Aruba Bootcamp – CPSec
CONFIDENTIAL © Copyright 2014. Aruba Networks, Inc. All rights reserved
16-1
CPSec allows for distributed encryption, bridging, etc. for Campus APs. The network must be able to prevent unauthorized APs from connecting to controllers, and security-sensitive information sent to the AP must be protected from eavesdropping. APs using control plane security establish an IPsec tunnel to their controllers. APs that are not configured to use control plane security send clear, unencrypted information to the controller.
16-3
• Master controller will automatically generate a self-signed certificate and become the trust anchor
• Locals will get certs from the master and be certified by the master
• APs will be certified by their LMS controller, either a local or master
• Local controllers synchronize the whitelist with the master periodically
16-5
• Each AP may be provisioned with a digital certificate to authenticate it to the controller
• Control-plane security forms an IPsec tunnel between APs and controllers
16-6
NOTE: Legacy APs (AP-60, 61, 65, 70, 80, 85, RAP-2, RAP-5, etc.) that do not support certificates will no longer be supported beginning with AOS 6.4.
16-7
Creating a cluster begins with creating a Cluster Root (CR). Theoretically any master controller can be used as a CR. Since the CR is going to be the trust anchor for the whole cluster and also the link between cluster members for whitelist sync, it is recommended that the CR be a high-end controller with good memory capacity and good processing power. It is also highly recommended that the CR have a backup controller, because loss of the CR's keys and certificate will require recertification of all APs in the cluster. With a backup controller, this problem can be avoided to a large extent. The next section describes the RMA situation for the CR, which will make this clearer.

One important thing to remember while creating a cluster is that the smaller the cluster, the better the performance and the better the resiliency. Therefore, evaluate the requirements carefully before creating or joining a cluster. Generally, clusters should be made out of master controllers between whose hierarchies APs move (fail over). Group them and make as many clusters out of them as the APs' failover (or moving) requirements allow. (continued on next page)
16-9
RMA Local Controller
RMA'ing a local is the same as disconnecting a local and then adding a new (replacement) local. Therefore follow the steps listed under the sections Disconnecting a local controller and Adding a local controller. Since the new local controller will get its certificate from the master along with the whole whitelist, there is no need to re-approve or re-certify any APs. In the worst case, APs will reboot multiple times (2-3) to get the trust update and adjust their certificate chain.

RMA Master Controller
It is highly recommended to have a backup controller for the master controller when using CPSec, because the master controller is the trust anchor for the hierarchy. If you have a backup controller, you can follow the steps in the Adding/Replacing/Configuring a backup controller for master section to put the replacement back in the network.
16-10
To send certificates to a group of campus APs within a range of IP addresses, select Auto Cert Allowed Addresses. In the two fields below, enter the start and end IP addresses, then click Add. Repeat this procedure to add additional IP ranges to the list of allowed addresses. If both control plane security and auto certificate provisioning are enabled, all campus APs in the address list will receive automatic certificate provisioning. Remove a range of IP addresses from the list of allowed addresses by selecting the IP address range from the list and clicking Delete.
16-11
Delete – deletes an AP entry from that controller's whitelist
Purge – removes the entire whitelist database from a controller
16-15
controller-cert: The campus AP is using a certificate signed by the controller. If you are not sure whether your AP includes a factory-installed certificate, select this option.
factory-cert: The campus AP is using a factory-installed certificate. This option should only be used for newer AP models with a TPM: AP-104/105, AP-12x, AP-22x, AP-9x, AP-13x, AP-11x, and AP-175.
1. When the AP comes up in the clear channel it is placed in the unapproved state.
Unapproved State
unapproved-no-cert: AP has no certificate and is not approved.
unapproved-factory-cert: AP has a preinstalled certificate that was not approved.
2. When the AP is added to the whitelist (via auto-cert-prov or manual addition) it changes state to approved.
Approved State
No cert – the AP has no cert, so it requests a certificate from the controller
Controller cert – AP already has a cert from the controller
Factory cert – AP has a factory cert and sends a trust update to the controller
16-16
3. Once the certificate from the AP is verified it is moved to the certified state.
Certified State
Controller cert – AP certified using controller cert
Factory cert – AP certified using factory cert
4a. The AP may have issues with its certificate (stale, corrupted, expired, etc.), and therefore the controller puts the AP in the hold state, or the admin can put the AP in the hold state if that has not already been done.
Controller cert – Controller resends the cert for the AP to fix its certificate chain
Factory cert – Controller sends a trust update to the AP to fix its certificate chain
4b. If the AP is able to fix its chain, it is put back into the certified state; else the AP goes back to the unapproved state.
*If a whitelist entry is in the 'Approved for certified' state for more than the allowed time (set to 2 hours right now), it will be put into the unapproved state.
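The whitelist state transitions of steps 1 to 4b above, modelled as an added Python example that is not code from the Aruba deck or from ArubaOS. The class, method and helper names are assumptions of this example; the state names and the 2-hour approved timeout are the ones quoted in the notes.

```python
from datetime import datetime, timedelta

APPROVED_TIMEOUT = timedelta(hours=2)  # deck: "set to 2 hours right now"

def initial_state(cert_type):
    """Step 1: an AP arriving in the clear is unapproved (helper name assumed)."""
    return "unapproved-factory-cert" if cert_type == "factory-cert" else "unapproved-no-cert"

class WhitelistEntry:
    """One AP entry in a controller's CPSec whitelist (class name assumed).
    cert_type is one of "no-cert", "factory-cert" or "controller-cert"."""
    def __init__(self, mac, cert_type):
        self.mac, self.cert_type = mac, cert_type
        self.state = initial_state(cert_type)
        self.approved_at = None

    def approve(self, now):
        """Step 2: auto-cert-prov or manual whitelist addition -> approved."""
        if not self.state.startswith("unapproved"):
            raise ValueError(f"{self.mac}: cannot approve from {self.state}")
        self.state, self.approved_at = "approved-ready-for-cert", now
        return self.state

    def certify(self, now):
        """Step 3: controller verified the AP's cert (or factory trust update)."""
        if self.state != "approved-ready-for-cert":
            raise ValueError(f"{self.mac}: not awaiting certification")
        if now - self.approved_at > APPROVED_TIMEOUT:  # footnote: stale approval
            self.state, self.approved_at = initial_state(self.cert_type), None
            return self.state  # back to unapproved; must be approved again
        self.state = ("certified-factory-cert" if self.cert_type == "factory-cert"
                      else "certified-controller-cert")
        self.approved_at = None
        return self.state

    def recert_request(self):
        """Step 4a: a certified AP asking to be certified again is abnormal,
        so the controller parks it in hold while the chain is repaired."""
        if self.state not in ("certified-factory-cert", "certified-controller-cert"):
            raise ValueError(f"{self.mac}: hold only applies to certified APs")
        self.state = self.state.replace("certified-", "certified-hold-")
        return self.state

    def resolve_hold(self, chain_fixed):
        """Step 4b: chain repaired -> certified again, otherwise unapproved."""
        if not self.state.startswith("certified-hold-"):
            raise ValueError(f"{self.mac}: not on hold")
        self.state = (self.state.replace("hold-", "") if chain_fixed
                      else initial_state(self.cert_type))
        return self.state
```

The MAC addresses used when exercising the class are constructed sample values.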
16-17
unapproved-no-cert: AP has no certificate and is not approved.
unapproved-factory-cert: AP has a preinstalled certificate that was not approved.
approved-ready-for-cert: The AP has been approved as a valid campus AP and is ready to receive a certificate; only for legacy APs.
certified-factory-cert: The AP already has a factory certificate. If an AP has the factory-cert certificate type and is in the certified-factory-cert state, then that campus AP will not be re-issued a new certificate if automatic certificate provisioning is enabled (applicable for all newer 802.11n and 802.11ac APs).
certified-controller-cert: AP has an approved certificate from the controller.
certified-hold-factory-cert: An AP is put in this state when the controller thinks the AP has been certified with a factory certificate yet the AP requests to be certified again. Since this is not a normal condition, the AP will not be approved as a secure AP until a network administrator manually changes the status of the AP to verify that it is not compromised.
certified-hold-controller-cert: An AP is put in this state when the controller thinks the AP has been certified with a controller certificate yet the AP requests to be certified again. Since this is not a normal condition,
16-19
• Independent masters are grouped into clusters and their databases are synced periodically.
• Allows APs to move from one master controller domain to another master controller domain and still connect securely using certificates
• One master controller is configured as cluster root with a self-signed certificate
• All other master controllers act as cluster members certified by the cluster root, which in turn certifies the local controllers
• The trust anchor for all the APs in the cluster is the cluster root
• Cluster root and cluster member communications are secured by PSK
16-21
For APs not coming up
On the controller, set the logging levels to debugging for STM and IKE and capture the logs:
logging level debugging system process stm
logging level debugging security subcat ike process
On the AP, save the AP environment variables and reboot. /tmp/sapd_debug_log will give detailed information about the processes on the AP. Set sapd_debug to 1.
If whitelist DB sync does not work, set the logging level for the localdb process:
logging level debugging security process localdb
16-23