certificates in a Mesh network

gnijs
Level 4

Hello all,

Could it be that MIC certificate expiration breaks a mesh network?

For example:

A mesh network with older APs had been running fine but then just stopped working when the APs were power cycled.

We have applied "config ap cert-expiry-ignore mic enable" on the WLC, and when I connect a mesh AP via the LAN, it joins the WLC perfectly. However, when I disconnect the AP again and it tries to join via the RAP, it does not work (it does not join the controller). I have configured mesh before and I believe all settings are correct (the MAC is added, it did work before, and no settings were changed).

On the WLC, however, I am seeing the following error message:

*EAP_Framework_0: Jun 23 13:05:47.475: %IOS-3-PEER_CERT_VER_FAIL: ios_pki_shim.c:1793 LOCAL-AUTH: Peer cert (user 'unknown') failed 'Cert date' check

I don't know which AP it comes from (it is not mentioned), but could it be coming from the RAP?

The mesh security is set to EAP. Could it be that the MAP can join the controller when connected via the LAN because of the "MIC ignore" setting, BUT that when the MAP boots, scans the backhaul and tries to set up an encrypted session with the RAP via wireless, the RAP refuses the certificate? After all, the RAP does not have the "MIC ignore" setting.

One fact that might prove this thesis is that when I set the clock back on the WLC, it works!

The time from the WLC is propagated to the RAP, and then the RAP accepts the certificate again?

This would mean that all MIC certificates in a mesh network need to be valid, even if "ignore MIC" is set on the controller!

Is this correct?

And what can be done to fix it?

A) If we change the security mode for the mesh network from EAP to PSK, will it work even when the certificates are expired?

B) Is there any other method to fix it permanently without setting back the clock on the controller?

I believe upgrading the firmware on the controller won't help, since this won't change the MIC on the RAP? Or will it?

Can we re-generate a new MIC for all APs in the mesh network?

Or is the only solution a hardware change?

FYI:

The RAP is an AIR-CAP3602E-E-K9.

The MAP that refuses to join via Wi-Fi but works via LAN is an AIR-LAP1262N-E-K9.

Regards,

GN
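The message quoted in the question is the only hard evidence in the thread, so it helps to parse it mechanically and to see what the 'Cert date' check actually tests. The following Python is an added example, not code from the original post or from Cisco: it splits the WLC message into its facility, severity, mnemonic, source location and free text, flags only PEER_CERT_VER_FAIL events whose failed check is 'Cert date', and models that check as a plain validity-window comparison so the clock-rollback observation can be reproduced. The message format is inferred from the single line in the post, the two extra log lines are constructed, and the MIC validity dates are placeholders, not the dates of the poster's APs.

```python
import re
from datetime import datetime, timezone

# Message format as seen on the WLC console (assumption: inferred from the one
# line quoted in the post):
#   *<process>: <Mon DD HH:MM:SS.mmm>: %<FACILITY>-<SEV>-<MNEMONIC>: <file:line> <text>
LOG_RE = re.compile(
    r"^\*(?P<proc>[^:]+):\s+"
    r"(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}\.\d{3}):\s+"
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>\d)-(?P<mnemonic>[A-Z0-9_]+):\s+"
    r"(?P<location>\S+)\s+"
    r"(?P<text>.*)$"
)
# Sub-fields inside the free text of a PEER_CERT_VER_FAIL message.
USER_RE = re.compile(r"\(user '(?P<user>[^']*)'\)")
CHECK_RE = re.compile(r"failed '(?P<check>[^']+)' check")


def parse_line(line):
    """Return a dict of fields for one log line, or None if it does not match the format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["severity"] = int(rec["severity"])
    u = USER_RE.search(rec["text"])
    c = CHECK_RE.search(rec["text"])
    rec["user"] = u.group("user") if u else None
    rec["failed_check"] = c.group("check") if c else None
    return rec


def is_cert_date_failure(rec):
    """True when the peer certificate was rejected specifically on its validity dates."""
    return (
        rec is not None
        and rec["mnemonic"] == "PEER_CERT_VER_FAIL"
        and rec["failed_check"] == "Cert date"
    )


def scan(lines):
    """Return the parsed records for every 'Cert date' failure in the given lines."""
    return [rec for rec in map(parse_line, lines) if is_cert_date_failure(rec)]


def cert_date_check_passes(not_before, not_after, now):
    """The test that 'Cert date' stands for: the verifier's clock must fall inside
    [notBefore, notAfter]. Moving the clock back into the window makes an expired
    certificate pass again, which is what the poster observed on the WLC."""
    return not_before <= now <= not_after


# Constructed placeholder validity window for a MIC (not the real AP's dates).
MIC_NOT_BEFORE = datetime(2011, 6, 1, tzinfo=timezone.utc)
MIC_NOT_AFTER = datetime(2021, 6, 1, tzinfo=timezone.utc)


def cert_date_check_at(year, month, day):
    """Evaluate the placeholder MIC against a given controller date."""
    clock = datetime(year, month, day, tzinfo=timezone.utc)
    return cert_date_check_passes(MIC_NOT_BEFORE, MIC_NOT_AFTER, clock)


# Constructed sample: the first line is the one quoted in the post; the second is
# made up to show a different failed check; the third is an unrelated message.
SAMPLE_LOG = [
    "*EAP_Framework_0: Jun 23 13:05:47.475: %IOS-3-PEER_CERT_VER_FAIL: ios_pki_shim.c:1793 "
    "LOCAL-AUTH: Peer cert (user 'unknown') failed 'Cert date' check",
    "*EAP_Framework_0: Jun 23 13:05:48.101: %IOS-3-PEER_CERT_VER_FAIL: ios_pki_shim.c:1793 "
    "LOCAL-AUTH: Peer cert (user 'unknown') failed 'Signature' check",
    "*spamApTask0: Jun 23 13:05:49.000: %DEMO-6-CONSTRUCTED: example.c:1 "
    "constructed unrelated message",
]


def main():
    for rec in scan(SAMPLE_LOG):
        print(f"{rec['ts']} {rec['proc']}: cert date failure, user {rec['user']!r}, "
              f"from {rec['location']}")
    for ymd in ((2023, 6, 23), (2019, 6, 23)):
        ok = cert_date_check_at(*ymd)
        print(f"controller clock {ymd}: cert date check {'passes' if ok else 'FAILS'}")


if __name__ == "__main__":
    main()
```

Run as a script it reports one 'Cert date' hit and shows the placeholder MIC failing at the 2023 date but passing once the clock is set back to 2019. Because the message names neither the AP nor the certificate subject (user 'unknown'), the parser cannot tell RAP from MAP; correlating the timestamp with the MAP's boot and backhaul scan is the practical way to attribute it.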

 

3 Replies

jonathga94
Level 1

It seems that the certificates on your APs are expired and that's breaking the mesh authentication between the APs, thus the mesh link is not created. The command "config ap cert-expiry-ignore mic enable" is for the WLC to ignore the certificate of the AP during AP join authentication; it doesn't apply to mesh authentication.

You can change the mesh security to PSK so the certificate won't be used for mesh authentication after that configuration change; that would fix the mesh link issue you are facing.

An upgrade to the WLC is not needed because it doesn't update the certificates of the wireless infrastructure, and the MIC can't be regenerated, so you need to change the mesh authentication to PSK and keep using the cert-expiry-ignore command on the WLC to keep the mesh connection and the APs' connection to the WLC.

Just to be clear: even if I change my mesh authentication to PSK, this is only for MAP-MAP and MAP-RAP links; it is NOT PSK to the controller. For AP join to the controller, it will always stay MIC based, so I would still need the "mic-ignore" command on the WLC. BUT in this case, I don't always need to set back the time on my controller in order for the mesh authentication to work. Correct?

Rich R
VIP

Correct - and check all the bug IDs on the field notice to make sure your software version (which you did not mention) has all the relevant fixes, because there were 3 different fixes for IOS APs.
https://www.cisco.com/c/en/us/support/docs/field-notices/639/fn63942.html
