PAPI Enhanced Security. Aruba M3MK1, 7024, 7240, 620, 7280, 650, ArubaOS 6.5.3.x, 3200


Chapter 30

PAPI Enhanced Security

Starting from ArubaOS 6.5.1.0, a minor security enhancement is made to Process Application Programming Interface (PAPI) messages. With this enhancement, PAPI endpoints authenticate the sender by performing a sanity check of the incoming messages using MD5 (hash).

All PAPI endpoints—access points, Mobility Access Switches, controllers, Analytics and Location Engine (ALE), HPE-ArubaOS Switch-based switches, and AirWave—must use the same secret key.

The PAPI Enhanced Security configuration protects Aruba devices, AirWave, and ALE against malicious users sending fake messages that result in security challenges.

PAPI Enhanced Security does not solve all the PAPI security issues.

Topics in this chapter include:

Interoperability

Configuring PAPI Enhanced Security

Verifying PAPI Enhanced Security

Interoperability

The following references provide interoperability information for Aruba devices with respect to the PAPI Enhanced Security feature:

For information on interoperability with AirWave, refer to the AirWave 8.2.0.3 Release Notes.

For information on interoperability with Analytics and Location Engine (ALE), refer to the Analytics and Location Engine 2.0.0.6 Release Notes.

For interoperability with Mobility Access Switches, refer to the ArubaOS 7.4.1.5 Release Notes.

For interoperability with HPE-ArubaOS Switch-based switches, refer to HPE's Management Configuration Guide 16.02.

AirWave Management Platforms–AMP 8.0.11.2 and AMP 8.2.3–support PAPI Enhanced Security.

Configuring PAPI Enhanced Security

You can configure the PAPI Enhanced Security feature from either the WebUI or the CLI.

In the WebUI

Perform the following steps to enable the PAPI Enhanced Security feature and configure a PAPI key in the WebUI:

1. Go to Configuration > Network > Controller > System Settings.

2. Under the PAPI Security section, perform the following steps:

a. Select Yes for the Enhanced Security Mode Enabled option.

b. Enter a key in the PAPI Key text box.

c. Re-enter the PAPI key in the Retype PAPI Key text box.

3. Click Apply.

ArubaOS 6.5.3.x

| User Guide PAPI Enhanced Security | 693

In the CLI

By default, the PAPI Enhanced Security configuration is disabled. If there is no configured key, the default key is used for authentication.

(config) #papi-security
(host) (PAPI Security Profile) #?
enhanced-security       Enable or disable the use of enhanced security mode
key                     Key used to authenticate messages between systems
no                      Delete Command

Verifying PAPI Enhanced Security

To verify the status of the PAPI Enhanced Security configuration, execute the following command:

(host) (config) #show papi-security

PAPI Security Profile
---------------------
Parameter               Value
---------               -----
PAPI Key                ********
Enhanced security mode  Disabled

To view the statistics of transmitted, received, and denied messages, three additional output parameters are introduced in the show ipc statistics command output.

Tx Sign—the number of messages which were signed before transmitting

Rx Sign—the number of messages validated through digest validation

Rx Denied—the number of messages denied due to incorrect digest

(host) #show ipc statistics app-ap sapd ap-name <ap-name>

Local Statistics
To application   Tx Msg  Tx Blk  Tx Ret  Tx Fail  Rx Ack  Rx Msg  Rx Drop  Rx Err  Tx Ack  Tx Sign  Rx Sign  Rx Denied
AP LLDP Service  0       0       0       0        0       186     0        0       0       0        0        0
AP STM           31      0       0       0        12      0       0        0
RF Client
BLE Daemon
AP Nanny
.
.
.
Allocated Buffers 0
Static Buffers 1
Static Buffer Size 1476
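Added example (not part of the Aruba guide): a Python sketch that parses captured show papi-security and show ipc statistics output and reports a disabled mode and any application whose Rx Denied counter is non-zero. The two sample outputs are independent and constructed, their counter values are invented, and the one-row-per-line layout is assumed from the column names listed above.

```python
import re

# Column order as listed on this page for "show ipc statistics".
COLUMNS = ["Tx Msg", "Tx Blk", "Tx Ret", "Tx Fail", "Rx Ack", "Rx Msg",
           "Rx Drop", "Rx Err", "Tx Ack", "Tx Sign", "Rx Sign", "Rx Denied"]

# Constructed sample outputs; the counter values are invented for illustration.
SAMPLE_IPC = """\
Local Statistics
To application   Tx Msg Tx Blk Tx Ret Tx Fail Rx Ack Rx Msg Rx Drop Rx Err Tx Ack Tx Sign Rx Sign Rx Denied
AP LLDP Service  0      0      0      0       0      186    0       0      0      0       186     0
AP STM           31     0      0      0       12     40     0       0      0      31      33      7
RF Client        2      0      0      0       0      0      0       0      0      2       0       0
Allocated Buffers 0
Static Buffer Size 1476
"""
SAMPLE_PAPI = """\
PAPI Security Profile
---------------------
Parameter               Value
---------               -----
PAPI Key                ********
Enhanced security mode  Disabled
"""

def parse_ipc_statistics(text):
    """Return {application: {column: count}} for each complete statistics row."""
    rows = {}
    for line in text.splitlines():
        tokens = line.split()
        values = tokens[-len(COLUMNS):]
        # A data row ends with one integer per column; the name may contain spaces.
        if len(tokens) > len(COLUMNS) and all(v.isdigit() for v in values):
            rows[" ".join(tokens[:-len(COLUMNS)])] = dict(zip(COLUMNS, map(int, values)))
    return rows

def enhanced_security_mode(text):
    """Return the value shown for 'Enhanced security mode', or None if absent."""
    m = re.search(r"^Enhanced security mode\s+(\S+)", text, re.MULTILINE)
    return m.group(1) if m else None

def findings(ipc_text, papi_text):
    out = []
    if enhanced_security_mode(papi_text) == "Disabled":
        out.append("enhanced security mode is Disabled")
    for app, row in parse_ipc_statistics(ipc_text).items():
        if row["Rx Denied"] > 0:  # messages denied due to incorrect digest
            out.append(f"{app}: {row['Rx Denied']} messages denied (incorrect digest)")
    return out
```

Because every PAPI endpoint must use the same secret key, a rising Rx Denied count after a key change is a prompt to check which endpoints still hold a different key.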
