LSC certificate issue on WLC

RDavidov
Level 1

Greetings

I'm trying to configure LSC on the WLC; everything goes OK until the moment when the AP tries to establish a DTLS connection with the WLC.

Output from AP:

CAPWAP State: DTLS Setup
dtls_disconnect: ERROR shutting down dtls connection ...
CAPWAP State: DTLS Teardown

Debug from the WLC indicates that the problem is with the issuer certificate:

sshpmGetCID: Found matching CA cert othSslLscCaCert in row 12
Found CID **** for certname othSslLscCaCert
CACertTable: Found matching CID othSslLscCaCert in row 12 x509 ****
Verify User Certificate: X509 Cert Verification return code: 0
Verify User Certificate: X509 Cert Verification result text: unable to get issuer certificate
Verify User Certificate: Error in X509 Cert Verification at 1 depth: unable to get issuer certificate
X509 OpenSSL Errors...

NONE
OpenSSL Get Issuer Handles: Cert issuer unknown; bailing ...

Certificate verification - failed!

In this document there is an interesting paragraph in which the join process is described:

https://www.cisco.com/c/en/us/support/docs/wireless/4400-series-wireless-lan-controllers/110141-loc-sig-cert.html

Both the LSC CA and the LAP Device certificates are installed into the LAP, and the system self-reboots. The next time it comes up, since it is configured to use LSCs, the AP sends the LSC Device Certificate to the Controller as part of the JOIN Request. As part of the JOIN Response, the controller sends its new Device certificate and also validates the inbound LAP certificate with the new CA Root Certificate.

The question is: how can I upload the CA Root Certificate to the WLC controller?

Many thanks

Raul

6 Replies

Ric Beeching
Level 7
Hi,

The LSC certificates on the AP, have you installed those and are they from your PKI infrastructure that you intend to use with the WLC?

Normally you would install the CA certificate on the WLC (or point towards the url for the CA server) which would then facilitate issuing the certificates to the APs. Have you done it in this order or are you just trying to authenticate using LSC straight off the bat?

-----------------------------
Please rate helpful / correct posts

Yes, I have a Root CA and a Sub CA (SHA-2) in the infrastructure on a Windows 2016 server. On the WLC I specified the URL; the CA and Device certificates were added as well. After provisioning the AP reboots:

Reset Request from Controller(LSC enabled), and after boot the AP cannot connect to the controller.

[Attachments: Screenshot_1.jpg, Screenshot_2.jpg]

Can you do a show certificate lsc summary and show certificate lsc ap-provision on the WLC?

Is it possible the whole chain isn't included in the WLC device cert? Unlikely but just checking..

Thanks,
Ric
-----------------------------
Please rate helpful / correct posts


"Is it possible the whole chain isn't included in the WLC device cert?" - how can I check this?

(Cisco Controller) >show certificate lsc summary

LSC Enabled...................................... Yes
LSC CA-Server.................................... http://1.1.1.1/certsrv/mscep/mscep.dll

LSC AP-Provisioning.............................. Yes
    Provision-List............................... Not Configured
    LSC Revert Count in AP reboots............... 3

LSC Params:
    Country...................................... ***
    State........................................ ***
    City......................................... ***
    Orgn......................................... ***
    Dept......................................... ITI
    Email........................................ ***@***.**
    KeySize...................................... 2048

LSC Certs:
    CA Cert...................................... Present
    RA Cert...................................... Not Configured
    DEV Cert..................................... Present

(Cisco Controller) >show certificate lsc ap-provision

LSC AP-Provisioning.............................. Yes
Provision-List................................... Present

Idx   Mac Address
---  -------------
 1    00:27:e3:81:00:00
 2    00:27:e3:81:11:11

Everything looks OK, but I don't have extensive experience with LSC. To confirm:

- Set up LSC
- Joined the AP to the WLC as normal
- Provisioned the AP with LSC certificates
- Restarted the AP and ensured "Accept Local Significant Certificates (LSC)" is enabled
- Encountered this issue

Perhaps some of the others may have more suggestions on this, but I am following the same logic as you: the WLC does not have the same Root CA cert as the AP is presenting.

Ric


-----------------------------
Please rate helpful / correct posts
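The check RDavidov asks for above, as an added example that is not part of this thread: a constructed lab PKI with the same shape as the poster's (Root CA, Sub CA, AP device cert), verified with openssl the way the WLC verifies the AP certificate at join time. It shows which chain gap produces the "unable to get issuer certificate" at depth 1 seen in the WLC debug (the issuing Sub CA is known but the Root that signed it is not) versus "unable to get local issuer certificate" at depth 0 (the intermediate itself is missing). Assumes openssl on PATH; all file names, subjects and helper function names are this example's own.

```shell
# Constructed lab PKI mirroring the poster's setup: Root CA -> Sub CA -> AP device cert.
# File names, subjects and the helper functions are this example's own assumptions.
set -eu

make_lab_pki() {  # $1 = scratch directory; the shell stays cd'd into it afterwards
  cd "$1"
  cat > req.cnf <<'EOF'
[req]
distinguished_name = dn
[dn]
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[leaf_ext]
basicConstraints = CA:FALSE
EOF
  # Self-signed Root CA, Sub CA signed by the root, AP device cert signed by the Sub CA
  openssl req -x509 -config req.cnf -extensions ca_ext -newkey rsa:2048 -nodes \
    -keyout root.key -out root.pem -subj "/CN=Lab Root CA" -days 2 2>/dev/null
  openssl req -new -config req.cnf -newkey rsa:2048 -nodes \
    -keyout sub.key -out sub.csr -subj "/CN=Lab Sub CA" 2>/dev/null
  openssl x509 -req -in sub.csr -CA root.pem -CAkey root.key -CAcreateserial \
    -out sub.pem -days 2 -extfile req.cnf -extensions ca_ext 2>/dev/null
  openssl req -new -config req.cnf -newkey rsa:2048 -nodes \
    -keyout ap.key -out ap.csr -subj "/CN=ap-device" 2>/dev/null
  openssl x509 -req -in ap.csr -CA sub.pem -CAkey sub.key -CAcreateserial \
    -out ap.pem -days 2 -extfile req.cnf -extensions leaf_ext 2>/dev/null
}

# The check the WLC performs on the JOIN request, with OpenSSL's verdict mapped to the
# two chain gaps that yield different error strings.
# $1 = CA file the controller trusts, $2 = AP cert, $3 = optional intermediates the AP presents
verdict() {
  if [ -n "${3:-}" ]; then out=$(openssl verify -CAfile "$1" -untrusted "$3" "$2" 2>&1 || true)
  else out=$(openssl verify -CAfile "$1" "$2" 2>&1 || true); fi
  case "$out" in
    *": OK")                                    echo OK ;;
    *"unable to get local issuer certificate"*) echo MISSING_INTERMEDIATE ;;  # error 20 at depth 0
    *"unable to get issuer certificate"*)       echo MISSING_ROOT ;;          # error 2 at depth 1
    *)                                          echo OTHER ;;
  esac
}

WORK=$(mktemp -d); make_lab_pki "$WORK"
echo "WLC trusts Sub CA only, AP sends leaf:   $(verdict sub.pem ap.pem)"
echo "WLC trusts Root only, AP sends leaf:     $(verdict root.pem ap.pem)"
echo "WLC trusts Root, AP sends leaf + Sub CA: $(verdict root.pem ap.pem sub.pem)"
```

The same openssl verify invocation can be run against the real AP device certificate and the CA certificates exported from the WLC or the CA server to see which of the two gaps applies.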

Hi, can you please tell me how you added the device certificate?

Greetings

Gordon
