getakrot.blogg.se

Mac vendor lookup cisco wlc 5520









MAC VENDOR LOOKUP CISCO WLC 5520 VERIFICATION

If you are using older Cisco WLAN Controllers (“WLC”) or access points in your network, you might find your access points simply disappearing from your WLC one day and not being able to rejoin it. This could be due to a problem related to the digital certificates of the devices in your network.

As an administrator, you very rarely have to deal with the certificates used for authentication between the WLC and the AP because most of the time it just… works.

Some quick facts about device certificates in terms of Cisco WLCs and APs:

During manufacture, a device certificate is installed in all WLCs and APs leaving the factory.

This certificate is used to perform authentication between the WLC and an AP wanting to join the WLC. Without this mutual authentication, the WLC and AP won’t be able to establish a secure DTLS tunnel between them for encrypting CAPWAP control traffic, which means your APs won’t be able to join the WLC.

Device certificates for both WLCs and APs are valid for 10 years from the manufacturing date.

Time is an important factor for certificate validity, which means that the time/date of your WLC and connecting APs is important.

APs get their time from the WLC as soon as they try to connect. Even if the CAPWAP/DTLS connection is not successfully established, the AP will still get the time from the WLC.

I myself have run into two problems related to device certificates:

- Older access point does not want to join any WLC
- Newer access point does not want to join an older WLC

The first issue shows up when you have an old access point that has hit that 10-year mark and its device certificate has finally hit the expiration date. At the time of writing this article, these access points are usually of the models AP-1131 and AP-1142.

Your AP will not be disconnected from the WLC immediately on the certificate’s expiration date, but in case of a restart of either the AP or the WLC, where a new CAPWAP tunnel must be established between the two, the connection will not be completed.

Connecting to the console port of an AP is the easiest method to see this problem in action, and it looks something like this. 10.10.66.250 is the IP address of the WLC.

Validity period ended on 19:56:24 UTC
*Sep 13 18:26:24.099: %LWAPP-3-CLIENTERRORLOG: Peer certificate verification failed
*Sep 13 18:26:24.099: %CAPWAP-3-ERRORLOG: Certificate verification failed!
The certificate (SN: 3C1E27950000000CAAAA) has expired.

The error message is pretty clear: the AP itself is alerting us that its certificate has expired.

The second issue presents itself when you have a newer access point that is trying to connect to an older WLC, whose own device certificate has reached 10 years of age and therefore expired. At the time of writing this article, the earliest manufactured models of the WLC 5508 controller have been starting to run into this issue as of May 2018.

Connecting to the console port of an AP also shows this problem; the error message could look a bit different depending on whether you are using an AP running the older IOS software (pre-1800/2800/3800 series APs) or the newer AP-COS software (1800/2800/3800 and forward).

For old IOS-based access points the error could look like this:

Cert Verification FAILED with error 10 (certificate has expired) at 0 depth.
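
The console messages quoted on this page can be triaged automatically when you collect AP console or syslog output. The following is an added example, not code from the original article or from Cisco; the function name `classify`, the verdict strings and the `%EXAMPLE-6-INFO` line are made up for illustration, while the other sample lines are the ones quoted on this page. It treats a bare "verification failed" message as inconclusive and reports expiry only when a line says so explicitly.

```python
import re

# IOS-style console line: "*Sep 13 18:26:24.099: %FACILITY-SEV-MNEMONIC: text"
SYSLOG = re.compile(r"^\*?[A-Z][a-z]{2} +\d+ [\d:.]+: %(?P<tag>[A-Z0-9_]+-\d-[A-Z0-9_]+): (?P<msg>.*)$")
# Explicit expiry statement that names the certificate by serial number.
EXPIRED_SN = re.compile(r"The certificate \(SN: ([0-9A-Fa-f]+)\) has expired")
# Verifier line carrying a numeric code, a reason and the chain depth.
VERIFY = re.compile(r"Cert Verification FAILED with error (?P<code>\d+) "
                    r"\((?P<reason>[^)]*)\) at (?P<depth>\d+) depth")
# Tags that report a failed verification without stating the cause.
GENERIC_TAGS = {"LWAPP-3-CLIENTERRORLOG", "CAPWAP-3-ERRORLOG"}


def classify(lines):
    """Summarise certificate failures found in AP console output."""
    out = {"serials": [], "reasons": [], "evidence": []}
    expired = other = generic = False
    for raw in lines:
        line = raw.strip()
        m = SYSLOG.match(line)
        tag, msg = (m["tag"], m["msg"]) if m else (None, line)
        serials = [s.upper() for s in EXPIRED_SN.findall(msg)]
        out["serials"] += [s for s in serials if s not in out["serials"]]
        v = VERIFY.search(msg)
        if v:
            out["reasons"].append((int(v["code"]), v["reason"], int(v["depth"])))
        is_generic = tag in GENERIC_TAGS and "verification failed" in msg.lower()
        # Only an explicit expiry statement counts as proof of expiry.
        expired |= bool(serials) or bool(v and "expired" in v["reason"].lower())
        other |= bool(v and "expired" not in v["reason"].lower())
        generic |= is_generic
        if serials or v or is_generic:
            out["evidence"].append(line)
    out["verdict"] = ("cert-expired" if expired else "cert-verify-failed-other" if other
                      else "cert-verify-failed-cause-unknown" if generic else "no-cert-error")
    return out


# Messages quoted on this page, plus one constructed unrelated line.
SAMPLE = [
    "*Sep 13 18:26:24.099: %LWAPP-3-CLIENTERRORLOG: Peer certificate verification failed",
    "*Sep 13 18:26:24.099: %CAPWAP-3-ERRORLOG: Certificate verification failed!",
    "The certificate (SN: 3C1E27950000000CAAAA) has expired.",
    "*Sep 13 18:26:25.000: %EXAMPLE-6-INFO: unrelated message (constructed)",
]

if __name__ == "__main__":
    print(classify(SAMPLE))
```

When the verdict is `cert-verify-failed-cause-unknown`, check the WLC clock and the certificate dates before concluding that a certificate has expired.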








