09-27-2009 01:00 AM - edited 07-03-2021 06:05 PM
when update ap1121 to LAP,the ap1121 cant join WLC4404,and cant telnet ap1121 on the pc.the wlc version is 6.0.182.0
Solved! Go to Solution.
11-02-2009 12:31 AM
first,thanks everyone.now the problem had resulation.because the ap belong to us.so when we add the country code .the ap can join WLC.
09-27-2009 08:56 AM
Can you be a bit more descriptive?
How did you do the conversion to LWAPP of the AP?
Did you add the AP's Self Signed Certificate to the Controller?
09-27-2009 05:52 PM
console into the ap, start it up and dump the view file ... we can take a look at it ...
09-27-2009 11:16 PM
thx.the 1121 ap has not console port.only has ethernet port.
09-27-2009 11:15 PM
first thx.
we use the upgradeTool to lwAPP the 1121 ap.
like this,1130 or 1230 ap can join the wlc.but the 1121 cant.
other ,how to add the ap ssc to the controller?
09-28-2009 07:07 AM
Using the controller GUI, click the Security Tab and look on the left for AAA->AP Policies. Click the Add button in the top-right and use the provided form to enter the AP's MAC address and SSC (you'll need to select SSC from the drop-down menu).
Hopefully you have the SSC, which should have been provided by the upgrade tool. If not, you can reset the 1121 to autonomous using the standard reset procedure:
Configure a TFTP server/PC to use the address 10.0.0.2
Place an 1100 autonomous image in the TFTP root directory
Rename the file "c1100-k9w7-tar.default"
Connect the PC to the AP using a crossover cable
Turn the AP off, then power it back on while holding the MODE button
Release the button once the AP LEDs turn red
Once downgraded to autonomous, you can re-upgrade to lightweight, this time securing the SSC from the tool.
Jeff
09-28-2009 07:59 PM
by the way,all the ap should use SSC.like 1130\1230.
09-29-2009 12:16 AM
now have re-upgrade the ap,but still cant join the wlc.
first,when want join the SSC,but wlc require SHA1 Key Hash (hex only),where can find the sha1 key?
when the ap update,still cant telnet or url the ap.
09-29-2009 04:47 PM
As others have said, you need to add the SSC hash to the WLC, in order to get the AP to join.
http://www.cisco.com/en/US/products/ps6366/products_configuration_example09186a00806a426c.shtml
Btw, the AP1120 (as long as it has the G not B radio) *is* still supported, as of WLC 6.0.
09-30-2009 07:48 AM
Thanks Aaron, that's a great link for finding the hash.
10-09-2009 05:53 PM
today,try obtain the key,but cant,why?
under information about the debug pm pki enable.
*Oct 10 09:17:53.077: sshpmGetIssuerHandles: locking ca cert table
*Oct 10 09:17:53.077: sshpmGetIssuerHandles: calling x509_alloc() for user cert
*Oct 10 09:17:53.077: sshpmGetIssuerHandles: calling x509_decode()
*Oct 10 09:17:53.080: sshpmGetIssuerHandles:
*Oct 10 09:17:53.080: sshpmGetIssuerHandles:
*Oct 10 09:17:53.080: sshpmGetIssuerHandles: Mac Address in subject is 00:1b:53:9b:2a:46
*Oct 10 09:17:53.080: sshpmGetIssuerHandles: Cert Name in subject is C1100-001b539b2a46
*Oct 10 09:17:53.080: sshpmGetIssuerHandles: Cert is issued by Cisco Systems.
