Users Guide

141 | Control Plane Security Dell Networking W-Series ArubaOS 6.4.x| User Guide
6. Remove the old cluster member from the network. Remember that this controller still has campus AP whitelist
entries from the entire cluster; you may want to delete or revoke unwanted entries from its campus AP
whitelist.
Now, you must install the new cluster member controller according to the procedure described in Creating a
Cluster Member on page 137. The new cluster member obtains a certificate from the cluster root when it first
becomes active.
7. If the new cluster member has any associated APs, reboot those APs so they obtain a trust update.
8. If the new cluster member has any local controllers, reboot the local controllers associated with the new
cluster member. The local controllers obtain a new certificate signed by the cluster member, and then pass
that trust update to their associated APs.
Replacing a Redundant Cluster Member Controller
The control plane security feature requires you to synchronize databases from the primary controller to the
backup controller at least once after the network is up and running. This ensures that all certificates, keys, and
whitelist entries are synchronized to the backup controller. Because the AP whitelist may change periodically,
you should regularly synchronize these settings to the backup controller. For details, see Configuring Networks
with a Backup Master Controller on page 135.
When you install a new backup cluster member, you must add it as a lower priority controller than the existing
primary controller. After you install the backup cluster member on the network, resynchronize the database
from the existing primary controller to the new backup controller to ensure that all certificates, keys, and
whitelist entries required for control plane security are added to the new backup controller configuration. If
you want the new controller to act as the primary controller, you can increase that controller’s priority after the
settings have been resynchronized.
Replacing a Cluster Root Controller with no Backup Controller
If you replace a cluster root controller that does not have a backup controller, the new cluster root controller
creates its own self-signed certificate. You then need to reboot each controller in the hierarchy in a specific
order to certify all APs with that new certificate:
1. Remove the old cluster root from the network.
2. Install and configure the new cluster root.
3. Connect the new cluster root to the network so it can access cluster masters and local controllers.
4. If necessary, reconfigure the cluster masters and local controllers with their new cluster root IP and master
IP addresses.
5. Reboot every cluster member controller. The cluster member begins using a new certificate signed by the
cluster root.
6. Reboot every local controller. Each local controller begins using a new certificate signed by the cluster
member.
7. Because the cluster root is new, it does not have a configured campus AP whitelist. Access the campus AP
whitelist on any local controller or cluster master, and change all APs in a "certified" state to an "approved"
state. The APs get re-certified, reboot, and create new IPsec tunnels to their controller using the new
certificate.
If a cluster root controller does not have any cluster master or local controllers, you must recreate the
campus AP whitelist on the cluster root by turning on automatic certificate provisioning or manually
reentering the campus AP whitelist entries.
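Step 7 above is tedious on a large campus, and re-approving the wrong entries (for example, APs that were deliberately revoked) undoes a security decision. The following script is an added example and is not part of this guide or of ArubaOS: it parses a constructed `show whitelist-db cpsec` listing (the column layout and state strings in the sample are assumed, not copied from a real controller) and generates the `whitelist-db cpsec modify ... state approved-ready-for-cert` commands for only those APs whose state begins with "certified". Revoked and unapproved entries are left alone. Nothing is sent to a controller; the commands are returned as text so you can review them before pasting them into the CLI on a local controller or cluster master.

```python
"""Generate bulk AP re-approval commands after a cluster root replacement.

Added example, not ArubaOS code. Assumptions (labelled inline):
  - the whitelist listing layout and state names in SAMPLE_WHITELIST,
  - the CLI form 'whitelist-db cpsec modify mac-address <mac> state
    approved-ready-for-cert' for moving an AP back to the approved state.
"""
import re
from typing import Dict, List

# Constructed sample output. Column order and exact state strings are
# an assumption about the controller's listing, not captured output.
SAMPLE_WHITELIST = """\
Control-Plane Security Whitelist-entry Details
----------------------------------------------
MAC-Address        AP-Group  AP-Name  Enable   State                    Cert-Type
-----------        --------  -------  ------   -----                    ---------
00:0b:86:aa:bb:01  default   ap-101   Enabled  certified-factory-cert   factory-cert
00:0b:86:aa:bb:02  default   ap-102   Enabled  certified-factory-cert   factory-cert
00:0b:86:aa:bb:03  default   ap-103   Enabled  approved-ready-for-cert  factory-cert
00:0b:86:aa:bb:04  lobby     ap-104   Enabled  unapproved-no-cert       factory-cert
00:0b:86:aa:bb:05  lobby     ap-105   Enabled  revoked                  factory-cert
"""

# One whitelist row: MAC, AP group, AP name, enable flag, state, cert type.
ROW_RE = re.compile(
    r"^(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})\s+"
    r"(?P<group>\S+)\s+(?P<name>\S+)\s+(?P<enable>\S+)\s+"
    r"(?P<state>\S+)\s+(?P<cert_type>\S+)\s*$",
    re.IGNORECASE,
)

# State the guide tells you to move certified APs back to (assumed CLI name).
APPROVED_STATE = "approved-ready-for-cert"


def parse_whitelist(listing: str) -> List[Dict[str, str]]:
    """Return one dict per AP row; header and separator lines are skipped."""
    entries = []
    for line in listing.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            row = m.groupdict()
            row["mac"] = row["mac"].lower()
            entries.append(row)
    return entries


def certified_entries(entries: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Select only APs that hold a certificate from the old cluster root.

    Revoked and unapproved entries are deliberately excluded: re-approving
    them would silently reverse an earlier administrative decision.
    """
    return [e for e in entries if e["state"].lower().startswith("certified")]


def reapprove_commands(listing: str) -> List[str]:
    """Build the CLI commands that trigger re-certification of each AP."""
    return [
        f"whitelist-db cpsec modify mac-address {e['mac']} state {APPROVED_STATE}"
        for e in certified_entries(parse_whitelist(listing))
    ]


if __name__ == "__main__":
    for cmd in reapprove_commands(SAMPLE_WHITELIST):
        print(cmd)
```

Run it against the saved output of the whitelist listing from the controller and compare the generated command list with the AP inventory before applying it; an AP that is missing from the list never re-certifies and silently loses its IPsec tunnel after the reboot.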