Buy or Renew
Buy or Renew
Cisco Virtual Engineer generative AI bot now active in Wireless Discussion Forum. Learn more.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
25821
Views
6
Helpful
8
Replies

config ap cert-expiry-ignore {mic|ssc} enable

Go to solution
daswann
Level 1
Level 1

‎05-22-2019 06:41 AM - edited ‎07-05-2021 10:26 AM

We found a couple of old 1141N AP's in our network that were not associated with the controller. Upon investigation I found that the MIC had expired. We are currently running 8.3.133 on the controllers. If this command is used in the shot term, (until I can replace them with new models)  it will only be relevant to AP's with an expired MIC and not affect any other AP's from what I have read correct? Also would this leave them open to man-in-the middle attacks? Thank in advance!

1 person had this problem
Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
marce1000
VIP
VIP

‎05-22-2019 07:28 AM

 

 - Yes, that is correct, those with valid certs (not expired) will not be prone to man-in-the-middle attacks.

 M.



-- ' 'Good body every evening' ' this sentence was once spotted on a logo at the entrance of a Weight Watchers Club !

View solution in original post

8 Replies 8

Go to solution
marce1000
VIP
VIP

‎05-22-2019 07:28 AM

 

 - Yes, that is correct, those with valid certs (not expired) will not be prone to man-in-the-middle attacks.

 M.



-- ' 'Good body every evening' ' this sentence was once spotted on a logo at the entrance of a Weight Watchers Club !

Go to solution
daswann
Level 1
Level 1
In response to marce1000

‎05-22-2019 07:36 AM

Thank you M. just wanted to make sure. I will be replacing the access points tomorrow so I won't need to use the command but wanted a second set of eyes on it.

0 Helpful

Go to solution
steadroy_em1
Level 1
Level 1
In response to marce1000

‎10-14-2020 08:43 AM

Hi Marce - Do you know if the older APs "with expired" certs will be vulnerable to MIMs?

 

thanks 

0 Helpful

Go to solution
tanios191
Level 1
Level 1
In response to marce1000

‎07-14-2022 01:18 AM

Hello Marce,

 

Hello, I have a Cisco WLC 2504 with version 7.6.130.0 but both commands below are not available:
Command for Version 7.0.252.0:
config ap lifetime-check {mic|ssc} enable
Command for Versions 7.4.140.0 and later:
config ap cert-expiry-ignore {mic|ssc} enable
 
Please help
Thank you,
0 Helpful

Go to solution
marce1000
VIP
VIP
In response to tanios191

‎07-14-2022 02:37 AM

- You need at least 8.3.x for that.

M.


-- ' 'Good body every evening' ' this sentence was once spotted on a logo at the entrance of a Weight Watchers Club !

Go to solution
RHEA LINN
Level 1
Level 1

‎03-27-2020 06:31 AM

How do you determine the MIC on the expired AP?

0 Helpful

Go to solution
marce1000
VIP
VIP
In response to RHEA LINN

‎03-27-2020 08:30 AM

 

      AP_CLI#sh crypto pki certificates

         Look for the line containing end date

 M.



-- ' 'Good body every evening' ' this sentence was once spotted on a logo at the entrance of a Weight Watchers Club !
0 Helpful

Go to solution
namyong1276
Level 1
Level 1
In response to marce1000

‎01-12-2022 07:02 PM

AP_CLI#sh crypto pki certificates

 

Does the AP check?
Does WLC check?

If I use config ap cert-expiry-ignore mic enable on WLC 5520 model, is AP OK in MIC authentication?

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card