PAPI Enhanced Security. Aruba M3MK1, 7024, 7240, 620, 7280, 650, ArubaOS 6.5.3.x, 3200
Chapter 30
PAPI Enhanced Security
Starting from ArubaOS 6.5.1.0, a minor security enhancement is made to Process Application Programming Interface (PAPI) messages. With this enhancement, PAPI endpoints authenticate the sender by performing a sanity check on each incoming message using an MD5 hash.
All PAPI endpoints (access points, Mobility Access Switches, controllers, Analytics and Location Engine (ALE), HPE-ArubaOS Switch-based switches, and AirWave) must use the same secret key.
The PAPI Enhanced Security configuration protects Aruba devices, AirWave, and ALE against malicious users sending fake messages that result in security challenges.
PAPI Enhanced Security does not solve all the PAPI security issues.
Topics in this chapter include:
Configuring PAPI Enhanced Security on page 693
Verifying PAPI Enhanced Security on page 694
Interoperability
The following references provide interoperability information for Aruba devices with respect to the PAPI Enhanced Security feature:
For information on interoperability with AirWave, refer to the AirWave 8.2.0.3 Release Notes.
For information on interoperability with Analytics and Location Engine (ALE), refer to the Analytics and Location Engine 2.0.0.6 Release Notes.
For interoperability with Mobility Access Switches, refer to the ArubaOS 7.4.1.5 Release Notes.
For interoperability with HPE-ArubaOS Switch-based switches, refer to HPE's Management Configuration Guide 16.02.
AirWave Management Platforms AMP 8.0.11.2 and AMP 8.2.3 support PAPI Enhanced Security.
Configuring PAPI Enhanced Security
You can configure the PAPI Enhanced Security feature from either the WebUI or the CLI.
In the WebUI
Perform the following steps to enable the PAPI Enhanced Security feature and configure a PAPI key in the WebUI:
1. Go to Configuration > Network > Controller > System Settings.
2. Under the PAPI Security section, perform the following steps:
   a. Select Yes for the Enhanced Security Mode Enabled option.
   b. Enter a key in the PAPI Key text box.
   c. Re-enter the PAPI key in the Retype PAPI Key text box.
3. Click Apply.
ArubaOS 6.5.3.x | User Guide    PAPI Enhanced Security | 693
In the CLI
By default, the PAPI Enhanced Security configuration is disabled. If there is no configured key, the default key is used for authentication.
(host) (config) #papi-security
(host) (PAPI Security Profile) #?
enhanced-security    Enable or disable the use of enhanced security mode
key                  Key used to authenticate messages between systems
no                   Delete Command
Verifying PAPI Enhanced Security
To verify the status of the PAPI Enhanced Security configuration, execute the following command:
(host) (config) #show papi-security
PAPI Security Profile
---------------------
Parameter               Value
---------               -----
PAPI Key                ********
Enhanced security mode  Disabled
To view statistics on transmitted, received, and denied messages, three additional output parameters are introduced in the show ipc statistics command output:
Tx Sign: the number of messages that were signed before transmitting
Rx Sign: the number of messages validated through digest validation
Rx Denied: the number of messages denied due to an incorrect digest
(host) #show ipc statistics app-ap sapd ap-name <ap-name>
Local Statistics
To application    Tx Msg  Tx Blk  Tx Ret  Tx Fail  Rx Ack  Rx Msg  Rx Drop  Rx Err  Tx Ack  Tx Sign  Rx Sign  Rx Denied
AP LLDP Service   0       0       0       0        0       186     0        0       0       0        0        0
AP STM            31      0       0       0        12      0       0        0       ...
RF Client         ...
BLE Daemon        ...
AP Nanny          ...
(remaining per-application counter values were lost in extraction)
Allocated Buffers 0
Static Buffers 1
Static Buffer Size 1476
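The message check described at the start of this chapter, together with the Tx Sign, Rx Sign and Rx Denied counters listed above, modelled as an added Python example (not Aruba's code): each endpoint signs outgoing messages with a keyed MD5 digest over a shared secret, and the receiver denies any message whose digest does not verify. The frame layout, the HMAC-MD5 construction, the default-key value and the endpoint names are assumptions; the page does not document the real PAPI format.

```python
import hashlib
import hmac
import os
import struct
from dataclasses import dataclass

# Constructed model of the check this chapter describes: every PAPI endpoint
# holds one shared secret key, attaches a keyed MD5 digest to each message it
# sends, and validates that digest on every message it receives. The frame
# layout (4-byte length, 16-byte digest, payload), the HMAC-MD5 construction
# and the default-key value are assumptions; the real PAPI format is not on the page.
DEFAULT_KEY = b"<default-papi-key-placeholder>"  # stands in for the built-in default key
HEADER_LEN = 4 + 16


@dataclass
class PapiEndpoint:
    name: str
    key: bytes = DEFAULT_KEY  # used when no key has been configured on this endpoint
    tx_sign: int = 0          # Tx Sign: messages signed before transmitting
    rx_sign: int = 0          # Rx Sign: messages validated through digest validation
    rx_denied: int = 0        # Rx Denied: messages denied due to an incorrect digest

    def _digest(self, payload: bytes) -> bytes:
        return hmac.new(self.key, payload, hashlib.md5).digest()

    def send(self, payload: bytes) -> bytes:
        """Sign an outgoing message and count it under Tx Sign."""
        self.tx_sign += 1
        return struct.pack("!I", len(payload)) + self._digest(payload) + payload

    def receive(self, frame: bytes):
        """Validate the digest; return the payload, or None when the message is denied."""
        mac, payload = frame[4:HEADER_LEN], frame[HEADER_LEN:]
        # A short frame, a length mismatch or a digest mismatch all count as Rx Denied;
        # the digest comparison is constant-time so the check leaks no timing signal.
        if (len(frame) < HEADER_LEN or struct.unpack("!I", frame[:4])[0] != len(payload)
                or not hmac.compare_digest(mac, self._digest(payload))):
            self.rx_denied += 1
            return None
        self.rx_sign += 1
        return payload


def run_scenario() -> dict:
    """Controller and AP share a configured key; a switch still uses the default key."""
    shared = os.urandom(16)                  # constructed key for this run
    controller = PapiEndpoint("controller", key=shared)
    ap = PapiEndpoint("ap", key=shared)
    switch = PapiEndpoint("switch")          # key never configured, so it mismatches
    accepted = [ap.receive(controller.send(b"constructed message 1")),
                controller.receive(ap.send(b"constructed message 2"))]
    # Denied cases: a sender with the wrong key, then a frame altered after signing.
    altered = bytearray(ap.send(b"constructed message 3"))
    altered[-1] ^= 0x01
    denied = [controller.receive(switch.send(b"constructed message 4")),
              controller.receive(bytes(altered))]
    counters = {e.name: (e.tx_sign, e.rx_sign, e.rx_denied) for e in (controller, ap, switch)}
    return {"accepted": accepted, "denied": denied, "counters": counters}
```

The counters returned by run_scenario mirror what a mismatched key or an altered message would show under Rx Denied in the show ipc statistics output.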