65| Control Plane Security AOS-W 6.5.3.x| User Guide
3. Click the Entries>> button.
4. Select the checkbox of the AP you want to delete, then click Delete.
If your campus AP whitelist is large and you cannot immediately locate the AP that you want to delete,
select the Search link. The Whitelist Search tab displays the fields AP Group, Cert Type, AP MAC
Address, AP Name, and State that allow you to search for an AP. Specify the values of the AP that you
want to locate in these fields, then click Search. The campus AP whitelist displays a list of APs that match
your search criteria. Select the checkbox of the AP that you want to delete, then click Delete.
In the CLI
To delete an AP from the campus AP whitelist:
(host) #whitelist-db cpsec del mac-address <name>
Purging a Campus AP Whitelist
Before adding a new local switch to a network using control plane security, purge the campus AP whitelist on
the new switch. After adding the new switch to the hierarchy, the entries in the campus AP whitelist of the new
switch merge into the whitelist for all other master and local switches. If you add any old or invalid AP entries to
the campus AP whitelist, all switches in the hierarchy will trust those APs, creating a potential security risk. For
additional information on adding a new local switch using control plane security to your network, see Replacing
a Local Switch on page 73.
In the WebUI
To purge a campus AP whitelist:
1. Navigate to Configuration > Wireless > AP Installation.
2. Click the Whitelist tab.
3. Click the Entries>> button.
4. Click Purge.
In the CLI
To purge a campus AP whitelist:
(host) #whitelist-db cpsec purge
Offloading a Switch Whitelist to ClearPass Policy Manager
This feature allows the AP whitelist to be maintained externally in a ClearPass Policy Manager (CPPM) server. The switch,
if configured to use an external server, can send a RADIUS access request to a CPPM server. The MAC address
of the AP is used as a username and password to construct the access request packet. The CPPM server
validates the RADIUS message and returns the relevant parameters for the authorized APs.
The supported parameters are associated with the following VSAs. The CPPM server sends them in
the RADIUS access accept packet for authorized APs:
• ap-group: Alcatel-Lucent-AP-Group
• ap-name: Alcatel-Lucent-Location-ID
• ap-remote-ip: Alcatel-Lucent-AP-IP-Address
The following defaults are used when any of the supported parameters are not provided by the CPPM server in
the RADIUS access accept response:
• ap-group: The default ap-group is assigned to the AP.
• ap-name: The MAC address of the AP is used as the AP name.
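The following sketch is an added example, not code from the guide or from the product. It walks the attributes of a RADIUS access accept, picks out the three VSAs listed above, and applies the two defaults stated above; ap-remote-ip is left unset when absent because this section does not state its default. The vendor ID, VSA numbers, value encodings, the group name "default", and the function names are assumptions or placeholders.

```python
import socket
import struct

# Placeholder numbers, NOT from the guide: read the real vendor ID and VSA
# numbers from the RADIUS dictionary installed on your server.
VENDOR_ID = 99999
VSA_TO_PARAM = {1: "ap-group",      # Alcatel-Lucent-AP-Group
                2: "ap-name",       # Alcatel-Lucent-Location-ID
                3: "ap-remote-ip"}  # Alcatel-Lucent-AP-IP-Address

def vsa(v_type: int, value: bytes) -> bytes:
    """Build one Vendor-Specific attribute (RFC 2865, type 26) for the sample."""
    sub = bytes([v_type, len(value) + 2]) + value
    return bytes([26, len(sub) + 6]) + struct.pack("!I", VENDOR_ID) + sub

def parse_ap_params(attrs: bytes) -> dict:
    """Walk the attribute TLVs of an access accept and collect the AP VSAs."""
    params, i = {}, 0
    while i < len(attrs):
        if i + 2 > len(attrs) or attrs[i + 1] < 2 or i + attrs[i + 1] > len(attrs):
            raise ValueError(f"malformed attribute at offset {i}")
        a_type, body = attrs[i], attrs[i + 2:i + attrs[i + 1]]
        i += attrs[i + 1]
        if a_type != 26 or len(body) < 6:
            continue                      # not a usable Vendor-Specific attribute
        vendor, v_type, v_len = struct.unpack("!IBB", body[:6])
        if vendor != VENDOR_ID or v_type not in VSA_TO_PARAM or not 2 <= v_len <= len(body) - 4:
            continue                      # other vendor, unknown VSA, or bad length
        value = body[6:4 + v_len]
        # Assumption: the IP VSA is a 4-byte IPv4 address, the others are text.
        params[VSA_TO_PARAM[v_type]] = (socket.inet_ntoa(value) if v_type == 3 and len(value) == 4
                                        else value.decode("ascii", "replace"))
    return params

def resolve_ap(mac: str, attrs: bytes) -> dict:
    """Apply the guide's defaults for parameters the server did not return."""
    params = parse_ap_params(attrs)
    params.setdefault("ap-group", "default")  # assumption: the default group is named "default"
    params.setdefault("ap-name", mac)         # guide: the AP's MAC address becomes its name
    return params

# Constructed sample: the server returns an AP group and remote IP, but no name.
SAMPLE_MAC = "00:11:22:33:44:55"
SAMPLE_ATTRS = vsa(1, b"branch-aps") + vsa(3, socket.inet_aton("192.0.2.10"))

if __name__ == "__main__":
    print(resolve_ap(SAMPLE_MAC, SAMPLE_ATTRS))
```

An AP whose access accept carries no ap-group lands in the default group, so reviewing which CPPM entries omit that VSA shows which APs would be provisioned with default settings.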