HP Aruba JL253A - User-Based Tunneling in V6 Networks; PAPI Security; Protocol Application Programming Interface (PAPI); PAPI Configurable Secret Key

To Next Page

To Previous Page

When the primary user role is downloaded onto the switch and the secondary user role is manually configured on

the controller (not sent through VSA):

NOTE: For more information on user roles, see Access Security Guide for ArubaOS-Switch for your

switch.

User-Based Tunneling in v6 networks

Starting with 16.08, User-Based Tunnels are supported in IPv6 environments where all the components forming

tunnels are reachable over IPv6. This is important for users who are in the process of migrating from IPv4 to IPv6-

only environments. To support those users, User-Based Tunnels will work not only in IPv6-only environments but

also hybrid environments where some components run IPv4 while others run IPv6.

The switch, controller, and AirWave can operate in an IPv6-only environment while ClearPass, as of 6.7, still has

to be reachable over IPv4 (but supports v4 and v6 clients). Mixed mode is also supported, where one controller

can be reachable through v4 and the backup controller can be reachable through IPv6, and the deployment

supports clients with dual stacks (v4/v6). Using User-Based Tunnels in a IPv6 network is similar in setup and the

configuration and show command covered in earlier sections work for IPv4 as well as IPv6 environments.

PAPI security

Protocol Application Programming Interface (PAPI)

The PAPI Enhanced Security configuration provides protection to Aruba devices, AirWave, and ALE against

malicious users sending fake messages that results in security challenges.

Starting from ArubaOS-Switch version 16.02, a minor security enhancement has been made to Protocol

Application Programming Interface (PAPI) messages. Protocol Application Programming Interface endpoint

authenticates the sender by performing a check of the incoming messages using MD5 (hash). All PAPI endpoints

— APs, Controllers, Mobility Access Switches, AirWave, and ALE — must use the same secret key. The switch

software currently uses a fixed key to calculate the MD5 digest and cooperate with the controller for PAPI

enhanced security.

NOTE: To use this functionality, the PAPI security profile must be configured on the controller. For

more information on the Aruba controller, see the Aruba Networks Controller Configuration

Manual.

PAPI configurable secret key

To support enhanced PAPI security, a command is available to configure a MD5 secret key.

638 Aruba 2930F / 2930M Management and Configuration Guide

for ArubaOS-Switch 16.08

Related product manuals