*Oct 10 09:17:53.080: sshpmGetCID: called to evaluate
*Oct 10 09:17:53.080: sshpmGetCID: comparing to row 0, CA cert >bsnOldDefaultCaCert<
*Oct 10 09:17:53.080: sshpmGetCID: comparing to row 1, CA cert >bsnDefaultRootCaCert<
*Oct 10 09:17:53.080: sshpmGetCID: comparing to row 2, CA cert >bsnDefaultCaCert<
*Oct 10 09:17:53.080: sshpmGetCID: comparing to row 3, CA cert >bsnDefaultBuildCert<
*Oct 10 09:17:53.080: sshpmGetCID: comparing to row 4, CA cert >cscoDefaultNewRootCaCert<
*Oct 10 09:17:53.080: sshpmGetCID: comparing to row 5, CA cert >cscoDefaultMfgCaCert<
*Oct 10 09:17:53.080: sshpmGetCertFromCID: called to get cert for CID 226db043
*Oct 10 09:17:53.080: sshpmGetCertFromCID: comparing to row 0, certname >bsnOldDefaultCaCert<
*Oct 10 09:17:53.080: sshpmGetCertFromCID: comparing to row 1, certname >bsnDefaultRootCaCert<
*Oct 10 09:17:53.080: sshpmGetCertFromCID: comparing to row 2, certname >bsnDefaultCaCert<
*Oct 10 09:17:53.080: sshpmGetCertFromCID: comparing to row 3, certname >bsnDefaultBuildCert<
*Oct 10 09:17:53.080: sshpmGetCertFromCID: comparing to row 4, certname >cscoDefaultNewRootCaCert<
*Oct 10 09:17:53.080: sshpmGetCertFromCID: comparing to row 5, certname >cscoDefaultMfgCaCert<
*Oct 10 09:17:53.080: ssphmUserCertVerify: calling x509_decode()
*Oct 10 09:17:53.087: ssphmUserCertVerify: user cert verfied using >cscoDefaultMfgCaCert<
*Oct 10 09:17:53.087: sshpmGetIssuerHandles: ValidityString (current): 2009/10/10/09:17:53
*Oct 10 09:17:53.087: sshpmGetIssuerHandles: ValidityString (NotBefore): 2007/03/19/06:38:29
*Oct 10 09:17:53.087: sshpmGetIssuerHandles: ValidityString (NotAfter): 2017/03/19/06:48:29
*Oct 10 09:17:53.087: sshpmGetIssuerHandles: getting cisco ID cert handle...
*Oct 10 09:17:53.087: sshpmGetCID: called to evaluate
*Oct 10 09:17:53.087: sshpmGetCID: comparing to row 0, CA cert >bsnOldDefaultCaCert<
*Oct 10 09:17:53.087: sshpmGetCID: comparing to row 1, CA cert >bsnDefaultRootCaCert<
*Oct 10 09:17:53.087: sshpmGetCID: comparing to row 2, CA cert >bsnDefaultCaCert<
*Oct 10 09:17:53.087: sshpmGetCID: comparing to row 3, CA cert >bsnDefaultBuildCert<
*Oct 10 09:17:53.087: sshpmGetCID: comparing to row 4, CA cert >cscoDefaultNewRootCaCert<
*Oct 10 09:17:53.087: sshpmGetCID: comparing to row 5, CA cert >cscoDefaultMfgCaCert<
*Oct 10 09:17:53.087: sshpmGetCID: comparing to row 0, ID cert >bsnOldDefaultIdCert<
*Oct 10 09:17:53.087: sshpmGetCID: comparing to row 1, ID cert >bsnDefaultIdCert<
*Oct 10 09:17:53.087: sshpmGetCID: comparing to row 2, ID cert >cscoDefaultIdCert<
*Oct 10 09:17:53.088: sshpmFreePublicKeyHandle: called with 0x18cd4abc
09-29-2009 02:12 AM
read the release notes, the 1120 is no longer supported, i believe as of 5.0.
10-11-2009 06:55 PM
1121Gs (listed as 1100s) are still supported, per the 6.0.182.0 release notes.
11-02-2009 12:31 AM
first,thanks everyone.now the problem had resulation.because the ap belong to us.so when we add the country code .the ap can join WLC.
11-13-2009 09:18 AM
I ran into the exactly same problem and found out that it is probably related to this:
http://www.cisco.com/en/US/ts/fn/200/fn21973.html
(we didn't care back then, 11 channels were enough and TX power could be limited)
All our units with affected serial numbers (ex. FHK0645....) don't work after the conversion, because the country code on the Controller is -E. They load the recovery image and connect to the controller, but once the controller image is downloaded they end up in a reboot loop.
So thanks for the hint.
Greetings
Rufer
Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: