1194 Views, 9 Helpful, 10 Replies

Reloading 9800-CL after certificate renewal

CDSFDSDXC
Level 1

Hi, I have a pair of 9800-CLs in HA (17.9.3). A certificate expired recently for one of the SSIDs, which I've renewed and uploaded to the WLC. However, the new certificate hasn't taken effect yet and it seems I need to reboot the WLCs for the new certificate to take over.

How do I reload each WLC independently so we don't lose any service, as the reload command looks like it reloads both WLCs?

Many thanks. 

10 Replies

marce1000
VIP

- CLI command redundancy force-switchover will reboot the current controller (only the one the command is executed on).

M.



-- Each morning when I wake up and look into the mirror I always say 'Why am I so brilliant?'
    When the mirror will then always respond to me with 'The only thing that exceeds your brilliance is your beauty!'

Rich R
VIP

There should not be any need to reload a 9800-CL for certificate updates. In fact, a reload will not change the config, so it won't solve your problem. What type of certificate did you change and what procedure did you follow?

Installing the certificate just creates a new PKI trustpoint.  After that you need to tell the service (eg web auth or web admin) to use the new trustpoint:
https://www.cisco.com/c/en/us/support/docs/wireless/catalyst-9800-series-wireless-controllers/213917-generate-csr-for-third-party-certificate.html#toc-hId--466302648

ammahend
VIP

Since it's for an SSID, I'm assuming it's for local web auth. You just need to restart the HTTP service and select the new trustpoint for web auth; see the section on local web authentication here.

-hope this helps-

Yes, it's for WebAuth. I've tried running the below commands as per the guide:

9800(config)#no ip http server
9800(config)#ip http server

But the expiry dates haven't updated when I do a show crypto pki certificates.

Could the issue be that both the old and new certificates have the same name and it's getting confused between the two? Do I need to remove the expired cert before adding the new one?

I think it's impossible to have 2 trustpoints with the same name - are you sure about that?
If you do have 2 with the same name then I guess it would be a good idea to delete the old one, because it will probably just pick up the first one, which may be the old one.
Did you configure the parameter map to use the new certificate trustpoint as per the guide?
You can delete the old cert/trustpoint after you've configured it to use the new one.

"But the expiry dates haven't updated when I do a show crypto pki certificates" - that sounds like you haven't even uploaded the new certificate. Whether you're using it or not, it should still be there.
Really though, you should be using "show crypto pki trustpoints", because it's the trustpoint that you configure on the parameter map, not the certificate.

parameter-map type webauth global
type webauth
trustpoint <trustpoint-name>.p12

CDSFDSDXC
Level 1

I've now updated the device certificate and I can see that it's in date. However, there are two SSIDs that use the certificate for Web Auth and only one has updated. When trying to log into these SSIDs from the user's point of view, one is still complaining about an expired certificate. The new certificate has been selected in the Web Auth Global Parameter Map and the old certificate deleted from the Trustpoints list. Any ideas?

- Have a checkup of the 9800-CL controller configuration with the CLI command show tech wireless; feed the output into: Wireless Config Analyzer

M.

Does the other SSID use a custom parameter map that might be using the old trustpoint?
Or maybe you're using an external web auth like ISE or a 3rd party service?
If you deleted the old certificate, then how could the WLC still be using the old cert?

CDSFDSDXC
Level 1

Apologies for the late reply, but it was because I hadn't installed the certificate on the guest anchor WLC!
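As an added example (not from the thread, not Cisco code), the script below parses constructed `show crypto pki certificates` and `show running-config | section parameter-map type webauth` output, works out which trustpoint the global WebAuth parameter map points at, and reports whether that trustpoint's certificate is still valid on each controller in the guest path. It covers the two checks raised earlier in the thread (look at the trustpoint rather than the certificate, and check the expiry date) together with the root cause found above: on an anchored guest SSID the portal certificate the client sees is served by the anchor, so the same check has to run against the anchor WLC, not only the foreign. All sample output, the trustpoint names (`webauth-2024.p12`, `webauth-2023.p12`), the hostname and the "today" date are constructed for the example.

```python
"""Added example: which trustpoint does the 9800 WebAuth global parameter map
use, and is that trustpoint's certificate valid on every WLC in the guest path?"""
import re
from datetime import datetime, timezone

# Constructed `show crypto pki certificates` output for a foreign WLC that has
# the renewed certificate. Trustpoint and host names are hypothetical.
FOREIGN_PKI = """\
Certificate
  Status: Available
  Issuer:
    cn=Example Issuing CA
  Subject:
    cn=guest.example.com
  Validity Date:
    start date: 00:00:00 UTC Jan 10 2024
    end   date: 23:59:59 UTC Jan 9 2025
  Associated Trustpoints: webauth-2024.p12

CA Certificate
  Status: Available
  Subject:
    cn=Example Issuing CA
  Validity Date:
    start date: 00:00:00 UTC Jan 1 2020
    end   date: 23:59:59 UTC Jan 1 2030
  Associated Trustpoints: webauth-2024.p12 webauth-2023.p12
"""
# Constructed output for a guest anchor WLC that still has only last year's cert.
ANCHOR_PKI = """\
Certificate
  Status: Available
  Subject:
    cn=guest.example.com
  Validity Date:
    start date: 00:00:00 UTC Jan 10 2023
    end   date: 23:59:59 UTC Jan 9 2024
  Associated Trustpoints: webauth-2023.p12
"""
# Constructed `show running-config | section parameter-map type webauth` output.
FOREIGN_CFG = "parameter-map type webauth global\n type webauth\n trustpoint webauth-2024.p12\n"
ANCHOR_CFG = "parameter-map type webauth global\n type webauth\n trustpoint webauth-2023.p12\n"

DATE_RE = re.compile(r"(\d\d:\d\d:\d\d) \S+ ([A-Za-z]{3} \d{1,2} \d{4})")

def _parse_date(text):
    # '23:59:59 UTC Jan 9 2025' -> aware datetime; the zone token is treated as UTC
    m = DATE_RE.search(text)
    return datetime.strptime(f"{m.group(1)} {m.group(2)}",
                             "%H:%M:%S %b %d %Y").replace(tzinfo=timezone.utc)

def parse_pki_certificates(text):
    """Device (non-CA) certificates: subject CN, expiry and associated trustpoints."""
    certs = []
    for block in re.split(r"\n(?=\S)", text.strip()):
        header, _, body = block.partition("\n")
        if header.strip() != "Certificate":
            continue  # 'CA Certificate' blocks never serve the portal
        cn = re.search(r"cn=([^\s,]+)", body.split("Subject:", 1)[1])
        end = re.search(r"end\s+date:\s*(.+)", body)
        tps = re.search(r"Associated Trustpoints:\s*(.+)", body)
        certs.append({"cn": cn.group(1), "not_after": _parse_date(end.group(1)),
                      "trustpoints": tps.group(1).split()})
    return certs

def webauth_trustpoint(running_cfg):
    """Trustpoint configured under 'parameter-map type webauth global', or None."""
    in_map = False
    for line in running_cfg.splitlines():
        if line.startswith("parameter-map type webauth global"):
            in_map = True
        elif in_map and not line.startswith(" "):
            in_map = False  # left the section
        elif in_map and line.strip().startswith("trustpoint "):
            return line.split()[1]
    return None

def check_webauth_cert(pki_text, running_cfg, now):
    """Classify one controller: valid, expired, no-certificate or no-trustpoint."""
    tp = webauth_trustpoint(running_cfg)
    if tp is None:
        return {"trustpoint": None, "status": "no-trustpoint"}
    for cert in parse_pki_certificates(pki_text):
        if tp in cert["trustpoints"]:
            status = "valid" if cert["not_after"] > now else "expired"
            return {"trustpoint": tp, "status": status,
                    "cn": cert["cn"], "not_after": cert["not_after"]}
    return {"trustpoint": tp, "status": "no-certificate"}

def audit_guest_path(controllers, now):
    """Check every WLC in the path; on an anchored SSID the portal the client
    sees is served by the anchor, so an expired cert there still breaks the SSID."""
    return {name: check_webauth_cert(pki, cfg, now)
            for name, (pki, cfg) in controllers.items()}

def run_sample():
    now = datetime(2024, 6, 1, tzinfo=timezone.utc)  # constructed "today"
    return audit_guest_path({"foreign": (FOREIGN_PKI, FOREIGN_CFG),
                             "anchor": (ANCHOR_PKI, ANCHOR_CFG)}, now)

if __name__ == "__main__":
    for name, r in run_sample().items():
        print(f"{name}: trustpoint={r['trustpoint']} status={r['status']}")
```

In practice you would feed the script the real `show` output captured from each controller in the mobility group (foreign and every anchor), and treat any result other than `valid` on any of them as the reason the portal still shows an expired certificate.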

Wow... that took a while :), but it's great to see folks post the answer, as that will help others when they are searching for answers.

-Scott