why ap1121G-A cant join 4404 WLC

Answered Question
Sep 27th, 2009

when update ap1121 to LAP,the ap1121 cant join WLC4404,and cant telnet ap1121 on the pc.the wlc version is 6.0.182.0

I have this problem too.
0 votes
Correct Answer by QFX527518 about 7 years 1 month ago

first,thanks everyone.now the problem had resulation.because the ap belong to us.so when we add the country code .the ap can join WLC.

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (2 ratings)
Loading.
Gustavo Novais Sun, 09/27/2009 - 08:56

Can you be a bit more descriptive?

How did you do the conversion to LWAPP of the AP?

Did you add the AP's Self Signed Certificate to the Controller?

George Stefanick Sun, 09/27/2009 - 17:52

console into the ap, start it up and dump the view file ... we can take a look at it ...

goldtechcco Sun, 09/27/2009 - 23:15

first thx.

we use the upgradeTool to lwAPP the 1121 ap.

like this,1130 or 1230 ap can join the wlc.but the 1121 cant.

other ,how to add the ap ssc to the controller?

jeff.kish Mon, 09/28/2009 - 07:07

Using the controller GUI, click the Security Tab and look on the left for AAA->AP Policies. Click the Add button in the top-right and use the provided form to enter the AP's MAC address and SSC (you'll need to select SSC from the drop-down menu).

Hopefully you have the SSC, which should have been provided by the upgrade tool. If not, you can reset the 1121 to autonomous using the standard reset procedure:

Configure a TFTP server/PC to use the address 10.0.0.2

Place an 1100 autonomous image in the TFTP root directory

Rename the file "c1100-k9w7-tar.default"

Connect the PC to the AP using a crossover cable

Turn the AP off, then power it back on while holding the MODE button

Release the button once the AP LEDs turn red

Once downgraded to autonomous, you can re-upgrade to lightweight, this time securing the SSC from the tool.

Jeff

goldtechcco Tue, 09/29/2009 - 00:16

now have re-upgrade the ap,but still cant join the wlc.

first,when want join the SSC,but wlc require SHA1 Key Hash (hex only),where can find the sha1 key?

when the ap update,still cant telnet or url the ap.

goldtechcco Fri, 10/09/2009 - 17:53

today,try obtain the key,but cant,why?

under information about the debug pm pki enable.

*Oct 10 09:17:53.077: sshpmGetIssuerHandles: locking ca cert table

*Oct 10 09:17:53.077: sshpmGetIssuerHandles: calling x509_alloc() for user cert

*Oct 10 09:17:53.077: sshpmGetIssuerHandles: calling x509_decode()

*Oct 10 09:17:53.080: sshpmGetIssuerHandles: C=US, ST=California, L=San Jose, O=Cisco Systems, CN=C1100-001b539b2a46, MAILTO=[email protected]

*Oct 10 09:17:53.080: sshpmGetIssuerHandles: O=Cisco Systems, CN=Cisco Manufacturing CA

*Oct 10 09:17:53.080: sshpmGetIssuerHandles: Mac Address in subject is 00:1b:53:9b:2a:46

*Oct 10 09:17:53.080: sshpmGetIssuerHandles: Cert Name in subject is C1100-001b539b2a46

*Oct 10 09:17:53.080: sshpmGetIssuerHandles: Cert is issued by Cisco Systems.

*Oct 10 09:17:53.080: sshpmGetCID: called to evaluate

*Oct 10 09:17:53.080: sshpmGetCID: comparing to row 0, CA cert >bsnOldDefaultCaCert<

*Oct 10 09:17:53.080: sshpmGetCID: comparing to row 1, CA cert >bsnDefaultRootCaCert<

*Oct 10 09:17:53.080: sshpmGetCID: comparing to row 2, CA cert >bsnDefaultCaCert<

*Oct 10 09:17:53.080: sshpmGetCID: comparing to row 3, CA cert >bsnDefaultBuildCert<

*Oct 10 09:17:53.080: sshpmGetCID: comparing to row 4, CA cert >cscoDefaultNewRootCaCert<

*Oct 10 09:17:53.080: sshpmGetCID: comparing to row 5, CA cert >cscoDefaultMfgCaCert<

