09-06-2013 06:29 AM - edited 07-04-2021 12:46 AM
Should a 1231 AP be able to join a 5508 running 6.0 IOS? I changed this unit from autonomous to lwap before attempting this.
The ap receives an IP addr. but I see the following messages on the AP:
*Mar 1 00:04:18.721: %DHCP-6-ADDRESS_ASSIGN: Interface FastEthernet0 assigned DHCP address 10.49.12.205, mask 255.255.0.0, hostname AP0011.212d.2f98
*Mar 1 00:04:41.599: LWAPP_CLIENT_ERROR_DEBUG: spamHandleDiscoveryTimer : Found the discovery response from MASTER Mwar
*Sep 6 13:00:48.022: LWAPP_CLIENT_ERROR_DEBUG:
*Sep 6 13:00:48.023: peer certificate verification failed
*Sep 6 13:00:48.023: LWAPP_CLIENT_ERROR_DEBUG: spamDecodeJoinReply : Certificate is not valid
*Sep 6 13:00:48.023: LWAPP_CLIENT_ERROR_DEBUG: Unable to decode join reply
*Sep 6 13:00:52.744: LWAPP_CLIENT_ERROR_DEBUG: spamHandleJoinTimer: Did not recieve the Join response
*Sep 6 13:00:52.744: LWAPP_CLIENT_ERROR_DEBUG: No more AP manager IP addresses remain.
*Sep 6 13:00:52.744: %SYS-5-RELOAD: Reload requested by LWAPP CLIENT. Reload Reason: DID NOT GET JOIN RESPONSE.
*Sep 6 13:00:52.745: %LWAPP-5-CHANGED: LWAPP changed state to DOWN
Xmodem file system is available.
The time by the way is correct on the 5508. Here is what I see on 5508.
*Sep 06 09:22:49.622: sshpmPrivateKeyEncrypt: RSA_private_encrypt returned 256
*Sep 06 09:22:49.622: sshpmPrivateKeyEncrypt: encrypted bytes: 512
*Sep 06 09:23:52.476: sshpmLscTask: LSC Task received a message 4
*Sep 06 09:24:19.477: sshpmFreePublicKeyHandle: called with 0x1c9a35a4
*Sep 06 09:24:19.477: sshpmFreePublicKeyHandle: freeing public key
*Sep 06 09:25:52.476: sshpmLscTask: LSC Task received a message 4
09-09-2013 05:21 AM
Turn off RLDP!!! You don't need this enabled. When you have this enabled, it will kick clients off the AP which you are seeing.
Sent from Cisco Technical Support iPhone App
09-06-2013 06:33 AM
Did you use the upgrade tool?
09-06-2013 06:36 AM
No.
09-06-2013 06:39 AM
You need to because the Upgrade Tool will insert the certificate into the 1230.
09-06-2013 06:41 AM
Laohoo
So what are my options now?
09-06-2013 06:54 AM
Use the upgrade tool. You can still use it. Just follow instructions.
09-06-2013 07:03 AM
When I use the tool it tells me to supply the IP, login ID and password of the AP, but the AP keeps rebooting over and over again, and sometimes it gets a new DHCP-supplied IP and sometimes it reports the static IP it had before conversion.
In addition there is no login and password on the AP.
Here is the show run
0011.212d.2f98#sh run
Building configuration...
Current configuration : 3397 bytes
!
version 12.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname AP0011.212d.2f98
!
!
ip subnet-zero
ip name-server 10.49.4.75
!
crypto pki trustpoint CISCO_IOS_SSC_Cert
enrollment selfsigned
fqdn none
ip-address none
subject-name cn=C1200-0011212d2f98 , ea=support@cisco.com, o=Cisco Systems, C=US, ST=California, L=San Jose
revocation-check none
rsakeypair CISCO_IOS_SSC_Keys
!
!
crypto ca certificate chain CISCO_IOS_SSC_Cert
certificate self-signed 01
quit
!
!
interface FastEthernet0
ip address 10.52.16.10 255.255.254.0
no ip route-cache
duplex auto
speed auto
!
ip default-gateway 10.52.17.254
!
line con 0
transport preferred all
transport output all
line vty 0 4
login
transport preferred all
transport input none
transport output all
line vty 5 15
login
transport preferred all
transport input none
transport output all
!
end
AP0011.212d.2f98#
09-06-2013 07:17 AM
Hi John,
Here is a config example how you can add a SSC to your WLC from your AP. No need to reimage the ap just follow these instructions closely.
If you find this helpful please support the rating system!
Thanks
http://www.cisco.com/en/US/products/ps6366/products_configuration_example09186a00806a426c.shtml
__________________________________________________________________________________________
"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
__________________________________________________________________________________________
"I'm in a serious relationship with my Wi-Fi. You could say we have a connection."
09-06-2013 07:18 AM
Here is a quick recap of the command and the SSC
Enable the debugging on the WLC command-line interface (CLI).
The command is debug pm pki enable.
(Cisco Controller) >debug pm pki enable
Mon May 22 06:34:10 2006: sshpmGetIssuerHandles: getting (old) aes ID cert handle...
Mon May 22 06:34:10 2006: sshpmGetCID: called to evaluate
Mon May 22 06:34:10 2006: sshpmGetCID: comparing to row 0, CA cert >bsnOldDefaultCaCert<
Mon May 22 06:34:10 2006: sshpmGetCID: comparing to row 1, CA cert >bsnDefaultRootCaCert<
Mon May 22 06:34:10 2006: sshpmGetCID: comparing to row 2, CA cert >bsnDefaultCaCert<
Mon May 22 06:34:10 2006: sshpmGetCID: comparing to row 3, CA cert >bsnDefaultBuildCert<
Mon May 22 06:34:10 2006: sshpmGetCID: comparing to row 4, CA cert >cscoDefaultNewRootCaCert<
Mon May 22 06:34:10 2006: sshpmGetCID: comparing to row 5, CA cert >cscoDefaultMfgCaCert<
Mon May 22 06:34:10 2006: sshpmGetCID: comparing to row 0, ID cert >bsnOldDefaultIdCert<
Mon May 22 06:34:10 2006: sshpmGetIssuerHandles: Calculate SHA1 hash on Public Key Data
Mon May 22 06:34:10 2006: sshpmGetIssuerHandles: Key Data 30820122 300d0609 2a864886 f70d0101
Mon May 22 06:34:10 2006: sshpmGetIssuerHandles: Key Data 01050003 82010f00 3082010a 02820101
Mon May 22 06:34:10 2006: sshpmGetIssuerHandles: Key Data 00c805cd 7d406ea0 cad8df69 b366fd4c
Mon May 22 06:34:10 2006: sshpmGetIssuerHandles: Key Data 82fc0df0 39f2bff7 ad425fa7 face8f15
Mon May 22 06:34:10 2006: sshpmGetIssuerHandles: Key Data f356a6b3 9b876251 43b95a34 49292e11
Mon May 22 06:34:10 2006: sshpmGetIssuerHandles: Key Data 038181eb 058c782e 56f0ad91 2d61a389
Mon May 22 06:34:10 2006: sshpmGetIssuerHandles: Key Data f81fa6ce cd1f400b b5cf7cef 06ba4375
Mon May 22 06:34:10 2006: sshpmGetIssuerHandles: Key Data dde0648e c4d63259 774ce74e 9e2fde19
Mon May 22 06:34:10 2006: sshpmGetIssuerHandles: Key Data 0f463f9e c77b79ea 65d8639b d63aa0e3
Mon May 22 06:34:10 2006: sshpmGetIssuerHandles: Key Data 7dd485db 251e2e07 9cd31041 b0734a55
Mon May 22 06:34:14 2006: sshpmGetIssuerHandles: Key Data 463fbacc 1a61502d c54e75f2 6d28fc6b
Mon May 22 06:34:14 2006: sshpmGetIssuerHandles: Key Data 82315490 881e3e31 02d37140 7c9c865a
Mon May 22 06:34:14 2006: sshpmGetIssuerHandles: Key Data 9ef3311b d514795f 7a9bac00 d13ff85f
Mon May 22 06:34:14 2006: sshpmGetIssuerHandles: Key Data 97e1a693 f9f6c5cb 88053e8b 7fae6d67
Mon May 22 06:34:14 2006: sshpmGetIssuerHandles: Key Data ca364f6f 76cf78bc bc1acc13 0d334aa6
Mon May 22 06:34:14 2006: sshpmGetIssuerHandles: Key Data 031fb2a3 b5e572df 2c831e7e f765b7e5
Mon May 22 06:34:14 2006: sshpmGetIssuerHandles: Key Data fe64641f de2a6fe3 23311756 8302b8b8
Mon May 22 06:34:14 2006: sshpmGetIssuerHandles: Key Data 1bfae1a8 eb076940 280cbed1 49b2d50f
Mon May 22 06:34:14 2006: sshpmGetIssuerHandles: Key Data f7020301 0001
Mon May 22 06:34:14 2006: sshpmGetIssuerHandles: SSC Key Hash is 9e4ddd8dfcdd8458ba7b273fc37284b31a384eb9
Mon May 22 06:34:14 2006: LWAPP Join-Request MTU path from AP 00:0e:84:32:04:f0 is 1500, remote debug mode is 0
Mon May 22 06:34:14 2006: spamRadiusProcessResponse: AP Authorization failure for 00:0e:84:32:04:f0
__________________________________________________________________________________________
"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
__________________________________________________________________________________________
"I'm in a serious relationship with my Wi-Fi. You could say we have a connection."
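An added example, not part of the thread or of Cisco's documentation: a Python check that pairs each "SSC Key Hash is" line in `debug pm pki enable` output with the Join-Request line that follows it, then compares that hash with the SSC rows of `show auth-list`. Only the first hash/MAC pair comes from the output quoted above; the other sample lines, the `00:00:5e:00:53:xx` MACs and all function names are constructed for illustration.

```python
import re
MAC = r"((?:[0-9a-f]{2}:){5}[0-9a-f]{2})"
HASH_RE = re.compile(r"SSC Key Hash is ([0-9a-f]{40})", re.I)
JOIN_RE = re.compile(r"Join-Request .* from AP " + MAC, re.I)
AUTH_RE = re.compile(MAC + r"\s+SSC\s+([0-9a-f]{40})\s*$", re.I)

# Constructed sample input; only the first hash/MAC pair is from the quoted debug output.
DEBUG = """\
Mon May 22 06:34:14 2006: sshpmGetIssuerHandles: SSC Key Hash is 9e4ddd8dfcdd8458ba7b273fc37284b31a384eb9
Mon May 22 06:34:14 2006: LWAPP Join-Request MTU path from AP 00:0e:84:32:04:f0 is 1500, remote debug mode is 0
Mon May 22 06:35:02 2006: sshpmGetIssuerHandles: SSC Key Hash is 1111111111111111111111111111111111111111
Mon May 22 06:35:02 2006: LWAPP Join-Request MTU path from AP 00:00:5e:00:53:02 is 1500, remote debug mode is 0
Mon May 22 06:35:40 2006: sshpmGetIssuerHandles: SSC Key Hash is 3333333333333333333333333333333333333333
Mon May 22 06:35:40 2006: LWAPP Join-Request MTU path from AP 00:00:5e:00:53:03 is 1500, remote debug mode is 0
"""
AUTH_LIST = """\
Allow APs with SSC - Self-Signed Certificate..... enabled
00:00:5e:00:53:02         SSC          2222222222222222222222222222222222222222
00:00:5e:00:53:03         SSC          3333333333333333333333333333333333333333
"""

def hashes_seen(debug_text):
    """Map AP MAC -> hash logged just before its Join-Request (ordering assumed from the output above)."""
    seen, pending = {}, None
    for line in debug_text.splitlines():
        if m := HASH_RE.search(line):
            pending = m.group(1).lower()
        elif pending and (m := JOIN_RE.search(line)):
            seen[m.group(1).lower()] = pending
            pending = None
    return seen

def configured(show_text):
    """Map AP MAC -> SSC key hash from the table rows of `show auth-list`."""
    rows = (AUTH_RE.search(line) for line in show_text.splitlines())
    return {m.group(1).lower(): m.group(2).lower() for m in rows if m}

def audit(debug_text, show_text):
    """Return (mac, status, hash_seen) tuples; status is ok, mismatch or missing."""
    conf = configured(show_text)
    result = []
    for mac, seen in sorted(hashes_seen(debug_text).items()):
        status = "missing" if mac not in conf else "ok" if conf[mac] == seen else "mismatch"
        result.append((mac, status, seen))
    return result

if __name__ == "__main__":
    for mac, status, seen in audit(DEBUG, AUTH_LIST):
        print(f"{mac}  {status:8}  hash in join request: {seen}")
```

A "missing" or "mismatch" row means the controller's auth-list entry for that AP does not carry the hash the controller computed from the certificate the AP actually presented.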
09-06-2013 07:43 AM
Thanks for the interest
I can see that the mac and hash were already in the 5508 but I removed and re-added anyway.
Here is what I now see.
(Cisco Controller) >show auth-list
Authorize MIC APs against AAA ................... disabled
Authorize LSC APs against Auth-List ............. disabled
Allow APs with MIC - Manufactured Installed C.... disabled
Allow APs with SSC - Self-Signed Certificate..... enabled
Allow APs with LSC - Locally Significant Cert.... disabled
Mac Addr Cert Type Key Hash
----------------------- ---------- ------------------------------------------
00:11:21:2d:2f:98 SSC 9997342e5108e5574112af3b09c4902f84017ff2
(Cisco Controller) >show ap summary
Number of APs.................................... 0
Global AP User Name.............................. superuser
Global AP Dot1x User Name........................ Not Configured
AP Name Slots AP Model Ethernet MAC Location Port Country Priority
------------------ ----- ------------------- ----------------- ---------------- ---- ------- ------
The AP continues to reboot over and over. Sometimes there is a DHCP-provided IP and sometimes the old static appears.
Right now I see that the old static is back.
09-06-2013 07:59 AM
I would console into the ap and reboot it and take a look at the output. It will show you if the certificate you entered into the WLC is valid or not.
Sent from Cisco Technical Support iPhone App
09-06-2013 09:13 AM
Scott
Thanks for reply
I just rebooted and this is what I see
ar 1 00:04:31.604: %LWAPP-5-CHANGED: LWAPP changed state to JOIN
*Sep 6 16:08:32.025: LWAPP_CLIENT_ERROR_DEBUG:
*Sep 6 16:08:32.025: peer certificate verification failed
*Sep 6 16:08:32.025: LWAPP_CLIENT_ERROR_DEBUG: spamDecodeJoinReply : Certificate is not valid
*Sep 6 16:08:32.025: LWAPP_CLIENT_ERROR_DEBUG: Unable to decode join reply
*Sep 6 16:08:36.745: LWAPP_CLIENT_ERROR_DEBUG: spamHandleJoinTimer: Did not recieve the Join response
*Sep 6 16:08:36.745: LWAPP_CLIENT_ERROR_DEBUG: No more AP manager IP addresses remain.
*Sep 6 16:08:36.745: %SYS-5-RELOAD: Reload requested by LWAPP CLIENT. Reload Reason: DID NOT GET JOIN RESPONSE.
09-06-2013 11:14 AM
Scott
I decided to try adding another AP but different model, an 1141 and that one joined the 5508 after I added the mac address under the Security>AP Policies.
This AP received a DHCP provided addr from our production dhcp server user data range which is not what I really want.
I want them to have an IP from our current mgt vlan 54.
This 5508 is brand new and nothing is running on it yet. All the other APs are autonomous with a production ssid vlan 57, a visitor ssid vlan 103 and a mgt vlan 54 for access.
Ideally I want to duplicate this setup with the 5508.
Config Items on 5508
I have the 5508 in our mgt vlan 54 and I have the management interface of the 5508 configed with an IP from this mgt vlan 54.
I also have one other interface, vlan 57, which also has an IP from this vlan with proper mask and default gate for that vlan.
I am not sure if I need this but I have it configed right now. I want the clients that connect to the APs on the 5508 to get an IP address in the same range that the autonomous units are currently handing out via our production dhcp server.
So I also created an internal IP range of a subset of our current autonomous production IP range that we are not handing out in our production environment.
The 5508 is connected with LAG. The channel that connects the 5508 to our switch has this setting:
interface Port-channel43
description *** Channel to WLC ***
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 54,56,57,103
switchport mode trunk
(The vlan 56 is another vlan for APs in another building that will be migrated later.) I am trying to migrate the vlan 57 to the 5508 presently.
The config for the LWAP on the switch is this:
switchport trunk encapsulation dot1q
switchport mode trunk
power inline static
Right now the 5508 shows that this one 1141 that joined is operationally down. Not sure how to change that status.
thanks for your help
09-06-2013 06:21 PM
Not sure how to change that status.
Go to wireless and down to either 802.11a or 802.11b, go to the Networks section and make sure they are enabled.
09-09-2013 05:18 AM
Leo Laohoo
I checked the network portion of the config and one of the 802's was enabled but not the other. So I enabled both and the radio came up.
My laptop, which is sitting next to the AP on my desk, connected to it. But after a few minutes my laptop associated to one of our autonomous units which is about 30 feet from my desk.
I also had to do what Scott posted, which is to change the switch port to an access port rather than a trunk.
Here are the messages I see on the AP when a client associates
*Sep 9 11:58:14.000: %LWAPP-5-RLDP: RLDP started on slot 0.
*Sep 9 11:58:35.174: %LWAPP-5-RLDP: RLDP stopped on slot 0.
*Sep 9 12:13:13.966: %LWAPP-5-RLDP: RLDP started on slot 0.
*Sep 9 12:13:27.226: %LWAPP-5-RLDP: RLDP stopped on slot 0.
I am wondering why the time is so different than the time of the 5508. The 5508 has the correct local time here in my office but the AP is four hours ahead.