Managing AP Whitelists
Campus APs or Remote APs appear as valid APs in the Campus AP or Remote AP whitelists when you manually enter their information into the Campus AP or Remote AP whitelists using the WebUI or CLI of a controller. Alternatively, Campus APs or Remote APs become valid when the controller sends a certificate to an AP as part of automatic certificate provisioning and the AP connects to the controller over a secure tunnel. APs that are not approved or certified on the network are included in the Campus AP whitelists, but these APs appear in an unapproved state.
Use the AP whitelists to grant valid APs secure access to the network or to revoke access from suspected rogue APs. When you revoke or remove an AP from the Campus AP or Remote AP whitelists on a controller that uses CPsec, the AP cannot connect to the controller again unless it obtains a new certificate.
The following sections discuss the procedures to manage AP whitelists:
Adding an AP to the Campus or Remote AP Whitelists
You can add an AP to the Campus AP or Remote AP whitelists using the WebUI or CLI. The following procedure describes the steps to add an AP to the Campus AP or Remote AP whitelist:
1. In the node hierarchy, navigate to the tab.
2. Click the or tab.
3. Click .
4. Define the following parameters for each AP you want to add to the AP whitelist:
5. Click .
6. Click .
7. In the window, select the checkbox, then click .
The following CLI command adds an AP to the Campus AP whitelist:
(host) [mynode] (config) #whitelist-db cpsec add mac-address <address>
ap-group
ap-name
description
The following CLI command adds an AP to the Remote AP whitelist:
(host) [mynode] (config) #whitelist-db rap add mac-address
ap-group
ap-name
description
full-name
remote-ip
remote-ipv6
Viewing AP Whitelist Entries
The WebUI displays a table of the entries in the selected AP whitelist.
The tab displays the Campus AP whitelists by default. To view the list of Remote AP whitelists, click .
The Remote AP whitelist entries page displays only the information you can manually configure. The Campus AP whitelist entries page displays both user-defined settings and additional information that is updated when the status of a Campus AP changes.
Parameter | Description
 | Displays the status of the AP whitelist entry.
 | Brief description for revoking the Campus AP.
 | Approval status of the Campus AP.
 | Time and date of the last AP status update.
To view information about the Campus AP and Remote AP whitelists using the CLI, issue the following commands:
(host) [mynode] #show whitelist-db cpsec
Control-Plane Security Whitelist-entry Details
-----------------------------------------------------------------------------
MAC-ADDRESS AP-GROUP AP-NAME Enable State cert-type Description Revoke Text Last Updated
----------- -------- ------- ------ ----- --------- ----------- ----------- ------------
6c:f3:7f:cc:42:25 Enabled certified-factory-cert factory-cert Thu Jul 7 03:42:21 2016
9c:1c:12:c0:7c:a6 default san225 Enabled certified-factory-cert factory-cert Wed Aug 3 10:34:13 2016
24:de:c6:ca:94:ba Enabled certified-factory-cert factory-cert Fri Apr 22 06:28:46 2016
94:b4:0f:c0:cc:42 Enabled certified-factory-cert factory-cert Fri Aug 5 06:54:43 2016
18:64:72:cf:e6:9c Enabled certified-factory-cert factory-cert Tue Aug 9 07:35:41 2016
ac:a3:1e:c0:e6:82 Enabled certified-factory-cert factory-cert Wed Aug 10 09:12:23 2016
ac:a3:1e:cd:36:84 Enabled certified-factory-cert factory-cert Fri 17 05:50:02 2016
ac:a3:1e:c0:e6:9a Enabled certified-factory-cert factory-cert Thu May 26 06:31:13 2016
Total Entries: 8
(host) [mynode] #show whitelist-db cpsec-status
My Mac-Address 00:1a:1e:00:1a:b8
My IP-Address 10.15.28.16
Master IP-Address 10.15.28.16
Switch-Role Master
Whitelist-sync is disabled
Entries in Whitelist database
Total entries: 5
Approved entries: 0
Unapproved entries: 2
Certified entries: 2
Certified hold entries: 1
Revoked entries: 0
Marked for deletion entries: 0
Current Sequence Number: 147
(host) [mynode] #show whitelist-db rap
Entries in Whitelist database
Total entries: 0
Revoked entries: 0
Marked for deletion entries: 0
AP Entries: 4
Modifying an AP in the Campus AP Whitelist
Use the following procedures to modify the AP group, AP name, certificate type, state, description, and revoked status of an AP in the Campus AP whitelist using the WebUI or CLI.
