Buy or Renew
Buy or Renew
Cisco Virtual Engineer generative AI bot now active in Wireless Discussion Forum. Learn more.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
871
Views
0
Helpful
6
Replies

Cisco Prime 3.9 TFTP Repository

Go to solution
RoadRunner4k
Level 1
Level 1

‎03-14-2023 03:28 AM

Hi all. 

 

Hope someone can help to answer this question. I need to update a webauth cert on our Aireos 5520, which seems only to support TFTP for transfer. 

Since we are in strict enviroment only place we got a TFTP service is on our Prime 3.9.

They webauth cert is uploaded in 


Directory of disk:/defaultRepo
3348480 Mar 11 2022 20:12:07 20220308-bundle.tar
2250385850 May 31 2021 13:28:45 PI-Upgrade-37x_38x_to_3.9.0.0.219.tar.gz
7751 Mar 14 2023 08:19:48 cert.pem

From the WLC can i directly get it from here? or do i need to transfer it to disk:/tftp ?

RoadRunner4k_0-1678789606159.png

 

 

 

 

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Rich R
VIP
VIP

‎03-14-2023 06:06 AM - edited ‎03-14-2023 06:13 AM

If you really want to use Prime this answer suggests it is possible: https://community.cisco.com/t5/network-management/using-cisco-prime-as-a-scp-sftp-ftp-tftp-server-from-router/m-p/4175003/highlight/true#M136895 and explains where to put the files - in /localdisk/tftp

Remember that files need to be world readable to be accessed by TFTP clients because there's no authentication - chmod 444 cert.pem (readable - more secure) or chmod 666 cert.pem (read/write - not secure).

Using secure in the same sentence as TFTP is an oxymoron though because TFTP is inherently insecure - it was never designed to be secure in any way.  Ludicrous that AireOS doesn't support http transfer for all files but that's the way they did it and it won't change now - network/WLC security apparently wasn't high on their list of priorities.

------------------------------
Please click Helpful if this post helped you and Select as Solution (drop down menu at top right of this reply) if this answered your query.
------------------------------
TAC recommended codes for AireOS WLC's   and   TAC recommended codes for 9800 WLC's
Best Practices for AireOS WLC's,   Best Practices for 9800 WLC's   and   Cisco Wireless compatibility matrix
Check your 9800 WLC config with Wireless Config Analyzer using "show tech wireless" output or "config paging disable" then "show run-config" output on AireOS and use Wireless Debug Analyzer to analyze your WLC client debugs
Field Notice: FN63942 APs and WLCs Fail to Create CAPWAP Connections Due to Certificate Expiration
Field Notice: FN72424 Later Versions of WiFi 6 APs Fail to Join WLC - Software Upgrade Required
Field Notice: FN72524 IOS APs stuck in downloading state after 4 Dec 2022 due to Certificate Expired
- Fixed in 8.10.190.0, latest 9800 releases, 8.5.182.11 (8.5 mainline) and 8.5.182.108 (8.5 IRCM)
Field Notice: FN70479 AP Fails to Join or Joins with 1 Radio due to Country Mismatch, RMA needed
How to avoid boot loop due to corrupted image on Wave 2 and Catalyst 11ax Access Points (CSCvx32806)
Field Notice: FN74035 - Wave2 APs DFS May Not Detect Radar After Channel Availability Check Time
Leo's list of bugs affecting 2800/3800/4800/1560 APs

View solution in original post

0 Helpful
6 Replies 6

Go to solution
Sandeep Choudhary
VIP Alumni
VIP Alumni

‎03-14-2023 03:46 AM

cant you directly transfer the webauth cert from your laptop(TFTP software must be installed here) ?

Regards

Dont forget to rate helpful posts

0 Helpful

Go to solution
RoadRunner4k
Level 1
Level 1

‎03-14-2023 03:58 AM

Would be the easiest way, but we don’t have that possibility   I know it should be possible to use Prime for it.

0 Helpful

Go to solution
Rich R
VIP
VIP

‎03-14-2023 06:01 AM

Don't you have a Cisco router or switch (which the WLC is connected to) which you can copy the cert to and then use that as a TFTP server?  That's what we've done since we disabled TFTP server on our network for security reasons.

------------------------------
Please click Helpful if this post helped you and Select as Solution (drop down menu at top right of this reply) if this answered your query.
------------------------------
TAC recommended codes for AireOS WLC's   and   TAC recommended codes for 9800 WLC's
Best Practices for AireOS WLC's,   Best Practices for 9800 WLC's   and   Cisco Wireless compatibility matrix
Check your 9800 WLC config with Wireless Config Analyzer using "show tech wireless" output or "config paging disable" then "show run-config" output on AireOS and use Wireless Debug Analyzer to analyze your WLC client debugs
Field Notice: FN63942 APs and WLCs Fail to Create CAPWAP Connections Due to Certificate Expiration
Field Notice: FN72424 Later Versions of WiFi 6 APs Fail to Join WLC - Software Upgrade Required
Field Notice: FN72524 IOS APs stuck in downloading state after 4 Dec 2022 due to Certificate Expired
- Fixed in 8.10.190.0, latest 9800 releases, 8.5.182.11 (8.5 mainline) and 8.5.182.108 (8.5 IRCM)
Field Notice: FN70479 AP Fails to Join or Joins with 1 Radio due to Country Mismatch, RMA needed
How to avoid boot loop due to corrupted image on Wave 2 and Catalyst 11ax Access Points (CSCvx32806)
Field Notice: FN74035 - Wave2 APs DFS May Not Detect Radar After Channel Availability Check Time
Leo's list of bugs affecting 2800/3800/4800/1560 APs
0 Helpful

