C9800-40 trustpoint for wireless management question

Clem58
Level 3

Hello,

I have configured a bunch of C9800-CL WLCs, it seems the trustpoint mechanism is slightly different with a physical WLC.

I associated the wireless management with one of the embedded certificates that was already existing in the trustpoints list. Because I was not able to have any AP joining with a self cert trustpoint for enrolling APs. Using this cert worked and AP are joining successfully.

Clem58_0-1704907808718.png

I just need to know if I did the right config, would you mind confirming?

Thanks in advance

Accepted Solution

So according to the error message we don't need to define a trustpoint on a physical WLC for wireless management.

So I have removed the trustpoint using "no wireless management trustpoint" and removed also the wireless management interface to have something clean.

After adding back the management interface to VLAN 8, I can see by default there is a configured trustpoint on the embedded cert.

Clem58_1-1704914585733.png

But doing again the show tech wireless with wireless analyzer, the error is gone.

So I would say by default the wireless management interface is using a default cert for trustpoint, and no need to set anything via CLI like on virtual ones.

Thanks for your help, I think this one is cleared

9 Replies

balaji.bandi
Hall of Fame

High level that should be OK - check what interface it tied up your management.

All the APs not joining, or only one or a few APs having the issue? Check the NTP, region, License.

What WLC code is running? What AP model and version of AP are you trying to join?

It's worth connecting a console cable and posting the complete boot log of the AP to check what is wrong.

BB

Hi Balaji, thanks for your response.

WLC code is 17.13.1 and AP is a 3802i.

But the AP is joining the WLC successfully, but only if I select this CISCO_IDEVID_CMCA3_SUDI trustpoint; if I try to create a custom trustpoint it won't join, with error "unknown CA".

So I just wanted to know if I did a correct config.

marce1000
VIP

>...I just need to know if I did the right config, would you mind confirming ?
  - You can always have a checkup of the C9800-40 controller configuration with the CLI command show tech wireless and feed the output into: Wireless Config Analyzer
    This procedure is strongly advised in many circumstances, such as setup (trying before production use), after new configuration changes, after upgrades...
    This is so good

M.

-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
    When the mirror will then always respond to me with ' The only thing that exceeds your brilliance is your beauty! '

Thanks Marce,

I have this error :

Clem58_0-1704910243895.png

So looks like it's not good, but using a trustpoint generated manually is not working with "unknown CA"

>...So looks like it's not good,
  - Indeed, all red flagged items must be corrected; check if the intended certificate has a valid chain and/or the CA is recognized by the controller.
    This for instance may provide inspiration:
    https://www.cisco.com/c/en/us/support/docs/wireless/catalyst-9800-series-wireless-controllers/217348-configure-troubleshoot-catalyst-9800-w.html#toc-hId-1511890830
    (look at ...decent certificate....)

M.

>...So I would say by default the wireless management interface is using a default cert for trustpoint, and no need to set anything via CLI like on virtual ones.
  - Completely true, the physical boxes have that built-in.
    Keep using WirelessAnalyzer for future developments!!

M.

Haydn Andrews
VIP Alumni

Did you run this command when setting up the 9800-CL:

wireless config vwlc-ssc key-size 2048 signature-algo sha256 password 0 <Password>

Clem58
Level 3
Level 3

Thanks Marce for the advice! Wifi analyzer is a great tool.

Haydn, the issue is concerning a 9800-40, not a CL; I did not have any issue with the virtual controller.