WLC9800 has “Not Available” management trustpoint on WLC9800

The AP fails to join.
There is a problem with the WLC trust point.
WLC-01#show wireless stats ap history | inc Disjoined
APC4D6.6693.3350             4800.b33a.ec40  Disjoined  03/06/25 21:58:37  03/06/25 22:18:39        DTLS cert-chain not available 13
APC4D6.6693.35C0             4800.b33a.f120  Disjoined  03/06/25 21:58:25  03/06/25 22:19:31        DTLS cert-chain not available 14
APC4D6.6693.36B0             4800.b33a.f300  Disjoined  03/06/25 21:58:28  03/06/25 22:19:14        DTLS cert-chain not available 13
APC4D6.6693.3A50             4800.b33a.fa40  Disjoined  03/06/25 21:58:33  03/06/25 22:18:40        DTLS cert-chain not available 13
APC4D6.6693.3D00             4800.b33a.ffa0  Disjoined  03/06/25 21:58:28  03/06/25 22:18:35        DTLS cert-chain not available 13

DTLS cert-chain not available

WLC-01#show wireless management trustpoint 
Trustpoint Name  : 
Certificate Info : Not Available
Private key Info : Not Available
FIPS suitability : Not Applicable
WLC-01#show crypto pki trustpoints 
Trustpoint DNAC-CA:
    Subject Name: 
    ou=Cisco DNA Center
    o=Cisco Systems
    cn=207efc7d-15e0-93ba-7a60-63aa8ff267a2
          Serial Number (hex): XXXXX
    Certificate configured.

Trustpoint sdn-network-infra-iwan:
    Subject Name: 
    cn=sdn-network-infra-ca
          Serial Number (hex): XXXXX
    Certificate configured.
    SCEP URL: http://XXXXX:80/ejbca/publicweb/apply/scep/sdnscep

Trustpoint SLA-TrustPoint:
    Subject Name: 
    cn=Cisco Licensing Root CA
    o=Cisco
          Serial Number (hex): 01
    Certificate configured.

Trustpoint CISCO_IDEVID_SUDI:
    Subject Name: 
    o=Cisco
    cn=High Assurance SUDI CA
          Serial Number (hex): XXXXX
    Certificate configured.

Trustpoint CISCO_IDEVID_SUDI0:
    Subject Name: 
    cn=Cisco Root CA 2099
    o=Cisco
          Serial Number (hex): XXXXX
    Certificate configured.


WLC-01#show crypto pki certificates
Certificate
  Status: Available
  Certificate Serial Number (hex): XXXXX
  Certificate Usage: General Purpose
  Issuer: 
    o=Cisco
    cn=High Assurance SUDI CA
  Subject:
    Name: C9800-L-F-K9
    Serial Number: PID:C9800-L-F-K9 SN:XXXXX
    cn=C9800-L-F-K9
    ou=ACT-2 Lite SUDI
    o=Cisco
    serialNumber=PID:C9800-L-F-K9 SN:XXXXX
  Validity Date: 
    start date: 15:26:27 JST Dec 14 2024
    end   date: 05:58:26 JST Aug 10 2099
  Associated Trustpoints: CISCO_IDEVID_SUDI 

CA Certificate
  Status: Available
  Certificate Serial Number (hex): XXXXX
  Certificate Usage: Signature
  Issuer: 
    cn=Cisco Root CA 2099
    o=Cisco
  Subject: 
    o=Cisco
    cn=High Assurance SUDI CA
  CRL Distribution Points: 
    http://www.cisco.com/security/pki/crl/crca2099.crl
  Validity Date: 
    start date: 05:28:08 JST Aug 12 2016
    end   date: 05:58:27 JST Aug 10 2099
  Associated Trustpoints: CISCO_IDEVID_SUDI Trustpool 

CA Certificate
  Status: Available
  Certificate Serial Number (hex): XXXXX
  Certificate Usage: Signature
  Issuer: 
    cn=Cisco Root CA 2099
    o=Cisco
  Subject: 
    cn=Cisco Root CA 2099
    o=Cisco
  Validity Date: 
    start date: 05:58:28 JST Aug 10 2016
    end   date: 05:58:28 JST Aug 10 2099
  Associated Trustpoints: CISCO_IDEVID_SUDI0 Trustpool 

CA Certificate
  Status: Available
  Certificate Serial Number (hex): 01
  Certificate Usage: Signature
  Issuer: 
    cn=Cisco Licensing Root CA
    o=Cisco
  Subject: 
    cn=Cisco Licensing Root CA
    o=Cisco
  Validity Date: 
    start date: 04:48:47 JST May 31 2013
    end   date: 04:48:47 JST May 31 2038
  Associated Trustpoints: Trustpool SLA-TrustPoint 
  Storage: nvram:CiscoLicensi#1CA.cer

Certificate
  Status: Available
  Certificate Serial Number (hex): XXXXX
  Certificate Usage: General Purpose
  Issuer: 
    cn=sdn-network-infra-ca
  Subject:
    Name: WLC-01
    cn=C9800-L-F-K9_FCL284700CC_sdn-network-infra-iwan
    hostname=WLC-01
  Validity Date: 
    start date: 19:57:15 JST Mar 5 2025
    end   date: 19:57:15 JST Mar 5 2026
    renew date: 19:57:15 JST Dec 22 2025
  Associated Trustpoints: sdn-network-infra-iwan 
  Storage: nvram:sdn-network-#76D3.cer

CA Certificate
  Status: Available
  Certificate Serial Number (hex): XXXXX
  Certificate Usage: Signature
  Issuer: 
    cn=sdn-network-infra-ca
  Subject: 
    cn=sdn-network-infra-ca
  Validity Date: 
    start date: 13:00:54 JST Feb 13 2025
    end   date: 13:00:53 JST Feb 13 2045
  Associated Trustpoints: sdn-network-infra-iwan 
  Storage: nvram:sdn-network-#94A5CA.cer

CA Certificate
  Status: Available
  Certificate Serial Number (hex): XXXXX
  Certificate Usage: General Purpose
  Issuer: 
    ou=Cisco DNA Center
    o=Cisco Systems
    cn=XXXXX
  Subject: 
    ou=Cisco DNA Center
    o=Cisco Systems
    cn=XXXXX
  Validity Date: 
    start date: 11:05:44 JST Feb 13 2025
    end   date: 11:05:44 JST Nov 10 2027
  Associated Trustpoints: DNAC-CA 
  Storage: nvram:CiscoDNACent#6723CA.cer
WLC-01# wireless config vwlc-ssc
                                         ^
% Invalid input detected at '^' marker.
I tried to create a trustpoint manually, but the command is not supported.

marce1000
Hall of Fame


- If this is a virtual 9800-CL controller then you need to generate the WMI's trustpoint manually using the command:
wireless config vwlc-ssc key-size 2048 signature-algo sha256 password 0
Referenced in: https://www.ciscolive.com/c/dam/r/ciscolive/global-event/docs/2024/pdf/BRKEWN-2094.pdf
Start reading from: Uplink IP and Wireless Management Interface (WMI)
(don't forget to configure the WMI either)

If you get this on another controller (a physical box), then check out its configuration first using the CLI command show tech wireless and feed the output from that into Wireless Config Analyzer. Look for related advisories (use the full command denoted in green; do not use show tech-support for this procedure).

 M.



-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
    When the mirror will then always respond to me with ' The only thing that exceeds your brilliance is your beauty! '

It's not 9800CL, it's 9800-L-F

17.12.4 ver

WLC-01# wireless config vwlc-ssc
                                         ^
% Invalid input detected at '^' marker.

Take a look at this guide. You can always use an existing trustpoint or just create a new one. Under Configuration > Interface > Wireless, you can choose a different one that is existing.


https://www.cisco.com/c/en/us/td/docs/wireless/controller/9800/config-guide/trustpoints/b-configuring-trustpoints-on-cisco-catalyst-9800-series-controllers/m-overview-of-trustpoints-on-catalyst-9800.html

-Scott
*** Please rate helpful posts ***


Do you not have another SUDI trustpoint you can use?


-Scott

HYS-MPO-ITR-SDA-WLC-(config)#wireless management trustpoint CISCO_IDEVID_SUDI
% node-2:dbm:wireless:Default Cisco SUDI trustpoint name is not allowed

SUDI is not allowed for trust point and SUDI0 has no effect.


- @JustTakeTheFirstStep
> ...It's not 9800CL, it's 9800-L-F
Normally not needed on these boxes; use the WirelessAnalyzer procedure too as I explained in my first reply and look at the info from @Scott Fella too.

M.

@Scott Fella @marce1000 


WLC-01-stby#show crypto pki certificates 
.
.
.
Certificate
  Status: Available
  Certificate Serial Number (hex): xxxxx
  Certificate Usage: General Purpose
  Issuer: 
    cn=Cisco Manufacturing CA III
    o=Cisco
  Subject:
    Name: SWSUDI
    Serial Number: PID:C9800-L-F-K9 SN:xxxxx
    serialNumber=PID:C9800-L-F-K9 SN:xxxxx
    cn=SWSUDI
  CRL Distribution Points: 
    http://www.cisco.com/security/pki/crl/cmca3.crl
  Validity Date: 
    start date: 15:30:53 JST Dec 14 2024
    end   date: 04:19:27 JST May 27 2099
  Associated Trustpoints: CISCO_IDEVID_CMCA3_SUDI 
WLC-01#reload slot 1
WLC-01#show chassis 
Chassis/Stack Mac Address : f8c6.5022.4300 - Local Mac Address
Mac persistency wait time: Indefinite
Local Redundancy Port Type: Twisted Pair
                                             H/W   Current
Chassis#   Role    Mac Address     Priority Version  State                 IP
-------------------------------------------------------------------------------------
 1       Standby  f8c6.5022.4300     2      V02     Ready                169.254.1.250  
*2       Active   f8c6.5022.4380     1      V02     Ready                169.254.1.253  

WLC-01(config)#wireless management trustpoint CISCO_IDEVID_CMCA3_SUDI

WLC-01#show wireless management trustpoint
Trustpoint Name  : CISCO_IDEVID_CMCA3_SUDI
Certificate Info : Available
Certificate Type : MIC
Certificate Hash : cad50797657de9ed82bb495f8fe713aa5b952106
Private key Info : Available
FIPS suitability : Not Applicable


WLC1 does not have a Cisco Manufacturing CA certificate.
However, we found a Cisco Manufacturing CA III certificate for WLC2.
We will contact the TAC for the WLC1 controller.

Rich R
VIP

1. Always mention the specific model of WLC and version of software which it is running!

2. The correct trustpoint for latest versions of software on hardware appliance WLCs (not 9800-CL) is CISCO_IDEVID_CMCA3_SUDI:
9800#sh wireless management trustpoint
Trustpoint Name : CISCO_IDEVID_CMCA3_SUDI

9800#sh crypto pki trustpoints | beg CISCO_IDEVID_CMCA3_SUDI
Trustpoint CISCO_IDEVID_CMCA3_SUDI:
Subject Name:
cn=Cisco Manufacturing CA III
o=Cisco

WLC-01#sh ver
Cisco IOS XE Software, Version 17.12.04

WLC-01#sh inven
NAME: "Chassis 1", DESCR: "Cisco C9800-L-F-K9 Chassis"
PID: C9800-L-F-K9      , VID: 03   , SN: 

Check out “sh crypto pki certificates” in the main body
The CISCO_IDEVID_CMCA3_SUDI certificate for WLC1 is not provided.

Rich R
VIP

Ok - from https://www.cisco.com/c/en/us/td/docs/wireless/controller/9800/17-12/release-notes/rn-17-12-9800.html

Modified Trustpoints for Secure Unique Device Identity (SUDI) Certificates

From Cisco IOS XE Dublin 17.12.1 onwards, the following changes have been introduced for trustpoints:
    Trustpoint names for existing SUDI certificates
    If your device supports Cisco Manufacturing CA III certificate and is not disabled, the trustpoint names are as follows:
        For Cisco Manufacturing CA III certificate, the trustpoint name has changed from CISCO_IDEVID_SUDI to CISCO_IDEVID_CMCA3_SUDI
        For Cisco Manufacturing CA SHA2 certificate, the trustpoint name has changed from CISCO_IDEVID_SUDI_LEGACY to CISCO_IDEVID_CMCA2_SUDI

    If your device does not support Cisco Manufacturing CA III certificate or if the certificate is disabled using no platform sudi cmca3 command, the trustpoint names are as follows:

        For Cisco Manufacturing CA SHA2 certificate, the trustpoint name has changed from CISCO_IDEVID_SUDI to CISCO_IDEVID_CMCA2_SUDI

        For Cisco Manufacturing CA certificate, the trustpoint name has changed from CISCO_IDEVID_SUDI_LEGACY to CISCO_IDEVID_CMCA_SUDI

    Hardware SUDI certificates

        If your device supports High Assurance SUDI CA certificate, this certificate is loaded under CISCO_IDEVID_SUDI trustpoint.

        If your device does not support High Assurance SUDI CA certificate, ACT2 SUDI CA certificate is loaded under CISCO_IDEVID_SUDI trustpoint.

    show wireless management trustpoint command output

    If Cisco Catalyst 9300 Series Switch is used with a Cisco Catalyst 9800 Series Wireless Controller for wireless deployments, the trustpoint name in the output of show wireless management trustpoint command is updated to the modified trustpoint name as mentioned previously.

    The following example shows a sample output of show wireless management trustpoint command. Note that if your device does not support Cisco Manufacturing CA III certificate or if the certificate is disabled, the Trustpoint Name in the following output displays CISCO_IDEVID_CMCA2_SUDI.

    Device# show wireless management trustpoint
    Trustpoint Name  : CISCO_IDEVID_CMCA3_SUDI
    Certificate Info : Available
    Certificate Type : MIC
    Certificate Hash : <SHA1 - hash>
    Private key Info : Available
    FIPS suitability : Not Applicable

    show ip http server status command output

    If you configure the trustpoint for the HTTP server as CISCO_IDEVID_SUDI, the output of show ip http server status command displays the operating trustpoint along with the configured trustpoint.

    The following example shows a sample output of show ip http server status command with both the configured and the operating trustpoint names. Note that if your device does not support Cisco Manufacturing CA III certificate or if the certificate is disabled, the operating trustpoint in the following output displays CISCO_IDEVID_CMCA2_SUDI.

    Device# show ip http server status
    …
    HTTP secure server trustpoint: CISCO_IDEVID_SUDI
    HTTP secure server operating trustpoint: CISCO_IDEVID_CMCA3_SUDI

So check that you don't have "no platform sudi cmca3" configured? The certificate comes from the software so it doesn't make sense that it should be missing from hardware.
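As an added, defender-side check that is not part of this thread or of any Cisco tool: a small Python script that parses the two show outputs discussed above ("show wireless management trustpoint" and "show crypto pki certificates") and reports whether the management trustpoint is set and which MIC trustpoints usable for it are actually present on the box. The eligibility rule is taken from the 17.12 release-notes excerpt above and from the rejection of CISCO_IDEVID_SUDI seen earlier in the thread; the sample outputs below are constructed, not captured from a real controller.

```python
import re

# Per the 17.12 release notes quoted above, the MIC lives under CISCO_IDEVID_CMCA3_SUDI
# (CMCA2 when CMCA III is unsupported/disabled); CISCO_IDEVID_SUDI is rejected as WMI trustpoint.
USABLE_MIC_TRUSTPOINTS = ("CISCO_IDEVID_CMCA3_SUDI", "CISCO_IDEVID_CMCA2_SUDI")

def parse_pki_certificates(text):
    """Split 'show crypto pki certificates' output into dicts (kind, status, issuer cn, trustpoints)."""
    certs = []
    # Each record starts at column 0 with "Certificate" or "CA Certificate"; all fields are indented.
    for block in re.split(r"\n(?=(?:CA )?Certificate[ \t]*\n)", text.strip()):
        lines = [l.strip() for l in block.strip().splitlines()]
        cert = {"kind": lines[0], "status": "", "issuer_cn": "", "trustpoints": []}
        section = None
        for s in lines[1:]:
            if s.startswith("Status:"):
                cert["status"] = s.split(":", 1)[1].strip()
            elif s.startswith(("Issuer:", "Subject:")):
                section = s.rstrip(": ")          # track which DN block the cn= line belongs to
            elif section == "Issuer" and s.startswith("cn="):
                cert["issuer_cn"] = s[3:]
            elif s.startswith("Associated Trustpoints:"):
                cert["trustpoints"] = s.split(":", 1)[1].split()
        certs.append(cert)
    return certs

def diagnose(mgmt_output, pki_output):
    """Return (configured management trustpoint or None, usable MIC trustpoints present)."""
    m = re.search(r"Trustpoint Name[ \t]*:[ \t]*(\S*)", mgmt_output)
    configured = m.group(1) or None if m else None
    # Only device (non-CA) certificates with an Available status can back the WMI trustpoint.
    present = {tp for c in parse_pki_certificates(pki_output)
               if c["kind"] == "Certificate" and c["status"] == "Available"
               for tp in c["trustpoints"]}
    return configured, [tp for tp in USABLE_MIC_TRUSTPOINTS if tp in present]

# Constructed excerpts in the format of the thread's show output (serials and dates omitted).
PKI_SAMPLE = """\
Certificate
  Status: Available
  Issuer: 
    cn=Cisco Manufacturing CA III
  Subject:
    cn=SWSUDI
  Associated Trustpoints: CISCO_IDEVID_CMCA3_SUDI 
CA Certificate
  Status: Available
  Issuer: 
    cn=Cisco Root CA 2099
  Associated Trustpoints: CISCO_IDEVID_SUDI Trustpool 
"""
MGMT_UNSET = "Trustpoint Name  : \nCertificate Info : Not Available\n"
```

An empty candidate list together with an unset trustpoint is the situation in the original post: no MIC under a CMCA trustpoint, so "wireless management trustpoint" has nothing acceptable to point at and the AP DTLS handshake fails.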
