Users Guide

139 | Control Plane Security Dell Networking W-Series ArubaOS 6.4.x | User Guide
• Access the command-line interface on the old local controller and issue the whitelist-db cpsec purge command.
or,
• Access the local controller WebUI, navigate to Configuration > AP Installation > Campus AP Whitelist and click Purge.
3. Once you purge the campus AP whitelist, you must inform the master controller that the local controller is no longer available using one of these two methods:
• Access the command-line interface on the master controller, and issue the whitelist-db cpsec-local-switch-list del mac-address <local-mac> command.
• Access the master controller WebUI, navigate to Configuration > Controller > Control Plane Security, select the entry for the local controller you want to delete from the local controller whitelist, and click Delete.
This step is very important; unused local controller entries in the local controller whitelist can significantly increase network traffic and reduce controller memory resources.
4. Install the new local controller, but do not connect it to the network yet. If the controller has been
previously installed on the network, you must ensure that the new local controller has a clean whitelist.
5. Purge the local controller whitelist using one of the following two methods:
• Access the command-line interface on the new local controller and issue the whitelist-db cpsec purge command.
• Access the local controller WebUI, navigate to Configuration > AP Installation > Campus AP Whitelist and click Purge.
6. Now connect the new local controller to the network. It is very important that the local controller be able to
contact the master controller the first time it connects to the network, because the master controller
certifies the local controller's control plane security certificate the first time the local controller contacts its
master.
7. Once the local controller has a valid control plane security certificate and configuration, the local controller
receives the campus AP whitelist from the master controller and starts certifying approved APs.
8. APs associated with the new local controller reboot and create new IPsec tunnels to their controller using the new certificate keys.
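The command-line variant of the local controller replacement above, collected into one session so the order of operations across the three controllers is visible. This is an added example, not part of the original guide: the prompts (old-local, master, new-local) and the MAC address are placeholders, lines beginning with ! are annotations rather than CLI input, and the show whitelist-db cpsec and show whitelist-db cpsec-local-switch-list verification commands are taken from the general ArubaOS 6.x CLI, not from this page, so treat them as assumptions and confirm them against the CLI reference for your release.

```console
! --- Step 2: on the OLD local controller, clear its campus AP whitelist ---
(old-local) #whitelist-db cpsec purge
! verify: the campus AP whitelist should now be empty (assumed show command)
(old-local) #show whitelist-db cpsec

! --- Step 3: on the MASTER, remove the old local controller from the local controller whitelist ---
! list the entries first so the MAC of the old local controller can be read off (assumed show command)
(master) #show whitelist-db cpsec-local-switch-list
! 00:0b:86:aa:bb:cc is a placeholder for the old local controller's MAC
(master) #whitelist-db cpsec-local-switch-list del mac-address 00:0b:86:aa:bb:cc
! verify: the old local controller entry is gone
(master) #show whitelist-db cpsec-local-switch-list

! --- Step 5: on the NEW local controller, before it is connected to the network ---
(new-local) #whitelist-db cpsec purge
! verify: no stale campus AP entries carried over from a previous installation
(new-local) #show whitelist-db cpsec

! --- Steps 6 and 7: after the new local controller has contacted the master ---
! verify on the master that the new local controller now appears in the local controller whitelist
(master) #show whitelist-db cpsec-local-switch-list
! verify on the new local controller that the campus AP whitelist was received from the master
(new-local) #show whitelist-db cpsec
```

The two verification commands after step 3 are the check that matters for the note in the procedure: a local controller entry that stays in the master's whitelist after the controller is gone keeps consuming traffic and memory, so confirm the entry is actually removed rather than assuming the del command succeeded.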
Replacing a Master Controller with No Backup
Use the following procedure to replace a master controller that does not have a backup controller:
1. Remove the old master controller from the network.
2. Install and configure the new master controller, then connect the new master to the network. The new
master controller generates a new certificate when it first becomes active.
3. If the new master controller has a different IP address than the old master controller, change the master IP
address on the local controllers to reflect the address of the new master.
4. Reboot each local controller to ensure the local controllers obtain their certificate from the new master.
Each local controller begins using a new certificate signed by the master controller.
5. APs are now no longer able to securely communicate with the controller using their current key, and must obtain a new certificate. Access the campus AP whitelist on any local controller, and change all APs in a "certified" state to an "approved" state. The new master controller sends the approved APs new certificates. The APs reboot and create new IPsec tunnels to their controller using the new certificate key.
If the master controller does not have any local controllers, you must recreate the campus AP whitelist by
turning on automatic certificate provisioning or manually reentering the campus AP whitelist entries.
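The command-line form of steps 3 through 5 of the master replacement, as an added example that is not part of the original guide. It assumes the master's IP address changed, so each local controller needs repointing. The prompt name, the 10.1.1.1 master address and the AP MAC are placeholders; lines beginning with ! are annotations. The masterip, write memory and reload commands, and the whitelist-db cpsec modify ... state approved-ready-for-cert form used to move an AP from the certified state back to the approved state, come from the general ArubaOS 6.x CLI rather than from this page and should be confirmed against the CLI reference for your release.

```console
! --- Step 3: on EACH local controller, point it at the new master (only if the master IP changed) ---
(local-1) #configure terminal
! 10.1.1.1 is a placeholder for the new master controller's IP address (assumed command)
(local-1) (config) #masterip 10.1.1.1
(local-1) (config) #end
(local-1) #write memory

! --- Step 4: reboot the local controller so it obtains its certificate from the new master ---
(local-1) #reload

! --- Step 5: on any local controller, return certified APs to the approved state ---
! list the campus AP whitelist to find the APs whose state is still "certified" (assumed show command)
(local-1) #show whitelist-db cpsec
! 00:1a:1e:00:00:01 is a placeholder AP MAC; repeat for every AP in the certified state
(local-1) #whitelist-db cpsec modify mac-address 00:1a:1e:00:00:01 state approved-ready-for-cert
! verify: the AP now shows as approved; it receives a new certificate from the master and reboots
(local-1) #show whitelist-db cpsec
```

Step 5 is performed on a local controller deliberately: the local controllers hold the campus AP whitelist once the master has re-certified them, and the state change propagates to the master, which then issues the new AP certificates. If the master has no local controllers, the whitelist must be rebuilt on the master itself, as the last paragraph of the procedure describes.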