
Cisco WLC AP-SSO Break


Hi All,

We have Cisco WLC 5508 pair, one is Active & another is HA Unit in AP-SSO mode.

We are deploying Guest Access with Web Authentication. Now, I have to generate a CSR for Third-Party Certificates and upload them to the WLC to avoid Browser security warning messages.

As the WLCs are in HA AP-SSO, I am thinking that, we have to break them before installing the certificates on the WLC. Is it correct?

How to break the WLCs which are in HA AP-SSO mode?

If I issue the command config "redundancy mode sso disable" and reload the WLCs, can I access the HA unit with its own Management interface IP Address?

After installing certificates on both of them, how to bring the HA up?

Can it be done remotely or I should be at data center while breaking and




Scott Fella
Hall of Fame

You need to be on the console..... I would not be remote when doing this!!!!



*****Help out others by using the rating system and marking answered questions as "Answered"*****

*** Please rate helpful posts ***

Thanks Scott,

Once I break the HA between controllers using "redundancy mode sso disable" and uploading CSR certs in each WLC, how to build the HA back?

Do I need to connect the Redundant Ports again?

Is there a command that I need to enter to make them talk each other? Do I need to enter the command on both the WLCs?



You would bring them back up like if you were building it again. You would need to have the RP connected when bringing it back up.




Level 1

Hi Jaganmohan,

The very first thing is that in AP-SSO all the configuration would be transferred in HA from the Active to Standby WLC.
For the certificates we need to individually install the certificates on both the Controllers.

As Scott said we should have the console access to the Controllers.

We can follow the following process:

1. On the Controller issue the following command:
   Controller>config redundancy mode disable

2. After this command the WLCs will reboot. Once the WLCs are back up, then upload the certificates individually on
   both the WLCs.

3. Again reboot the WLCs so that the WLCs have the certificates installed on them.

4. Once the WLCs are back up then go ahead and reconfigure the HA AP-SSO on the Controller by issuing the following command:
   Controller>config redundancy mode sso

5. After this the WLC will reboot and come back as Primary and Standby WLC again.

Thanks and regards,

Manas Pratap Singh.


Do I need to disconnect the RP connection between the two controllers before breaking the SSO?

Do I need to apply "config redundancy mode disable" to both controllers, primary and secondary, from the console connection?

Do I need to apply "config redundancy mode sso" to both controllers, primary and secondary, from the console connection?





Would it be possible to apply a different method from that described above?
For example:

1) Install the certificate on the Active Controller (primary) & restart

2) Wait for the Standby controller (secondary) to take control and become active, then install the certificate & restart

3) Wait until the WLC (primary) takes control again and becomes the Active Controller

4) Now both controllers will have the certificate installed.

Also, is there any relationship between the certificate installed and used in the authentication process CAPWAP tunnel between AP and WLC?

Thanks in advance.



Could anyone advise if the step to install the SSL certificate mentioned above without breaking up the HA is possible?

Yes that method works, have been using it for years. Have not needed to break HA.
