Self-Signed Certificate Manual Addition to the Controller for LWAPP-Converted APs

Available Languages

Download Options

  • PDF     (99.6 KB)
    View with Adobe Reader on a variety of devices
Updated:August 4, 2008
Document ID:70341

Bias-Free Language

The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.

Introduction

This document explains the methods that you can use in order to manually add self-signed certificates (SSCs) to a Cisco Wireless LAN (WLAN) Controller (WLC).

The SSC of an access point (AP) should exist on all WLCs in the network to which the AP has permission to register. As a general rule, apply the SSC to all WLCs in the same mobility group. When addition of the SSC to the WLC does not occur through the upgrade utility, you must manually add the SSC to the WLC with use of the procedure in this document. You also need this procedure when an AP is moved to a different network or when additional WLCs are added to the existing network.

You can recognize this problem when a Lightweight AP Protocol (LWAPP)-converted AP does not associate to the WLC. When you troubleshoot the association problem, you see these outputs when you issue these debugs:

  • When you issue the debug pm pki enable command, you see:

    (Cisco Controller) >debug pm pki enable
Thu Jan 26 20:22:50 2006: sshpmGetIssuerHandles: locking ca cert table
Thu Jan 26 20:22:50 2006: sshpmGetIssuerHandles: calling x509_alloc() for user cert
Thu Jan 26 20:22:50 2006: sshpmGetIssuerHandles: calling x509_decode()
Thu Jan 26 20:22:50 2006: sshpmGetIssuerHandles: <subject> L=San Jose, ST=
California, C=US, O=Cisco Systems, MAILTO=support@cisco.com, CN=C1130-00146a1b3744 
Thu Jan 26 20:22:50 2006: sshpmGetIssuerHandles: <issuer>  L=San Jose, ST=
California, C=US, O=Cisco Systems, MAILTO=support@cisco.com, CN=C1130-00146a1b3744 
Thu Jan 26 20:22:50 2006: sshpmGetIssuerHandles: Mac Address in subject is 
00:XX:XX:XX:XX
Thu Jan 26 20:22:50 2006: sshpmGetIssuerHandles: Cert is issued by Cisco Systems.
Thu Jan 26 20:22:50 2006: sshpmGetIssuerHandles: SSC is not allowed by config; 
bailing...
Thu Jan 26 20:22:50 2006: sshpmFreePublicKeyHandle: called with (nil)
Thu Jan 26 20:22:50 2006: sshpmFreePublicKeyHandle: NULL argument.

  • When you issue the debug lwapp events enable command, you see:

    (Cisco Controller) >debug lwapp errors enable
....
Thu Jan 26 20:23:27 2006: Received LWAPP DISCOVERY REQUEST from AP 
00:13:5f:f8:c3:70 to ff:ff:ff:ff:ff:ff on port '1'
Thu Jan 26 20:23:27 2006: Successful transmission of LWAPP Discovery-Response to 
AP 00:13:5f:f8:c3:70 on Port 1
Thu Jan 26 20:23:27 2006: Received LWAPP JOIN REQUEST from AP 00:13:5f:f9:dc:b0 to 
06:0a:10:10:00:00 on port '1'
Thu Jan 26 20:23:27 2006: sshpmGetIssuerHandles: locking ca cert table
Thu Jan 26 20:23:27 2006: sshpmGetIssuerHandles: calling x509_alloc() for user cert
Thu Jan 26 20:23:27 2006: sshpmGetIssuerHandles: calling x509_decode()
Thu Jan 26 20:23:27 2006: sshpmGetIssuerHandles: <subject> L=San Jose, ST=
California, C=US, O=Cisco Systems, MAILTO=support@cisco.com, CN=C1130-00146a1b321a 
Thu Jan 26 20:23:27 2006: sshpmGetIssuerHandles: <issuer>  L=San Jose, ST=
California, C=US, O=Cisco Systems, MAILTO=support@cisco.com, CN=C1130-00146a1b321a 
Thu Jan 26 20:23:27 2006: sshpmGetIssuerHandles: Mac Address in subject is 
00:14:6a:1b:32:1a

Thu Jan 26 20:23:27 2006: sshpmGetIssuerHandles: Cert is issued by Cisco Systems.
Thu Jan 26 20:23:27 2006: sshpmGetIssuerHandles: SSC is not allowed by config; 
bailing...
Thu Jan 26 20:23:27 2006: LWAPP Join-Request does not include valid certificate 
in CERTIFICATE_PAYLOAD from AP 00:13:5f:f9:dc:b0.
Thu Jan 26 20:23:27 2006: sshpmFreePublicKeyHandle: called with (nil)
Thu Jan 26 20:23:27 2006: sshpmFreePublicKeyHandle: NULL argument.
Thu Jan 26 20:23:27 2006: Unable to free public key for AP  00:13:5F:F9:DC:B0 
Thu Jan 26 20:23:27 2006: spamDeleteLCB: stats timer not initialized for AP 
00:13:5f:f9:dc:b0
Thu Jan 26 20:23:27 2006: spamProcessJoinRequest : spamDecodeJoinReq failed

Prerequisites

Requirements

Ensure that you meet these requirements before you attempt this configuration:

  • The WLC does not contain the SSC that the upgrade utility generated.

