AP fails to join WLC 9800 with LSC certificate

Hi,
In my lab environment, I have a WLC 9800 with IOS XE 17.17.1, a few APs such as 9136 and 9176, and a Windows server as a CA. The idea of the lab is that the APs have to join the controller via certificates.
For the lab setup I used the following guide:

https://www.cisco.com/c/en/us/support/docs/wireless/catalyst-9100-access-points/221127-configure-locally-significant-certificat.html

For the first run the setup works fine for 3 APs.
Then I tried to join another AP alongside the existing APs, but this one is not able to join the controller.

Any idea why the last AP isn't able to join the controller?

Thank you very much for every hint.

Regards

Hans

Accepted Solution

Hi Mark,

Sorry for the delay.

I'll try to share my thoughts. First I tried to understand how the AP join process works without LSC.

Then I configured the setup with LSC and the external CA on a Windows server. During this time there were 3 APs on the controller. Immediately after I configured the wireless management trustpoint with the new trustpoint, the APs rebooted. After a while they got the correct certificate. This was visible on the CA server and on the APs as well.

Next I tried the same procedure with new APs out of the box. Unfortunately they were not able to join the controller. The point is, the new APs need a "default certificate", i.e. certificate type MIC.
Then I configured in the controller GUI, under the Access Point menu, the AP Certificate Policy with the Certificate Type MIC.

Since then, APs out of the box are able to join the controller and can load the LSC certificate.

These are my thoughts in a short summary and maybe not the correct deep understanding of the whole process.

Maybe you have a diagram or flowchart of how this process exactly works.

Thank you for your support, this gave me the right hints to fix the problem.

Regards

Hans


4 Replies

Mark Elsen (Hall of Fame)

- @hansruedi.spycher1 You can get a more readable output from that debugTrace when entering it into https://cway.cisco.com/wireless-debug-analyzer/ and checking the flags Show Original and Show All. Actually it's not designed for this, it's for client debugging, but it converts the debugTrace file to more readable output.

For the particular AP, can you also engage in troubleshooting according to:
https://www.cisco.com/c/en/us/support/docs/wireless/catalyst-9100-access-points/221127-configure-locally-significant-certificat.html#toc-hId--1277986097

You can also use additional instructions from: https://logadvisor.cisco.com/logadvisor/wireless/9800/9800APJoin

Appendix: always validate the complete configuration of a 9800 controller using the CLI command show tech wireless and feed the output from that into Wireless Config Analyzer. Use the full command as outlined in green; it does not work with show tech-support.

M.



-- Let everything happen to you / Beauty and terror / Just keep going / No feeling is final
Rainer Maria Rilke (1899)

I have gained new insights from your information.

- @hansruedi.spycher1 Would you mind sharing those: always useful for others.

M.