The following procedure describes the steps to modify an AP in the Campus AP whitelist:
1. In the node hierarchy, navigate to the tab.
2. Click the tab.
3. Select the checkbox of the AP you want to modify.
4. Modify the settings of the selected AP. See Adding an AP to the Campus AP Whitelist.
 : Campus AP. If you do not specify a name, the AP uses its MAC address as its name.
 : Name assigned to the Campus AP.
 : Name of the AP group of the Campus AP.
 : Brief description.
 : Select or .
 : Enter a value for this string.
5. Click to update the Campus AP whitelist entry with its new settings.
6. Click .
7. In the window, select the checkbox, then click .
The following CLI command modifies an AP in the Campus AP whitelist:
(host) #whitelist-db cpsec modify mac-address
ap-group
ap-name
cert-type {switch-cert|factory-cert}
description
mode {disable|enable}
revoke-text
state {approved-ready-for-cert|certified-factory-cert}
Revoking an AP from the Campus AP Whitelist
You can revoke an invalid or rogue AP either by modifying its revoke status (as described in Modifying an AP in the Campus AP Whitelist) or directly from the Campus AP whitelist without modifying any other parameter. When revoking an invalid or rogue AP, enter a brief description of why the AP is being revoked. When you revoke an AP from the Campus AP whitelist, the Campus AP whitelist retains the AP's information. To revoke an invalid or rogue AP and permanently remove it from the whitelist, delete the entry.
You can revoke an AP from the Campus AP whitelist using the WebUI or CLI.
The following procedure describes the steps to revoke an AP from the Campus AP whitelist:
1. In the node hierarchy, navigate to the tab.
2. Click the tab.
3. Select the checkbox next to the AP you want to revoke, then click . The window is displayed.
4. In the field, enter a brief description of why the AP is being revoked.
5. Click .
6. Click .
7. In the window, select the checkbox, then click .
The following CLI command revokes an AP via the Campus AP whitelist:
(host) [mynode] (config) #whitelist-db cpsec revoke mac-address
Deleting an AP from the Campus AP Whitelist
Before deleting an AP from the Campus AP whitelist, confirm that automatic certificate provisioning is either disabled, or enabled only for IP addresses that do not include the AP being deleted. If you enable automatic certificate provisioning for an AP that is still connected to the network, you cannot delete it from the Campus AP whitelist; the controller immediately recertifies the AP and recreates its whitelist entry.
You can delete an AP from the Campus AP whitelist using the WebUI or CLI. The following procedure describes the steps to delete an AP from the Campus AP whitelist:
1. In the node hierarchy, navigate to the tab.
2. Click the tab.
3. Select the checkbox of the AP you want to delete, then click .
4. Click .
5. Click .
6. In the window, select the checkbox, then click .
The following animation shows how to delete an AP from the Campus AP whitelist in the WebUI:
The following CLI command deletes an AP from the Campus AP whitelist:
(host) [mynode] (config) #whitelist-db cpsec del mac-address <name>
Purging a Campus AP Whitelist
Before adding a new managed device to a network that uses CPsec, purge the Campus AP whitelist on the new managed device. To purge a Campus AP whitelist, issue the following command:
(host) [mynode] (config) #whitelist-db cpsec purge
Offloading a Controller Whitelist to ClearPass Policy Manager
This feature allows the AP whitelist to be maintained externally on a ClearPass Policy Manager server. The controller, if configured to use an external server, can send a RADIUS access request to the ClearPass Policy Manager server. The MAC address of the AP is used as the username and password to construct the access request packet. The ClearPass Policy Manager server validates the RADIUS message and returns the relevant parameters for the authorized APs.
