Ok, I?ll try to uncheck the MIC certification.

The output of debug lwapp event didnt show any join message. The output of the debug pm pki enable didn?t show anithyng:

(Cisco Controller) >debug pm pki enable

(Cisco Controller) >

Cisco Controller) >debug lwapp events enable

(Cisco Controller) >

(Cisco Controller) >

Cisco Controller) >Mon May 28 16:49:54 2007: 00:15:2b:ef:22:e8 Received LWAPP DISCOVERY REQUEST from AP 00:15:2b:ef:22:e8 to ff:ff:

ff:ff:ff:ff on port '1'

Mon May 28 16:49:54 2007: 00:15:2b:ef:22:e8 Successful transmission of LWAPP Discovery-Response to AP 00:15:2b:ef:22:e8 on Port 1

(Cisco Controller) >

(Cisco Controller) >

(Cisco Controller) >Mon May 28 16:51:12 2007: 00:15:2b:ef:22:e8 Received LWAPP DISCOVERY REQUEST from AP 00:15:2b:ef:22:e8 to ff:ff:

ff:ff:ff:ff on port '1'

Mon May 28 16:51:12 2007: 00:15:2b:ef:22:e8 Successful transmission of LWAPP Discovery-Response to AP 00:15:2b:ef:22:e8 on Port 1

Thanks.

I've got the same issue.

Mon Sep 10 15:38:30 2007: 00:19:55xx:xx:xx Received LWAPP DISCOVERY REQUEST from AP...

Mon Sep 10 15:38:30 2007: Discarding L3 Mode LWAPP DISCOVERY REQUEST...

I have my MAC address listed in the AP Authorization List with cert type MIC.

I wish I had an answer for you, but I'm stuck too.

Hellow,

yes, the 1121 are upgraded. I use the v2.05 of the upgrade tool and the checking of the releases and version are ok. I use the release4.0.217 on the WLC.

The PC are insync with the upgrade tool, despite it I used the "Use the controller time" option in the upgrade tool.

But checking the output txt file of this tool, it says that there is a message:

"MIC is already configured in the AP"

looking for the line, in the troubleshooting upograde tool .pdf, it says that because there is a MIC certificate the tool will not generate any other certificate.

So, there is no .csv file to load an the WCS or any hash to append to the WLC.

I set the MAC of every AP in the WLC and ther eis no joinig.

The output of the debug lwapp events enable is like I already posted. There is no joiining message after that. And the AP reboots again and again.

You started with a 'write erase' (per the instructions) when the AP was the full IOS version?

I did that and I'm still having problems. I know my config was erased because of my ip.txt file. It is the default username, password, and enable of 'Cisco,Cisco,Cisco'.

Anything else I can look at?

Only 1 AP is a problem or all of them are a problem?

Have any APs successfully upgraded (and joined the controller)?

You have set the domain name on the WLC?

You have set the time on the WLC? Does the time match your PC within 3 secs?

What option in the upgrade tool are you using for synchronizing the time?

Which IOS version did you use to upgrade the IOS APs?

What method are you using for the APs to find the controller? DHCP option 43 or DNS (CISCO-LWAPP-CONTROLLER.domain)?

Only one AP is the problem, and it is the only one I upgraded so far. The others are 1510s and they work good.

I'm using the time from the WLC in the upgrade tool. I'm unsure how workstation time comes into play when I choose this option, as my workstation time should be ignored. And the WLC has its time set.

This is the version of IOS I'm using:c1100-rcvk9w8-tar.123-11JX1.tar

I'm using option 43. Like I said, the access point contacts the WLC, but gets rejected.

Tue Sep 11 09:14:54 2007: 00:19:55:ea:90:b4 Received LWAPP DISCOVERY REQUEST from AP 00:19:55:xx:xx:xx to ff:ff:ff:ff:ff:ff on port '29'

Tue Sep 11 09:14:54 2007: Discarding L3 Mode LWAPP DISCOVERY REQUEST on intf '29', vlan = '132', Management vlan = '31' and AP-mgr vlan = '31'.

Got it working I think...will have more later if it does not.

Tue Sep 11 13:20:06 2007: 00:19:aa:xx:xx:xx Received LWAPP PRIMARY_DISCOVERY_REQ from AP 00:19:aa:51:0b:70

Tue Sep 11 13:20:06 2007: 00:19:55:xx:xx:xx Successfully transmission of LWAPP Primary Discovery-Response to AP 00:19:55:ea:90:b4

Tue Sep 11 13:23:06 2007: 00:19:55:xx:xx:xxSuccessfully transmission of LWAPP Primary Discovery-Response to AP 00:19:55:xx:xx:xx

Had to prime the access point by sticking it on the same subnet as the WLC. I also enabled master controller mode. I feel like I got a bit further, but still not all the way there.

Got it figured out. Prime it by setting the WLC to master controller mode and temporarily move the AP to the same VLAN as the AP management interface (not the AP manager interface). I had to do that and reboot the WLC.

Javier, APs with MIC will not have a SSC hash to import. Just add the AP to the authorization list by MAC address and choose MIC for the cert type.

So it sounds like your only issue was the AP's ability to locate the controller. Most likely because you don't have DHCP option 43 setup properly for that legacy IOS AP type.

Rather than 'master controller' mode, and layer2 connecting the AP to the AP manager vlan, you could create a DNS entry for CISCO-LWAPP-CONTROLLER. and point it to the management ip of the wlc (NOT the AP manager ip as the AP manager ip will not reply to any request). This is a more durable (and secure) solution and covers more scenerios.

You understand the DHCP option 43 configuration differences for IOS APs (Aironet, i.e. 1131,1231) and the Airespace APs (i.e. 1000,1100,1500)? The Aironet (IOS conversion) APs require model specific binary custom DHCP option 43 TLVs; while the Airespace APs simply read the option 43 text field. See the configuration guide and release notes. There is also a specific document with specific instructions for a Microsoft DHCP server.

Note that in all cases you need to point the APs to the WLC management IP rather than the WLC ap manager ip(s). Obviously, reachability between the AP ip and the WLC ap manager ip is required as well.

The time synchronization is critical because the update puts a signed config and multiple certificates on the AP. If the time on the AP is not close to the time on the controller, then the certificate install will fail.

Be careful with dhcp option 43 on the legacy IOS APs, it is not as simple as adding a single entry on your dhcp server. The IOS APs need binary option 43 information specific to the model of AP (see the configuration guide).

In most cases it is easier to use DNS (CISCO-LWAPP-CONTROLLER.) or L2 master controller mode to initialize the AP.

The Airespace APs (1000,1100,1500) simply use dhcp option 43 which is different than the ios APs.

It sounds to me like you have a certificate signing issue (which may be a clock sync issue) so the AP cannot send valid requests to the controller, or the AP is not even trying to reach the controller because it has erroneous dhcp option 43 info.