Users Guide

143 | Control Plane Security | Dell Networking W-Series ArubaOS 6.4.x | User Guide
Table 26: Control Plane Security Upgrade Strategies

Automatically send Certificates to Campus APs
1. Access the control plane security window and enable both the control plane security feature and the auto certificate provisioning option. Next, specify whether you want all associated campus APs to automatically receive a certificate, or whether you want to certify only those APs within a defined range of IP addresses.
2. Once all APs have received their certificates, disable auto certificate provisioning to prevent certificates from being issued to any rogue APs that may appear on your network at a later time.
3. If a valid AP did not receive a certificate during the initial certificate distribution, you can manually certify the AP by adding the AP's MAC address to the campus AP whitelist. You can also use this whitelist to revoke certificates from APs that should not be allowed access to the secure network.

Manually Certify Campus APs
1. Identify the campus APs that should receive certificates by entering the campus APs' MAC addresses in the campus AP whitelist.
2. If your network includes both master and local controllers, wait a few minutes, then verify that the campus AP whitelist has been propagated to all other controllers on the network. Access the WebUI of the master controller, navigate to Configuration > Controller > Control Plane Security, then verify that the Current Sequence Number field has the same value as the Sequence Number entry for each local controller in the local controller whitelist. (For details, see Verifying Whitelist Synchronization on page 144.)
3. Enable the control plane security feature.
If you upgraded your controller from ArubaOS 5.0 or earlier and you want to use this feature for the first time, you
must either add all valid APs to the campus AP whitelist, or enable automatic certificate provisioning before you
enable the feature. If you do not enable automatic certificate provisioning, only the APs currently approved in the
campus AP whitelist are allowed to communicate with the controller over a secure channel. Any APs that do not
receive a certificate will not be able to communicate with the controller except to request a certificate.
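The two upgrade strategies from Table 26, written out as an ArubaOS CLI session. This is an added example, not part of the guide; the command names are taken from the ArubaOS 6.x CLI as I know it (the control-plane-security profile and whitelist-db cpsec commands), so confirm each one against the CLI reference for your release. All MAC addresses, IP ranges and descriptions are constructed placeholders.

```console
! --- Manually certify campus APs (second strategy) ---
! Step 1: populate the campus AP whitelist BEFORE enabling the feature.
(host) (config) #whitelist-db cpsec add mac-address 00:1a:1e:00:00:01 description "Bldg-A floor 2 AP"
(host) (config) #whitelist-db cpsec add mac-address 00:1a:1e:00:00:02 description "Bldg-A floor 3 AP"

! Step 2 (master/local deployments): confirm the whitelist has propagated.
! The master's current sequence number must match each local's entry.
(host) #show whitelist-db cpsec-seq
(host) #show whitelist-db cpsec-local-switch-list

! Step 3: enable control plane security with auto-provisioning left off,
! so only whitelisted MAC addresses can obtain a certificate.
(host) (config) #control-plane-security
(host) (Control Plane Security Profile) #cpsec-enable
(host) (Control Plane Security Profile) #no auto-cert-prov
(host) (Control Plane Security Profile) #exit

! --- Automatically send certificates to campus APs (first strategy) ---
! Step 1: enable the feature and auto-provisioning, restricted to a known
! address range rather than allow-all where the deployment permits it.
(host) (config) #control-plane-security
(host) (Control Plane Security Profile) #cpsec-enable
(host) (Control Plane Security Profile) #auto-cert-prov
(host) (Control Plane Security Profile) #auto-cert-allowed-addrs 10.10.20.1 10.10.20.254
(host) (Control Plane Security Profile) #exit

! Step 2: once every expected AP shows as certified, turn auto-provisioning
! off again so a rogue AP that appears later cannot be issued a certificate.
(host) #show whitelist-db cpsec
(host) (config) #control-plane-security
(host) (Control Plane Security Profile) #no auto-cert-prov
(host) (Control Plane Security Profile) #exit

! Step 3: certify a straggler by hand, or revoke an AP that should not be
! on the secure network.
(host) (config) #whitelist-db cpsec add mac-address 00:1a:1e:00:00:03 description "AP added late"
(host) (config) #whitelist-db cpsec revoke mac-address 00:1a:1e:00:00:09
```

Repeat the show whitelist-db cpsec-seq check on each local controller after any whitelist change; the sequence numbers are the only evidence that the locals hold the same whitelist the master enforces.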
Troubleshooting Control Plane Security
Identifying Certificate Problems
If an AP has a problem with its certificate, check the state of the AP in the campus AP whitelist. If the AP is in
either the certified-hold-factory-cert or the certified-hold-switch-cert state, you may need to manually change the
status of that AP before it can be certified.
• certified-hold-factory-cert: An AP is put in this state when the controller thinks the AP has been certified
with a factory certificate, but the AP requests to be certified again. Because this is not a normal condition,
the AP is not approved as a secure AP until you manually change the status of the AP to verify that it is not
compromised. If an AP is in this state due to connectivity problems, then the AP recovers and is taken out of
this hold state as soon as connectivity is restored.
• certified-hold-switch-cert: An AP is put in this state when the controller thinks the AP has been certified
with a controller certificate yet the AP requests to be certified again. Because this is not a normal condition,