01-10-2024 09:31 AM - edited 01-10-2024 09:32 AM
Hello,
I have configured a bunch of C9800-CL WLCs; it seems the trustpoint mechanism is slightly different from a physical WLC.
I associated the wireless management interface with one of the embedded certificates that already existed in the trustpoints list, because I was not able to have any AP join with a self cert trustpoint for enrolling APs. Using this cert worked and the APs are joining successfully.
I just need to know if I did the right config; would you mind confirming?
Thanks in advance
01-10-2024 09:52 AM
At a high level that should be OK. Check which interface your management is tied to.
Are all the APs not joining, or only one or a few APs having the issue? Check the NTP, region, and license.
What WLC code are you running? What AP model and AP version are you trying to join?
It's worth connecting a console cable and posting the complete boot log of the AP to check what is wrong.
01-10-2024 09:58 AM
Hi Balaji, thanks for your response.
WLC code is 17.13.1 and the AP is a 3802i.
The AP is joining the WLC successfully, but only if I select this CISCO_IDEVID_CMCA3_SUDI trustpoint; if I try to create a custom trustpoint it won't join, with the error "unknown CA".
So I just wanted to know if I did a correct config.
01-10-2024 09:59 AM
>...I just need to know if I did the right config, would you mind confirming?
- You can always have a checkup of the C9800-40 controller configuration with the CLI command show tech wireless and feed the output into: Wireless Config Analyzer
This procedure is strongly advised in many circumstances, such as setup (trying before production use), after new configuration changes, after upgrades...
This is so good
M.
01-10-2024 10:11 AM
Thanks Marce,
I have this error:
So it looks like it's not good, but using a trustpoint generated manually is not working, with "unknown CA".
01-10-2024 10:31 AM
>...So looks like it's not good,
- Indeed, all red-flagged items must be corrected. Check if the intended certificate has a valid chain and/or the CA is recognized by the controller.
This, for instance, may provide inspiration:
https://www.cisco.com/c/en/us/support/docs/wireless/catalyst-9800-series-wireless-controllers/217348-configure-troubleshoot-catalyst-9800-w.html#toc-hId-1511890830
(look at ...decent certificate....)
M.
01-10-2024 11:22 AM - edited 01-10-2024 11:23 AM
So according to the error message we don't need to define a trustpoint on a physical WLC for wireless management.
So I removed the trustpoint using "no wireless management trustpoint" and also removed the wireless management interface to have something clean.
After adding the management interface back to VLAN 8, I can see that by default there is a configured trustpoint on the embedded cert.
But when running the show tech wireless again through the Wireless Analyzer, the error is gone.
So I would say by default the wireless management interface uses a default cert as trustpoint, and there is no need to set anything via CLI like on virtual ones.
Thanks for your help, I think this one is cleared.
01-10-2024 11:54 AM
>...So I would say by default the wireless management interface uses a default cert as trustpoint, and there is no need to set anything via CLI like on virtual ones.
- Completely true, the physical boxes have that built-in.
Keep using Wireless Analyzer for future developments!!
M.
01-10-2024 01:09 PM
Did you run this command when setting up the 9800-CL:
wireless config vwlc-ssc key-size 2048 signature-algo sha256 password 0 <Password>
01-12-2024 12:17 AM
Thanks Marce for the advice! Wireless Analyzer is a great tool.
Haydn, the issue concerns a 9800-40, not a CL; I did not have any issue with the virtual controller.