Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

why ap1121G-A cant join 4404 WLC

when update ap1121 to LAP,the ap1121 cant join WLC4404,and cant telnet ap1121 on the pc.the wlc version is 6.0.182.0

1 ACCEPTED SOLUTION

Accepted Solutions
New Member

Re: why ap1121G-A cant join 4404 WLC

first,thanks everyone.now the problem had resulation.because the ap belong to us.so when we add the country code .the ap can join WLC.

14 REPLIES
New Member

Re: why ap1121G-A cant join 4404 WLC

Can you be a bit more descriptive?

How did you do the conversion to LWAPP of the AP?

Did you add the AP's Self Signed Certificate to the Controller?

Re: why ap1121G-A cant join 4404 WLC

console into the ap, start it up and dump the view file ... we can take a look at it ...

__________________________________________________________________________________________ "Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin ___________________________________________________________
New Member

Re: why ap1121G-A cant join 4404 WLC

thx.the 1121 ap has not console port.only has ethernet port.

New Member

Re: why ap1121G-A cant join 4404 WLC

first thx.

we use the upgradeTool to lwAPP the 1121 ap.

like this,1130 or 1230 ap can join the wlc.but the 1121 cant.

other ,how to add the ap ssc to the controller?

Silver

Re: why ap1121G-A cant join 4404 WLC

Using the controller GUI, click the Security Tab and look on the left for AAA->AP Policies. Click the Add button in the top-right and use the provided form to enter the AP's MAC address and SSC (you'll need to select SSC from the drop-down menu).

Hopefully you have the SSC, which should have been provided by the upgrade tool. If not, you can reset the 1121 to autonomous using the standard reset procedure:

Configure a TFTP server/PC to use the address 10.0.0.2

Place an 1100 autonomous image in the TFTP root directory

Rename the file "c1100-k9w7-tar.default"

Connect the PC to the AP using a crossover cable

Turn the AP off, then power it back on while holding the MODE button

Release the button once the AP LEDs turn red

Once downgraded to autonomous, you can re-upgrade to lightweight, this time securing the SSC from the tool.

Jeff

New Member

Re: why ap1121G-A cant join 4404 WLC

by the way,all the ap should use SSC.like 1130\1230.

New Member

Re: why ap1121G-A cant join 4404 WLC

now have re-upgrade the ap,but still cant join the wlc.

first,when want join the SSC,but wlc require SHA1 Key Hash (hex only),where can find the sha1 key?

when the ap update,still cant telnet or url the ap.

Cisco Employee

Re: why ap1121G-A cant join 4404 WLC

As others have said, you need to add the SSC hash to the WLC, in order to get the AP to join.

http://www.cisco.com/en/US/products/ps6366/products_configuration_example09186a00806a426c.shtml

Btw, the AP1120 (as long as it has the G not B radio) *is* still supported, as of WLC 6.0.

Silver

Re: why ap1121G-A cant join 4404 WLC

Thanks Aaron, that's a great link for finding the hash.

New Member

Re: why ap1121G-A cant join 4404 WLC

today,try obtain the key,but cant,why?

under information about the debug pm pki enable.

*Oct 10 09:17:53.077: sshpmGetIssuerHandles: locking ca cert table

*Oct 10 09:17:53.077: sshpmGetIssuerHandles: calling x509_alloc() for user cert

*Oct 10 09:17:53.077: sshpmGetIssuerHandles: calling x509_decode()

*Oct 10 09:17:53.080: sshpmGetIssuerHandles: C=US, ST=California, L=San Jose, O=Cisco Systems, CN=C1100-001b539b2a46, MAILTO=support@cisco.com

*Oct 10 09:17:53.080: sshpmGetIssuerHandles: O=Cisco Systems, CN=Cisco Manufacturing CA

*Oct 10 09:17:53.080: sshpmGetIssuerHandles: Mac Address in subject is 00:1b:53:9b:2a:46

*Oct 10 09:17:53.080: sshpmGetIssuerHandles: Cert Name in subject is C1100-001b539b2a46

*Oct 10 09:17:53.080: sshpmGetIssuerHandles: Cert is issued by Cisco Systems.

