Cluster Security. Aruba Instant 6.5.2.0, RAP-155, IAP-207, RAP-108, IAP-305, Instant


Chapter 24

Cluster Security

This chapter describes cluster security and the procedure for configuring cluster security DTLS for secure communication. It includes the following topics:

- Overview on page 307

- Enabling Cluster Security on page 308

- Cluster Security Debugging Logs on page 309

Overview

Cluster security is a communication protocol that secures control plane messages between Instant access points. Control plane messages such as configuration, cluster join, and other messages distributed between the devices in a cluster are secured using this protocol. Cluster security operates on UDP port 4434 and uses the DTLS protocol to secure messages.

Cluster Security Using DTLS

Cluster security provides secure communication using Datagram Transport Layer Security (DTLS). A DTLS connection is established between the IAPs communicating with each other in the cluster. Following are some of the advantages of using DTLS for cluster security:

- Mutual authentication is performed between the IAPs in a cluster using device certificates.

- Peer MAC address validation against the AP whitelist can be enabled in the configuration.

- Control plane messages between cluster members are transmitted securely over the established DTLS connection.

If auto-join is enabled, backward compatibility and recovery of IAPs is allowed on ARUBA UDP port 8211. Only the messages required for image synchronization and cluster security DTLS state synchronization are allowed on that port.

If auto-join is disabled, the MAC address of a peer IAP is verified against the AP whitelist during device certificate validation.

Locked Mode Slave IAP

A slave IAP with a non-factory-default configuration in which DTLS is enabled is considered to be in locked mode of operation. Such slave IAPs cannot join an existing non-DTLS cluster, because backward compatibility and recovery are not allowed in locked mode. This is done for security reasons.

To recover a slave IAP in locked mode, do one of the following:

- Execute the disable-cluster-security-dtls action command on the slave IAP, or

- Factory reset the slave IAP.

Auto-Join Disabled Mode

A cluster with DTLS enabled and auto-join disabled is the most secure mode of operation. In this mode, the cluster communicates only using DTLS, and backward compatibility and recovery are denied. This is done for security reasons.

Aruba Instant 6.5.2.0 | User Guide Cluster Security | 307

In this mode, a new slave IAP with DTLS disabled, or running a software version prior to Instant 6.5.1.0-4.3.1.0, will not be able to join the cluster even if the MAC address of the slave IAP is added to the allowed AP whitelist.

To recover the slave IAP:

1. Enable Auto join mode.

2. Wait for the new slave IAP to join the cluster. The MAC address of the IAP is automatically added to the allowed AP whitelist.

3. Disable Auto join mode.

Note that while Auto join mode is enabled, the cluster again accepts backward-compatibility and recovery traffic on ARUBA UDP port 8211 (see Overview), so keep this recovery window as short as possible and disable Auto join as soon as the new slave has joined.
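The three sections above (Overview, Locked Mode Slave IAP and Auto-Join Disabled Mode) describe the join rules piecemeal. The following is an added worked example, not Aruba code and not part of the original guide, that puts those rules into one decision function so the interaction between cluster DTLS, Auto join, the AP whitelist, locked mode and the 6.5.1.0-4.3.1.0 version boundary can be exercised. The ClusterState and PeerState models, the result strings and the constructed build strings used in the tests are assumptions of this example; only the version boundary and the two UDP port numbers come from the guide.

```python
from dataclasses import dataclass, field
from typing import Tuple

# From the guide: first Instant release with cluster-security DTLS, and the two UDP ports.
MIN_DTLS_VERSION = "6.5.1.0-4.3.1.0"
DTLS_PORT = 4434     # cluster security DTLS
LEGACY_PORT = 8211   # ARUBA UDP port used for backward compatibility and recovery


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn an Instant version such as '6.5.1.0-4.3.1.0' into a comparable int tuple."""
    return tuple(int(part) for part in text.replace("-", ".").split("."))


@dataclass
class ClusterState:            # assumed model of the master's view of the cluster
    dtls: bool                 # cluster-security DTLS enabled
    auto_join: bool            # Auto join mode
    whitelist: set = field(default_factory=set)   # allowed AP MACs, lower-case


@dataclass
class PeerState:               # assumed model of a slave IAP trying to join
    mac: str
    version: str               # e.g. '6.5.2.0-4.3.1.1' (constructed build strings in the tests)
    dtls: bool                 # DTLS enabled in the slave's own configuration
    factory_default: bool = True


def is_locked(peer: PeerState) -> bool:
    """Locked mode: non-factory-default configuration with DTLS enabled."""
    return peer.dtls and not peer.factory_default


def is_dtls_capable(peer: PeerState) -> bool:
    """A peer can speak cluster-security DTLS only if it has it enabled and is new enough."""
    return peer.dtls and parse_version(peer.version) >= parse_version(MIN_DTLS_VERSION)


def join_decision(cluster: ClusterState, peer: PeerState) -> str:
    """Return what happens when `peer` tries to join `cluster`.

    Strings starting with 'join' mean the peer becomes a cluster member,
    'recovery' means it is admitted only for image/DTLS-state sync on UDP 8211,
    and 'denied' means it is rejected. The wording is this example's own.
    """
    mac = peer.mac.lower()

    if not cluster.dtls:
        # Legacy cluster: everything goes over UDP 8211, except that a locked-mode
        # slave refuses to fall back (disable-cluster-security-dtls or factory reset it).
        if is_locked(peer):
            return "denied: locked-mode slave cannot join a non-DTLS cluster"
        return f"join: non-DTLS cluster on UDP/{LEGACY_PORT}"

    if cluster.auto_join:
        # DTLS cluster with auto-join: DTLS peers are admitted and whitelisted
        # automatically; anything else gets recovery access on UDP 8211 only.
        if is_dtls_capable(peer):
            cluster.whitelist.add(mac)
            return f"join: DTLS on UDP/{DTLS_PORT}, MAC added to AP whitelist"
        return f"recovery: UDP/{LEGACY_PORT} image sync and DTLS state sync only"

    # Most secure mode: DTLS only, no recovery, MAC checked during certificate validation.
    if not is_dtls_capable(peer):
        return "denied: DTLS-only cluster, peer has DTLS disabled or is too old (enable Auto join to recover)"
    if mac not in cluster.whitelist:
        return "denied: peer MAC not in AP whitelist"
    return f"join: DTLS on UDP/{DTLS_PORT}, MAC verified against AP whitelist"
```

join_decision mutates the cluster whitelist when Auto join admits a DTLS peer, mirroring the automatic whitelisting the recovery procedure relies on; the denied cases are exactly the ones the guide says need disable-cluster-security-dtls, a factory reset, or a temporary Auto join window to recover.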

Enabling Cluster Security

You can enable cluster security using the Instant UI or the CLI. Ensure that the following pre-requisites are satisfied:

Pre-requisites

1. An NTP server must be reachable. If the internet is reachable, pool.ntp.org is used by default; otherwise, a static NTP server must be configured.

2. UDP port 4434 must be permitted between the IAPs in the cluster.
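The NTP prerequisite matters because the DTLS handshake validates device certificates, and a certificate's validity window is checked against the AP's own clock; an unreachable time source or a badly skewed clock therefore shows up as DTLS peers that never connect. As an added example (not from the Aruba guide), the script below sends a raw SNTP query and compares the answer with the local clock, which is a quick way to confirm prerequisite 1 from a host on the same network before enabling cluster security. The default host, the skew tolerance and the constructed reply packet used in the tests are assumptions of this example.

```python
import socket
import struct
import time

NTP_EPOCH_OFFSET = 2208988800  # seconds between the NTP epoch (1900) and the Unix epoch (1970)
NTP_PORT = 123


def build_ntp_request() -> bytes:
    """48-byte SNTP client request: LI=0, VN=4, Mode=3 (client), all other fields zero."""
    return bytes([0x23]) + bytes(47)


def parse_transmit_time(packet: bytes) -> float:
    """Return the server's Transmit Timestamp (bytes 40..47) as Unix seconds."""
    if len(packet) < 48:
        raise ValueError("short NTP packet")
    mode = packet[0] & 0x07
    if mode != 4:
        raise ValueError(f"unexpected NTP mode {mode}, expected 4 (server)")
    seconds, fraction = struct.unpack("!II", packet[40:48])
    return seconds - NTP_EPOCH_OFFSET + fraction / 2**32


def clock_skew(server_time: float, local_time: float) -> float:
    """Positive when the local clock is behind the server, negative when ahead."""
    return server_time - local_time


def ntp_time(host: str = "pool.ntp.org", timeout: float = 3.0) -> float:
    """Query one NTP server over UDP and return its transmit time as Unix seconds."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_ntp_request(), (host, NTP_PORT))
        data, _ = sock.recvfrom(512)
    return parse_transmit_time(data)


def check_ntp(host: str = "pool.ntp.org", max_skew: float = 60.0):
    """Return (ok, message). max_skew is an assumed tolerance, not an Aruba value."""
    try:
        server = ntp_time(host)
    except (OSError, ValueError) as exc:
        return False, f"NTP server {host} unreachable or malformed reply: {exc}"
    skew = clock_skew(server, time.time())
    if abs(skew) > max_skew:
        return False, f"clock skew {skew:+.1f}s exceeds {max_skew}s; certificate validation may fail"
    return True, f"NTP OK via {host}, local clock skew {skew:+.1f}s"


if __name__ == "__main__":
    ok, message = check_ntp()
    print(message)
    raise SystemExit(0 if ok else 1)
```

Run it with network access to see the live result; the parsing and skew logic can be checked offline with a hand-built 48-byte server reply.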

In the Instant UI

To enable cluster security:

1. Navigate to System > General .

2. Select Enabled from the Cluster security drop-down list.

3. Click OK .

Reboot all the IAPs in the swarm for the configuration to take effect.

In the CLI:

To enable cluster security:

(Instant AP)(config)# cluster-security

(Instant AP)(cluster-security)# dtls

(Instant AP)(cluster-security)# end

(Instant AP)# commit apply

To disable cluster security DTLS:

(Instant AP)(config)# cluster-security

(Instant AP)(cluster-security)# no dtls

(Instant AP)(cluster-security)# end

(Instant AP)# commit apply

To change per module logging level of cluster security:

(Instant AP)# cluster-security logging module <module_name> log-level <level>

To set individual log level for each module:

(Instant AP)# cluster-security logging module <module_name> log-level-individual <level>

After enabling or disabling the cluster security option, ensure that the Config Sync Status is TRUE in the output of the show summary command, before rebooting the cluster.

Cluster security is not supported for L3 mobility.


Cluster Security Debugging Logs

Cluster security logging is organized into modules based on functionality. The following core modules are the most useful for debugging:

- peer: logs connection initiation, renegotiation, collision and active connection updates. Set the log-level to debug while debugging any cluster security issue.

- conn: logs connection creation, establishment, data transfer and maintenance updates. Set the log-level to debug when debugging DTLS connection issues.

- mcap: the module capture module logs messages sent to and received from the socket. Set the log-level to debug to log only control messages, or to debug1 to log both control and data messages.

The following command can be used to set per module logging level:

(Instant AP)# cluster-security logging module <module_name> log-level <level>

Once the log-level is set, logs can be viewed using:

(Instant AP)# show log papi-handler

Verifying the Configuration

The following show commands can be used to view the cluster security configuration:

To view current cluster security Configuration and running state

(Instant AP)# show cluster-security

To view the cluster security statistics:

(Instant AP)# show cluster-security stats

To view the cluster security connection table:

(Instant AP)# show cluster-security connections

To view the cluster security peers:

(Instant AP)# show cluster-security peers

To view the message handler process logs:

(Instant AP)# show log papi-handler <count>

