cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
3701
Views
5
Helpful
6
Replies

How to Proactively Prevent SSC/MIC Certificate Expiration Problems

https://www.cisco.com/c/en/us/support/docs/field-notices/639/fn63942.html
https://community.cisco.com/t5/wireless-mobility-documents/lightweight-ap-fail-to-create-capwap-lwapp-connection-due-to/tac-p/4261080#M3213


I know the problem arises when the certificate of WLC/AP expires.

So, we want to prevent certificate problems in advance.

 

We using 5520 and 5508 WLC.

AP is using 1100 series and 2700,2800 series.

5520 version : 8.3.150

5508 version : 8.0.152

 

WLC's SHA1 device cert is valid for 22 years and 23 years.

Can certificate problems be prevented in advance by just using the "config ap cert-expiry-ignore {mic | ssc} enable" command??

6 Replies 6

I think Yes it ignore the expire check.

Typically AP licence is valid for 10 years and expiring of that one cause this issue. Once you issue that workaround command listed in below Field Notice, then it will ignore that check. 

https://www.cisco.com/c/en/us/support/docs/field-notices/639/fn63942.html 

HTH

Rasika

*** Pls rate all useful responses ***

We have hundreds of 3502i access points at one of our locations and have the same concern. I found this in the documentation-

config ap cert-expiry-ignore {mic|ssc} enable

 

Important note: IOS APs (i.e. 802.11n / 802.11ac Wave 1 APs), which were manufactured with SHA-2 certificates,
cannot ignore WLC certificate expiration prior to 8.5.160.0.
See CSCvs22835

We are currently at 8.5.151.0 sounds like we will need to upgrade the code as well?

Thanks 

Yes in this case you must upgrade. Please note, 8.5.171.0 was just released, with many important fixes. I'd upgrade to that one (which is probably the last version for 8.5).

Release notes: https://www.cisco.com/c/en/us/td/docs/wireless/controller/release/notes/crn85mr7.html

 8.5.171.0 

Thank you Patoberli 

 

In the CSCvs22835 bug it shows 8.5(160.0) in the known fixed releases, does that include 8.5.160.6? I'm trying to understand if these are fixed in subsequent releases in the same 160 release; or are they specific meaning only fixed in 8.5.160.0 in this as an example?

Thank you in advance for you time. 

Dale

 

Yes, then it should also be fixed in 8.5.160.6 typically. In rare cases this isn't true, but that's only something that TAC can answer. 

Review Cisco Networking for a $25 gift card