Buy or Renew
Buy or Renew
Cisco Virtual Engineer generative AI bot now active in Wireless Discussion Forum. Learn more.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
379
Views
0
Helpful
5
Replies

4500 Wireless Controller and 3600 Series APs - Expired Certificates

MattP118
Level 1
Level 1

‎07-22-2022 01:20 PM

Hi all, 

I have a client with some older Cisco hardware and the certificates stored in their 3600 series APs have recently expired. I'm bypassing the authentication on that front for now so that the network stays up, but I'm looking for a better long-term solution that hopefully doesn't involve purchasing new hardware. I saw on another forum that upgrading the firmware can force the certificates to renew, but I've had very little luck figuring out how to do that. All I can find as far as a manual goes for these APs is a "getting started guide" that doesn't really include any info on managing these devices once they're deployed. Any help you can offer would be appreciated.

Thanks, 

Matt

Labels:
0 Helpful
5 Replies 5

Leo Laohoo
Hall of Fame
Hall of Fame

‎07-22-2022 04:50 PM

A 4500 WLC?  
Is this a Sup8/Sup9?

0 Helpful

Rich R
VIP
VIP

‎07-25-2022 05:32 AM

The field notice about certs is at https://www.cisco.com/c/en/us/support/docs/field-notices/639/fn63942.html

3600 APs are end of support: https://www.cisco.com/c/en/us/products/collateral/wireless/aironet-3600-series/eos-eol-notice-c51-737511.html

Converged access - the short-lived WLC on switch solution you appear to be using - is end of life as Cisco abandoned it.  Now superseded by the 9800 series controllers.

Upgrading firmware does not replace the MIC certificate.

Your only option is new hardware because pretty much everything you're using is close to or already past end of support.

------------------------------
Please click Helpful if this post helped you and Select as Solution (drop down menu at top right of this reply) if this answered your query.
------------------------------
TAC recommended codes for AireOS WLC's   and   TAC recommended codes for 9800 WLC's
Best Practices for AireOS WLC's,   Best Practices for 9800 WLC's   and   Cisco Wireless compatibility matrix
Check your 9800 WLC config with Wireless Config Analyzer using "show tech wireless" output or "config paging disable" then "show run-config" output on AireOS and use Wireless Debug Analyzer to analyze your WLC client debugs
Field Notice: FN63942 APs and WLCs Fail to Create CAPWAP Connections Due to Certificate Expiration
Field Notice: FN72424 Later Versions of WiFi 6 APs Fail to Join WLC - Software Upgrade Required
Field Notice: FN72524 IOS APs stuck in downloading state after 4 Dec 2022 due to Certificate Expired
- Fixed in 8.10.190.0, latest 9800 releases, 8.5.182.11 (8.5 mainline) and 8.5.182.108 (8.5 IRCM)
Field Notice: FN70479 AP Fails to Join or Joins with 1 Radio due to Country Mismatch, RMA needed
How to avoid boot loop due to corrupted image on Wave 2 and Catalyst 11ax Access Points (CSCvx32806)
Field Notice: FN74035 - Wave2 APs DFS May Not Detect Radar After Channel Availability Check Time
Leo's list of bugs affecting 2800/3800/4800/1560 APs
0 Helpful

MattP118
Level 1
Level 1
In response to Rich R

‎07-25-2022 12:37 PM

Thanks, that link gives me a lot of information. I think the update to the fixed software version might be what I found elsewhere, but I couldn't find much in the way of specific instructions. I can get everything else in place, but I'm not sure how to update the devices. I've looked all through the management portal. Any chance you could point me in the right direction?

0 Helpful

johnd2310
Level 8
Level 8
In response to MattP118

‎07-25-2022 05:49 PM

Hi,

Have you tried the following command on the wireless controller:

config ap cert-expiry-ignore {mic|ssc} enable

Thanks

John

**Please rate posts you find helpful**
0 Helpful

Rich R
VIP
VIP

‎07-25-2022 10:15 PM

@johnd2310 this will be IOS-XE - those commands are for AireOS.
@MattP118 I thought you'd already configured the cert expiry workaround?
Generic config for IOS-XE https://www.cisco.com/c/en/us/td/docs/ios/ios_xe/sec_secure_connectivity/configuration/guide/2_xe/sec_secure_connectivity_xe_book/sec_cfg_auth_rev_cert_xe.html
For that old IOS I assume the 9800 config in the field notice should work - otherwise use as a guide and work from there.  

------------------------------
Please click Helpful if this post helped you and Select as Solution (drop down menu at top right of this reply) if this answered your query.
------------------------------
TAC recommended codes for AireOS WLC's   and   TAC recommended codes for 9800 WLC's
Best Practices for AireOS WLC's,   Best Practices for 9800 WLC's   and   Cisco Wireless compatibility matrix
Check your 9800 WLC config with Wireless Config Analyzer using "show tech wireless" output or "config paging disable" then "show run-config" output on AireOS and use Wireless Debug Analyzer to analyze your WLC client debugs
Field Notice: FN63942 APs and WLCs Fail to Create CAPWAP Connections Due to Certificate Expiration
Field Notice: FN72424 Later Versions of WiFi 6 APs Fail to Join WLC - Software Upgrade Required
Field Notice: FN72524 IOS APs stuck in downloading state after 4 Dec 2022 due to Certificate Expired
- Fixed in 8.10.190.0, latest 9800 releases, 8.5.182.11 (8.5 mainline) and 8.5.182.108 (8.5 IRCM)
Field Notice: FN70479 AP Fails to Join or Joins with 1 Radio due to Country Mismatch, RMA needed
How to avoid boot loop due to corrupted image on Wave 2 and Catalyst 11ax Access Points (CSCvx32806)
Field Notice: FN74035 - Wave2 APs DFS May Not Detect Radar After Channel Availability Check Time
Leo's list of bugs affecting 2800/3800/4800/1560 APs
0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card