06-05-2020 11:27 AM - edited 07-05-2021 12:08 PM
So I've been trying to set up a 9800-CL a few times on my Intel NUC here at home (only one NIC). I've got it up and running on ESXi 6.7 but I can't create a trustpoint, and for this reason of course my access point can't connect. I have had nothing but problems with this platform. And based on a webinar about the 9800 WLC from Cisco, they brought up just about all the problems/caveats I've had, since I can't follow their recommendations based on the hardware I have available to play with. I don't have a vcentral and things like this which they all seem to assume you should have. Anyway, I'm getting off topic.
In the webinar they specified the following command
wireless config vwlc-ssc key-size 2048 signature-algo sha256 password 0 <pwd>
Funny thing about that command: you have the option to specify key-size 4096 but you can't use it because it'll say invalid command, I guess because it's a Tcl script expecting certain values.
Anyway, inputting this command gives me the following.
sedc01-wlc01#wireless config vwlc-ssc key-size 2048 signature-algo sha256 password 0 cisco1234
Configuring vWLC-SSC...
sedc01-wlc01#
*Jun 5 18:03:58.864: %HA_EM-6-LOG: Mandatory.crypto_pki_vwlc_ssc_config.tcl: ERROR: Command: 'ping 10.255.0.99',
Result:
% Authorization failed.
sedc01-wlc01#ping 10.255.0.99
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.255.0.99, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
I don't understand why I would get an Authorization fail (especially since I can ping from the CLI on my own). The only AAA config I have is this.
aaa new-model
!
!
aaa authentication login default local-case
aaa authentication enable default enable
aaa authorization config-commands
aaa authorization exec default local
aaa authorization commands 15 default local
That and a local account, besides ping works when I do it myself.
Anyone else had similar issue?
Oh, and running 17.2.1 seems to be on a countdown timer for it to crash on the hardware I'm running this on.
06-05-2020 01:55 PM
Have you defined your wireless management interface? If not, configure it prior to trustpoint creation.
Here is a good reference for basic installation steps on an Intel NUC
https://www.wifireference.com/2019/11/01/building-a-catalyst-9800-cl-lab-with-an-intel-nuc/
HTH
Rasika
*** Pls rate all useful responses ***
06-05-2020 03:29 PM
Very good guide, but no, it doesn't really help me as it does not cover the problem I'm having. I might make a new VM with the detailed steps, although I have one issue about trunking to the NUC. I get access issues to my NUC if I change the port on the switching side to trunk (even if I use native VLAN): on the switch port I lose connectivity to the NUC and another Windows machine I have running on the NUC. The Windows machine (Server 2016) can't do tagging. Might be able to solve that with a vSwitch (not good with that, so I don't know), and if I lose connectivity to the NUC (by changing management VLAN to 2) it'll be a pain in the ass since I don't have a monitor and keyboard that I can easily connect to the NUC.
06-05-2020 04:54 PM
In the first reference document, it is created after the wireless management interface is defined. Pls try that.
Step 11: A certificate is needed for the AP to join the virtual C9800. This can be created automatically via the DAY 0 flow or manually using the following commands.
HTH
Rasika
*** Pls rate all useful responses ***
06-23-2020 02:12 AM
Had the same issue.
It is because you have set up AAA authorization and the EEM script is not authorized to execute the ping command because there is no user attached.
There are 2 options:
1. Either you disable AAA new-model (rather not recommended)
2. Configure
event manager session cli username <username>
where the username is someone who is authorized to do all configurations the script is going to do.
10-20-2020 07:42 AM
Hi,
I had faced a similar issue, and removing the AAA authorization commands made it work; you don't have to disable AAA new-model. Run the below command and then add the AAA authorization commands again.
wireless config vwlc-ssc key-size 2048 signature-algo sha256 password 0 <pwd>
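A configuration check for the condition described in the replies above, as an added example (not part of any post and not Cisco code): it flags a running-config where AAA command authorization is enabled but no `event manager session cli username` is set, which is the state in which the EEM script's CLI commands are rejected. The sample configs are constructed from the AAA lines quoted in the thread; the `admin` account and the function name are assumptions.

```python
import re

# Constructed sample: the AAA lines quoted in the thread plus a hypothetical local user.
SAMPLE_BROKEN = """\
aaa new-model
!
aaa authentication login default local-case
aaa authentication enable default enable
aaa authorization config-commands
aaa authorization exec default local
aaa authorization commands 15 default local
username admin privilege 15 secret 9 <redacted>
"""
# Same config with the setting suggested in the thread added.
SAMPLE_FIXED = SAMPLE_BROKEN + "event manager session cli username admin\n"

AUTHZ_RE = re.compile(r"aaa authorization commands (\d+) (\S+) (.+)$")
EEM_RE = re.compile(r"event manager session cli username (\S+)")
USER_RE = re.compile(r"username (\S+)")


def audit_eem_authorization(config: str) -> list[str]:
    """Return findings for EEM CLI sessions that AAA command authorization would reject."""
    lines = [ln.strip() for ln in config.splitlines()]
    lines = [ln for ln in lines if ln and not ln.startswith("!")]
    if "aaa new-model" not in lines:
        return []  # no AAA, nothing to authorize against
    authz = [m for ln in lines if (m := AUTHZ_RE.match(ln))]
    if not authz:
        return []  # command authorization is not enabled
    local_users = {m.group(1) for ln in lines if (m := USER_RE.match(ln))}
    eem_user = next((m.group(1) for ln in lines if (m := EEM_RE.match(ln))), None)
    levels = ", ".join(sorted({m.group(1) for m in authz}))
    findings = []
    if eem_user is None:
        findings.append(
            f"command authorization is enabled (level {levels}) but "
            "'event manager session cli username' is not set: "
            "EEM-issued CLI commands run with no user attached"
        )
    elif any("local" in m.group(3).split() for m in authz) and eem_user not in local_users:
        # Heuristic: with the 'local' method the named user should exist locally.
        findings.append(f"EEM session user '{eem_user}' has no local 'username' entry")
    return findings


if __name__ == "__main__":
    for name, cfg in (("broken", SAMPLE_BROKEN), ("fixed", SAMPLE_FIXED)):
        print(name, audit_eem_authorization(cfg) or "OK")
```
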