Solved: Re: Expiring Certificate on Cisco 3700i - Cisco Community

922

Views

1

Helpful

7

Replies

I have a Cisco 5520 WLC running 8.10.190 with a mix of of access points connected. I am in the process of replacing all the Cisco 3702i access points due to EOL and the expiring mic certificate. Unfortunately, it takes time to order and receive new 9100 series access points. I had previously done the NTP and set the date time back on the controller and that fixed the issue initially allowed the APs to join the controller at that time.

I am now seeing numerous 3072i access points showing up as "disassociated" in Cisco Prime. A workaround that I have seen is to run the following on the WLC: : WLC> config ap cert-expiry-ignore mic enable.

Will this command allow those APs that are disassociated due to an expiring cert to reconnect to the controller until I can replace AP with 9130 and will it prevent future 3700I APs with expiring certs in the future from not associating to controller ?

2 Accepted Solutions

Accepted Solutions

- Yes ,but use both commands (for cert and mic)

M.

-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
When the mirror will then always repond to me with ' The only thing that exceeds your brilliance is your beauty! '

View solution in original post

- Negative , the controller just 'honors their certificate'

M.

-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
When the mirror will then always repond to me with ' The only thing that exceeds your brilliance is your beauty! '

View solution in original post

7 Replies 7

(correction) - For certificate expiration also add config ap cert-expiry-ignore ssc enable.
To verify , scrutinize the boot process of an AP afterwards ,

(edited/added) You can also find the mentioned commands in
https://www.cisco.com/c/en/us/support/docs/field-notices/639/fn63942.html

M.

-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
When the mirror will then always repond to me with ' The only thing that exceeds your brilliance is your beauty! '

- More an item for 'just knowledge' : https://community.cisco.com/t5/wireless-mobility-knowledge-base/mic-and-ssc-certificates-expired-on-cisco-ap/ta-p/4720040

M.

-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
When the mirror will then always repond to me with ' The only thing that exceeds your brilliance is your beauty! '

So the short answer is I can use the command to allow the APs to associate to the controller by configuring the controller to bypass any mic cert expiration while I replace all the 3700i access points?

- Yes ,but use both commands (for cert and mic)

M.

-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
When the mirror will then always repond to me with ' The only thing that exceeds your brilliance is your beauty! '

This will not impact the existing APs that do not have the certificate issue will it?

- Negative , the controller just 'honors their certificate'

M.

-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
When the mirror will then always repond to me with ' The only thing that exceeds your brilliance is your beauty! '

Also update your software version as per the TAC recommended link below to eliminate any other known bugs which have been fixed - currently recommended version is 8.10.196.0.

------------------------------
Please click Helpful if this post helped you and Select as Solution (drop down menu at top right of this reply) if this answered your query.
------------------------------
TAC recommended codes for AireOS WLC's and TAC recommended codes for 9800 WLC's
Best Practices for AireOS WLC's, Best Practices for 9800 WLC's and Cisco Wireless compatibility matrix
Check your 9800 WLC config with Wireless Config Analyzer using "show tech wireless" output or "config paging disable" then "show run-config" output on AireOS and use Wireless Debug Analyzer to analyze your WLC client debugs
Field Notice: FN63942 APs and WLCs Fail to Create CAPWAP Connections Due to Certificate Expiration
Field Notice: FN72424 Later Versions of WiFi 6 APs Fail to Join WLC - Software Upgrade Required
Field Notice: FN72524 IOS APs stuck in downloading state after 4 Dec 2022 due to Certificate Expired
- Fixed in 8.10.196.0, latest 9800 releases, 8.5.182.12 (8.5.182.13 for 3504) and 8.5.182.109 (IRCM, 8.5.182.111 for 3504)
Field Notice: FN70479 AP Fails to Join or Joins with 1 Radio due to Country Mismatch, RMA needed
How to avoid boot loop due to corrupted image on Wave 2 and Catalyst 11ax Access Points (CSCvx32806)
Field Notice: FN74035 - Wave2 APs DFS May Not Detect Radar After Channel Availability Check Time
Leo's list of bugs affecting 2800/3800/4800/1560 APs
Default AP console baud rate from 17.12.x is 115200 - introduced by CSCwe88390

Learn, share, save

Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.

New here? Get started with these tips. How to use Community New member guide

Log in to Community

Review Cisco Networking for a $25 gift card