Is it possible to use the upgrade tool to generate SSC's anymore?

SHANNON WYATT · ‎10-15-2013

I have a hand few of really old 1130's, manufactured prior to when MICs were installed. In anycase I wanted to convert a few of them to lightweight for use in a remote location with a 4400 we have laying around. Long story short, during the upgrade process I see an error on access point. I looks like one of the airespace certs that is copied over has expired back in April of this year. After the upgrade the access point fail to join the controller. I see an error on the access point and it seems there is a problem with it accepting the certificate on the controller. I see several posts were it seems that some people are having the same problem, I have not seen a solution.

I think that if I got it to connect the first time it wold be good to go. I'm wondering if configuring the conversion tool with a date prior to expiration would get the certificate on the access point and maybe at that point it would work.

George Stefanick · ‎10-15-2013

Sounds like 2 issues. First need to make sure you have ssc check boxed under allowed. Then when the ap tries to join do the following debug to get the hash for the ap cert ..

(Cisco Controller) > debug pm pki enable

Mon May 22 06:34:10 2006: sshpmGetIssuerHandles: getting (old) aes ID cert handle...
Mon May 22 06:34:10 2006: sshpmGetCID: called to evaluate
Mon May 22 06:34:10 2006: sshpmGetCID: comparing to row 0,
CA cert >bsnOldDefaultCaCert<
Mon May 22 06:34:10 2006: sshpmGetCID: comparing to row 1,
CA cert bsnDefaultRootCaCert<
Mon May 22 06:34:10 2006: sshpmGetCID: comparing to row 2,
CA cert >bsnDefaultCaCert<
Mon May 22 06:34:10 2006: sshpmGetCID: comparing to row 3,
CA cert >bsnDefaultBuildCert<
Mon May 22 06:34:10 2006: sshpmGetCID: comparing to row 4,
CA cert >cscoDefaultNewRootCaCert<
Mon May 22 06:34:10 2006: sshpmGetCID: comparing to row 5,
CA cert cscoDefaultMfgCaCert<
Mon May 22 06:34:10 2006: sshpmGetCID: comparing to row 0,
ID cert >bsnOldDefaultIdCert<
Mon May 22 06:34:10 2006: sshpmGetIssuerHandles: Calculate SHA1 hash on
Public Key Data
Mon May 22 06:34:10 2006: sshpmGetIssuerHandles:
Key Data 30820122 300d06092a864886 f70d0101
Mon May 22 06:34:10 2006: sshpmGetIssuerHandles:
Key Data 01050003 82010f003082010a 02820101
Mon May 22 06:34:10 2006: sshpmGetIssuerHandles:
Key Data 00c805cd 7d406ea0cad8df69 b366fd4c
Mon May 22 06:34:10 2006: sshpmGetIssuerHandles:
Key Data 82fc0df0 39f2bff7ad425fa7 face8f15
Mon May 22 06:34:10 2006: sshpmGetIssuerHandles:
Key Data f356a6b3 9b87625143b95a34 49292e11
Mon May 22 06:34:10 2006: sshpmGetIssuerHandles:
Key Data 038181eb 058c782e56f0ad91 2d61a389
Mon May 22 06:34:10 2006: sshpmGetIssuerHandles:
Key Data f81fa6ce cd1f400bb5cf7cef 06ba4375
Mon May 22 06:34:10 2006: sshpmGetIssuerHandles:
Key Data dde0648e c4d63259774ce74e 9e2fde19
Mon May 22 06:34:10 2006: sshpmGetIssuerHandles:
Key Data 0f463f9e c77b79ea65d8639b d63aa0e3
Mon May 22 06:34:10 2006: sshpmGetIssuerHandles:
Key Data 7dd485db 251e2e079cd31041 b0734a55
Mon May 22 06:34:14 2006: sshpmGetIssuerHandles:
Key Data 463fbacc 1a61502dc54e75f2 6d28fc6b
Mon May 22 06:34:14 2006: sshpmGetIssuerHandles:
Key Data 82315490 881e3e3102d37140 7c9c865a
Mon May 22 06:34:14 2006: sshpmGetIssuerHandles:
Key Data 9ef3311b d514795f7a9bac00 d13ff85f
Mon May 22 06:34:14 2006: sshpmGetIssuerHandles:
Key Data 97e1a693 f9f6c5cb88053e8b 7fae6d67
Mon May 22 06:34:14 2006: sshpmGetIssuerHandles:
Key Data ca364f6f 76cf78bcbc1acc13 0d334aa6
Mon May 22 06:34:14 2006: sshpmGetIssuerHandles:
Key Data 031fb2a3 b5e572df2c831e7e f765b7e5
Mon May 22 06:34:14 2006: sshpmGetIssuerHandles:
Key Data fe64641f de2a6fe323311756 8302b8b8
Mon May 22 06:34:14 2006: sshpmGetIssuerHandles:
Key Data 1bfae1a8 eb076940280cbed1 49b2d50f
Mon May 22 06:34:14 2006: sshpmGetIssuerHandles: Key Data f7020301 0001
Mon May 22 06:34:14 2006: sshpmGetIssuerHandles:
SSC Key Hash is 9e4ddd8dfcdd8458ba7b273fc37284b31a384eb9

!--- This is the actual SSC key-hash value.

Mon May 22 06:34:14 2006: LWAPP Join-Request MTU path from
AP 00:0e:84:32:04:f0 is 1500, remote debug mode is 0
Mon May 22 06:34:14 2006: spamRadiusProcessResponse:
AP Authorization failure for 00:0e:84:32:04:f0

Then add the ap to the Mac filter ..

Sent from Cisco Technical Support iPad App

"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
___________________________________________________________

George Stefanick · ‎10-15-2013

Here is another link http://www.cisco.com/en/US/products/ps6366/products_configuration_example09186a00806a426c.shtml

If this helps please support the rating system..

Thanks bud

Sent from Cisco Technical Support iPad App

"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
___________________________________________________________

SHANNON WYATT · ‎10-16-2013

No, this isn't it. I have SSC's allowd and I have the hash added and I checked the hash based on the debug.

SHANNON WYATT · ‎10-16-2013

This is the output I see on the access point:

*Oct 16 12:19:46.029: %CAPWAP-3-ERRORLOG: Binding Config Initialization failed for binding 1

*Oct 16 12:19:56.051: %CAPWAP-3-ERRORLOG: Go join a capwap controller

*Oct 16 12:21:01.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 10.130.38.249 peer_port: 5246Peer certificate verification failed 000B

*Oct 16 12:21:01.070: %CAPWAP-3-ERRORLOG: Certificate verification failed!

*Oct 16 12:21:01.070: DTLS_CLIENT_ERROR: ../capwap/base_capwap/capwap/base_capwap_wtp_dtls.c:447 Certificate verified failed!

*Oct 16 12:21:01.070: %DTLS-5-SEND_ALERT: Send FATAL : Bad certificate Alert to 10.130.38.249:5246

*Oct 16 12:21:01.071: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 10.130.38.249:5246

*Oct 16 12:21:01.072: %CAPWAP-3-ERRORLOG: Invalid event 38 & state 3 combination.

SHANNON WYATT · ‎10-16-2013

Ha! If you run the upgrade utility, but set the date to 1/1/2012 (a date before the expiration of the airespace cert) the upgrade works. I guess that once it has the cert it doesn't validate it further.