LWAP - push ca cert to access point

rdediana
Cisco Employee

Hello team,

Is it possible to push a CA cert (Root / Sub) to an AP?

What we're trying to achieve is AP 802.1x authentication with ISE, whose certs have been issued by a private PKI issuing CA.

Since the AP attempts to validate the ISE device cert during the mutual authentication phase prior to the 802.1x EAP/EAP-TLS transactions, the AP does not trust the cert presented by ISE, and this prevents the AP from initiating dot1x AuthN.

One approach we're considering is to push a CA cert down to the AP.

 

ISE Live Logs:

Event
  • 5411 Supplicant stopped responding to ISE
Failure Reason
  • 12931 Supplicant stopped responding to ISE after sending it the first EAP-TLS message
Resolution
  • Verify that supplicant is configured properly to conduct a full EAP conversation with ISE.
  • Verify that NAS is configured properly to transfer EAP messages to/from supplicant.
  • Verify that supplicant or NAS does not have a short timeout for EAP conversation. 
  • Check the network that connects the Network Access Server to ISE.
Root cause
  • Supplicant stopped responding to ISE after sending it the first EAP-TLS message

Thanks for any guidance or recommendations.

Regan
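The trust failure described above, reproduced as an added example that is not part of the thread or of any Cisco material: a throw-away private PKI (root CA, issuing sub CA, EAP server certificate) is built with the openssl CLI, and openssl verify stands in for the supplicant's certificate check. The CA names, the hostname ise.example.test and the helper verify_eap_cert are all constructed for this demo. It goes one step beyond the post by also showing that a trust store holding only the issuing sub CA is not enough for openssl's default validation, which needs a self-signed anchor.

```shell
#!/bin/sh
# Added example (not from the thread or from Cisco): rebuild the trust failure the
# question describes with a throw-away private PKI and show which CA material a
# validator (openssl here, standing in for the AP supplicant) needs before it will
# accept the EAP server certificate. Needs only the openssl CLI.
# Every name below (Example Private Root CA, Example Issuing CA, ise.example.test)
# is constructed for this demo.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# CA extensions: a CA certificate must assert basicConstraints CA:TRUE and keyCertSign.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
# Leaf extensions for an EAP/RADIUS server certificate.
printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:ise.example.test\n' > eap.ext

# 1. Private root CA (self-signed).
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Example Private Root CA" \
  -keyout root.key -out root.csr 2>/dev/null
openssl x509 -req -in root.csr -signkey root.key -days 2 -extfile ca.ext -out root.crt 2>/dev/null

# 2. Issuing (sub) CA, signed by the root.
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Example Issuing CA" \
  -keyout sub.key -out sub.csr 2>/dev/null
openssl x509 -req -in sub.csr -CA root.crt -CAkey root.key -CAcreateserial -days 2 \
  -extfile ca.ext -out sub.crt 2>/dev/null

# 3. The ISE EAP server certificate, issued by the sub CA (not by the root directly).
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=ise.example.test" \
  -keyout eap.key -out eap.csr 2>/dev/null
openssl x509 -req -in eap.csr -CA sub.crt -CAkey sub.key -CAcreateserial -days 2 \
  -extfile eap.ext -out eap.crt 2>/dev/null

# The "Root / Sub" bundle the question wants to push to the AP:
# both CA certificates in PEM form, simply concatenated.
cat root.crt sub.crt > private-ca-bundle.pem

# verify_eap_cert CERT TRUSTFILE -> prints trusted|untrusted, exit status 0|1.
# openssl performs the same X.509 path build a supplicant does before it
# continues the EAP-TLS handshake; a failure here is the "supplicant stopped
# responding after the first EAP-TLS message" symptom seen on the ISE side.
verify_eap_cert() {
  if openssl verify -CAfile "$2" "$1" >/dev/null 2>&1; then
    echo trusted
  else
    echo untrusted
    return 1
  fi
}

# Three candidate trust stores, one server certificate:
echo "root only:   $(verify_eap_cert eap.crt root.crt || true)"           # untrusted: issuing CA missing
echo "sub only:    $(verify_eap_cert eap.crt sub.crt || true)"            # untrusted: no self-signed anchor
echo "root + sub:  $(verify_eap_cert eap.crt private-ca-bundle.pem)"      # trusted
```

Run it as-is; it prints one line per trust store. The practical check before touching any controller is the last one: run openssl verify with the exact root-plus-sub bundle you intend to deploy against the certificate ISE actually presents for EAP, and only proceed once it reports OK.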

Accepted Solution

superego
Level 1

Hi,

Refer to:

https://www.cisco.com/c/en/us/td/docs/wireless/controller/8-2/config-guide/b_cg82/b_cg82_chapter_01001.html#ID1638

Downloading Device Certificates (GUI)

Procedure

Step 1. Copy the device certificate to the default directory on your server.

Step 2. Choose Commands > Download File to open the Download File to Controller page.

Step 3. From the File Type drop-down list, choose Vendor Device Certificate.

Step 4. In the Certificate Password text box, enter the password that was used to protect the certificate.

Step 5. From the Transfer Mode drop-down list, choose from the following options:

  • TFTP
  • FTP
  • SFTP (available in 7.4 and later releases)

Step 6. In the IP Address text box, enter the IP address of the server.

If you are using a TFTP server, the default values of 10 retries and 6 seconds for the Maximum Retries and Timeout text boxes should work correctly without any adjustment. However, you can change these values.

Step 7. Enter the maximum number of times that the TFTP server attempts to download the certificate in the Maximum Retries text box and the amount of time (in seconds) that the TFTP server attempts to download the certificate in the Timeout text box.

Step 8. In the File Path text box, enter the directory path of the certificate.

Step 9. In the File Name text box, enter the name of the certificate.

Step 10. If you are using an FTP server, follow these steps:

  1. In the Server Login Username text box, enter the username to log into the FTP server.
  2. In the Server Login Password text box, enter the password to log into the FTP server.
  3. In the Server Port Number text box, enter the port number on the FTP server through which the download occurs. The default value is 21.

Step 11. Click Download to download the device certificate to the controller. A message appears indicating the status of the download.

Step 12. After the download is complete, choose Commands > Reboot > Reboot.

Step 13. If prompted to save your changes, click Save and Reboot.

Step 14. Click OK to confirm your decision to reboot the controller.


Downloading Device Certificates (CLI)

Procedure

Step 1. Log onto the controller CLI.

Step 2. Specify the transfer mode used to download the config file by entering this command:

    transfer download mode {tftp | ftp | sftp}

Step 3. Specify the type of the file to be downloaded by entering this command:

    transfer download datatype eapdevcert

Step 4. Specify the certificate's private key by entering this command:

    transfer download certpassword password

Step 5. Specify the IP address of the TFTP or FTP server by entering this command:

    transfer download serverip server-ip-address

Step 6. Specify the name of the config file to be downloaded by entering this command:

    transfer download path server-path-to-file

Step 7. Specify the directory path of the config file by entering this command:

    transfer download filename filename.pem

Step 8. (Optional) If you are using a TFTP server, enter these commands:

  • transfer download tftpMaxRetries retries
  • transfer download tftpPktTimeout timeout

    Note: The default values of 10 retries and a 6-second timeout should work correctly without any adjustment. However, you can change these values. To do so, enter the maximum number of times that the TFTP server attempts to download the software for the retries parameter and the amount of time (in seconds) that the TFTP server attempts to download the software for the timeout parameter.

Step 9. If you are using an FTP server, enter these commands (skip this step if you are not using an FTP server):

  • transfer download username username
  • transfer download password password
  • transfer download port port

    Note: The default value for the port parameter is 21.

Step 10. View the updated settings by entering the transfer download start command. Answer y when prompted to confirm the current settings and start the download process.

Step 11. Reboot the controller by entering this command:

    reset system

***Please mark as accepted solution if it helped you***