(C1200-RCVK9W8-M), Version 12.3(7)JX9 unable to join 5508 with 6.0 IOS

john.wright
Level 3

Should a 1231 AP be able to join a 5508 running 6.0 IOS? I changed this unit from autonomous to lwap before attempting this.

The ap receives an IP addr. but I see the following messages on the AP:

*Mar  1 00:04:18.721: %DHCP-6-ADDRESS_ASSIGN: Interface FastEthernet0 assigned DHCP address 10.49.12.205, mask 255.255.0.0, hostname AP0011.212d.2f98

*Mar  1 00:04:41.599: LWAPP_CLIENT_ERROR_DEBUG: spamHandleDiscoveryTimer : Found the discovery response from MASTER Mwar

*Sep  6 13:00:48.022: LWAPP_CLIENT_ERROR_DEBUG:

*Sep  6 13:00:48.023: peer certificate verification failed

*Sep  6 13:00:48.023: LWAPP_CLIENT_ERROR_DEBUG: spamDecodeJoinReply : Certificate is not valid

*Sep  6 13:00:48.023: LWAPP_CLIENT_ERROR_DEBUG: Unable to decode join reply

*Sep  6 13:00:52.744: LWAPP_CLIENT_ERROR_DEBUG: spamHandleJoinTimer: Did not recieve the Join response

*Sep  6 13:00:52.744: LWAPP_CLIENT_ERROR_DEBUG: No more AP manager IP addresses remain.

*Sep  6 13:00:52.744: %SYS-5-RELOAD: Reload requested by LWAPP CLIENT. Reload Reason: DID NOT GET JOIN RESPONSE.

*Sep  6 13:00:52.745: %LWAPP-5-CHANGED: LWAPP changed state to DOWNXmodem file system is available.

The time by the way is correct on the 5508. Here is what I see on 5508.

*Sep 06 09:22:49.622: sshpmPrivateKeyEncrypt: RSA_private_encrypt returned 256

*Sep 06 09:22:49.622: sshpmPrivateKeyEncrypt: encrypted bytes: 512

*Sep 06 09:23:52.476: sshpmLscTask: LSC Task received a message 4

*Sep 06 09:24:19.477: sshpmFreePublicKeyHandle: called with 0x1c9a35a4

*Sep 06 09:24:19.477: sshpmFreePublicKeyHandle: freeing public key

*Sep 06 09:25:52.476: sshpmLscTask: LSC Task received a message 4

Accepted Solutions

Not sure how to change that status.

Go to wireless and down to either 802.11a or 802.11b, go to the Networks section and make sure they are enabled.

Scott Fella
Hall of Fame

Turn off RLDP!!! You don't need this enabled. When you have this enabled, it will kick clients off the AP which you are seeing.

Sent from Cisco Technical Support iPhone App

-Scott
*** Please rate helpful posts ***

23 Replies

Leo Laohoo
Hall of Fame

Did you use the upgrade tool?

No.

You need to because the Upgrade Tool will insert the certificate into the 1230.

Laohoo

So what are my options now?

Use the upgrade tool. You can still use it. Just follow instructions.

When I use tool it tells me to supply IP, login ID and password of the AP but the AP keeps rebooting over and over again and sometimes it gets a new DHCP supplied IP and sometimes it reports the static IP it had before conversion.

In addition there is no login and password on the AP.

Here is the show run

0011.212d.2f98#sh run

Building configuration...

Current configuration : 3397 bytes

!

version 12.3

no service pad

service timestamps debug datetime msec

service timestamps log datetime msec

no service password-encryption

!

hostname AP0011.212d.2f98

!

!

ip subnet-zero

ip name-server 10.49.4.75

!

crypto pki trustpoint CISCO_IOS_SSC_Cert

enrollment selfsigned

fqdn none

ip-address none

subject-name cn=C1200-0011212d2f98 , ea=support@cisco.com, o=Cisco Systems, C=US, ST=California, L=San Jose

revocation-check none

rsakeypair CISCO_IOS_SSC_Keys

!

!

crypto ca certificate chain CISCO_IOS_SSC_Cert

certificate self-signed 01

  quit

!

!

interface FastEthernet0

ip address 10.52.16.10 255.255.254.0

no ip route-cache

duplex auto

speed auto

!

ip default-gateway 10.52.17.254

!

line con 0

transport preferred all

transport output all

line vty 0 4

login

transport preferred all

transport input none

transport output all

line vty 5 15

login

transport preferred all

transport input none

transport output all

!

end

AP0011.212d.2f98#

Hi John,

Here is a config example how you can add a SSC to your WLC from your AP. No need to reimage the ap just follow these instructions closely.

If you find this helpful please support the rating system!

Thanks

http://www.cisco.com/en/US/products/ps6366/products_configuration_example09186a00806a426c.shtml

__________________________________________________________________________________________
"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
__________________________________________________________________________________________
"I'm in a serious relationship with my Wi-Fi. You could say we have a connection."

Here is a quick recap of the command and the SSC

  1. Turn on the AP and connect it to the network.
  2. Enable the debugging on the WLC command-line interface (CLI).

    The command is debug pm pki enable.

    (Cisco Controller) >debug pm pki enable
    Mon May 22 06:34:10 2006: sshpmGetIssuerHandles: getting (old) aes ID cert handle...
    Mon May 22 06:34:10 2006: sshpmGetCID: called to evaluate 
    Mon May 22 06:34:10 2006: sshpmGetCID: comparing to row 0, CA cert 
    >bsnOldDefaultCaCert<
    Mon May 22 06:34:10 2006: sshpmGetCID: comparing to row 1, CA cert 
    >bsnDefaultRootCaCert<
    Mon May 22 06:34:10 2006: sshpmGetCID: comparing to row 2, CA cert 
    >bsnDefaultCaCert<
    Mon May 22 06:34:10 2006: sshpmGetCID: comparing to row 3, CA cert 
    >bsnDefaultBuildCert<
    Mon May 22 06:34:10 2006: sshpmGetCID: comparing to row 4, CA cert 
    >cscoDefaultNewRootCaCert<
    Mon May 22 06:34:10 2006: sshpmGetCID: comparing to row 5, CA cert 
    >cscoDefaultMfgCaCert<
    Mon May 22 06:34:10 2006: sshpmGetCID: comparing to row 0, ID cert 
    >bsnOldDefaultIdCert<
    Mon May 22 06:34:10 2006: sshpmGetIssuerHandles: Calculate SHA1 hash on Public Key 
    Data
    Mon May 22 06:34:10 2006: sshpmGetIssuerHandles: Key Data  30820122 300d0609 
    2a864886 f70d0101 
    Mon May 22 06:34:10 2006: sshpmGetIssuerHandles: Key Data  01050003 82010f00 
    3082010a 02820101 
    Mon May 22 06:34:10 2006: sshpmGetIssuerHandles: Key Data  00c805cd 7d406ea0 
    cad8df69 b366fd4c 
    Mon May 22 06:34:10 2006: sshpmGetIssuerHandles: Key Data  82fc0df0 39f2bff7 
    ad425fa7 face8f15 
    Mon May 22 06:34:10 2006: sshpmGetIssuerHandles: Key Data  f356a6b3 9b876251 
    43b95a34 49292e11 
    Mon May 22 06:34:10 2006: sshpmGetIssuerHandles: Key Data  038181eb 058c782e 
    56f0ad91 2d61a389 
    Mon May 22 06:34:10 2006: sshpmGetIssuerHandles: Key Data  f81fa6ce cd1f400b 
    b5cf7cef 06ba4375 
    Mon May 22 06:34:10 2006: sshpmGetIssuerHandles: Key Data  dde0648e c4d63259 
    774ce74e 9e2fde19 
    Mon May 22 06:34:10 2006: sshpmGetIssuerHandles: Key Data  0f463f9e c77b79ea 
    65d8639b d63aa0e3 
    Mon May 22 06:34:10 2006: sshpmGetIssuerHandles: Key Data  7dd485db 251e2e07 
    9cd31041 b0734a55 
    Mon May 22 06:34:14 2006: sshpmGetIssuerHandles: Key Data  463fbacc 1a61502d 
    c54e75f2 6d28fc6b 
    Mon May 22 06:34:14 2006: sshpmGetIssuerHandles: Key Data  82315490 881e3e31 
    02d37140 7c9c865a 
    Mon May 22 06:34:14 2006: sshpmGetIssuerHandles: Key Data  9ef3311b d514795f 
    7a9bac00 d13ff85f 
    Mon May 22 06:34:14 2006: sshpmGetIssuerHandles: Key Data  97e1a693 f9f6c5cb 
    88053e8b 7fae6d67 
    Mon May 22 06:34:14 2006: sshpmGetIssuerHandles: Key Data  ca364f6f 76cf78bc 
    bc1acc13 0d334aa6 
    Mon May 22 06:34:14 2006: sshpmGetIssuerHandles: Key Data  031fb2a3 b5e572df 
    2c831e7e f765b7e5 
    Mon May 22 06:34:14 2006: sshpmGetIssuerHandles: Key Data  fe64641f de2a6fe3 
    23311756 8302b8b8 
    Mon May 22 06:34:14 2006: sshpmGetIssuerHandles: Key Data  1bfae1a8 eb076940 
    280cbed1 49b2d50f 
    Mon May 22 06:34:14 2006: sshpmGetIssuerHandles: Key Data  f7020301 0001
    Mon May 22 06:34:14 2006: sshpmGetIssuerHandles: SSC Key Hash is 
    9e4ddd8dfcdd8458ba7b273fc37284b31a384eb9
    Mon May 22 06:34:14 2006: LWAPP Join-Request MTU path from AP 00:0e:84:32:04:f0 
    is 1500, remote debug mode is 0
    Mon May 22 06:34:14 2006: spamRadiusProcessResponse: AP Authorization failure for 
    00:0e:84:32:04:f0
    


__________________________________________________________________________________________
"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
__________________________________________________________________________________________
"I'm in a serious relationship with my Wi-Fi. You could say we have a connection."
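
The check this recap leads to, as an added example that is not part of the original posts or of Cisco's document: it pulls the AP MAC and SSC key hash out of `debug pm pki enable` output (undoing the line wrapping seen above) and compares them with the rows of `show auth-list`. The function names are hypothetical, the sample text is excerpted from the outputs quoted in this thread, and pairing each hash with the next AP MAC in the log is an assumption based on the ordering in that output.

```python
import re

MAC_RE = re.compile(r"(?:[0-9a-f]{2}:){5}[0-9a-f]{2}", re.I)

# Sample input: excerpts of the outputs quoted in this thread.
DEBUG_LOG = """\
Mon May 22 06:34:14 2006: sshpmGetIssuerHandles: SSC Key Hash is
9e4ddd8dfcdd8458ba7b273fc37284b31a384eb9
Mon May 22 06:34:14 2006: LWAPP Join-Request MTU path from AP 00:0e:84:32:04:f0
is 1500, remote debug mode is 0
Mon May 22 06:34:14 2006: spamRadiusProcessResponse: AP Authorization failure for
00:0e:84:32:04:f0
"""
AUTH_LIST = """\
Mac Addr                  Cert Type    Key Hash
-----------------------   ----------   ------------------------------------------
00:11:21:2d:2f:98         SSC          9997342e5108e5574112af3b09c4902f84017ff2
"""

def ssc_hashes_from_debug(text):
    """Return {ap_mac: key_hash} from 'debug pm pki enable' output."""
    flat = " ".join(text.split())  # undo the terminal line wrapping
    found = {}
    for m in re.finditer(r"SSC Key Hash is ([0-9a-fA-F]{40})", flat):
        # Assumption: the AP that sent this certificate is the next MAC logged.
        mac = MAC_RE.search(flat, m.end())
        if mac:
            found[mac.group().lower()] = m.group(1).lower()
    return found

def parse_auth_list(text):
    """Return {mac: (cert_type, key_hash)} from 'show auth-list' rows."""
    rows = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3 and MAC_RE.fullmatch(parts[0]):
            rows[parts[0].lower()] = (parts[1].upper(), parts[2].lower())
    return rows

def check(debug_text, auth_text):
    """Classify each AP seen in the debug output as ok, mismatch or missing."""
    auth = parse_auth_list(auth_text)
    report = {}
    for mac, key_hash in ssc_hashes_from_debug(debug_text).items():
        entry = auth.get(mac)
        if entry is None:
            report[mac] = "missing"
        else:
            report[mac] = "ok" if entry == ("SSC", key_hash) else "mismatch"
    return report

if __name__ == "__main__":
    print(check(DEBUG_LOG, AUTH_LIST))
```
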

Thanks for the interest

I can see that the mac and hash were already in the 5508 but I removed and re-added anyway.

Here is what I now see.

(Cisco Controller) >show auth-list

Authorize MIC APs against AAA ................... disabled

Authorize LSC APs against Auth-List ............. disabled

Allow APs with MIC - Manufactured Installed C.... disabled

Allow APs with SSC - Self-Signed Certificate..... enabled

Allow APs with LSC - Locally Significant Cert.... disabled

Mac Addr                  Cert Type    Key Hash

-----------------------   ----------   ------------------------------------------

00:11:21:2d:2f:98         SSC          9997342e5108e5574112af3b09c4902f84017ff2

(Cisco Controller) >show ap summary

Number of APs.................................... 0

Global AP User Name.............................. superuser

Global AP Dot1x User Name........................ Not Configured

AP Name             Slots  AP Model             Ethernet MAC       Location          Port  Country  Priority

------------------  -----  -------------------  -----------------  ----------------  ----  -------  ------

The AP continues to reboot over and over. Sometimes there is a DHCP provided IP and sometimes the old static appears.

Right now I see that old static is back.

Scott Fella
Hall of Fame

I would console into the ap and reboot it and take a look at the output. It will show you if the certificate you entered into the WLC is valid or not.

Sent from Cisco Technical Support iPhone App

-Scott
*** Please rate helpful posts ***

Scott

Thanks for reply

I just rebooted and this is what I see

ar  1 00:04:31.604: %LWAPP-5-CHANGED: LWAPP changed state to JOIN

*Sep  6 16:08:32.025: LWAPP_CLIENT_ERROR_DEBUG:

*Sep  6 16:08:32.025: peer certificate verification failed

*Sep  6 16:08:32.025: LWAPP_CLIENT_ERROR_DEBUG: spamDecodeJoinReply : Certificate is not valid

*Sep  6 16:08:32.025: LWAPP_CLIENT_ERROR_DEBUG: Unable to decode join reply

*Sep  6 16:08:36.745: LWAPP_CLIENT_ERROR_DEBUG: spamHandleJoinTimer: Did not recieve the Join response

*Sep  6 16:08:36.745: LWAPP_CLIENT_ERROR_DEBUG: No more AP manager IP addresses remain.

*Sep  6 16:08:36.745: %SYS-5-RELOAD: Reload requested by LWAPP CLIENT. Reload Reason: DID NOT GET JOIN RESPONSE.

Scott

I decided to try adding another AP but different model, an 1141 and that one joined the 5508 after I added the mac address under the Security>AP Policies.

This AP received a DHCP provided addr from our production dhcp server user data range which is not what I really want.

I want them to have an IP from our current mgt vlan 54.

This 5508 is brand new and nothing is running on it yet. All the other AP's are autonomous with a production ssid vlan 57, a visitor ssid vlan 103 and a mgt vlan 54 for access.

Ideally I want to duplicate this setup with the 5508.

Config Items on 5508

I have the 5508 in our mgt vlan 54 and I have the management interface of the 5508 configed with an IP from this mgt vlan 54.

I also have one other interface, vlan 57 which also has an IP from this vlan with proper mask and default gate for that vlan.

I am not sure if I need this but I have it configed right now. I want the clients that connect to the AP's on the 5508 to get an IP address in the same range that the autonomous units are currently handing out via our production dhcp server.

So I also created an internal IP range of a subset of our current autonomous production IP range that we are not handing out in our production environment.

The 5508 is connected with LAG. The channel that connects the 5508 to our switch has this setting:

interface Port-channel43

description *** Channel to WLC ***

switchport trunk encapsulation dot1q

switchport trunk allowed vlan 54,56,57,103

switchport mode trunk

(The vlan 56 is another vlan for APs in another building that will be migrated later.) I am trying to migrate the vlan 57 to the 5508 presently.

The config for the LWAP on the switch is this:

switchport trunk encapsulation dot1q

switchport mode trunk

power inline static

Right now the 5508 shows that this one 1141 that joined is operationally down. Not sure how to change that status.

thanks for your help

Not sure how to change that status.

Go to wireless and down to either 802.11a or 802.11b, go to the Networks section and make sure they are enabled.

Leo Laohoo

I checked the network portion of the config and one of the 802's was enabled but not the other. So I enabled both and the radio came up.

My laptop which is sitting next to the AP on my desk connected to it. But after a few minutes my laptop associated to one of our autonomous units which is about 30 feet from my desk.

I also had to do what Scott posted which is to change the switch port to an access port rather than a trunk.

Here are the messages I see on the AP when a client associates

*Sep  9 11:58:14.000: %LWAPP-5-RLDP: RLDP started on slot 0.

*Sep  9 11:58:35.174: %LWAPP-5-RLDP: RLDP stopped on slot 0.

*Sep  9 12:13:13.966: %LWAPP-5-RLDP: RLDP started on slot 0.

*Sep  9 12:13:27.226: %LWAPP-5-RLDP: RLDP stopped on slot 0.

I am wondering why the time is so different than the time of the 5508. The 5508 has the correct local time here in my office but the AP is four hours ahead.
