console into the ap, start it up and dump the view file ... we can take a look at it ...

thx.the 1121 ap has not console port.only has ethernet port.

first thx.

we use the upgradeTool to lwAPP the 1121 ap.

like this,1130 or 1230 ap can join the wlc.but the 1121 cant.

other ,how to add the ap ssc to the controller?

Using the controller GUI, click the Security Tab and look on the left for AAA->AP Policies. Click the Add button in the top-right and use the provided form to enter the AP's MAC address and SSC (you'll need to select SSC from the drop-down menu).

Hopefully you have the SSC, which should have been provided by the upgrade tool. If not, you can reset the 1121 to autonomous using the standard reset procedure:

Configure a TFTP server/PC to use the address 10.0.0.2

Place an 1100 autonomous image in the TFTP root directory

Rename the file "c1100-k9w7-tar.default"

Connect the PC to the AP using a crossover cable

Turn the AP off, then power it back on while holding the MODE button

Release the button once the AP LEDs turn red

Once downgraded to autonomous, you can re-upgrade to lightweight, this time securing the SSC from the tool.

Jeff

by the way,all the ap should use SSC.like 1130\1230.

now have re-upgrade the ap,but still cant join the wlc.

first,when want join the SSC,but wlc require SHA1 Key Hash (hex only),where can find the sha1 key?

when the ap update,still cant telnet or url the ap.

As others have said, you need to add the SSC hash to the WLC, in order to get the AP to join.

http://www.cisco.com/en/US/products/ps6366/products_configuration_example09186a00806a426c.shtml

Btw, the AP1120 (as long as it has the G not B radio) *is* still supported, as of WLC 6.0.

Thanks Aaron, that's a great link for finding the hash.

today,try obtain the key,but cant,why?

under information about the debug pm pki enable.

*Oct 10 09:17:53.077: sshpmGetIssuerHandles: locking ca cert table

*Oct 10 09:17:53.077: sshpmGetIssuerHandles: calling x509_alloc() for user cert

*Oct 10 09:17:53.077: sshpmGetIssuerHandles: calling x509_decode()

*Oct 10 09:17:53.080: sshpmGetIssuerHandles: C=US, ST=California, L=San Jose, O=Cisco Systems, CN=C1100-001b539b2a46, MAILTO=support@cisco.com

*Oct 10 09:17:53.080: sshpmGetIssuerHandles: O=Cisco Systems, CN=Cisco Manufacturing CA

*Oct 10 09:17:53.080: sshpmGetIssuerHandles: Mac Address in subject is 00:1b:53:9b:2a:46

*Oct 10 09:17:53.080: sshpmGetIssuerHandles: Cert Name in subject is C1100-001b539b2a46

*Oct 10 09:17:53.080: sshpmGetIssuerHandles: Cert is issued by Cisco Systems.

*Oct 10 09:17:53.080: sshpmGetCID: called to evaluate

*Oct 10 09:17:53.080: sshpmGetCID: comparing to row 0, CA cert >bsnOldDefaultCaCert<

*Oct 10 09:17:53.080: sshpmGetCID: comparing to row 1, CA cert >bsnDefaultRootCaCert<

*Oct 10 09:17:53.080: sshpmGetCID: comparing to row 2, CA cert >bsnDefaultCaCert<

*Oct 10 09:17:53.080: sshpmGetCID: comparing to row 3, CA cert >bsnDefaultBuildCert<

*Oct 10 09:17:53.080: sshpmGetCID: comparing to row 4, CA cert >cscoDefaultNewRootCaCert<

*Oct 10 09:17:53.080: sshpmGetCID: comparing to row 5, CA cert >cscoDefaultMfgCaCert<

*Oct 10 09:17:53.080: sshpmGetCertFromCID: called to get cert for CID 226db043

*Oct 10 09:17:53.080: sshpmGetCertFromCID: comparing to row 0, certname >bsnOldDefaultCaCert<

*Oct 10 09:17:53.080: sshpmGetCertFromCID: comparing to row 1, certname >bsnDefaultRootCaCert<

*Oct 10 09:17:53.080: sshpmGetCertFromCID: comparing to row 2, certname >bsnDefaultCaCert<

*Oct 10 09:17:53.080: sshpmGetCertFromCID: comparing to row 3, certname >bsnDefaultBuildCert<

*Oct 10 09:17:53.080: sshpmGetCertFromCID: comparing to row 4, certname >cscoDefaultNewRootCaCert<

*Oct 10 09:17:53.080: sshpmGetCertFromCID: comparing to row 5, certname >cscoDefaultMfgCaCert<

*Oct 10 09:17:53.080: ssphmUserCertVerify: calling x509_decode()

*Oct 10 09:17:53.087: ssphmUserCertVerify: user cert verfied using >cscoDefaultMfgCaCert<

*Oct 10 09:17:53.087: sshpmGetIssuerHandles: ValidityString (current): 2009/10/10/09:17:53

*Oct 10 09:17:53.087: sshpmGetIssuerHandles: ValidityString (NotBefore): 2007/03/19/06:38:29

*Oct 10 09:17:53.087: sshpmGetIssuerHandles: ValidityString (NotAfter): 2017/03/19/06:48:29

*Oct 10 09:17:53.087: sshpmGetIssuerHandles: getting cisco ID cert handle...

*Oct 10 09:17:53.087: sshpmGetCID: called to evaluate

*Oct 10 09:17:53.087: sshpmGetCID: comparing to row 0, CA cert >bsnOldDefaultCaCert<

*Oct 10 09:17:53.087: sshpmGetCID: comparing to row 1, CA cert >bsnDefaultRootCaCert<

*Oct 10 09:17:53.087: sshpmGetCID: comparing to row 2, CA cert >bsnDefaultCaCert<

*Oct 10 09:17:53.087: sshpmGetCID: comparing to row 3, CA cert >bsnDefaultBuildCert<

*Oct 10 09:17:53.087: sshpmGetCID: comparing to row 4, CA cert >cscoDefaultNewRootCaCert<

*Oct 10 09:17:53.087: sshpmGetCID: comparing to row 5, CA cert >cscoDefaultMfgCaCert<

*Oct 10 09:17:53.087: sshpmGetCID: comparing to row 0, ID cert >bsnOldDefaultIdCert<

*Oct 10 09:17:53.087: sshpmGetCID: comparing to row 1, ID cert >bsnDefaultIdCert<

*Oct 10 09:17:53.087: sshpmGetCID: comparing to row 2, ID cert >cscoDefaultIdCert<

*Oct 10 09:17:53.088: sshpmFreePublicKeyHandle: called with 0x18cd4abc

1121Gs (listed as 1100s) are still supported, per the 6.0.182.0 release notes.

I ran into the exactly same problem and found out that it is probably related to this:

http://www.cisco.com/en/US/ts/fn/200/fn21973.html

(we didn't care back then, 11 channels were enough and TX power could be limited)

All our units with affected serial numbers (ex. FHK0645....) don't work after the conversion, because the country code on the Controller is -E. They load the recovery image and connect to the controller, but once the controller image is downloaded they end up in a reboot loop.

So thanks for the hint.

Greetings

Rufer