  • The APs contain an SSC.

  • Telnet is enabled on the WLC and the AP.

  • The minimum version of pre-LWAPP Cisco IOS® Software code is on the AP to be upgraded.

Components Used

The information in this document is based on these software and hardware versions:

  • Cisco 2006 WLC that runs firmware 3.2.116.21 with no SSC installed

  • Cisco Aironet 1230 Series AP with an SSC

The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.

Conventions

Refer to the Cisco Technical Tips Conventions for more information on document conventions.

Background Information

In the Cisco Centralized WLAN architecture, APs operate in lightweight mode. The APs associate to a Cisco WLC with use of the LWAPP. LWAPP is an Internet Engineering Task Force (IETF) draft protocol that defines the control messaging for setup and path authentication and run-time operations. LWAPP also defines the tunneling mechanism for data traffic.

A lightweight AP (LAP) discovers a WLC with use of LWAPP discovery mechanisms. The LAP then sends the WLC an LWAPP join request. The WLC sends the LAP an LWAPP join response that allows the LAP to join the WLC. When the LAP is joined to the WLC, the LAP downloads the WLC software if the revisions on the LAP and the WLC do not match. Subsequently, the LAP is completely under the control of the WLC.

LWAPP secures the control communication between the AP and the WLC by means of a secure key distribution. The secure key distribution requires already provisioned X.509 digital certificates on both the LAP and the WLC. Factory-installed certificates are referenced with the term "MIC", which is an acronym for Manufacturing Installed Certificate. Aironet APs that shipped before July 18, 2005, do not have MICs. So these APs create an SSC when they are converted to operate in lightweight mode. Controllers are programmed to accept SSCs for the authentication of specific APs.

This is the upgrade process:

  1. The user runs an upgrade utility that accepts an input file with a list of APs and their IP addresses, in addition to their login credentials.

  2. The utility establishes Telnet sessions with the APs and sends a series of Cisco IOS Software commands in the input file in order to prepare the AP for the upgrade. These commands include the commands to create the SSCs. Also, the utility establishes a Telnet session with the WLC in order to program the device to allow the authorization of specific SSC APs.

  3. The utility then loads Cisco IOS Software Release 12.3(7)JX onto the AP so that the AP can join the WLC.

  4. After the AP joins the WLC, the AP downloads a complete Cisco IOS Software version from the WLC. The upgrade utility generates an output file that includes the list of APs and corresponding SSC key-hash values that can be imported into the Wireless Control System (WCS) management software.

  5. The WCS can then send this information to other WLCs on the network.

After an AP joins a WLC, you can reassign the AP to any WLC on your network, if necessary.

Locate the SHA1 Key Hash

If the computer that performed the AP conversion is available, you can obtain the Secure Hash Algorithm 1 (SHA1) Key Hash from the .csv file that is in the Cisco Upgrade Tool directory. If the .csv file is unavailable, you can issue a debug command on the WLC in order to retrieve the SHA1 Key Hash.

Complete these steps:

  1. Turn on the AP and connect it to the network.

  2. Enable the debugging on the WLC command-line interface (CLI).

    The command is debug pm pki enable.