The following supported parameters are associated with the following Vendor-Specific Attributes (VSAs). The ClearPass Policy Manager server sends them in the RADIUS access accept packet for authorized APs:
ap-group: Aruba-AP-Group
ap-name: Aruba-Location-Id
ap-remote-ip: Aruba-AP-IP-Address
The following defaults are used when any of the supported parameters are not provided by the ClearPass Policy Manager server in the RADIUS access accept reply:
ap-group: The default ap-group is assigned to the AP.
ap-name: The MAC address of the AP is used as the AP name.
There is no change in the Remote AP role assignment. The Remote AP is assigned the role configured in the VPN default-rap profile.
Aruba now provides support for ClearPass Policy Manager to whitelist Remote APs in a cluster environment. You can configure ClearPass Policy Manager as an external server that authenticates Remote APs using the MAC address of the Remote APs. The Remote APs are authenticated by maintaining whitelist entries in ClearPass Policy Manager, and the cluster inner IP addresses are assigned on the Mobility Master. Hence, the inner IP address assignment is centralized and forwarded to the associated managed devices in the cluster.
The following procedure describes the steps to assign a ClearPass Policy Manager server to a Remote AP:
a. In the node hierarchy, navigate to the tab.
b. Click in the table.
c. In the window, enter the server group name in the field.
d. Click .
e. Select the server group created.
f. Click in the table.
g. Do one of the following:
   Select the option, choose a server from the list, and click .
   Select the option, enter or select the appropriate values in the following fields, and click .
h. Select the in the table. Under , enter the in the field and re-enter the value in the field. Click .
i. Click .
j. In the window, select the checkbox and click .
2. In the node hierarchy, navigate to the > > tab.
3. In the list, select
5. Click .
6. Click .
7. In the window, select the checkbox, then click .
To assign a ClearPass Policy Manager server to a Remote AP that was initially an Instant AP:
2. In the node hierarchy, navigate to the > > tab.
3. In the list, select
5. Click .
6. Click .
7. In the window, select the checkbox, then click .
The following commands add a ClearPass Policy Manager server to a Remote AP:
Configure a RADIUS server with the ClearPass Policy Manager server as the host address. In this example, cppm-rad is the ClearPass Policy Manager server name and cppm-sg is the server group name.
(host) [md] (config) #aaa authentication-server radius cppm-rad
(host) [md] (RADIUS Server "test") # host 1.1.1.1
Run the following commands to add this server to a server group:
(host) [md] (config) #aaa server-group cppm-sg
(host) (Server Group "cppm-sg") #auth-server cppm-rad
Run the following commands to add this server group to the VPN profile:
(host) [md] (config) #aaa authentication vpn default-rap
(host) (VPN Authentication Profile "default-rap") #server-group cppm-sg
Run the following command to configure the Remote AP inner IP pool on the Mobility Master for cluster deployment:
(host) [mynode] (config) #lc-rap-pool rap-cluster 3.1.1.3 3.1.1.10
Points to Remember
The command currently supports only IPv4 addresses in a cluster environment. In a cluster environment, the managed device does not use the IP address received from ClearPass Policy Manager and instead attempts to obtain one from the Remote AP inner IP pool for cluster deployment configured on the Mobility Master. If the managed device cannot obtain an inner IP address, the Remote AP does not establish an IKE/IPsec tunnel with the managed device. Whitelist entries are generated automatically after successful authentication and IP assignment from the Remote AP inner IP pool.
When the Remote AP goes down on all cluster members, both the managed device and the Mobility Master delete the automatically generated Remote AP whitelist entries.