LWAP - push ca cert to access point

rdediana — Mon, 05 Jul 2021 17:51:37 GMT

Hello team

Is it possible to push a CA cert (Root / Sub) to an AP?

What we're trying to achieve is AP 802.1x authentication with ISE who's certs have been issued by a private PKI issuing CA.

Since the AP attempts to validate the ISE device cert during the mutual authn phase prior to 802.1x EAP/EAP-TLS transactions, the AP does not trust the cert presented by ISE and prevents the AP from initiating dot1x AuthN

one approach we're considering is to push a CA cert down to the AP.

ISE Live Logs:

Event

5411 Supplicant stopped responding to ISE

Failure Reason

12931 Supplicant stopped responding to ISE after sending it the first EAP-TLS message

Resolution

Verify that supplicant is configured properly to conduct a full EAP conversation with ISE.
Verify that NAS is configured properly to transfer EAP messages to/from supplicant.
Verify that supplicant or NAS does not have a short timeout for EAP conversation.
Check the network that connects the Network Access Server to ISE.

Root cause

Supplicant stopped responding to ISE after sending it the first EAP-TLS message

thanks for any guidance or recommendations.

Regan

Re: LWAP - push ca cert to access point

superego — Thu, 15 Aug 2019 15:40:30 GMT

Hi,

Refer to:

https://www.cisco.com/c/en/us/td/docs/wireless/controller/8-2/config-guide/b_cg82/b_cg82_chapter_01001.html#ID1638

Downloading Device Certificates (GUI)

Procedure

Step 1	Copy the device certificate to the default directory on your server.
Step 2	Choose Commands > Download File to open the Download File to Controller page.
Step 3	From the File Type drop-down list, choose Vendor Device Certificate.
Step 4	In the Certificate Password text box, enter the password that was used to protect the certificate.
Step 5	From the Transfer Mode drop-down list, choose from the following options: TFTP FTP SFTP (available in 7.4 and later releases)
Step 6	In the IP Address text box, enter the IP address of the server. If you are using a TFTP server, the default values of 10 retries and 6 seconds for the Maximum Retries and Timeout text boxes should work correctly without any adjustment. However, you can change these values.
Step 7	Enter the maximum number of times that the TFTP server attempts to download the certificate in the Maximum Retries text box and the amount of time (in seconds) that the TFTP server attempts to download the certificate in the Timeout text box.
Step 8	In the File Path text box, enter the directory path of the certificate.
Step 9	In the File Name text box, enter the name of the certificate.
Step 10	If you are using an FTP server, follow these steps: In the Server Login Username text box, enter the username to log into the FTP server. In the Server Login Password text box, enter the password to log into the FTP server. In the Server Port Number text box, enter the port number on the FTP server through which the download occurs. The default value is 21.
Step 11	Click Download to download the device certificate to the controller. A message appears indicating the status of the download.
Step 12	After the download is complete, choose Commands > Reboot > Reboot.
Step 13	If prompted to save your changes, click Save and Reboot.
Step 14	Click OK to confirm your decision to reboot the controller.

Downloading Device Certificates (CLI)

Procedure

Step 1

Log onto the controller CLI.

Step 2

Specify the transfer mode used to download the config file by entering this command:

transfer download mode {tftp | ftp | sftp }

Step 3

Specify the type of the file to be downloaded by entering this command:

transfer download datatype eapdevcert

Step 4

Specify the certificate’s private key by entering this command:

transfer download certpassword password

Step 5

Specify the IP address of the TFTP or FTP server by entering this command:

transfer download serverip server-ip-address

Step 6

Specify the name of the config file to be downloaded by entering this command:

transfer download path server-path-to-file

Step 7

Specify the directory path of the config file by entering this command:

transfer download filename filename.pem

Step 8

(Optional) If you are using a TFTP server, enter these commands:

transfer download tftpMaxRetries retries

transfer download tftpPktTimeout timeout

Note

The default values of 10 retries and a 6-second timeout should work correctly without any adjustment. However, you can change these values. To do so, enter the maximum number of times that the TFTP server attempts to download the software for the retries parameter and the amount of time (in seconds) that the TFTP server attempts to download the software for the timeout parameter.

Step 9

If you are using an FTP server, enter these commands (skip this step if you are not using FTP server):

transfer download username username
transfer download password password
transfer download port port
Note The default value for the port parameter is 21.

Step 10

View the updated settings by entering the transfer download start command. Answer y when prompted to confirm the current settings and start the download process.

Step 11

Reboot the controller by entering this command:

reset system

***Please mark as accepted solution if it helped you***

topic LWAP - push ca cert to access point in Wireless

LWAP - push ca cert to access point

Re: LWAP - push ca cert to access point

Downloading Device Certificates (GUI)

Procedure

Downloading Device Certificates (CLI)

Procedure