Go to solution
RoadRunner4k
Level 1
Level 1

‎03-14-2023 06:05 AM

we cant enable it on them either since its not allowed in our company, but i know that my previcous colleague have used prime for this, as its in the same subnet as our WLC.

0 Helpful

Go to solution
Rich R
VIP
VIP
In response to RoadRunner4k

‎03-14-2023 06:42 AM

Ok that is probably your best option then.

------------------------------
Please click Helpful if this post helped you and Select as Solution (drop down menu at top right of this reply) if this answered your query.
------------------------------
TAC recommended codes for AireOS WLC's   and   TAC recommended codes for 9800 WLC's
Best Practices for AireOS WLC's,   Best Practices for 9800 WLC's   and   Cisco Wireless compatibility matrix
Check your 9800 WLC config with Wireless Config Analyzer using "show tech wireless" output or "config paging disable" then "show run-config" output on AireOS and use Wireless Debug Analyzer to analyze your WLC client debugs
Field Notice: FN63942 APs and WLCs Fail to Create CAPWAP Connections Due to Certificate Expiration
Field Notice: FN72424 Later Versions of WiFi 6 APs Fail to Join WLC - Software Upgrade Required
Field Notice: FN72524 IOS APs stuck in downloading state after 4 Dec 2022 due to Certificate Expired
- Fixed in 8.10.190.0, latest 9800 releases, 8.5.182.11 (8.5 mainline) and 8.5.182.108 (8.5 IRCM)
Field Notice: FN70479 AP Fails to Join or Joins with 1 Radio due to Country Mismatch, RMA needed
How to avoid boot loop due to corrupted image on Wave 2 and Catalyst 11ax Access Points (CSCvx32806)
Field Notice: FN74035 - Wave2 APs DFS May Not Detect Radar After Channel Availability Check Time
Leo's list of bugs affecting 2800/3800/4800/1560 APs
0 Helpful

Go to solution
Rich R
VIP
VIP

‎03-14-2023 06:06 AM - edited ‎03-14-2023 06:13 AM

If you really want to use Prime this answer suggests it is possible: https://community.cisco.com/t5/network-management/using-cisco-prime-as-a-scp-sftp-ftp-tftp-server-from-router/m-p/4175003/highlight/true#M136895 and explains where to put the files - in /localdisk/tftp

Remember that files need to be world readable to be accessed by TFTP clients because there's no authentication - chmod 444 cert.pem (readable - more secure) or chmod 666 cert.pem (read/write - not secure).

Using secure in the same sentence as TFTP is an oxymoron though because TFTP is inherently insecure - it was never designed to be secure in any way.  Ludicrous that AireOS doesn't support http transfer for all files but that's the way they did it and it won't change now - network/WLC security apparently wasn't high on their list of priorities.

------------------------------
Please click Helpful if this post helped you and Select as Solution (drop down menu at top right of this reply) if this answered your query.
------------------------------
TAC recommended codes for AireOS WLC's   and   TAC recommended codes for 9800 WLC's
Best Practices for AireOS WLC's,   Best Practices for 9800 WLC's   and   Cisco Wireless compatibility matrix
Check your 9800 WLC config with Wireless Config Analyzer using "show tech wireless" output or "config paging disable" then "show run-config" output on AireOS and use Wireless Debug Analyzer to analyze your WLC client debugs
Field Notice: FN63942 APs and WLCs Fail to Create CAPWAP Connections Due to Certificate Expiration
Field Notice: FN72424 Later Versions of WiFi 6 APs Fail to Join WLC - Software Upgrade Required
Field Notice: FN72524 IOS APs stuck in downloading state after 4 Dec 2022 due to Certificate Expired
- Fixed in 8.10.190.0, latest 9800 releases, 8.5.182.11 (8.5 mainline) and 8.5.182.108 (8.5 IRCM)
Field Notice: FN70479 AP Fails to Join or Joins with 1 Radio due to Country Mismatch, RMA needed
How to avoid boot loop due to corrupted image on Wave 2 and Catalyst 11ax Access Points (CSCvx32806)
Field Notice: FN74035 - Wave2 APs DFS May Not Detect Radar After Channel Availability Check Time
Leo's list of bugs affecting 2800/3800/4800/1560 APs
0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card