Configuration Using the Catalyst 9800 CLI
The following steps show how to generate an RSA key pair, configure a trustpoint, request a certificate from an external Certificate Authority (CA) using manual or automatic enrollment, and finally assign the trustpoint to a particular service.
What to do next
Create an RSA Key Pair using the CLI
Keys in a PKI system are used to sign, encrypt and decrypt data. A key pair (a public and a private key) is required before you can obtain a certificate for your controller. The end host (here the controller) must generate a pair of keys and send the public key to the certification authority (CA) to obtain a certificate and enroll in a PKI. To generate key pairs, perform the following procedure on the controller's CLI:
Before you begin
Ensure that you have an understanding of the PKI framework.
Procedure
Step 1: enable
Enables privileged EXEC mode. Enter your password if prompted.
Step 2: configure terminal
Enters global configuration mode.
Step 3: crypto key generate rsa
Generates one general-purpose RSA key pair. The default key modulus is 1024; use the modulus keyword to specify another size. A 1024-bit modulus is too weak for current use and most CAs reject CSRs signed with it, so specify modulus 2048 or larger.
Step 4: crypto key generate rsa label key-pair-label [modulus size]
(Optional) Assigns a label to the key pair. The label is referenced by the trustpoint that uses the key pair, so we recommend that you use the same name for both the key pair and the trustpoint. If you do not assign a label, the key pair is automatically labeled Default-RSA-Key. Here we have named the key ewlc-keys.
Step 5: exit
Exits global configuration mode and returns to privileged EXEC mode.
Step 6: show crypto key mypubkey rsa key-pair-label
(Optional) Displays the RSA public keys of your controller and verifies the key pairs that you have generated.
Step 7: write memory
Saves the key pair you have generated into secure storage. A key pair that has not been saved is lost on reload.
This concludes the successful creation of an RSA keypair.
What to do next
Create a Trustpoint using the CLI
Trustpoints help to manage and track CAs and certificates that are used by the different services on the controller. Trustpoints work with RSA key pairs, hence we recommend that you use the same name for the key pair and trustpoint during configuration. To configure a trustpoint, perform the following steps:
Before you begin
Ensure that you have created an RSA key pair to be associated with the trustpoint.
Procedure
Step 1: enable
Enables privileged EXEC mode. Enter your password if prompted.
Step 2: configure terminal
Enters global configuration mode.
Step 3: crypto pki trustpoint trustpoint-name
Creates a trustpoint that corresponds to the CA from which the controller needs to receive a certificate, and enters crypto ca trustpoint configuration mode, in which you configure the CA-specific trustpoint parameters that follow.
Step 4: Do one of the following:
enrollment url url
Requests automatic enrollment using SCEP with the specified trustpoint and configures the enrollment URL of the SCEP server.
enrollment terminal pem
Requests manual enrollment with the specified trustpoint; the CA certificate and the signed device certificate received from the CA are pasted into the terminal in PEM format.
Step 5: subject-name subject-name
Sets the subject name (for example, CN=hostname,O=organization) placed in the certificate request. The Common Name should be the name that clients use to reach the service that will use this certificate.
Step 6: rsakeypair key-pair-label
Maps the RSA key pair created earlier to the trustpoint.
Step 7: revocation-check {crl | none | ocsp}
Sets one or more methods for revocation checking: CRL, OCSP, or none. Setting none disables revocation checking for certificates validated against this trustpoint, so use it only when no CRL or OCSP endpoint is reachable from the controller.
Step 8: exit
Exits crypto ca trustpoint configuration mode and returns to global configuration mode; enter exit again to return to privileged EXEC mode.
This concludes the creation of the trustpoint.
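The two procedures above carried through on the controller CLI, as an added example that is not from the original page or from Cisco. The key label ewlc-keys, the trustpoint name ewlc-tp, the hostname, organization and CA URL are assumptions; step 4's two enrollment choices are both shown, with the manual one commented out.

```cisco
! Added example: RSA key pair plus trustpoint on a Catalyst 9800.
! Names (ewlc-keys, ewlc-tp), hostname, organization and CA URL are assumptions.
Device> enable
Device# configure terminal
! 2048 bits is the floor most CAs accept; 1024 is the IOS default and is too weak.
! Without the "exportable" keyword the private key cannot leave the controller.
Device(config)# crypto key generate rsa label ewlc-keys modulus 2048
Device(config)# crypto pki trustpoint ewlc-tp
! Step 4, option 1: automatic enrollment over SCEP (Microsoft NDES URL form).
Device(ca-trustpoint)# enrollment url http://ca.example.com/certsrv/mscep/mscep.dll
! Step 4, option 2: manual cut-and-paste enrollment; use instead of the URL above.
! Device(ca-trustpoint)# enrollment terminal pem
! The CN must be the name clients connect to (webauth virtual host, GUI hostname).
Device(ca-trustpoint)# subject-name CN=ewlc.example.com,O=Example Corp
Device(ca-trustpoint)# rsakeypair ewlc-keys
! Sign the CSR with SHA-256; many CAs refuse SHA-1 requests.
Device(ca-trustpoint)# hash sha256
! Check the CA's CRL. "none" accepts revoked peer certificates, so reserve it for
! controllers that cannot reach any CRL or OCSP endpoint.
Device(ca-trustpoint)# revocation-check crl
Device(ca-trustpoint)# exit
Device(config)# exit
! Save now: an unsaved key pair does not survive a reload.
Device# write memory
Device# show crypto key mypubkey rsa ewlc-keys
Device# show crypto pki trustpoints ewlc-tp
```

The last two show commands confirm that the key pair exists with the expected modulus and that the trustpoint references it; enrollment has not happened yet at this point, so no certificate is listed.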
What to do next
Authenticate and Enroll the Trustpoint using the CLI
Certificate enrollment, which is the process of obtaining a certificate from a certification authority (CA), occurs between the end host that requests the certificate and the CA. Each peer that participates in the public key infrastructure (PKI) must enroll with a CA. You can choose to enroll the trustpoint manually or automatically. Select from the options below.
Authenticate and Enroll a Trustpoint Manually using the CLI
OR
Authenticate and Enroll a Trustpoint Automatically using the CLI
Authenticate and Enroll a Trustpoint Manually using the CLI
Manual certificate enrollment can be set up via TFTP or the manual cut-and-paste method. Both options can be used if your CA does not support SCEP or if a network connection between the controller and CA is not possible.
This configuration shows how to manually enroll, obtain and install the CA server certificate and the controller's device certificate. It uses an existing enterprise CA (Windows Certificate Server 2012) and does not cover the steps to set up a Windows Certificate Server CA from scratch. This procedure involves the following.
- Authenticate the trustpoint: obtain and accept the certificate of the CA that signs the device certificate.
- Enroll the trustpoint: create a Certificate Signing Request (CSR), submit it to the CA and obtain the signed device certificate.
- Install the certificate: load the certificate into the Wireless LAN Controller.
To authenticate, enroll and install the trustpoint manually using the cut-and-paste method, perform the following procedure on the controller:
Before you begin
Before you authenticate and enroll a trustpoint you should:
- have created an RSA key pair and a trustpoint, and specified the enrollment method as manual by issuing the command Device(ca-trustpoint)# enrollment terminal pem. See step 4 of Create a Trustpoint using the CLI to configure this.
- understand the certificate extensions and the procedure to convert the certificate to a format that the controller accepts (Base 64 encoded PEM).
- understand the transport type that you will use to import the certificate or certificate chain from your CA, in case the keys and the Certificate Signing Request were generated outside the controller.
Procedure
Step 1: Go to your enterprise CA web enrollment page in the browser (usually https://<CA-ip>/certsrv). Authenticate as administrator and click Download a CA certificate, certificate chain, or CRL.
Step 2: Under Encoding method, select Base 64 and click Download CA certificate.
Step 3: Copy the Base 64 encoded CA certificate contents into a text editor.
Step 4: Log in to the controller CLI (over SSH rather than Telnet, which sends your credentials in clear text) and authenticate the trustpoint with crypto pki authenticate trustpoint-name, pasting the CA certificate when prompted. Compare the fingerprint that the controller displays with the fingerprint published by your CA before you accept it.
Step 5: Generate the CSR with crypto pki enroll trustpoint-name. With manual enrollment the controller prints the request as a Base 64 string; copy the full string, including the BEGIN and END lines, because this is what you submit to the CA for signing.
Step 6: Go back to the CA page (https://<CA-ip>/certsrv), authenticate as administrator and click Request a certificate.
Step 7: Click Advanced certificate request, paste the CSR, select Web Server in the Certificate Template drop-down list and click Submit.
Step 8: Select Base 64 encoded and download the certificate.
Step 9: Log in to the controller CLI again and import the device certificate that you received from your CA with crypto pki import trustpoint-name certificate, pasting the Base 64 certificate when prompted.
This concludes the successful authentication and subsequent enrollment of the trustpoint. It means that the certificate requested by the controller from the CA server is available and ready to be assigned to a specific service.
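The manual exchange above as a complete CLI session, added here as an example that is not part of the original page or Cisco's documentation. It assumes a trustpoint ewlc-tp configured with enrollment terminal pem; the certificate bodies are abbreviated, the fingerprint values are constructed placeholders, and the controller's prompt text is reproduced from memory and may differ slightly between releases.

```cisco
! Added example: manual (cut-and-paste) authentication and enrollment of trustpoint ewlc-tp.
! Assumes "enrollment terminal pem" on the trustpoint. Certificate bodies are abbreviated
! and fingerprints are placeholders.
Device# configure terminal
! 1. Authenticate: paste the Base 64 CA certificate downloaded from /certsrv.
Device(config)# crypto pki authenticate ewlc-tp
Enter the base 64 encoded CA certificate.
End with a blank line or the word "quit" on a line by itself
-----BEGIN CERTIFICATE-----
MIID...(Base 64 CA certificate)...
-----END CERTIFICATE-----
quit
Certificate has the following attributes:
       Fingerprint MD5: ...
      Fingerprint SHA1: ...
% Do you accept this certificate? [yes/no]:
! Answer "yes" only after matching the SHA1 fingerprint against the value the CA
! administrator gave you out of band. This prompt is the trust decision for everything
! the trustpoint later validates; pasting the wrong CA here is not detected afterwards.
yes
! 2. Enroll: the controller prints the CSR in PEM because of "enrollment terminal pem".
Device(config)# crypto pki enroll ewlc-tp
...
Display Certificate Request to terminal? [yes/no]: yes
-----BEGIN CERTIFICATE REQUEST-----
MIIC...(copy the whole block, BEGIN and END lines included, into the CA's
Advanced certificate request page with the Web Server template)...
-----END CERTIFICATE REQUEST-----
! 3. Import the signed device certificate returned by the CA.
! If the device certificate was issued by an intermediate CA, step 1 must have been done
! with that intermediate's certificate (the actual issuer), not with the root.
Device(config)# crypto pki import ewlc-tp certificate
Enter the base 64 encoded certificate.
End with a blank line or the word "quit" on a line by itself
-----BEGIN CERTIFICATE-----
MIIE...(Base 64 device certificate)...
-----END CERTIFICATE-----
quit
% Router Certificate successfully imported
Device(config)# end
Device# write memory
! Both a CA certificate and a device certificate should be listed under ewlc-tp.
Device# show crypto pki certificates ewlc-tp
```

If the import fails with a subject or key mismatch, the most common cause is a CSR generated after the trustpoint's key pair was regenerated; re-run crypto pki enroll and submit the new request.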
What to do next
Authenticate and Enroll a Trustpoint Automatically using the CLI
The following configuration shows how to request a certificate from an external Certificate Authority using automatic enrollment. It does not include the steps for setting up Windows Server 2012 R2, nor does it cover the steps for setting up the Simple Certificate Enrollment Protocol (SCEP) server. Refer to the SCEP document listed in Additional References for Trustpoint Configuration on Catalyst 9800 for specific configuration details.
With SCEP, the CA and device certificates are received from the CA server, and later installed automatically on the controller.
This procedure involves the following.
- Authenticate the trustpoint: obtain and accept the certificate of the CA that signs the device certificate.
- Enroll the trustpoint: obtain the signed device certificate from the Certificate Authority over SCEP.
- Install the certificate: load the certificate into the Wireless LAN Controller.
You can use automatic enrollment for any certificate. In this example, we will specifically talk about Locally Significant Certificates that are used for AP Join. Once you receive the certificates, you will need to provision the AP with the certificate.
Note: Since LSCs can be used for both AP Join and 802.1X port authorization, the AP authorization state is by default set to use the LSC for CAPWAP-DTLS sessions. This document does not cover the additional configuration required to use the LSC for 802.1X port authorization.
To authenticate, enroll and install the certificate automatically using the SCEP server perform the following procedure on the controller:
Before you begin
Before you authenticate and enroll a trustpoint you should:
- have set up an external Certificate Authority and SCEP server and have a good understanding of both.
- have created an RSA key pair and a trustpoint, and specified the enrollment method as automatic by issuing the command Device(ca-trustpoint)# enrollment url http://<CA-server-IP>/certsrv/mscep/mscep.dll. This means that certificates will be obtained from the specified Certificate Authority server over SCEP. See step 4 of Create a Trustpoint using the CLI.
Procedure
Step 1: enable
Enables privileged EXEC mode. Enter your password if prompted.
Step 2: configure terminal
Enters global configuration mode.
Step 3: crypto pki authenticate trustpoint-name
Authenticates the trustpoint. This step retrieves the CA certificate for the configured trustpoint over SCEP and imports it, so that the controller trusts your CA. Verify the fingerprint that is displayed against the fingerprint published by your CA before accepting it, unless you have pinned the fingerprint under the trustpoint.
Step 4: crypto pki enroll trustpoint-name
Enrolls the controller with the trustpoint. Generates a certificate request for signing data and, depending on the type of keys that you have configured, for encrypting data, and sends it to the CA over SCEP. Enrollment completes when the CA issues a certificate for the request generated by the crypto pki enroll command and the controller installs it under the trustpoint.
Step 5: exit
Exits global configuration mode and enters privileged EXEC mode.
Step 6: write memory
Saves your entries in the configuration file.
Step 7: show crypto pki certificates
Verifies that enrollment was successful by displaying the certificate issued to the controller and the CA certificate for the trustpoint.
This concludes the successful authentication and subsequent enrollment of the trustpoint. In other words, it means that the certificate requested by the controller from the CA server is available and ready to be used by a specific service.
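The SCEP procedure above as one CLI session, added here as an example that is not part of the original page or Cisco's documentation. It assumes the trustpoint ewlc-tp already exists with enrollment url configured (see Create a Trustpoint using the CLI) and only adds what the automatic path needs; the fingerprint value is a placeholder for the real CA certificate fingerprint obtained from the CA administrator.

```cisco
! Added example: SCEP authentication and enrollment against an existing trustpoint ewlc-tp
! that already has "enrollment url" configured. The fingerprint below is a placeholder.
Device# configure terminal
Device(config)# crypto pki trustpoint ewlc-tp
! SCEP usually runs over plain HTTP, so nothing on the wire authenticates the CA.
! Pinning the CA fingerprint makes "crypto pki authenticate" fail closed on a mismatch
! instead of asking an operator to eyeball it. Use the hex fingerprint the CA publishes.
Device(ca-trustpoint)# fingerprint 0123456789ABCDEF0123456789ABCDEF01234567
! Re-enroll automatically at 80% of the certificate lifetime with a fresh key pair, so
! the controller does not lose its services when the certificate expires.
Device(ca-trustpoint)# auto-enroll 80 regenerate
Device(ca-trustpoint)# exit
! Authenticate: fetch the CA certificate over SCEP and compare it with the pinned value.
Device(config)# crypto pki authenticate ewlc-tp
! Enroll: generate the CSR and send it over SCEP. Microsoft NDES prompts for a one-time
! challenge password taken from http://<CA-ip>/certsrv/mscep_admin; it is consumed on use
! and expires, so fetch it immediately before running this command.
Device(config)# crypto pki enroll ewlc-tp
Device(config)# end
Device# write memory
! Both the CA certificate and the device certificate should now be listed.
Device# show crypto pki certificates ewlc-tp
Device# show crypto pki trustpoints ewlc-tp status
```

Pinning with fingerprint matters most for SCEP because the enrollment URL is reachable by anyone on the path; an attacker who can answer the GetCACert request first would otherwise have the controller trust their CA.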
What to do next
If you are using the LSC certificate for AP Join, first provision the AP with the LSC. Refer to Provision Access Points with Locally Significant Certificates using the CLI. Next assign the trustpoint for AP Join using LSC, refer to Assign a Trustpoint for AP Join with LSC using the CLI.
OR
If you want to use the automatically obtained certificate for any other service, refer to Assign a Trustpoint for a Specific Service using the CLI
Configure AP with MIC/SUDI to join Controller with LSC using the CLI
Starting from release 17.5, you can onboard an AP with a MIC/SUDI certificate to join a LSC deployed controller. Earlier, an AP with the default MIC/SUDI certificate would fail to join a controller whose wireless management trustpoint had been set to use an LSC. You would need to separately provision the AP with the LSC on a staging server before it could join the controller using the LSC. With release 17.5, the new authorization policy on the AP allows APs with MIC to join an LSC deployed controller.
To enable authorization on the AP's certificate policy perform the following task on the controller:
Procedure
Step 1: enable
Enables privileged EXEC mode. Enter your password if prompted.
Step 2: configure terminal
Enters global configuration mode.
Step 3: ap auth-list ap-cert-policy allow-mic-ap
Enables the AP certificate policy, which allows APs with a MIC to join during the CAPWAP-DTLS handshake.
Step 4: ap auth-list ap-cert-policy allow-mic-ap trustpoint trustpoint-name
Configures the trustpoint name for the controller certificate chain. When APs join a virtual controller they need to be aware of the trustpoint used by the wireless management interface. On all other (appliance) controller platforms the default MIC certificate is selected; this default certificate is the manufacturer-installed SUDI.
Step 5: ap auth-list ap-cert-policy {mac-address AP-Ethernet-MAC-address | serial-number AP-serial-number} policy-type mic
Configures the list of APs, by Ethernet MAC address or by assembly serial number, that are allowed to join using the MIC.
Step 6: exit
Exits global configuration mode and enters privileged EXEC mode.
Step 7: show ap auth-list ap-cert-policy
Verifies whether the AP has been authorized to join using the MIC.
Step 8: show ap auth-list ap-cert-policy mac-address
Verifies whether an AP has been selected for the authorization policy, based on its MAC address or serial number.
What to do next
If you want the AP to use the LSC, provision it using the steps in Provision Access Points with Locally Significant Certificates using the CLI.
Provision Access Points with Locally Significant Certificates using the CLI
Other than Manufacturer Installed Certificate (MIC) or Secure Unique Device Identifier (SUDI) certificates, Access Points (AP) can also be provisioned with Locally Significant Certificates (LSC). For APs to be provisioned with LSCs, the controller acts as a proxy for the AP: the request to have the AP's certificate issued and signed by the CA is initiated by the controller. Once the controller receives the third-party certificates, it pushes them to the AP, and the AP is then provisioned with the LSC.
For LSC certificates that have been issued by an intermediate certificate authority:
- Ensure that you select the associated trustpoint and RSA key pair, created earlier, while provisioning the AP.
- Ensure that you import the complete chain of CA certificates into the trustpool using the command Device(config)# crypto pki trustpool import. The complete chain should be present on the controller, otherwise you will not be able to provision the AP. This step is not required if the certificate has been issued by a root CA.
To provision the APs with the certificates perform the following task on the controller:
Before you begin
Before you start provisioning APs with an LSC, ensure that:
- The trustpoint is valid and has been enrolled.
- There is an RSA key pair associated with the trustpoint.
Procedure
Step 1: enable
Enables privileged EXEC mode. Enter your password if prompted.
Step 2: configure terminal
Enters global configuration mode.
Step 3: ap lsc-provision subject-name-parameter subject-name-parameters
Configures the subject name parameters for the AP's device certificate.
Step 4: ap lsc-provision join-attempt number-of-attempts
Sets the number of unsuccessful join attempts after which the AP falls back to the MIC to join the controller.
Step 5: ap lsc-provision trustpoint trustpoint-name
Selects the previously created trustpoint to be associated with this LSC.
Step 6: ap lsc-provision key-size key-size
Sets the size of the RSA key pair generated for the AP's LSC; use 2048 or larger.
Step 7: ap lsc-provision mac-address AP-Ethernet-MAC-address
If the LSC is required only for a specific group of APs, configures an allowed list of AP MAC addresses.
Step 8: ap lsc-provision
Enables LSC provisioning for all APs joining the controller.
Step 9: ap lsc-provision provision-list
Enables LSC provisioning only for the allowed list of APs.
Step 10: exit
Exits global configuration mode and enters privileged EXEC mode.
Step 11: show ap lsc-provision summary
Verifies the details of the AP LSC provisioning configuration, along with the list of APs added to the provision list.
Step 12: show crypto (on the AP CLI)
Verifies the certificates installed on the AP and ensures that both the CA root certificate and the device certificate are present.
This concludes the LSC provisioning configuration. The controller requests the AP's certificate from the CA on the AP's behalf and, once it is issued, pushes it to the AP.
What to do next
Once the certificate is fully installed, the AP reboots, and starts the join process with the new certificate. Now that you have the LSC certificate installed on the AP, assign the certificate following the steps in Assign a Trustpoint for AP Join with LSC using the CLI.
Assign a Trustpoint for a Specific Service using the CLI
Now that the trustpoint configuration is complete, how do you make use of the new certificates that have been created?
The following sections show how to assign the trustpoint to a specific service so that the right certificate is used for the right purpose. This step concludes your trustpoint configuration.
Assign a Trustpoint for AP Join with MIC or SSC using the CLI
The wireless management interface is used for AP Join. Note that both for physical controllers and for virtual controllers, no additional configuration is required to assign the trustpoint. The physical controller uses the default MIC or SUDI and the virtual controller uses the self-signed certificate.
However, if you have not generated the self-signed certificate for virtual controllers on Day 0, follow the procedure outlined in Workflow to Configure a Trustpoint for a Self-signed Certificate on Catalyst 9800-CL.
This concludes the workflow of configuring a trustpoint.
What to do next
The above workflow should help you successfully configure a trustpoint. In case you have trustpoint configuration issues, refer to the resolutions to common problem scenarios listed in Troubleshoot Common Issues for Certificate Configuration.
Assign a Trustpoint for AP Join with LSC using the CLI
When configured to use a Locally Significant Certificate (LSC), Access Points join the Controllers using an LSC. To set the wireless management trustpoint to use an LSC for AP Join, perform the following procedure:
Before you begin
-
You should have configured a trustpoint for LSC and should have received a certificate from a third-party.
-
The AP must have been provisioned with the LSC. For more information on how to do this refer to Provision Access Points with Locally Significant Certificates using the CLI.
Procedure
Step 1: enable
Enables privileged EXEC mode. Enter your password if prompted.
Step 2: configure terminal
Enters global configuration mode.
Step 3: wireless management trustpoint trustpoint-name
Sets the wireless management trustpoint to the LSC trustpoint (here named AP-LSC), so that the controller presents the LSC to APs during the CAPWAP-DTLS handshake.
Step 4: exit
Exits global configuration mode and returns to privileged EXEC mode.
Step 5: show wireless management trustpoint
(Optional) Verifies that the wireless management interface is using the LSC trustpoint for AP Join.
This concludes the workflow of configuring a trustpoint.
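The three AP-side procedures above (Configure AP with MIC/SUDI to join Controller with LSC, Provision Access Points with Locally Significant Certificates, and Assign a Trustpoint for AP Join with LSC) as one ordered CLI session, added here as an example that is not part of the original page or Cisco's documentation. The trustpoint name ap-lsc-tp, the AP MAC address and the subject name values are assumptions; the trustpoint is assumed to be already enrolled.

```cisco
! Added example: moving AP join from MIC to LSC. Trustpoint ap-lsc-tp (already enrolled),
! the AP MAC address and all subject-name values are assumptions.
Device# configure terminal
! 1. Let the AP being provisioned join with its MIC while the controller trusts an LSC.
!    List the specific AP rather than relying on the policy alone, so that only known
!    hardware can use the MIC path on an LSC-deployed controller.
Device(config)# ap auth-list ap-cert-policy allow-mic-ap
Device(config)# ap auth-list ap-cert-policy allow-mic-ap trustpoint ap-lsc-tp
Device(config)# ap auth-list ap-cert-policy mac-address 00aa.bbcc.ddee policy-type mic
! 2. LSC provisioning: the controller proxies the AP's CSR to the CA through ap-lsc-tp.
!    If ap-lsc-tp was issued by an intermediate CA, import the full chain first:
!    Device(config)# crypto pki trustpool import terminal   (paste root and intermediates)
Device(config)# ap lsc-provision subject-name-parameter country US state CA city SanJose domain example.com org ExampleCorp email-address noc@example.com
Device(config)# ap lsc-provision key-size 2048
Device(config)# ap lsc-provision trustpoint ap-lsc-tp
! After 3 failed LSC joins the AP falls back to its MIC, so a bad LSC cannot strand it.
Device(config)# ap lsc-provision join-attempt 3
! Provision only the listed AP, not every AP that happens to join.
Device(config)# ap lsc-provision mac-address 00aa.bbcc.ddee
Device(config)# ap lsc-provision provision-list
Device(config)# end
Device# show ap auth-list ap-cert-policy
Device# show ap lsc-provision summary
! 3. Only after the AP has rebooted with its LSC (check "show crypto" on the AP) switch the
!    wireless management trustpoint; doing it earlier drops APs that still have only a MIC.
Device# configure terminal
Device(config)# wireless management trustpoint ap-lsc-tp
Device(config)# end
Device# write memory
Device# show wireless management trustpoint
```

Keep the allow-mic-ap entry for the AP only as long as it is needed for staging; once the AP joins with its LSC, removing its MAC from the MIC policy closes the fallback path for that device.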
Assign a Trustpoint for Web Authentication using the CLI
By default, web authentication uses the IOS XE device self-signed certificate to secure the connection between the user and the guest portal. If you want web authentication to use another certificate instead of the self-signed certificate, you must assign it through the web authentication parameter map.
Note: When you configure a trustpoint for web authentication, the controller does not present the entire chain; it presents only the device certificate and the CA certificate.
Before you begin
- Ensure that a certificate is installed on your controller.
Procedure
Step 1: enable
Enables privileged EXEC mode. Enter your password if prompted.
Step 2: configure terminal
Enters global configuration mode.
Step 3: parameter-map type webauth global
Creates the global web authentication parameter map and enters parameter-map configuration mode.
Step 4: trustpoint trustpoint-name
Configures the trustpoint used for local web authentication.
Step 5: virtual-ip ipv4 ip-address virtual-host hostname
Sets the virtual IP and the virtual hostname to which clients are redirected. The hostname must match the Common Name (CN) of the web authentication certificate; otherwise the client's browser will warn that the certificate does not match the site.
Step 6: exit
Exits parameter-map configuration mode and returns to global configuration mode.
Step 7: show parameter-map type webauth global
Verifies that the web authentication service is using the correct trustpoint.
This concludes the workflow of configuring a trustpoint.
Assign a Trustpoint for Webadmin using the CLI
By default, the HTTPS service uses the self-signed certificate generated by the controller's HTTPS server. If you want the HTTPS service to use a third-party certificate instead of the self-signed certificate, you must assign it using the CLI. Before assigning a new certificate, you must have completed the tasks mentioned below.
Note: When you configure a trustpoint for web admin, the controller does not present the entire chain; it presents only the device certificate and the CA certificate.
Before you begin
- Ensure that a certificate has been created for webadmin specifically and is saved.
- Note that the HTTP server must be restarted after you assign the trustpoint for the configuration to take effect (no ip http secure-server, then ip http secure-server). Do this from a console or SSH session, because any open GUI session is dropped by the restart.
Procedure
Step 1: enable
Enables privileged EXEC mode. Enter your password if prompted.
Step 2: configure terminal
Enters global configuration mode.
Step 3: ip http secure-trustpoint trustpoint-name
Assigns the trustpoint to the HTTPS service.
Step 4: show ip http server secure status
Verifies that the HTTPS service is using the correct trustpoint.
This concludes the workflow of configuring a trustpoint.
Assign a Trustpoint for Local EAP Authentication using the CLI
To assign a trustpoint for Local EAP authentication, perform the following procedure on the controller:
Before you begin
Ensure that the controller and the client each have their own device certificate. The controller must also have the CA certificate that issued the client certificates, and the client must trust the CA that issued the controller's certificate.
Procedure
Step 1: enable
Enables privileged EXEC mode. Enter your password if prompted.
Step 2: configure terminal
Enters global configuration mode.
Step 3: eap profile profile-name
Configures an EAP profile with the specified name and enters EAP profile configuration mode.
Step 4: method peap
Adds an allowed EAP method, for example PEAP.
Step 5: pki-trustpoint trustpoint-name
Sets the PKI trustpoint to be used for local EAP authentication with this profile.
Step 6: exit
Exits EAP profile configuration mode.
Step 7: show run eap profiles
Shows the trustpoint configured for the EAP profile.
This completes the workflow for configuring a trustpoint.
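The three service assignments above (web authentication, web admin and local EAP) in one CLI session, added here as an example that is not part of the original page or Cisco's documentation. A single enrolled trustpoint ewlc-tp, the virtual IP, the virtual hostname and the EAP profile name are assumptions; in practice each service may use its own trustpoint.

```cisco
! Added example: assigning an enrolled trustpoint (ewlc-tp, an assumption) to web
! authentication, the HTTPS admin server and a local EAP profile. Addresses and
! hostnames are assumptions.
Device# configure terminal
! Web authentication: clients are redirected to https://<virtual-host>/ and check that
! name against the certificate, so the CN of ewlc-tp's certificate must be the virtual host.
Device(config)# parameter-map type webauth global
Device(config-params-parameter-map)# trustpoint ewlc-tp
Device(config-params-parameter-map)# virtual-ip ipv4 192.0.2.1 virtual-host guest.example.com
Device(config-params-parameter-map)# exit
! Web admin: the HTTPS server reads its trustpoint only at start, so restart it.
! Run this from console or SSH; the GUI session you might be using is dropped.
Device(config)# ip http secure-trustpoint ewlc-tp
Device(config)# no ip http secure-server
Device(config)# ip http secure-server
! Local EAP: PEAP terminates TLS on the controller, so supplicants must trust the CA that
! issued ewlc-tp's certificate, or they will refuse the tunnel (or, worse, be configured
! to skip server validation and hand credentials to any rogue AP).
Device(config)# eap profile local-peap
Device(config-eap-profile)# method peap
Device(config-eap-profile)# pki-trustpoint ewlc-tp
Device(config-eap-profile)# exit
Device(config)# end
Device# write memory
Device# show parameter-map type webauth global
Device# show ip http server secure status
Device# show running-config | section eap profile
```

A quick end-to-end check from a client: browse to the GUI and the guest portal and inspect the presented certificate; because the controller sends only the device and CA certificates (see the notes above), a client that does not already trust the root will still warn when the issuer is an intermediate.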
What to do next
The above workflow should help you successfully configure a trustpoint. In case you have trustpoint configuration issues, refer to the resolutions to common problem scenarios listed in Troubleshoot Common Issues for Certificate Configuration.