Cisco Support Community
New Member

AP 1131ag not able to join with WLC 4402

In some of my spare time, I've been trying to get this AP to join with this WLC. It's been about two weeks now. I'm not sure what the problem is. I think that there are a few possible issues, but I'm asking the more experienced & knowledgeable support community. I did convert the autonomous AP to a LAP. So here are some outputs:

AP sh ver

AP0014.6956.6926#sh ver

Cisco IOS Software, C1130 Software (C1130-K9W8-M), Version 12.4(25e)JAO3, RELEASE SOFTWARE (fc1)

Technical Support: http://www.cisco.com/techsupport

Copyright (c) 1986-2013 by Cisco Systems, Inc.

Compiled Wed 18-Dec-13 20:53 by prod_rel_team

ROM: Bootstrap program is C1130 boot loader

BOOTLDR: C1130 Boot Loader (C1130-BOOT-M) Version 12.3(2)JA3, RELEASE SOFTWARE (fc2)

AP0014.6956.6926 uptime is 2 hours, 11 minutes

System returned to ROM by power-on

System image file is "flash:/c1130-k9w8-mx.124-25e.JAO3/c1130-k9w8-mx.124-25e.JAO3"

This product contains cryptographic features and is subject to United

States and local country laws governing import, export, transfer and

use. Delivery of Cisco cryptographic products does not imply

third-party authority to import, export, distribute or use encryption.

Importers, exporters, distributors and users are responsible for

compliance with U.S. and local country laws. By using this product you

agree to comply with applicable laws and regulations. If you are unable

to comply with U.S. and local laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at:

http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by sending email to

export@cisco.com.

cisco AIR-LAP1131AG-A-K9 (PowerPCElvis) processor (revision A0) with 27638K/5120K bytes of memory.

Processor board ID FTX0924T1NR

PowerPCElvis CPU at 262Mhz, revision number 0x0950

Last reset from power-on

LWAPP image version 7.3.1.72

1 FastEthernet interface

2 802.11 Radio(s)

32K bytes of flash-simulated non-volatile configuration memory.

Base ethernet MAC Address: 00:14:69:56:69:26

Part Number                          : 73-8962-07

PCA Assembly Number                  : 800-24818-06

PCA Revision Number                  : C0

PCB Serial Number                    : FOC092238UU

Top Assembly Part Number             : 800-25544-01

Top Assembly Serial Number           : FTX0924T1NR

Top Revision Number                  : A0

Product/Model Number                 : AIR-AP1131AG-A-K9  

Configuration register is 0xF

WLC sh sysinfo

Manufacturer's Name.............................. Cisco Systems Inc.

Product Name..................................... Cisco Controller

Product Version.................................. 4.2.205.0

RTOS Version..................................... 4.2.205.0

Bootloader Version............................... 4.2.205.0

Build Type....................................... DATA + WPS

System Name...................................... wlcVA010a03a01

System Location..................................

System Contact...................................

System ObjectID.................................. 1.3.6.1.4.1.14179.1.1.4.3

IP Address....................................... 10.10.1.1

System Up Time................................... 4 days 0 hrs 54 mins 42 secs

Configured Country............................... US  - United States

Operating Environment............................ Commercial (0 to 40 C)

Internal Temp Alarm Limits....................... 0 to 65 C

Internal Temperature............................. +39 C

State of 802.11b Network......................... Enabled

State of 802.11a Network......................... Enabled

Number of WLANs.................................. 1

3rd Party Access Point Support................... Disabled

Number of Active Clients......................... 0

Burned-in MAC Address............................ 00:18:73:35:DC:40

Crypto Accelerator 1............................. Absent

Crypto Accelerator 2............................. Absent

Power Supply 1................................... Absent

Power Supply 2................................... Present, OK

WLC debug lwapp errors enable

Fri Jan 24 16:55:15 2014: 00:13:5f:f8:94:f0 LWAPP Join Request does not include valid certificate in CERTIFICATE_PAYLOAD from AP 00:13:5f:f8:94:f0.

Fri Jan 24 16:55:15 2014: 00:13:5f:f8:94:f0 Unable to free public key for AP 00:13:5f:f8:94:f0

Fri Jan 24 16:55:15 2014: 00:13:5f:f8:94:f0 Decoding Join Request failed for AP 00:13:5f:f8:94:f0

Fri Jan 24 16:55:20 2014: 00:13:5f:f8:94:f0 LWAPP Join Request does not include valid certificate in CERTIFICATE_PAYLOAD from AP 00:13:5f:f8:94:f0.

Fri Jan 24 16:55:20 2014: 00:13:5f:f8:94:f0 Unable to free public key for AP 00:13:5f:f8:94:f0

Fri Jan 24 16:55:20 2014: 00:13:5f:f8:94:f0 Decoding Join Request failed for AP 00:13:5f:f8:94:f0

WLC debug lwapp events enable

Fri Jan 24 16:52:20 2014: 00:13:5f:f8:94:f0 Received LWAPP DISCOVERY REQUEST from AP 00:13:5f:f8:94:f0 to ff:ff:ff:ff:ff:ff on port '1'

Fri Jan 24 16:52:20 2014: 00:13:5f:f8:94:f0 Successful transmission of LWAPP Discovery Response to AP 00:13:5f:f8:94:f0 on port 1

Fri Jan 24 16:52:20 2014: 00:13:5f:f8:94:f0 Received LWAPP DISCOVERY REQUEST from AP 00:13:5f:f8:94:f0 to ff:ff:ff:ff:ff:ff on port '1'

Fri Jan 24 16:52:20 2014: 00:13:5f:f8:94:f0 Successful transmission of LWAPP Discovery Response to AP 00:13:5f:f8:94:f0 on port 1

Fri Jan 24 16:52:31 2014: 00:13:5f:f8:94:f0 Received LWAPP JOIN REQUEST from AP 00:13:5f:f8:94:f0 to 06:0a:10:10:00:00 on port '1'

Fri Jan 24 16:52:31 2014: 00:13:5f:f8:94:f0 LWAPP Join Request does not include valid certificate in CERTIFICATE_PAYLOAD from AP 00:13:5f:f8:94:f0.

Fri Jan 24 16:52:31 2014: 00:13:5f:f8:94:f0 Unable to free public key for AP 00:13:5f:f8:94:f0

Fri Jan 24 16:52:31 2014: 00:13:5f:f8:94:f0 Decoding Join Request failed for AP 00:13:5f:f8:94:f0

Fri Jan 24 16:52:36 2014: 00:13:5f:f8:94:f0 Received LWAPP JOIN REQUEST from AP 00:13:5f:f8:94:f0 to 06:0a:10:10:00:00 on port '1'

Fri Jan 24 16:52:36 2014: 00:13:5f:f8:94:f0 LWAPP Join Request does not include valid certificate in CERTIFICATE_PAYLOAD from AP 00:13:5f:f8:94:f0.

Fri Jan 24 16:52:36 2014: 00:13:5f:f8:94:f0 Unable to free public key for AP 00:13:5f:f8:94:f0

Fri Jan 24 16:52:36 2014: 00:13:5f:f8:94:f0 Decoding Join Request failed for AP 00:13:5f:f8:94:f0

WLC debug pm pki enable

Fri Jan 24 16:49:45 2014: sshpmGetIssuerHandles: invalid args (0x13d7edd0/0x13d7edd4/0x13d7edd8/0x30231b14/0)

Fri Jan 24 16:49:45 2014: sshpmFreePublicKeyHandle: called with (nil)

Fri Jan 24 16:49:45 2014: sshpmFreePublicKeyHandle: NULL argument.

Fri Jan 24 16:49:50 2014: sshpmGetIssuerHandles: invalid args (0x13d91320/0x13d91324/0x13d91328/0x30231b14/0)

Fri Jan 24 16:49:50 2014: sshpmFreePublicKeyHandle: called with (nil)

Fri Jan 24 16:49:50 2014: sshpmFreePublicKeyHandle: NULL argument.

Thanks!

Leon

Hall of Fame Super Silver

Re: AP 1131ag not able to join with WLC 4402

Your WLC code is very old and you're using a new lightweight AP image. I would either upgrade your WLC or upload the older recovery image to your AP.

c1130-rcvk9w8-tar.123-7.JX9.tar

Sent from Cisco Technical Support iPhone App

-Scott
*** Please rate helpful posts ***
VIP Purple

AP 1131ag not able to join with WLC 4402

cisco AIR-LAP1131AG-A-K9 (PowerPCElvis) processor (revision A0) with 27638K/5120K bytes of memory.

WLC sh sysinfo

Manufacturer's Name.............................. Cisco Systems Inc.

Product Name..................................... Cisco Controller

Product Version.................................. 4.2.205.0

RTOS Version..................................... 4.2.205.0

Bootloader Version............................... 4.2.205.0

Build Type....................................... DATA + WPS

Fri Jan 24 16:55:20 2014: 00:13:5f:f8:94:f0 LWAPP Join Request does not include valid certificate in CERTIFICATE_PAYLOAD from AP 00:13:5f:f8:94:f0.

Fri Jan 24 16:52:36 2014: 00:13:5f:f8:94:f0 LWAPP Join Request does not include valid certificate in CERTIFICATE_PAYLOAD from AP 00:13:5f:f8:94:f0.

Adding to the above.

Manually add self-signed certificates (SSCs) to a Cisco Wireless LAN (WLAN) Controller (WLC).

You can manually add the SSC to the WLC.

These kinds of problems occur with a Lightweight AP Protocol (LWAPP)-converted AP.

Via GUI:

Choose Security > AP Policies and click Enabled beside Accept Self Signed Certificate.

Select SSC from the Certificate Type drop-down menu.

Enter the MAC address of the AP and the hash key, and click Add.

Via CLI:

Enable Accept Self Signed Certificate on the WLC. The command is config auth-list ap-policy ssc enable.

(Cisco Controller) >config auth-list ap-policy ssc enable


Add the AP MAC address and hash key to the authorization list. The command is config auth-list add ssc AP_MAC AP_key.

(Cisco Controller) >config auth-list add ssc

More to check here:

http://www.cisco.com/en/US/products/ps6366/products_configuration_example09186a00806a426c.shtml

As Scott also mentioned, this is a very old version on the WLC. Please upgrade it.

Hope it helps.

Regards

Don't forget to rate helpful posts

New Member

AP 1131ag not able to join with WLC 4402

Okay, so I've been trying some of what you've mentioned the past few days. The WLC is updated. The AP still can't connect. So I tried the "config auth-list ap-policy ssc enable" & "config auth-list add ssc " commands. Problem is, I don't have the sha1 key hash. How/where do I locate this? I didn't use the Cisco LWAPP upgrade tool because it doesn't do anything when I tell it to start. It just says "Validating User Input" or something along those lines and never changes. So I used tftpd32 to upgrade the AP.

Now then, where can I find or get the AP hash key? It doesn't show up on the debug pm pki enable output. Can I find it on the AP through GUI or CLI?

VIP Purple

Re: AP 1131ag not able to join with WLC 4402


Fri Jan 24 16:52:36 2014: 00:13:5f:f8:94:f0 LWAPP Join Request does not include valid certificate in CERTIFICATE_PAYLOAD from AP 00:13:5f:f8:94:f0.

Fri Jan 24 16:52:36 2014: 00:13:5f:f8:94:f0 Unable to free public key for AP 00:13:5f:f8:94:f0

Fri Jan 24 16:52:36 2014: 00:13:5f:f8:94:f0 Decoding Join Request failed for AP 00:13:5f:f8:94:f0

This information clearly shows that the controller time is outside the certificate validity interval of the LAP. Therefore, the LAP cannot register with the controller. Certificates installed in the LAP have a predefined validity interval. The controller time should be set in such a way that it is within the certificate validity interval of the LAP’s certificate.

If the time is not set correctly on the controller, choose Commands > Set Time in the controller GUI mode, or issue the config time command in the controller CLI in order to set the controller time.

Also paste the output of this command:

AP#show crypto ca certificates

Regards
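
Added example (not part of any post in this thread): a Python sketch of the check described in the reply above, which takes the controller timestamps of the certificate-related join failures from the WLC debug lines and compares them with the validity interval printed by `show crypto ca certificates` on the AP. The WLC lines are copied from the thread; the certificate listing is a constructed sample with made-up dates and an assumed IOS layout, and the function names are hypothetical.

```python
import re
from datetime import datetime

# Two WLC debug lines copied from the thread above.
WLC_LOG = """\
Fri Jan 24 16:52:20 2014: 00:13:5f:f8:94:f0 Successful transmission of LWAPP Discovery Response to AP 00:13:5f:f8:94:f0 on port 1
Fri Jan 24 16:52:36 2014: 00:13:5f:f8:94:f0 LWAPP Join Request does not include valid certificate in CERTIFICATE_PAYLOAD from AP 00:13:5f:f8:94:f0.
"""

# Constructed sample: validity lines as IOS prints them in
# `show crypto ca certificates` (layout assumed, dates made up).
AP_CERT = """\
Certificate
  Validity Date:
    start date: 10:00:00 UTC Jun 1 2005
    end date: 10:10:00 UTC Jun 1 2015
"""

TS = "%a %b %d %H:%M:%S %Y"  # timestamp format of the WLC debug lines
FAIL = re.compile(r"^(\w{3} \w{3} +\d+ [\d:]{8} \d{4}): ((?:[0-9a-f]{2}:){5}[0-9a-f]{2}) "
                  r"LWAPP Join Request does not include valid certificate")
DATE = re.compile(r"(start|end) date: ([\d:]{8}) \w+ (\w{3}) +(\d+) (\d{4})")

def cert_rejections(log):
    """Return (controller_time, ap_mac) for every certificate-related join failure."""
    hits = (FAIL.match(line.strip()) for line in log.splitlines())
    return [(datetime.strptime(m.group(1), TS), m.group(2)) for m in hits if m]

def validity(cert_text):
    """Return (start, end) of the certificate validity interval."""
    found = {}
    for kind, clock, mon, day, year in DATE.findall(cert_text):
        found[kind] = datetime.strptime(f"{clock} {mon} {day} {year}", "%H:%M:%S %b %d %Y")
    return found["start"], found["end"]

def diagnose(log, cert_text):
    """Compare each rejection time with the interval (time zones are ignored)."""
    start, end = validity(cert_text)
    report = []
    for when, mac in cert_rejections(log):
        verdict = ("before start date" if when < start else
                   "after end date" if when > end else "inside validity interval")
        report.append((mac, when.isoformat(), verdict))
    return report

if __name__ == "__main__":
    for row in diagnose(WLC_LOG, AP_CERT):
        print(*row, sep="  ")
```

A verdict of "inside validity interval" means the controller clock does not explain the rejection, which leaves the SSC authorization list described earlier in the thread as the next thing to check.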

Cisco Employee

Re: AP 1131ag not able to join with WLC 4402

As per the logs, it seems to be the SSC certificate installation issue.
