MIC and SSC certificates expired on Cisco AP

gmukesh
Cisco Employee

In cases where the certificates (MIC/SSC) of either the WLC or the AP have expired, all APs are unable to join the WLC. So we use the commands below on the WLC. These commands just magically let all the APs join the WLC (after checking the AP licenses on the WLC, and ports 5246/5247 should not be blocked between the WLC and the AP).

WLC> config ap cert-expiry-ignore mic enable
WLC> config ap cert-expiry-ignore ssc enable

So the next question asked by the customer is below:

Can "config ap cert-expiry-ignore mic enable" / "config ap cert-expiry-ignore ssc enable" cause any security threat, as it is bypassing one of the steps of the CAPWAP process?

We used to say “No, it will not impact” to the customer, and most customers agree. But there are some customers who need solid evidence to show to their security team or senior management.

 

So this week, I replicated the issue in the lab and took debug logs from the WLC using the commands below when an AP was trying to join:

debug mac addr <MAC-address of AP>

debug capwap events enable

debug capwap errors enable

debug pm pki enable

debug dtls all enable

debug capwap dtls-keepalive enable

debug capwap error enable

 

Below is my observation:
It will not simply bypass the certificate check or ignore the certificates. What it will do is ignore the expiry date of the certificate during certificate verification. Below are example logs from the WLC that show how it happens:
*spamApTask4: Nov 09 01:54:34.525: sshpmGetCID: called to evaluate <cscoDefaultNewRootCaCert> /////// Evaluation start-1
*spamApTask4: Nov 09 01:54:34.525: sshpmGetCID: Found matching CA cert cscoDefaultNewRootCaCert in row 4
*spamApTask4: Nov 09 01:54:34.525: Found CID 2bd185bc for certname cscoDefaultNewRootCaCert
*spamApTask4: Nov 09 01:54:34.525: CACertTable: Found matching CID cscoDefaultNewRootCaCert in row 4 x509 0x2cc7c6ac
*spamApTask4: Nov 09 01:54:34.527: Verify User Certificate: X509 Cert Verification return code: 0
*spamApTask4: Nov 09 01:54:34.527: Verify User Certificate: X509 Cert Verification result text: certificate has expired
*spamApTask4: Nov 09 01:54:34.527: Verify User Certificate: Error in X509 Cert Verification at 0 depth: certificate has expired
*spamApTask4: Nov 09 01:54:34.527: Verify User Certificate: Warning: Certificate has expired, but allowed & continuing

*spamApTask4: Nov 09 01:54:34.861: sshpmGetCID: called to evaluate <cscoDefaultNewRootCaCert> /////// Evaluation start-2
*spamApTask4: Nov 09 01:54:34.861: sshpmGetCID: Found matching CA cert cscoDefaultNewRootCaCert in row 4
*spamApTask4: Nov 09 01:54:34.861: Found CID 2bd185bc for certname cscoDefaultNewRootCaCert
*spamApTask4: Nov 09 01:54:34.861: CACertTable: Found matching CID cscoDefaultNewRootCaCert in row 4 x509 0x2cc7c6ac
*spamApTask4: Nov 09 01:54:34.863: Verify User Certificate: X509 Cert Verification return code: 1
*spamApTask4: Nov 09 01:54:34.863: Verify User Certificate: X509 Cert Verification result text: ok

*spamApTask4: Nov 09 01:54:34.863: sshpmGetCID: called to evaluate <cscoDefaultMfgCaCert> /////// Evaluation start-3
*spamApTask4: Nov 09 01:54:34.863: sshpmGetCID: Found matching CA cert cscoDefaultMfgCaCert in row 5
*spamApTask4: Nov 09 01:54:34.864: Verify User Certificate: OPENSSL X509_Verify: AP Cert Verfied Using >cscoDefaultMfgCaCert<
*spamApTask4: Nov 09 01:54:34.864: OpenSSL Get Issuer Handles: Check cert validity times (allow expired YES)

So here we can conclude that it is not skipping the certificate check, but it is ignoring the expiry date of the certificate. For example:
1. In Evaluation-1, the WLC tried to evaluate the <cscoDefaultNewRootCaCert> certificate, and the WLC found this certificate coming in the CAPWAP packet of the AP. Then in Evaluation-1, the WLC found that the certificate is expired but is still continuing the evaluation, as we have run the expiry-ignore commands.
2. Then in Evaluation-2, the same <cscoDefaultNewRootCaCert> got evaluated with verification return code: 1

So even if the certificates are expired, the WLC will complete the evaluation of the expired certificates. Now, coming to the answer to the question below:

Can "config ap cert-expiry-ignore mic enable" / "config ap cert-expiry-ignore ssc enable" cause any security threat, as it is bypassing one of the steps of the CAPWAP process?

 

So the answer is that the evaluation is still completed even if the certificates are expired. Let us say an AP does not have any certificate and it is trying to join the WLC. The WLC will not let it join even with the “config ap cert-expiry-ignore mic enable” command.

 

So we can share the above information with the customer so that he can share it with higher management or the security team.
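
As an added example (not part of the original post and not Cisco tooling), this script groups the `debug pm pki` output shown above into one record per certificate evaluation and labels each one, so a reviewer can separate verifications that passed outright from those that passed only because expiry was ignored and those that failed. The last three sample lines and the name `exampleUnknownCaCert` are constructed, and treating a return code 0 without the override warning as a rejection is an assumption of this script.

```python
import re

# Debug lines copied from the post above (author's "Evaluation start-N" notes
# removed). The last three lines are CONSTRUCTED to show a non-expiry failure.
SAMPLE = """\
*spamApTask4: Nov 09 01:54:34.525: sshpmGetCID: called to evaluate <cscoDefaultNewRootCaCert>
*spamApTask4: Nov 09 01:54:34.527: Verify User Certificate: X509 Cert Verification return code: 0
*spamApTask4: Nov 09 01:54:34.527: Verify User Certificate: X509 Cert Verification result text: certificate has expired
*spamApTask4: Nov 09 01:54:34.527: Verify User Certificate: Warning: Certificate has expired, but allowed & continuing
*spamApTask4: Nov 09 01:54:34.861: sshpmGetCID: called to evaluate <cscoDefaultNewRootCaCert>
*spamApTask4: Nov 09 01:54:34.863: Verify User Certificate: X509 Cert Verification return code: 1
*spamApTask4: Nov 09 01:54:34.863: Verify User Certificate: X509 Cert Verification result text: ok
*spamApTask4: Nov 09 01:55:10.100: sshpmGetCID: called to evaluate <exampleUnknownCaCert>
*spamApTask4: Nov 09 01:55:10.102: Verify User Certificate: X509 Cert Verification return code: 0
*spamApTask4: Nov 09 01:55:10.102: Verify User Certificate: X509 Cert Verification result text: unable to get local issuer certificate
"""

LINE = re.compile(r"^\*\w+: (?P<ts>\w{3} \d{2} [\d:.]+): (?P<msg>.+)$")
EVAL = re.compile(r"called to evaluate <(\w+)>")
RESULT = re.compile(r"X509 Cert Verification (return code|result text): (.+)")
OVERRIDE = "Certificate has expired, but allowed & continuing"

def parse_evaluations(log):
    # One record per "called to evaluate" block; later lines attach to it.
    evals = []
    for raw in log.splitlines():
        m = LINE.match(raw.strip())
        msg = m["msg"] if m else ""
        if e := EVAL.search(msg):
            evals.append({"ts": m["ts"], "cert": e[1], "overridden": False})
        elif evals and (r := RESULT.search(msg)):
            evals[-1][r[1]] = r[2].strip()
        elif evals and OVERRIDE in msg:
            evals[-1]["overridden"] = True
    return evals

def classify(ev):
    code, text = ev.get("return code"), ev.get("result text")
    if code == "1":
        return "verified"
    if code == "0" and text == "certificate has expired" and ev["overridden"]:
        return "expired-but-allowed"
    # Assumption: a failure with no override warning was not accepted.
    return "failed" if code == "0" else "incomplete"

def report(log):
    return [(ev["ts"], ev["cert"], classify(ev)) for ev in parse_evaluations(log)]

print(*report(SAMPLE), sep="\n")
```

Any row labelled `failed` or `incomplete` while the expiry-ignore commands are enabled is the case worth showing to a security team, since it is an evaluation the setting did not rescue.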


Haydn Andrews
VIP Alumni

Effectively, what doing this does is it still validates the certificate but doesn't care if it's expired. It's not an "ignore the certificate".

I have never seen anything official from Cisco to confirm the above.

If the customer is so concerned about this, then the simple solution is to upgrade their legacy equipment.


Dear Haydn,

 

Thanks for adding your views on it.

 

Also, please refer to the field notice below and search for "9800" in the document:

https://www.cisco.com/c/en/us/support/docs/field-notices/639/fn63942.html

You will see that all the latest 9800 WLCs have their MIC expiry date in 2099.

 

Thanks

 
