Hello and welcome, my name is Tyler McMinn. And this is the Aruba Networks Security Basics Course, part 2, where we are hardening the Aruba mobility controller and this third task in lab 3. We're going to authorize the AP and establish secure communication over CPSeC. Simply validate that it's working. Let's get started, [MUSIC] All right, in this section, what we're going to do is authorize the AP. Is to use CPSeC control plane security and establish that secure connection. Right now, I have an access point that's pending access here, and it's in this down status and in all likelihood, that's because it has not been approved. It could be due to licensing. If you go to your configuration and you check out under licensing, you can see that we have a valid set of AP licenses that are required and also because we have enabled these three services. We need an equal number of licenses, at least enough licenses for the maximum number of a piece that we're connecting and the policy enforcement firewall they are protect. Those are all enabled, we can disable to our protect for now and re enable that later. That's fine, as long as the service is disabled, it doesn't really make a difference. So the licenses are in place. That's not why the access point is failing to join, what we would then check. And this is a good thing to check by the way we run into this quite a bit is go under your system settings, and I'll do this from the actual controller itself. So we'll go down the system and find CPSeC, and we can see that CPSeC is enabled. But auto start provisioning by default is disabled. This is your default settings that you're observing here, so quick way to just allow these access points to join would be to auto sir provisioning. The security issue with doing that is anybody could plug in and Aruba AP that doesn't belong to your organization, and it, too, would be automatically asserted as well, meaning it would be given access to this controller and be able to use one of those available licenses. Much more strict way to do this would be, perhaps you could enable this and then only accept from a specific submit range of IP addresses, that's a strategy a lot of people employed, or you could just simply enable it while you're plugging in your APs. Once you see all of your APs are plugged in, disable it so no further APs could join. All of those are valid approaches and strategies to enabling, or to making sure that CPSeC accepts your access points, now that we verify that it is enabled. Let's go and let's create an AP group because we just have the default in here. So we'll add in a new one called I don't know, MainCampus, and this will be the group that will place our access point into and any future access points. We could place them in there as well, and then we can verify that the group is in there, and finally, a very restrictive way to add your access points is to go in and just line by line, approve them. If I go to my configuration access points and white list, I can see the Mac address of the access point has been learned. If you put in the AP name here, then it will approve it and assign this name, and it will approve it to this group. What will happen is the AP will now be provision accordingly. And now all I need to do is check the box for that AP and hit approve, and it will take a few minutes while the AP reboots. And once it does, it should come up with this name part of this group, and it will accept all the settings, the wireless lands and everything else that we have in that group, so we can come back to that in the next task. All right, so after about a minute or two, the access point has shifted over from being down, two up, and if I click on it there, you can see the name is applied. It's part of the main campus group, and it's ready to accept any of the wireless lands that we have running. If you like your dashboard overview, this will show you that we currently have no wireless lands that are being advertised by any of our radios. If we did, we would see a list of those wireless lands right here. So in a later lab, we are going to be setting up some wireless local area networks, but for now the access point is running and it is secure between the controller and the IP address of the AP.
