
25 Nov 16 Cisco 1142 not joining Cisco 2504 WLC

%PKI-3-CERTIFICATE_INVALID_NOT_YET_VALID

Recently I was setting up my lab environment with a Cisco 1142 Access Point and a Cisco 2504 Wireless LAN Controller and ran into a minor issue: the Cisco 1142 Access Point was not joining the WLC. When I consoled into the access point I was getting the following error messages.

*Jan 1 04:35:10.126: %CAPWAP-3-ERRORLOG: Go join a capwap controller
*Jan 1 04:35:10.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 192.168.10.41 peer_port: 5246
*Jan 1 04:35:10.000: %CAPWAP-5-CHANGED: CAPWAP changed state to
*Jan 1 04:35:10.316: %PKI-3-CERTIFICATE_INVALID_NOT_YET_VALID: Certificate chain validation has failed. The certificate (SN: 4E0E3D20000000116445) is not yet valid Validity period starts on 21:44:46 UTC Dec 7 2011
*Jan 1 04:35:10.317: %LWAPP-3-CLIENTERRORLOG: Peer certificate verification failed
*Jan 1 04:35:10.317: %CAPWAP-3-ERRORLOG: Certificate verification failed!
*Jan 1 04:35:10.317: DTLS_CLIENT_ERROR: ../capwap/capwap_wtp_dtls.c:333 Certificate verified failed!
*Jan 1 04:35:10.317: %DTLS-4-BAD_CERT: Certificate verification failed. Peer IP: 192.168.10.41
*Jan 1 04:35:10.318: %DTLS-5-SEND_ALERT: Send FATAL : Bad certificate Alert to 192.168.10.41:5246
*Jan 1 04:35:10.318: %DTLS-3-BAD_RECORD: Erroneous record received from 19: Malformed Certificate

Initially I jumped straight to the certificate and ran the following commands, thinking there might actually be a problem with the certificate on the WLC or the access point:

(WLC1) >show certificate summary
Web Administration Certificate………………. 3rd Party
Web Authentication Certificate………………. Locally Generated
Certificate compatibility mode:……………… off
Lifetime Check Ignore for MIC ………………. Disable
Lifetime Check Ignore for SSC ………………. Disable

(WLC1) >config ap cert-expiry-ignore mic enable

(WLC1) >config ap cert-expiry-ignore ssc enable

(WLC1) >show certificate summary
Web Administration Certificate………………. 3rd Party
Web Authentication Certificate………………. Locally Generated
Certificate compatibility mode:……………… off
Lifetime Check Ignore for MIC ………………. Enable
Lifetime Check Ignore for SSC ………………. Enable

This however did not resolve my issue and the Cisco 1142 still was not joining the 2504 WLC. With a little more checking I felt pretty embarrassed, because I realized that the time on the Cisco 2504 WLC was wrong. Once I fixed the time and date on the Cisco 2504 WLC, the Cisco 1142 Access Point successfully joined the controller.
The lesson here is that sometimes the issue is right there in front of you and is pretty simple :). Note that the log above says the controller certificate is "not yet valid", which is the symptom of a clock that sits before the start of the certificate's validity period. By the way, here is a good write-up on access points and certificates: "Lightweight AP – Fail to create CAPWAP/LWAPP connection due to certificate expiration".


09 Mar 15 SNMP Communication issue between Cisco Prime and Cisco WLC

Cisco Prime 1.2 Unable to communicate via SNMP with Cisco Wireless LAN Controller

Recently I had an issue where Cisco Prime 1.2 started to show one of our Cisco Wireless LAN Controllers as Unreachable. I looked at the SNMP settings on Cisco Prime as well as on the controller and nothing had changed. I even deleted the settings and tried to re-add the Cisco WLC in Cisco Prime, with the same result. After testing different things it turned out to be caused by a new dynamic interface that had been added on the Cisco WLC for testing. This dynamic interface was on the same VLAN as the Cisco Prime interface.

So it looks like, because there was an interface on the WLC on the same subnet as Cisco Prime's interface, the SNMP requests were hitting that interface. But the Cisco WLC does not do inter-VLAN routing like an L3 switch, so those packets arriving on the new dynamic interface never reached the management interface. As soon as I deleted that new dynamic interface from the Cisco WLC, SNMP started to work again.

By reading this site/post(s) you are agreeing to the Terms and Conditions of using this website


05 Mar 15 Configure Primary and Secondary WLC on Cisco Light Weight Access Points

How to configure Primary and Secondary Wireless LAN Controller IP’s on Cisco Light Weight Access Points

I use this method to specify the primary and secondary Wireless LAN Controller IP and name on Cisco lightweight access points. It can also be used if you want some access points on one Wireless LAN Controller and some on the other. This is strictly via the controller's command line. It can be done via the controller GUI as well, but that takes forever if you are configuring multiple access points, because you have to enter the information for each AP one by one. Using the Cisco Wireless LAN Controller command line interface I can usually get this done faster.

config ap primary-base WLC-01 AP-01 10.10.10.10
config ap secondary-base WLC-02 AP-01 10.10.10.11
config ap primary-base WLC-01 AP-02 10.10.10.10
config ap secondary-base WLC-02 AP-02 10.10.10.11

and so on for each access point.

There is one more easy way to do this, via Cisco Prime; I will write a separate post on that. This method is the quick option when there is no Cisco Prime.



26 Feb 15 Rename Access Points Cisco WLC – Wireless LAN Controller

How to rename Cisco Light Weight Access Points on Cisco Wireless LAN Controller

When I am configuring a Cisco Wireless LAN Controller and access points are added to it, I have to rename them to something meaningful from their default naming convention of APabcd.fghi.1234. I had been doing this via the GUI by going to the Wireless tab –> All APs and renaming them one by one. That is no big deal if you only have a few to rename. However, if you are standing up a new site with 30, 50, 100 or more Cisco lightweight access points on that Cisco Wireless LAN Controller, it can take forever via the controller GUI. I like to work smarter and optimize the way I do things, so I decided to start using the CLI of the Cisco WLC to rename the access points.

First and most important, make sure you have an inventory of the APs, or get a list of their names from Prime. Then, using Excel, I simply generated the CLI configuration lines to rename the Cisco lightweight access points.

config ap name AP-01 APtttt.abcd.1111
config ap name AP-02 APffff.1234.0asd
config ap name AP-03 APgggg.1234.uut7
config ap name AP-04 APhhhh.1234.6688
config ap name AP-05 APiiii.1234.9999

Now you can use this simple method to rename all the APs really quickly. Here is a quick breakdown of the syntax:

config ap name NEW-NAME CURRENT-AP-NAME

where the AP is identified by its current name, Ethernet MAC address, or serial number.

Note: AP names are case sensitive
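As an added example, not part of the original posts, here is a small shell script that generates the rename lines from this post together with the primary/secondary-base lines from the 05 Mar 15 post from one inventory list, refusing to emit anything if a new name is blank or repeated; the inventory, controller names and IPs are constructed sample values.

```sh
#!/bin/sh
# Generate the WLC CLI lines for a batch of APs from an inventory list, so the
# rename and the primary/secondary controller assignment are typed once instead
# of once per AP in the GUI. Inventory lines: "current-name-or-MAC-or-serial,new-name".
# The inventory below is constructed sample data, not a real site.
INVENTORY='APtttt.abcd.1111,AP-01
APffff.1234.0asd,AP-02
APgggg.1234.uut7,AP-03'

# gen_ap_config INVENTORY PRIMARY-NAME PRIMARY-IP SECONDARY-NAME SECONDARY-IP
# Emits nothing and fails if a line is malformed or a new name repeats, since a
# repeated name is almost certainly an inventory error. Names are case sensitive
# on the controller, so AP-01 and ap-01 are treated as different APs here too.
gen_ap_config() {
  printf '%s\n' "$1" | awk -F, -v p="$2" -v pip="$3" -v s="$4" -v sip="$5" '
    NF != 2 || $1 == "" || $2 == "" { print "bad inventory line " NR > "/dev/stderr"; bad = 1; exit 1 }
    seen[$2]++ { print "duplicate new name " $2 > "/dev/stderr"; bad = 1; exit 1 }
    {
      # rename first, then refer to the AP by its new name
      out = out sprintf("config ap name %s %s\n", $2, $1)
      out = out sprintf("config ap primary-base %s %s %s\n", p, $2, pip)
      out = out sprintf("config ap secondary-base %s %s %s\n", s, $2, sip)
    }
    END { if (bad) exit 1; printf "%s", out }'
}
```

Paste the output into the controller CLI, or keep it with the site documentation as the record of which AP got which name and controller.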



24 Feb 15 DHCP options for Cisco 2600 Series Access Points

Configuring DHCP Options for Cisco 2600 Series Access Points

I do not have to do this often, so when I do I always have to look it up; hence I decided to write it up in my own words for my own reference. Normally, when I put Cisco access points on the same VLAN as the Wireless LAN Controller's management interface, the access points have no issue joining the controller. However, if the Cisco lightweight access points are on a different VLAN, they will not be able to join the controller initially, and that usually requires DHCP options 43 and 60. Below is an overview of how to configure DHCP options 43 and 60 for Cisco lightweight access points on a Cisco IOS router.

I will use the 192.168.10.0/24 network as the example subnet where all the Cisco lightweight access points reside, and let's say the controller IP is 192.168.1.11. Since the Cisco access points and the Wireless LAN Controller are on two different subnets, I need to configure DHCP options 43 and 60:

ip dhcp pool AP_POOL
 network 192.168.10.0 255.255.255.0
 default-router 192.168.10.1
 option 60 ascii "Cisco AP c2600"
 option 43 hex f104c0a8010b

The option 60 string is the Vendor Class Identifier (VCI) for this AP model; I found "Cisco AP c2600" on Cisco's website.

Note: Option 60 is not required when using the Cisco IOS DHCP server, but configuring it keeps option 43 from being handed to clients that do not need it.

Getting the option 60 part is easy. The DHCP option 43 value needs further explanation:

  • Option 43 is Type (f1) + Length (number of controller management IPs x 4) + Value (the IP addresses in hex)
  • Type = always f1
  • Length = the number of controller management IPs multiplied by 4, written as one hex byte. With a single controller that is 1 x 4 = 4, with two controllers 2 x 4 = 8, so in our case it is 04
  • Value = the IP address of the controller's management interface converted to hex, so 192.168.1.11 = c0.a8.01.0b
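The calculation above as an added shell example (not from the original post): option43_hex builds the value for one or more controller management IPs, and option43_decode reads an existing value back so a hand-typed entry can be checked. The controller address is the post's own example; the second address used in the comments is made up.

```sh
#!/bin/sh
# Cisco Option 43 for lightweight APs: type f1, length 4 * (number of WLC
# management IPs), value = each IP as four hex octets. option43_hex builds
# the value for an IOS "option 43 hex" line; option43_decode reads one back.

ip_to_hex() {
  # 192.168.1.11 -> c0a8010b; fail on anything but four plain octets 0-255
  case $1 in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
  oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
  [ $# -eq 4 ] || return 1
  for o in "$@"; do
    case $o in 0[0-9]*) return 1 ;; esac   # no leading zeros (octal ambiguity)
    [ "$o" -le 255 ] || return 1
  done
  printf '%02x%02x%02x%02x' "$1" "$2" "$3" "$4"
}

option43_hex() {
  # Usage: option43_hex 192.168.1.11 [192.168.1.12 ...]  ->  f104c0a8010b
  n=0; value=""
  for ip in "$@"; do
    h=$(ip_to_hex "$ip") || return 1
    value="$value$h"; n=$((n + 1))
  done
  [ "$n" -ge 1 ] && [ "$n" -le 63 ] || return 1   # length is a single byte
  printf 'f1%02x%s\n' $((n * 4)) "$value"
}

option43_decode() {
  # f104c0a8010b -> one controller IP per line; fails when type, length and
  # payload size disagree, the usual slip in a hand-built value
  tlv=$(printf '%s' "$1" | tr 'A-F' 'a-f')
  case $tlv in f1????*) ;; *) return 1 ;; esac
  rest=${tlv#f1}
  case $rest in *[!0-9a-f]*) return 1 ;; esac
  len=$((0x$(printf '%s' "$rest" | cut -c1-2)))
  rest=$(printf '%s' "$rest" | cut -c3-)
  [ "$len" -gt 0 ] && [ $((len % 4)) -eq 0 ] && [ ${#rest} -eq $((len * 2)) ] || return 1
  while [ -n "$rest" ]; do
    oct=$(printf '%s' "$rest" | cut -c1-8)
    printf '%d.%d.%d.%d\n' "0x$(printf '%s' "$oct" | cut -c1-2)" \
      "0x$(printf '%s' "$oct" | cut -c3-4)" "0x$(printf '%s' "$oct" | cut -c5-6)" \
      "0x$(printf '%s' "$oct" | cut -c7-8)"
    rest=$(printf '%s' "$rest" | cut -c9-)
  done
}
```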


26 Mar 14 Broadcast multiple SSID’s – Cisco Standalone Access Points

How to broadcast multiple SSID’s on Cisco Access Points

Normally the guest-mode command under the SSID configuration on a Cisco access point lets you broadcast a single SSID. I needed to broadcast multiple SSIDs on Cisco 1240 access points running Version 12.4(10b)JDA3, so I used the following configuration (the # after dot11radio stands for the radio number):

interface dot11radio #
mbssid
!
dot11 ssid CORP
mbssid guest-mode
!
dot11 ssid GUEST
mbssid guest-mode

I used the following two links during my research.

  • http://www.cisco.com/c/en/us/td/docs/wireless/access_point/12-3_7_JA/configuration/guide/i1237sc/s37ssid.html#wp1050170
  • http://www.cisco.com/c/en/us/td/docs/wireless/access_point/12-_3g_JA/configuration/guide/ios1243gjaconfigguide/s43ssid.html#wp1035858



26 Dec 13 Cisco WLC2504 Boot loader Failure

Cisco WLC2504 Boot Loader Failure Error

Today I had a Cisco WLC 2504 crash, and it would not come back online after a reboot. So I connected to it with a Cisco console cable to see what was going on and was presented with the following screen/error:

WLCNG Boot Loader Version 1.0.16 (Built on Feb 28 2011 at 13:14:54 by cisco)
Board Revision 0.0 (SN: PSZ17xxxxx, Type: AIR-CT2504-K9) (P)
Verifying boot loader integrity…
##########################################
### IMPROPER SYSTEM OPERATION DETECTED ###
### ———————————- ###
### System has been halted because: ###
### 1. Boot loader failed verification ###

WLC 2504 BootLoad Failure

I was hoping this was something that could be recovered so we could bring the Cisco 2504 WLC back online. After some searching and talking to Cisco TAC, it turned out it simply needed to be RMAed. Thank God for Cisco Smartnet :), I was able to get it back up and running within a couple of hours.


25 Apr 12 Renew 3rd party Certificate on Cisco WLC 5508

How to renew and upload the third party Certificate on Cisco WLC 5508 for Web Authentication

If you need to generate a CSR (Certificate Signing Request) for a third-party certificate and then load it on your Cisco Wireless LAN Controller 5508, there is a pretty good Cisco guide, which I used myself to load the very first one. That is all good, but what happens once this certificate expires, you get it renewed and now have to reload it? I wasn't able to find specific information about that right away, so hopefully this post will help not only me in the future but others as well :).

First and most important: hopefully you saved your private key from when you initially set up the certificate, because if you have it you do not have to start the whole process again. I save everything, so I simply located my private key for the Cisco WLC 5508 and did the following. Note: this applies to Verisign, which is what we use.

  • First I got the renewed Verisign certificate and got hold of the old vs.pem file that I used initially.
  • Next I replaced the old Verisign certificate lines with the new ones and saved the file. This is the key step, I guess.
  • Then I put the vs.pem and myprivatekey.pem files in the c:\openssl\bin folder.
  • From the command prompt I changed to that folder and typed openssl.
  • At the OpenSSL prompt I used the following two commands:

    pkcs12 -export -in vs.pem -inkey myprivatekey.pem -out vscert.p12 -clcerts -passin pass:12345 -passout pass:12345
    pkcs12 -in vscert.p12 -out vscert.pem -passin pass:12345 -passout pass:12345

  • Now I had a vscert.pem file, just like before, that I could load on the Cisco WLC 5508.
  • Next, get the Cisco WLC 5508 ready to load the new cert. I ran the following commands on the Cisco 5508 WLC (the path is ./ because my TFTP root is C:\TFTP):

    transfer download mode tftp
    transfer download datatype webauthcert
    transfer download serverip x.x.x.x
    transfer download path ./
    transfer download filename vscert.pem
    transfer download certpassword 12345
    Setting password to 12345

  • Now the Cisco WLC 5508 is ready to receive the renewed Verisign cert for web authentication.
  • Type the following command to start the process: transfer download start
  • Once the transfer completes, save the config and reset the 5508 Wireless LAN Controller. The new Verisign certificate will take over.

Note: These are the steps I took to renew and then upload the renewed Verisign certificate on a Cisco 5508 WLC. Use this as a reference, always back up your configuration, do some research if you are not certain, and don't do anything you can't undo 🙂
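As an added example, not part of the post, here is a shell script that runs the two OpenSSL steps above but first verifies that the renewed certificate actually belongs to the saved private key, which otherwise only shows up as a failure on the controller. The file names and password follow the post; the key and certificate are a constructed self-signed pair, and wlc.example.test is a placeholder name.

```sh
#!/bin/sh
# Rebuild the WLC web-auth bundle only if the renewed certificate matches the
# saved private key. Files vs.pem, myprivatekey.pem, vscert.p12 and vscert.pem
# follow the post; make_test_material creates a throwaway self-signed pair in
# the current directory so the whole script runs offline.
make_test_material() {
  openssl req -x509 -newkey rsa:2048 -nodes -keyout myprivatekey.pem -out vs.pem \
    -subj "/CN=wlc.example.test" -days 30 >/dev/null 2>&1
}

# cert_matches_key CERT KEY: succeed only if the certificate's public key is
# the public half of KEY (both compared in SubjectPublicKeyInfo PEM form).
cert_matches_key() {
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
  key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
  [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# build_wlc_bundle CERT KEY: the post's two pkcs12 steps, gated on the match
# check, followed by a sanity check that vscert.pem holds one cert and one key.
build_wlc_bundle() {
  cert_matches_key "$1" "$2" || { echo "renewed certificate does not match the saved key" >&2; return 1; }
  openssl pkcs12 -export -in "$1" -inkey "$2" -out vscert.p12 -clcerts \
    -passin pass:12345 -passout pass:12345 >/dev/null 2>&1 || return 1
  openssl pkcs12 -in vscert.p12 -out vscert.pem \
    -passin pass:12345 -passout pass:12345 >/dev/null 2>&1 || return 1
  [ "$(grep -c 'BEGIN CERTIFICATE' vscert.pem)" -eq 1 ] && grep -q 'PRIVATE KEY' vscert.pem
}
```

With a real renewal, skip make_test_material and call build_wlc_bundle vs.pem myprivatekey.pem; the resulting vscert.pem is the file the transfer download commands above expect.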


21 Apr 12 Cisco LWAP to Autonomous Conversion

Convert Cisco LWAP to Autonomous (Stand Alone)

It is a pretty straightforward process, just like converting autonomous to LWAP. The main difference is the IOS image for autonomous vs LWAP: you will usually see k9w7 in the Cisco autonomous AP image names, and rcvk9w8 in the Cisco LWAP image names. Note: always confirm that you download the correct IOS image from Cisco's website regardless of what you find on the web, in case they change their naming convention/scheme.

Now, to accomplish this task, enable command line access on the LWAP, log into it and run the following command:

archive download-sw /override /reload tftp://x.x.x.x/filename

x.x.x.x is the IP of your TFTP server. This command loads the new software onto the LWAP and then reloads the AP with the autonomous image.


07 Dec 11 Upgrading multiple Cisco Access Points to LWAP’s

If you want to upgrade multiple Cisco access points to lightweight, one way to do it is with the "Upgrade Tool". Using the upgrade tool is pretty easy, but it asks for a specific file called the "IP File", and that file has to use a certain format or the tool will not work. NOTE: The upgrade tool is not compatible with all APs; please check Cisco's website for more assistance. I tried it on 1142s and found out they are not compatible.

Simply create a text file called "IP File.txt". The contents of the file need to look like this for the upgrade tool to work:

ip-add,User,Password,Enable Password
x.x.x.x,Cisco,Cisco,Cisco