*Oct 10 09:17:53.080: sshpmGetCID: called to evaluate

*Oct 10 09:17:53.080: sshpmGetCID: comparing to row 0, CA cert >bsnOldDefaultCaCert<

*Oct 10 09:17:53.080: sshpmGetCID: comparing to row 1, CA cert >bsnDefaultRootCaCert<

*Oct 10 09:17:53.080: sshpmGetCID: comparing to row 2, CA cert >bsnDefaultCaCert<

*Oct 10 09:17:53.080: sshpmGetCID: comparing to row 3, CA cert >bsnDefaultBuildCert<

*Oct 10 09:17:53.080: sshpmGetCID: comparing to row 4, CA cert >cscoDefaultNewRootCaCert<

*Oct 10 09:17:53.080: sshpmGetCID: comparing to row 5, CA cert >cscoDefaultMfgCaCert<

*Oct 10 09:17:53.080: sshpmGetCertFromCID: called to get cert for CID 226db043

*Oct 10 09:17:53.080: sshpmGetCertFromCID: comparing to row 0, certname >bsnOldDefaultCaCert<

*Oct 10 09:17:53.080: sshpmGetCertFromCID: comparing to row 1, certname >bsnDefaultRootCaCert<

*Oct 10 09:17:53.080: sshpmGetCertFromCID: comparing to row 2, certname >bsnDefaultCaCert<

*Oct 10 09:17:53.080: sshpmGetCertFromCID: comparing to row 3, certname >bsnDefaultBuildCert<

*Oct 10 09:17:53.080: sshpmGetCertFromCID: comparing to row 4, certname >cscoDefaultNewRootCaCert<

*Oct 10 09:17:53.080: sshpmGetCertFromCID: comparing to row 5, certname >cscoDefaultMfgCaCert<

*Oct 10 09:17:53.080: ssphmUserCertVerify: calling x509_decode()

*Oct 10 09:17:53.087: ssphmUserCertVerify: user cert verfied using >cscoDefaultMfgCaCert<

*Oct 10 09:17:53.087: sshpmGetIssuerHandles: ValidityString (current): 2009/10/10/09:17:53

*Oct 10 09:17:53.087: sshpmGetIssuerHandles: ValidityString (NotBefore): 2007/03/19/06:38:29

*Oct 10 09:17:53.087: sshpmGetIssuerHandles: ValidityString (NotAfter): 2017/03/19/06:48:29

*Oct 10 09:17:53.087: sshpmGetIssuerHandles: getting cisco ID cert handle...

*Oct 10 09:17:53.087: sshpmGetCID: called to evaluate

*Oct 10 09:17:53.087: sshpmGetCID: comparing to row 0, CA cert >bsnOldDefaultCaCert<

*Oct 10 09:17:53.087: sshpmGetCID: comparing to row 1, CA cert >bsnDefaultRootCaCert<

*Oct 10 09:17:53.087: sshpmGetCID: comparing to row 2, CA cert >bsnDefaultCaCert<

*Oct 10 09:17:53.087: sshpmGetCID: comparing to row 3, CA cert >bsnDefaultBuildCert<

*Oct 10 09:17:53.087: sshpmGetCID: comparing to row 4, CA cert >cscoDefaultNewRootCaCert<

*Oct 10 09:17:53.087: sshpmGetCID: comparing to row 5, CA cert >cscoDefaultMfgCaCert<

*Oct 10 09:17:53.087: sshpmGetCID: comparing to row 0, ID cert >bsnOldDefaultIdCert<

*Oct 10 09:17:53.087: sshpmGetCID: comparing to row 1, ID cert >bsnDefaultIdCert<

*Oct 10 09:17:53.087: sshpmGetCID: comparing to row 2, ID cert >cscoDefaultIdCert<

*Oct 10 09:17:53.088: sshpmFreePublicKeyHandle: called with 0x18cd4abc

New Member

Re: why ap1121G-A cant join 4404 WLC

read the release notes, the 1120 is no longer supported, i believe as of 5.0.

New Member

Re: why ap1121G-A cant join 4404 WLC

1121Gs (listed as 1100s) are still supported, per the 6.0.182.0 release notes.

New Member

Re: why ap1121G-A cant join 4404 WLC

first,thanks everyone.now the problem had resulation.because the ap belong to us.so when we add the country code .the ap can join WLC.

New Member

Re: why ap1121G-A cant join 4404 WLC

I ran into the exactly same problem and found out that it is probably related to this:

http://www.cisco.com/en/US/ts/fn/200/fn21973.html

(we didn't care back then, 11 channels were enough and TX power could be limited)

All our units with affected serial numbers (ex. FHK0645....) don't work after the conversion, because the country code on the Controller is -E. They load the recovery image and connect to the controller, but once the controller image is downloaded they end up in a reboot loop.

So thanks for the hint.

Greetings

Rufer

950
Views
10
Helpful
14
Replies