01-27-2014 03:56 PM - edited 07-05-2021 12:03 AM
In some of my spare time, I've been trying to get this AP to join with this WLC. It's been about two weeks now. I'm not sure what the problem is. I think that there are a few possible issues, but I'm asking the more experienced & knowledgeable support community. I did convert the autonomous AP to a LAP. So here are some outputs:
AP sh ver
AP0014.6956.6926#sh ver
Cisco IOS Software, C1130 Software (C1130-K9W8-M), Version 12.4(25e)JAO3, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2013 by Cisco Systems, Inc.
Compiled Wed 18-Dec-13 20:53 by prod_rel_team
ROM: Bootstrap program is C1130 boot loader
BOOTLDR: C1130 Boot Loader (C1130-BOOT-M) Version 12.3(2)JA3, RELEASE SOFTWARE (fc2)
AP0014.6956.6926 uptime is 2 hours, 11 minutes
System returned to ROM by power-on
System image file is "flash:/c1130-k9w8-mx.124-25e.JAO3/c1130-k9w8-mx.124-25e.JAO3"
This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.
A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
If you require further assistance please contact us by sending email to
cisco AIR-LAP1131AG-A-K9 (PowerPCElvis) processor (revision A0) with 27638K/5120K bytes of memory.
Processor board ID FTX0924T1NR
PowerPCElvis CPU at 262Mhz, revision number 0x0950
Last reset from power-on
LWAPP image version 7.3.1.72
1 FastEthernet interface
2 802.11 Radio(s)
32K bytes of flash-simulated non-volatile configuration memory.
Base ethernet MAC Address: 00:14:69:56:69:26
Part Number : 73-8962-07
PCA Assembly Number : 800-24818-06
PCA Revision Number : C0
PCB Serial Number : FOC092238UU
Top Assembly Part Number : 800-25544-01
Top Assembly Serial Number : FTX0924T1NR
Top Revision Number : A0
Product/Model Number : AIR-AP1131AG-A-K9
Configuration register is 0xF
WLC sh sysinfo
Manufacturer's Name.............................. Cisco Systems Inc.
Product Name..................................... Cisco Controller
Product Version.................................. 4.2.205.0
RTOS Version..................................... 4.2.205.0
Bootloader Version............................... 4.2.205.0
Build Type....................................... DATA + WPS
System Name...................................... wlcVA010a03a01
System Location..................................
System Contact...................................
System ObjectID.................................. 1.3.6.1.4.1.14179.1.1.4.3
IP Address....................................... 10.10.1.1
System Up Time................................... 4 days 0 hrs 54 mins 42 secs
Configured Country............................... US - United States
Operating Environment............................ Commercial (0 to 40 C)
Internal Temp Alarm Limits....................... 0 to 65 C
Internal Temperature............................. +39 C
State of 802.11b Network......................... Enabled
State of 802.11a Network......................... Enabled
Number of WLANs.................................. 1
3rd Party Access Point Support................... Disabled
Number of Active Clients......................... 0
Burned-in MAC Address............................ 00:18:73:35:DC:40
Crypto Accelerator 1............................. Absent
Crypto Accelerator 2............................. Absent
Power Supply 1................................... Absent
Power Supply 2................................... Present, OK
WLC debug lwapp errors enable
Fri Jan 24 16:55:15 2014: 00:13:5f:f8:94:f0 LWAPP Join Request does not include valid certificate in CERTIFICATE_PAYLOAD from AP 00:13:5f:f8:94:f0.
Fri Jan 24 16:55:15 2014: 00:13:5f:f8:94:f0 Unable to free public key for AP 00:13:5f:f8:94:f0
Fri Jan 24 16:55:15 2014: 00:13:5f:f8:94:f0 Decoding Join Request failed for AP 00:13:5f:f8:94:f0
Fri Jan 24 16:55:20 2014: 00:13:5f:f8:94:f0 LWAPP Join Request does not include valid certificate in CERTIFICATE_PAYLOAD from AP 00:13:5f:f8:94:f0.
Fri Jan 24 16:55:20 2014: 00:13:5f:f8:94:f0 Unable to free public key for AP 00:13:5f:f8:94:f0
Fri Jan 24 16:55:20 2014: 00:13:5f:f8:94:f0 Decoding Join Request failed for AP 00:13:5f:f8:94:f0
WLC debug lwapp events enable
Fri Jan 24 16:52:20 2014: 00:13:5f:f8:94:f0 Received LWAPP DISCOVERY REQUEST from AP 00:13:5f:f8:94:f0 to ff:ff:ff:ff:ff:ff on port '1'
Fri Jan 24 16:52:20 2014: 00:13:5f:f8:94:f0 Successful transmission of LWAPP Discovery Response to AP 00:13:5f:f8:94:f0 on port 1
Fri Jan 24 16:52:20 2014: 00:13:5f:f8:94:f0 Received LWAPP DISCOVERY REQUEST from AP 00:13:5f:f8:94:f0 to ff:ff:ff:ff:ff:ff on port '1'
Fri Jan 24 16:52:20 2014: 00:13:5f:f8:94:f0 Successful transmission of LWAPP Discovery Response to AP 00:13:5f:f8:94:f0 on port 1
Fri Jan 24 16:52:31 2014: 00:13:5f:f8:94:f0 Received LWAPP JOIN REQUEST from AP 00:13:5f:f8:94:f0 to 06:0a:10:10:00:00 on port '1'
Fri Jan 24 16:52:31 2014: 00:13:5f:f8:94:f0 LWAPP Join Request does not include valid certificate in CERTIFICATE_PAYLOAD from AP 00:13:5f:f8:94:f0.
Fri Jan 24 16:52:31 2014: 00:13:5f:f8:94:f0 Unable to free public key for AP 00:13:5f:f8:94:f0
Fri Jan 24 16:52:31 2014: 00:13:5f:f8:94:f0 Decoding Join Request failed for AP 00:13:5f:f8:94:f0
Fri Jan 24 16:52:36 2014: 00:13:5f:f8:94:f0 Received LWAPP JOIN REQUEST from AP 00:13:5f:f8:94:f0 to 06:0a:10:10:00:00 on port '1'
Fri Jan 24 16:52:36 2014: 00:13:5f:f8:94:f0 LWAPP Join Request does not include valid certificate in CERTIFICATE_PAYLOAD from AP 00:13:5f:f8:94:f0.
Fri Jan 24 16:52:36 2014: 00:13:5f:f8:94:f0 Unable to free public key for AP 00:13:5f:f8:94:f0
Fri Jan 24 16:52:36 2014: 00:13:5f:f8:94:f0 Decoding Join Request failed for AP 00:13:5f:f8:94:f0
WLC debug pm pki enable
Fri Jan 24 16:49:45 2014: sshpmGetIssuerHandles: invalid args (0x13d7edd0/0x13d7edd4/0x13d7edd8/0x30231b14/0)
Fri Jan 24 16:49:45 2014: sshpmFreePublicKeyHandle: called with (nil)
Fri Jan 24 16:49:45 2014: sshpmFreePublicKeyHandle: NULL argument.
Fri Jan 24 16:49:50 2014: sshpmGetIssuerHandles: invalid args (0x13d91320/0x13d91324/0x13d91328/0x30231b14/0)
Fri Jan 24 16:49:50 2014: sshpmFreePublicKeyHandle: called with (nil)
Fri Jan 24 16:49:50 2014: sshpmFreePublicKeyHandle: NULL argument.
Thanks!
Leon
01-27-2014 10:07 PM
Your WLC code is very old and you're using a new lightweight AP image. I would either upgrade your WLC or upload the older recovery image to your AP:
c1130-rcvk9w8-tar.123-7.JX9.tar
Sent from Cisco Technical Support iPhone App
01-27-2014 10:35 PM
cisco AIR-LAP1131AG-A-K9 (PowerPCElvis) processor (revision A0) with 27638K/5120K bytes of memory.
WLC sh sysinfo
Manufacturer's Name.............................. Cisco Systems Inc.
Product Name..................................... Cisco Controller
Product Version.................................. 4.2.205.0
RTOS Version..................................... 4.2.205.0
Bootloader Version............................... 4.2.205.0
Build Type....................................... DATA + WPS
Fri Jan 24 16:55:20 2014: 00:13:5f:f8:94:f0 LWAPP Join Request does not include valid certificate in CERTIFICATE_PAYLOAD from AP 00:13:5f:f8:94:f0.
Fri Jan 24 16:52:36 2014: 00:13:5f:f8:94:f0 LWAPP Join Request does not include valid certificate in CERTIFICATE_PAYLOAD from AP 00:13:5f:f8:94:f0.
Adding to the above:
Manually add self-signed certificates (SSCs) to a Cisco Wireless LAN (WLAN) Controller (WLC).
You can manually add the SSC to the WLC.
These kinds of problems occur with Lightweight AP Protocol (LWAPP)-converted APs.
Via GUI:
Choose Security > AP Policies and click Enabled beside Accept Self Signed Certificate.
Select SSC from the Certificate Type drop-down menu.
Enter the MAC address of the AP and the hash key, and click Add.
Via CLI:
Enable Accept Self Signed Certificate on the WLC. The command is config auth-list ap-policy ssc enable.
(Cisco Controller) >config auth-list ap-policy ssc enable
Add the AP MAC address and hash key to the authorization list. The command is config auth-list add ssc AP_MAC AP_key.
(Cisco Controller) >config auth-list add ssc
More to check here:
http://www.cisco.com/en/US/products/ps6366/products_configuration_example09186a00806a426c.shtml
Also, as mentioned by Scott, this is a very old version on the WLC. Please upgrade it.
Hope it helps.
Regards
Don't forget to rate helpful posts
01-30-2014 09:48 AM
Okay, so I've been trying some of what you've mentioned the past few days. The WLC is updated. The AP still can't connect. So I tried the "config auth-list ap-policy ssc enable" & "config auth-list add ssc
Now then, where can I find or get the AP hash key? It doesn't show up on the debug pm pki enable output. Can I find it on the AP through gui or cli?
01-30-2014 09:54 AM
Fri Jan 24 16:52:36 2014: 00:13:5f:f8:94:f0 LWAPP Join Request does not include valid certificate in CERTIFICATE_PAYLOAD from AP 00:13:5f:f8:94:f0.
Fri Jan 24 16:52:36 2014: 00:13:5f:f8:94:f0 Unable to free public key for AP 00:13:5f:f8:94:f0
Fri Jan 24 16:52:36 2014: 00:13:5f:f8:94:f0 Decoding Join Request failed for AP 00:13:5f:f8:94:f0
This information clearly shows that the controller time is outside the certificate validity interval of the LAP. Therefore, the LAP cannot register with the controller. Certificates installed in the LAP have a predefined validity interval. The controller time should be set in such a way that it is within the certificate validity interval of the LAP’s certificate.
If the time is not set correctly on the controller, choose Commands > Set Time in the controller GUI mode, or issue the config time command in the controller CLI in order to set the controller time.
Also paste the output of this command:
AP#show crypto ca certificates
Regards
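The validity-interval check described in the reply above can be scripted. This is an added example, not part of the original thread: the certificate output is a constructed sample in the layout of `show crypto ca certificates`, the function names are hypothetical, and both clocks are assumed to be in the same time zone.

```python
import re
from datetime import datetime

# Constructed sample of `show crypto ca certificates` output (not from the thread).
SAMPLE_CERT_OUTPUT = """\
Certificate
  Status: Available
  Certificate Usage: General Purpose
  Validity Date:
    start date: 10:15:42 UTC Jun 3 2005
    end date: 10:25:42 UTC Jun 3 2015
"""

# Debug line quoted in the thread; its timestamp prefix is the controller's clock.
WLC_LOG_LINE = ("Fri Jan 24 16:52:36 2014: 00:13:5f:f8:94:f0 LWAPP Join Request "
                "does not include valid certificate in CERTIFICATE_PAYLOAD "
                "from AP 00:13:5f:f8:94:f0.")

DATE_RE = re.compile(
    r"^\s*(start|end)\s+date:\s+(\d\d:\d\d:\d\d)\s+\S+\s+(\w{3})\s+(\d{1,2})\s+(\d{4})\s*$",
    re.M)

def parse_validity(cert_output):
    """Return [(not_before, not_after)] for each certificate in the output."""
    windows, start = [], None
    for kind, clock, mon, day, year in DATE_RE.findall(cert_output):
        stamp = datetime.strptime(f"{clock} {mon} {day} {year}", "%H:%M:%S %b %d %Y")
        if kind == "start":
            start = stamp
        elif start is not None:
            windows.append((start, stamp))
            start = None
    return windows

def controller_time(log_line):
    """Extract the controller timestamp that prefixes a WLC debug line."""
    m = re.match(r"(\w{3} \w{3} +\d{1,2} \d\d:\d\d:\d\d \d{4}):", log_line)
    if not m:
        raise ValueError("no WLC timestamp prefix")
    return datetime.strptime(m.group(1), "%a %b %d %H:%M:%S %Y")

def check(cert_output, log_line):
    """Classify the controller clock against each certificate's validity window."""
    now = controller_time(log_line)
    # Assumption: AP certificate dates and controller log time share a time zone.
    return ["controller clock before start date" if now < not_before
            else "controller clock after end date" if now > not_after
            else "within validity"
            for not_before, not_after in parse_validity(cert_output)]
```

Feed it the AP's real `show crypto ca certificates` output and a fresh debug line from the controller; a result other than "within validity" points at the clock rather than the certificate itself.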
01-30-2014 11:53 PM
As per the logs, it seems to be the SSC certificate installation issue.