77| Control Plane Security AOS-W 6.5.3.x| User Guide
Table 24: Control Plane Security Upgrade Strategies

Automatically send Certificates to Campus APs
1. Access the control plane security window and enable both the control plane security feature and the auto certificate provisioning option. Next, specify whether you want all associated campus APs to automatically receive a certificate, or if you want to certify only those APs within a defined range of IP addresses.
2. Once all APs have received their certificates, disable auto certificate provisioning to prevent certificates from being issued to any rogue APs that may appear on your network at a later time.
3. If a valid AP did not receive a certificate during the initial certificate distribution, you can manually certify the AP by adding the MAC address of the AP to the campus AP whitelist. You can also use this whitelist to revoke certificates from APs that should not be allowed access to the secure network.

Manually Certify Campus APs
1. Identify the campus APs that should receive certificates by entering the campus APs’ MAC addresses in the campus AP whitelist.
2. If your network includes both master and local switches, wait a few minutes, then verify that the campus AP whitelist has been propagated to all other switches on the network. Access the WebUI of the master switch, navigate to Configuration > Switch > Control Plane Security, then verify that the Current Sequence Number field has the same value as the Sequence Number entry for each local switch in the local switch whitelist. (For details, see Verifying Whitelist Synchronization on page 78.)
3. Enable the control plane security feature.
If you upgraded your switch from AOS-W 5.0 or earlier and you want to use this feature for the first time, you must
either add all valid APs to the campus AP whitelist, or enable automatic certificate provisioning before you enable the
feature. If you do not enable automatic certificate provisioning, only the APs currently approved in the campus AP
whitelist are allowed to communicate with the switch over a secure channel. Any APs that do not receive a certificate
will not be able to communicate with the switch except to request a certificate.
Troubleshooting Control Plane Security
Identifying Certificate Problems
If an AP has a problem with its certificate, check the state of the AP in the campus AP whitelist. If the AP is in
either the certified-hold-factory-cert or certified-hold-switch-cert states, you may need to manually change the
status of that AP before it can be certified.
• certified-hold-factory-cert: An AP is put in this state when the switch thinks the AP has been certified with a factory certificate, but the AP requests to be certified again. Because this is not a normal condition, the AP is not approved as a secure AP until you manually change the status of the AP to verify that it is not compromised. If an AP is in this state due to connectivity problems, then the AP recovers and is taken out of this hold state as soon as connectivity is restored.
• certified-hold-switch-cert: An AP is put in this state when the switch thinks the AP has been certified with a switch certificate, yet the AP requests to be certified again. Because this is not a normal condition, the AP is not approved as a secure AP until a network administrator manually changes the status of the AP to verify that it is not compromised. If an AP is in this state due to connectivity problems, then the AP recovers and is taken out of this hold state as soon as connectivity is restored.
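As an added example (not code from the AOS-W guide), a small Python readiness check that models the conditions this section and Table 24 describe: whitelist sequence-number synchronization between master and local switches, APs parked in the two hold states, and APs that would be left able only to request a certificate when the feature is enabled with auto certificate provisioning off. The data structures and the "approved"/"unapproved" state labels are assumptions for illustration, not real AOS-W CLI output or state names.

```python
# Added example, not from the AOS-W guide: readiness checks modelling the
# conditions the guide describes around enabling control plane security.
# All data here is constructed, not real AOS-W CLI output; the state labels
# "approved"/"unapproved" are placeholders, only the hold states are the guide's.

HOLD_STATES = {"certified-hold-factory-cert", "certified-hold-switch-cert"}


def unsynced_locals(master_seq, local_seqs):
    """Local switches whose whitelist Sequence Number differs from the
    master's Current Sequence Number, i.e. the whitelist has not propagated."""
    return sorted(name for name, seq in local_seqs.items() if seq != master_seq)


def aps_needing_manual_review(whitelist):
    """APs parked in a hold state: the switch believed them certified but they
    asked to be certified again, so an administrator must clear them."""
    return sorted(mac for mac, state in whitelist.items() if state in HOLD_STATES)


def aps_locked_out(whitelist, connected_aps, auto_provisioning):
    """APs that, once CPsec is enabled, could only request a certificate:
    connected, not approved in the whitelist, and no auto provisioning to
    issue them one. Hold-state APs are reported by aps_needing_manual_review."""
    if auto_provisioning:
        return []
    return sorted(mac for mac in connected_aps
                  if whitelist.get(mac) != "approved"
                  and whitelist.get(mac) not in HOLD_STATES)


def readiness(master_seq, local_seqs, whitelist, connected_aps, auto_provisioning):
    """Collect the findings; CPsec is safe to enable only when all are empty."""
    return {
        "unsynced_locals": unsynced_locals(master_seq, local_seqs),
        "manual_review": aps_needing_manual_review(whitelist),
        "locked_out": aps_locked_out(whitelist, connected_aps, auto_provisioning),
    }


if __name__ == "__main__":
    # Constructed sample: a lagging local, a hold-state AP, an unlisted AP.
    wl = {"02:00:00:00:00:01": "approved",
          "02:00:00:00:00:02": "certified-hold-switch-cert",
          "02:00:00:00:00:03": "unapproved"}
    aps = ["02:00:00:00:00:0%d" % i for i in range(1, 5)]
    report = readiness(42, {"local-1": 42, "local-2": 41}, wl, aps, False)
    for finding, found in report.items():
        print(f"{finding}: {found or 'none'}")
```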