Wanted to use an old 1242 AP in my garage, where 802.11n isn’t a concern. Unfortunately even after doing a factory reset, I could not get it to join the controller. Console logs showed this repeating every minute:
*Feb 2 18:13:54.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 10.0.0.11 peer_port: 5246
*Feb 2 18:13:54.001: %CAPWAP-5-CHANGED: CAPWAP changed state to
*Feb 2 18:13:55.303: %DTLS-5-ALERT: Received FATAL : Certificate unknown alert from 10.0.0.11
*Feb 2 18:13:55.303: %CAPWAP-3-ERRORLOG: Bad certificate alert received from peer.
*Feb 2 18:13:55.304: %DTLS-5-PEER_DISCONNECT: Peer 10.0.0.11 has closed connection.
*Feb 2 18:13:55.304: %DTLS-5-SEND_ALERT: Send FATAL : Close not
Googling the error messages pointed to the AP trying to join with an expired certificate. Sure enough, this was definitely the problem…by about 4 years.
AP0019.e832.0320#show crypto pki certificates
CA Certificate
  Status: Available
  Certificate Serial Number: 00
  Certificate Usage: General Purpose
  Issuer:
    email@example.com
    cn=ca
    ou=none
    o=airespace Inc
    l=San Jose
    st=California
    c=US
  Subject:
    firstname.lastname@example.org
    cn=ca
    ou=none
    o=airespace Inc
    l=San Jose
    st=California
    c=US
  Validity Date:
    start date: 23:38:55 UTC Feb 12 2003
    end   date: 23:38:55 UTC Nov 11 2012
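The two artefacts above (the console log and the `show crypto pki certificates` output) are enough to confirm the diagnosis without guessing. The following is an added Python check, not code from the post: it scans captured console lines for the DTLS/CAPWAP certificate alerts and parses the validity window out of the PKI output to say whether the CA certificate is expired at a given time and by how many days. The multi-line layout of the sample PKI output, the two-space indentation, and the sample log lines are constructed here from the post's text; the issuer/subject e-mail attributes are left out because they do not affect the validity check.

```python
import re
from datetime import datetime, timezone

# Constructed sample: the AP console lines from the post, one entry per line.
CONSOLE_LOG = """\
*Feb 2 18:13:54.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 10.0.0.11 peer_port: 5246
*Feb 2 18:13:55.303: %DTLS-5-ALERT: Received FATAL : Certificate unknown alert from 10.0.0.11
*Feb 2 18:13:55.303: %CAPWAP-3-ERRORLOG: Bad certificate alert received from peer.
*Feb 2 18:13:55.304: %DTLS-5-PEER_DISCONNECT: Peer 10.0.0.11 has closed connection.
"""

# Constructed sample: the CA certificate block from 'show crypto pki certificates'
# (layout assumed; the post shows it run together on one line).
PKI_OUTPUT = """\
CA Certificate
  Status: Available
  Certificate Serial Number: 00
  Certificate Usage: General Purpose
  Issuer:
    cn=ca
    ou=none
    o=airespace Inc
  Validity Date:
    start date: 23:38:55 UTC Feb 12 2003
    end   date: 23:38:55 UTC Nov 11 2012
"""

# IOS syslog shape: %FACILITY-SEVERITY-MNEMONIC: message
LOG_RE = re.compile(
    r"%(?P<facility>[A-Z0-9_]+)-(?P<sev>\d)-(?P<mnemonic>[A-Z0-9_]+):\s*(?P<msg>.*)"
)
# Messages that indicate the DTLS handshake failed on certificate validation.
CERT_FAILURE_KEYS = {("DTLS", "ALERT"), ("CAPWAP", "ERRORLOG")}

# IOS prints validity timestamps as "HH:MM:SS UTC Mon DD YYYY".
DATE_FMT = "%H:%M:%S UTC %b %d %Y"


def find_cert_failures(log_text):
    """Return (facility, mnemonic, message) for each certificate-related failure line."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        key = (m["facility"], m["mnemonic"])
        if key in CERT_FAILURE_KEYS and "certificate" in m["msg"].lower():
            hits.append((m["facility"], m["mnemonic"], m["msg"].strip()))
    return hits


def parse_validity(pki_text):
    """Extract the (start, end) validity window as timezone-aware UTC datetimes."""
    start = re.search(r"start date:\s*(.+)", pki_text).group(1).strip()
    end = re.search(r"end\s+date:\s*(.+)", pki_text).group(1).strip()
    to_utc = lambda s: datetime.strptime(s, DATE_FMT).replace(tzinfo=timezone.utc)
    return to_utc(start), to_utc(end)


def certificate_status(pki_text, now=None):
    """Classify the certificate as 'not yet valid', 'valid' or 'expired' at time `now`."""
    now = now or datetime.now(timezone.utc)
    start, end = parse_validity(pki_text)
    if now < start:
        return "not yet valid"
    if now > end:
        return "expired"
    return "valid"


def days_past_expiry(pki_text, now=None):
    """How many whole days past the end date `now` is (0 if still valid)."""
    now = now or datetime.now(timezone.utc)
    _, end = parse_validity(pki_text)
    return max(0, (now - end).days)


if __name__ == "__main__":
    for fac, mnem, msg in find_cert_failures(CONSOLE_LOG):
        print(f"{fac}-{mnem}: {msg}")
    print(certificate_status(PKI_OUTPUT), days_past_expiry(PKI_OUTPUT), "days past end date")
```

Pass `now=` explicitly when checking a saved capture so the result is reproducible; the point of `days_past_expiry` is to know exactly what the controller is being told to ignore before any expiry check is disabled.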
The quick and dirty solution was to set the WLC (2106 w/ 220.127.116.11) to ignore this:
(Cisco Controller) >config ap lifetime-check mic enable
(Cisco Controller) >config ap lifetime-check ssc enable