*Oct 10 09:17:53.080: sshpmGetCertFromCID: called to get cert for CID 226db043

*Oct 10 09:17:53.080: sshpmGetCertFromCID: comparing to row 0, certname >bsnOldDefaultCaCert<

*Oct 10 09:17:53.080: sshpmGetCertFromCID: comparing to row 1, certname >bsnDefaultRootCaCert<

*Oct 10 09:17:53.080: sshpmGetCertFromCID: comparing to row 2, certname >bsnDefaultCaCert<

*Oct 10 09:17:53.080: sshpmGetCertFromCID: comparing to row 3, certname >bsnDefaultBuildCert<

*Oct 10 09:17:53.080: sshpmGetCertFromCID: comparing to row 4, certname >cscoDefaultNewRootCaCert<

*Oct 10 09:17:53.080: sshpmGetCertFromCID: comparing to row 5, certname >cscoDefaultMfgCaCert<

*Oct 10 09:17:53.080: ssphmUserCertVerify: calling x509_decode()

*Oct 10 09:17:53.087: ssphmUserCertVerify: user cert verfied using >cscoDefaultMfgCaCert<

*Oct 10 09:17:53.087: sshpmGetIssuerHandles: ValidityString (current): 2009/10/10/09:17:53

*Oct 10 09:17:53.087: sshpmGetIssuerHandles: ValidityString (NotBefore): 2007/03/19/06:38:29

*Oct 10 09:17:53.087: sshpmGetIssuerHandles: ValidityString (NotAfter): 2017/03/19/06:48:29

*Oct 10 09:17:53.087: sshpmGetIssuerHandles: getting cisco ID cert handle...

*Oct 10 09:17:53.087: sshpmGetCID: called to evaluate

*Oct 10 09:17:53.087: sshpmGetCID: comparing to row 0, CA cert >bsnOldDefaultCaCert<

*Oct 10 09:17:53.087: sshpmGetCID: comparing to row 1, CA cert >bsnDefaultRootCaCert<

*Oct 10 09:17:53.087: sshpmGetCID: comparing to row 2, CA cert >bsnDefaultCaCert<

*Oct 10 09:17:53.087: sshpmGetCID: comparing to row 3, CA cert >bsnDefaultBuildCert<

*Oct 10 09:17:53.087: sshpmGetCID: comparing to row 4, CA cert >cscoDefaultNewRootCaCert<

*Oct 10 09:17:53.087: sshpmGetCID: comparing to row 5, CA cert >cscoDefaultMfgCaCert<

*Oct 10 09:17:53.087: sshpmGetCID: comparing to row 0, ID cert >bsnOldDefaultIdCert<

*Oct 10 09:17:53.087: sshpmGetCID: comparing to row 1, ID cert >bsnDefaultIdCert<

*Oct 10 09:17:53.087: sshpmGetCID: comparing to row 2, ID cert >cscoDefaultIdCert<

*Oct 10 09:17:53.088: sshpmFreePublicKeyHandle: called with 0x18cd4abc

retiredmarine Tue, 09/29/2009 - 02:12

read the release notes, the 1120 is no longer supported, i believe as of 5.0.

JASON BOYERS Sun, 10/11/2009 - 18:55

1121Gs (listed as 1100s) are still supported, per the 6.0.182.0 release notes.

Correct Answer
QFX527518 Mon, 11/02/2009 - 00:31

first,thanks everyone.now the problem had resulation.because the ap belong to us.so when we add the country code .the ap can join WLC.

I ran into the exactly same problem and found out that it is probably related to this:

http://www.cisco.com/en/US/ts/fn/200/fn21973.html

(we didn't care back then, 11 channels were enough and TX power could be limited)

All our units with affected serial numbers (ex. FHK0645....) don't work after the conversion, because the country code on the Controller is -E. They load the recovery image and connect to the controller, but once the controller image is downloaded they end up in a reboot loop.

So thanks for the hint.

Greetings

Rufer

Actions

This Discussion

 

 

Trending Topics: Other Wireless Mobility

client could not be authenticated
Network Analysis Module (NAM) Products
Cisco 6500 nam
reason 440 driver failure
Cisco password cracker
Cisco Wireless mode