The scenario involves an AOS-8 Mobility Controller (MC) with Control Plane Security (CPSec) enabled and auto certificate provisioning disabled. CPSec is a feature that secures the control plane communication between the MC and APs using certificates. When CPSec is enabled, APs must be authorized and trusted by the MC to become managed.
CPSec Enabled, Auto Cert Provisioning Disabled: When CPSec is enabled, APs must have a valid certificate to establish a secure control plane connection with the MC. If auto certificate provisioning is disabled (as shown in the exhibit), the MC does not automatically provision certificates to the APs. Instead, the APs must already have a factory-installed certificate (or a manually installed certificate), and the MC must trust the AP’s certificate by having the issuing CA in its trust list. Additionally, the AP must be on the MC’s AP whitelist to be authorized.
AP Whitelist: The AP whitelist is a list of authorized APs maintained on the MC (or Mobility Master, MM, if present). For an AP to become managed, its MAC address must be in the whitelist, especially when CPSec is enabled and auto provisioning is disabled. This ensures that only authorized APs can connect to the MC.
Option A, "Installing CA-signed certificates on the APs," is incorrect because HPE Aruba Networking APs, such as the 335 series, come with factory-installed certificates signed by Aruba’s CA. These certificates are sufficient for CPSec, provided the MC trusts the Aruba CA (which is typically preconfigured). Manually installing CA-signed certificates is not required unless the factory certificates are not used or trusted.
Option B, "Approving the APs as authorized APs on the AP whitelist," is correct. With CPSec enabled and auto cert provisioning disabled, the APs must be explicitly authorized by adding their MAC addresses to the AP whitelist on the MC. This step ensures that the MC accepts the AP’s certificate and allows it to become managed.
Option C, "Installing self-signed certificates on the APs," is incorrect because self-signed certificates are not typically used for CPSec. APs use factory-installed certificates, and the MC must trust the issuing CA. Self-signed certificates would require manual trust configuration on the MC, which is not a standard practice.
Option D, "Configuring a PAPI key that matches on the APs and MCs," is incorrect. PAPI (Protocol for AP Provisioning and Information) keys are used for securing communication between APs and the MC in non-CPSec environments or for specific configurations (e.g., when CPSec is disabled). When CPSec is enabled, certificate-based authentication replaces the need for a PAPI key.
The HPE Aruba Networking AOS-8 8.11 User Guide states:
"When Control Plane Security (CPSec) is enabled and auto certificate provisioning is disabled, APs must be authorized by adding their MAC addresses to the AP whitelist on the Mobility Controller (or Mobility Master). The AP uses its factory-installed certificate to establish a secure control plane connection with the MC. The MC must trust the CA that issued the AP’s certificate (e.g., Aruba’s CA), and the AP must be in the whitelist to become managed. To add an AP to the whitelist, navigate to Configuration > Access Points > AP Whitelist in the MC UI and add the AP’s MAC address." (Page 395, CPSec Configuration Section)
Additionally, the HPE Aruba Networking CPSec Deployment Guide notes:
"If auto cert provisioning is disabled, the AP whitelist becomes mandatory for CPSec. Each AP must be explicitly approved by adding its MAC address to the whitelist, ensuring that only authorized APs can connect to the MC. The AP’s factory certificate is used for authentication, and no manual certificate installation is required on the AP." (Page 12, CPSec with Manual Provisioning Section)
References:
HPE Aruba Networking AOS-8 8.11 User Guide, CPSec Configuration Section, Page 395.
HPE Aruba Networking CPSec Deployment Guide, CPSec with Manual Provisioning Section, Page 12.