Configuring Control Plane Security after Upgrading
When you initially deploy a controller running ArubaOS 6.0 or later, create your initial control plane security
configuration using the initial setup wizard. However, if you are upgrading to ArubaOS 6.0 or if you are upgrading
from ArubaOS 5.0 but did not yet have control plane security enabled before the upgrade, then you can use the
strategies described in Table 23 to enable and configure the control plane security feature.
NOTE: If you upgrade a controller running ArubaOS 5.0.x to ArubaOS 6.0 or later, then the controller’s control plane security settings
do not change after the upgrade. If control plane security was already enabled, then it remains enabled after the upgrade. If it was
not enabled previously, but you wish to use the feature after upgrading, then it must be manually enabled.

Table 23: Control Plane Security Upgrade Strategies

Automatically Send Certificates to Campus APs

1. Access the control plane security window and enable both
the control plane security feature and the auto certificate
provisioning option. Next, specify whether you want all
associated campus APs to automatically receive a certificate,
or if you want to certify only those APs within a defined range
of IP addresses.
2. Once all APs have received their certificates, disable auto
certificate provisioning to prevent certificates from being
issued to any rogue APs that may appear on your network at a
later time.
3. If a valid AP did not receive a certificate during the initial
certificate distribution, you can manually certify the AP by
adding that AP’s MAC address to the campus AP whitelist.
You can also use this whitelist to revoke certificates from APs
that should not be allowed access to the secure network.

Manually Certify Campus APs

1. Identify the campus APs that should receive certificates
by entering the campus APs’ MAC addresses in the campus
AP whitelist.
2. If your network includes both master and local Dell
controllers, wait a few minutes, then verify that the campus
AP whitelist has been propagated to all other Dell
controllers on the network. Access the WebUI of the master
controller, navigate to Configuration > Controller > Control
Plane Security, then verify that the Current Sequence
Number field has the same value as the Sequence Number
entry for each local controller in the local switch whitelist.
(For details, see "Verifying Whitelist Synchronization" on
page 98.)
3. Enable the control plane security feature.
NOTE: If you upgraded your controller from ArubaOS 5.0 or earlier and you want to use this feature for the first time, you must either
add all valid APs to the campus AP whitelist or enable automatic certificate provisioning before you enable the feature. If you do not
enable automatic certificate provisioning, only the APs currently approved in the campus AP whitelist are allowed to communicate
with the controller over a secure channel. Any APs that do not receive a certificate are not able to communicate with the
controller except to request a certificate.
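
The following Python example is added here and is not part of the original guide or of ArubaOS. It audits an exported campus AP whitelist against an AP inventory and the auto-provisioning IP range once certificates have been distributed, and compares the master's whitelist sequence number with each local controller's; the CSV layout, the function names and all sample values are assumptions constructed for illustration.

```python
import csv
import io
import ipaddress

# Constructed sample data. The CSV layout and all values are assumptions
# made for this example; this is not ArubaOS output.
WHITELIST_EXPORT = """mac,ip
00:1a:1e:c0:10:01,10.20.4.11
00:1A:1E:C0:10:02,10.20.4.12
00:1a:1e:c0:10:7f,10.20.9.40
de:ad:be:ef:00:01,10.20.4.77
"""
APPROVED_MACS = {"00:1a:1e:c0:10:01", "00:1a:1e:c0:10:02", "00:1a:1e:c0:10:7f"}
PROVISIONING_RANGE = ("10.20.4.1", "10.20.4.254")  # range given to auto provisioning
LOCAL_SEQ = {"local-1": 41, "local-2": 39}  # Sequence Number per local controller
MASTER_SEQ = 41  # Current Sequence Number on the master


def norm_mac(mac):
    """Normalize a MAC address to lowercase colon-separated form."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def audit_whitelist(export, approved, ip_range):
    """Return {mac: [findings]} for entries to review and possibly revoke."""
    lo, hi = (ipaddress.ip_address(a) for a in ip_range)
    approved = {norm_mac(m) for m in approved}
    findings = {}
    for row in csv.DictReader(io.StringIO(export)):
        mac, ip = norm_mac(row["mac"]), ipaddress.ip_address(row["ip"])
        issues = []
        if mac not in approved:
            issues.append("not in AP inventory")
        if not lo <= ip <= hi:
            issues.append("outside provisioning range")
        if issues:
            findings[mac] = issues
    return findings


def out_of_sync(master_seq, local_seqs):
    """Return local controllers whose sequence number differs from the master's."""
    return sorted(name for name, seq in local_seqs.items() if seq != master_seq)


if __name__ == "__main__":
    print(audit_whitelist(WHITELIST_EXPORT, APPROVED_MACS, PROVISIONING_RANGE), out_of_sync(MASTER_SEQ, LOCAL_SEQ))
```

Entries the audit reports are candidates for review in the campus AP whitelist, not automatic revocations.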
Troubleshooting Control Plane Security

Identifying Certificate Problems

If an AP has a problem with its certificate, check the state of the AP in the campus AP whitelist. If the AP is in
either the certified-hold-factory-cert or certified-hold-switch-cert states, you may need to manually change the status
of that AP before it can be certified.
- certified-hold-factory-cert: An AP is put in this state when the controller thinks the AP has been certified with a
factory certificate yet the AP requests to be certified again. Since this is not a normal condition, the AP is not
Dell PowerConnect W-Series ArubaOS 6.2 | User Guide Control Plane Security | 97