
When the controller sends an AP a certificate, that AP must reboot before it can connect to its controller over a
secure channel. If you are enabling control plane security for the first time on a large network, you may
experience several minutes of interrupted connectivity while each AP receives its certificate and establishes its
secure connection.
Topics in this chapter include:
• Control Plane Security Overview on page 120
• Configuring Control Plane Security on page 121
• Managing AP Whitelists on page 123
• Managing Whitelists on Master and Local Controllers on page 131
• Working in Environments with Multiple Master Controllers on page 135
• Replacing a Controller on a Multi-Controller Network on page 138
• Configuring Control Plane Security after Upgrading on page 142
• Troubleshooting Control Plane Security on page 143
Control Plane Security Overview
Controllers using control plane security only send certificates to APs that you have identified as valid APs on
the network. If you want closer control over each AP that is certified, you can manually add individual campus