    (Cisco Controller) >debug pm pki enable
Mon May 22 06:34:10 2006: sshpmGetIssuerHandles: getting (old) aes ID cert handle...
Mon May 22 06:34:10 2006: sshpmGetCID: called to evaluate <bsnOldDefaultIdCert>
Mon May 22 06:34:10 2006: sshpmGetCID: comparing to row 0, CA cert 
>bsnOldDefaultCaCert<
Mon May 22 06:34:10 2006: sshpmGetCID: comparing to row 1, CA cert 
>bsnDefaultRootCaCert<
Mon May 22 06:34:10 2006: sshpmGetCID: comparing to row 2, CA cert 
>bsnDefaultCaCert<
Mon May 22 06:34:10 2006: sshpmGetCID: comparing to row 3, CA cert 
>bsnDefaultBuildCert<
Mon May 22 06:34:10 2006: sshpmGetCID: comparing to row 4, CA cert 
>cscoDefaultNewRootCaCert<
Mon May 22 06:34:10 2006: sshpmGetCID: comparing to row 5, CA cert 
>cscoDefaultMfgCaCert<
Mon May 22 06:34:10 2006: sshpmGetCID: comparing to row 0, ID cert 
>bsnOldDefaultIdCert<
Mon May 22 06:34:10 2006: sshpmGetIssuerHandles: Calculate SHA1 hash on Public Key 
Data
Mon May 22 06:34:10 2006: sshpmGetIssuerHandles: Key Data  30820122 300d0609 
2a864886 f70d0101 
Mon May 22 06:34:10 2006: sshpmGetIssuerHandles: Key Data  01050003 82010f00 
3082010a 02820101 
Mon May 22 06:34:10 2006: sshpmGetIssuerHandles: Key Data  00c805cd 7d406ea0 
cad8df69 b366fd4c 
Mon May 22 06:34:10 2006: sshpmGetIssuerHandles: Key Data  82fc0df0 39f2bff7 
ad425fa7 face8f15 
Mon May 22 06:34:10 2006: sshpmGetIssuerHandles: Key Data  f356a6b3 9b876251 
43b95a34 49292e11 
Mon May 22 06:34:10 2006: sshpmGetIssuerHandles: Key Data  038181eb 058c782e 
56f0ad91 2d61a389 
Mon May 22 06:34:10 2006: sshpmGetIssuerHandles: Key Data  f81fa6ce cd1f400b 
b5cf7cef 06ba4375 
Mon May 22 06:34:10 2006: sshpmGetIssuerHandles: Key Data  dde0648e c4d63259 
774ce74e 9e2fde19 
Mon May 22 06:34:10 2006: sshpmGetIssuerHandles: Key Data  0f463f9e c77b79ea 
65d8639b d63aa0e3 
Mon May 22 06:34:10 2006: sshpmGetIssuerHandles: Key Data  7dd485db 251e2e07 
9cd31041 b0734a55 
Mon May 22 06:34:14 2006: sshpmGetIssuerHandles: Key Data  463fbacc 1a61502d 
c54e75f2 6d28fc6b 
Mon May 22 06:34:14 2006: sshpmGetIssuerHandles: Key Data  82315490 881e3e31 
02d37140 7c9c865a 
Mon May 22 06:34:14 2006: sshpmGetIssuerHandles: Key Data  9ef3311b d514795f 
7a9bac00 d13ff85f 
Mon May 22 06:34:14 2006: sshpmGetIssuerHandles: Key Data  97e1a693 f9f6c5cb 
88053e8b 7fae6d67 
Mon May 22 06:34:14 2006: sshpmGetIssuerHandles: Key Data  ca364f6f 76cf78bc 
bc1acc13 0d334aa6 
Mon May 22 06:34:14 2006: sshpmGetIssuerHandles: Key Data  031fb2a3 b5e572df 
2c831e7e f765b7e5 
Mon May 22 06:34:14 2006: sshpmGetIssuerHandles: Key Data  fe64641f de2a6fe3 
23311756 8302b8b8 
Mon May 22 06:34:14 2006: sshpmGetIssuerHandles: Key Data  1bfae1a8 eb076940 
280cbed1 49b2d50f 
Mon May 22 06:34:14 2006: sshpmGetIssuerHandles: Key Data  f7020301 0001
Mon May 22 06:34:14 2006: sshpmGetIssuerHandles: SSC Key Hash is 
9e4ddd8dfcdd8458ba7b273fc37284b31a384eb9
Mon May 22 06:34:14 2006: LWAPP Join-Request MTU path from AP 00:0e:84:32:04:f0 
is 1500, remote debug mode is 0
Mon May 22 06:34:14 2006: spamRadiusProcessResponse: AP Authorization failure for 
00:0e:84:32:04:f0

Add the SSC to the WLC

Task

In this section, you are presented with the information to configure the features described in this document.

GUI Configuration

Complete these steps from the GUI:

  1. Choose Security > AP Policies and click Enabled beside Accept Self Signed Certificate.

    manual_add_ssc1.gif

  2. Select SSC from the Certificate Type drop-down menu.

    manual_add_ssc2.gif

  3. Enter the MAC address of the AP and the hash key, and click Add.

CLI Configuration

Complete these steps from the CLI:

  1. Enable Accept Self Signed Certificate on the WLC.

    The command is config auth-list ap-policy ssc enable.

    (Cisco Controller) >config auth-list ap-policy ssc enable

  2. Add the AP MAC address and hash key to the authorization list.

    The command is config auth-list add ssc AP_MAC AP_key .

    (Cisco Controller) >config auth-list add ssc 00:0e:84:32:04:f0 
9e4ddd8dfcdd8458ba7b273fc37284b31a384eb9

!--- This command should be on one line.

Verify

Use this section to confirm that your configuration works properly.

GUI Verification

Complete these steps:

  1. In the AP Policies window, verify that the AP MAC address and SHA1 Key Hash appear in the AP Authorization List area.

    manual_add_ssc3.gif

  2. In the All APs window, verify that all APs are registered with the WLC.

    manual_add_ssc4.gif

CLI Verification

The Output Interpreter Tool (registered customers only) (OIT) supports certain show commands. Use the OIT to view an analysis of show command output.

  • show auth-list—Displays the AP authorization list.

  • show ap summary—Displays a summary of all connected APs.

Troubleshoot

There is currently no specific troubleshooting information available for this configuration.

Related Information

Revision History

Revision Publish Date Comments
1.0
01-Dec-2013
Initial Release

Was this Document Helpful?

FeedbackFeedback

Contact Cisco