Power on the AP while holding down the Mode button until the LED turns red, then release it. Wait for the “ap:” prompt, then delete the saved CAPWAP configuration:
ap: delete flash:capwap-saved-config
Are you sure you want to delete "flash:capwap-saved-config" (y/n)?y
File "flash:capwap-saved-config" deleted
Rebooting system to reset DPAA...
And for good measure, also delete config.txt from flash and reload the AP:
Delete filename [config.txt]?
Delete flash:/config.txt? [confirm]
Proceed with reload? [confirm]
Wanted to use an old 1242 AP in my garage, where 802.11n isn’t a concern. Unfortunately even after doing a factory reset, I could not get it to join the controller. Console logs showed this repeating every minute:
*Feb 2 18:13:54.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 10.0.0.11 peer_port: 5246
*Feb 2 18:13:54.001: %CAPWAP-5-CHANGED: CAPWAP changed state to
*Feb 2 18:13:55.303: %DTLS-5-ALERT: Received FATAL : Certificate unknown alert from 10.0.0.11
*Feb 2 18:13:55.303: %CAPWAP-3-ERRORLOG: Bad certificate alert received from peer.
*Feb 2 18:13:55.304: %DTLS-5-PEER_DISCONNECT: Peer 10.0.0.11 has closed connection.
*Feb 2 18:13:55.304: %DTLS-5-SEND_ALERT: Send FATAL : Close not
Googling the error messages pointed to the AP trying to join with an expired certificate. Sure enough, this was definitely the problem…by about 4 years.
AP0019.e832.0320#show crypto pki certificates
Certificate Serial Number: 00
Certificate Usage: General Purpose
start date: 23:38:55 UTC Feb 12 2003
end date: 23:38:55 UTC Nov 11 2012
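The diagnosis above (a certificate alert during the DTLS handshake plus an end date that is years in the past) can be scripted rather than eyeballed. The block below is an added example and is not from the original post: it looks for the DTLS certificate-alert pattern in the AP console log and turns the end date from `show crypto pki certificates` into a number of days expired against a reference date. It assumes GNU date for timestamp parsing; the sample log and show output are constructed from the lines quoted above, and the reference year 2017 is an assumption, since the log only shows "Feb 2".

```shell
#!/bin/sh
# Added example, not from the original post: triage an AP join failure by
# (1) spotting the controller's certificate alert in the console log and
# (2) computing how far past its end date the AP certificate is.
# Assumption: GNU date (-d parsing). Sample input is constructed from the post.
set -e

JOIN_LOG='*Feb 2 18:13:54.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 10.0.0.11 peer_port: 5246
*Feb 2 18:13:55.303: %DTLS-5-ALERT: Received FATAL : Certificate unknown alert from 10.0.0.11
*Feb 2 18:13:55.303: %CAPWAP-3-ERRORLOG: Bad certificate alert received from peer.
*Feb 2 18:13:55.304: %DTLS-5-PEER_DISCONNECT: Peer 10.0.0.11 has closed connection.'

PKI_OUT='Certificate Serial Number: 00
Certificate Usage: General Purpose
start date: 23:38:55 UTC Feb 12 2003
end date: 23:38:55 UTC Nov 11 2012'

# Assumed reference date: the log shows "Feb 2" with no year; 2017 is a guess
# consistent with "expired by about 4 years".
REF_DATE='18:13:54 UTC Feb 2 2017'

# True when the controller sent a certificate alert during the DTLS handshake.
cert_rejected() {
  printf '%s\n' "$1" |
    grep -Eq 'DTLS-5-ALERT: Received FATAL : (Certificate unknown|Bad certificate)|CAPWAP-3-ERRORLOG: Bad certificate'
}

# IOS prints "HH:MM:SS TZ Mon DD YYYY"; reorder it into a form date(1) accepts.
ios_date_to_epoch() {
  set -- $1            # $1 time, $2 zone, $3 month, $4 day, $5 year
  date -u -d "$3 $4 $5 $1 $2" +%s
}

# Pull the end date out of the show output (tolerates IOS's padded "end   date:").
cert_end_date() {
  printf '%s\n' "$1" | sed -n 's/^[[:space:]]*end[[:space:]]*date:[[:space:]]*//p' | head -n 1
}

# Whole days between certificate expiry and the reference date; negative = still valid.
days_expired() {
  end=$(ios_date_to_epoch "$(cert_end_date "$1")")
  ref=$(ios_date_to_epoch "$2")
  echo $(( (ref - end) / 86400 ))
}

# Verdict: 0 = rejected and expired (the post's case), 2 = rejected but not
# expired (look at the controller's trust store and clock), 1 = no cert alert.
ap_join_triage() {
  if cert_rejected "$1"; then
    d=$(days_expired "$2" "$3")
    if [ "$d" -ge 0 ]; then
      echo "AP certificate rejected; it expired $d days before $3"
      return 0
    fi
    echo "AP certificate rejected but still valid; check controller trust store and clock"
    return 2
  fi
  echo "no certificate alert in log; look elsewhere"
  return 1
}

ap_join_triage "$JOIN_LOG" "$PKI_OUT" "$REF_DATE"
```

Feed it the real console capture and show output from the AP you are troubleshooting; the "rejected but still valid" branch is the one worth having, because the same alert shows up when the controller's own clock is wrong.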
The quick and dirty solution was to tell the WLC (a 2106) to ignore the certificate lifetime:
(Cisco Controller) >config ap lifetime-check mic enable
(Cisco Controller) >config ap lifetime-check ssc enable
Bear in mind that this applies to every AP that joins the controller, not just the 1242: from now on an AP with an expired manufacturer-installed (MIC) or self-signed (SSC) certificate is accepted. That is fine for a garage AP, but in a production deployment it is a deliberate weakening of AP authentication.
Last year I rolled out PEAP (Cisco 2504 WLC + Windows Server 2012 NPS) to get our wifi secured. One of the nagging problems is that I could never eliminate the ‘untrusted certificate’ warning messages when new clients joined. Most of our clients are Macs, and are neither joined to the domain nor trust the internal Windows CA. On top of that, we have iPhones, iPads, and Android phones that fall into the same boat. So we’re in reality a BYOD environment. All the examples I could find were Enterprise scenarios that assume Windows clients are joined to the domain and inherently trust the internal CA.
The original cert used by NPS was set to expire this week, so I figured it would be a good time to try buying one from an external CA. There was some question of which CAs would be trusted by Apple. Fortunately I found these two knowledge base articles:
GoDaddy was then selected as the CA. The first step was to generate a new 2048-bit private key and CSR (Certificate Signing Request). As usual, I use OpenSSL to do this:
$ openssl req -out wifi.mydomain.com.csr -new -newkey rsa:2048 -nodes -keyout wifi.mydomain.com.key
Note that the certificate must be issued to a specific FQDN hostname, as wildcard certs won’t work with Windows for PEAP. Also, -nodes writes the private key to disk unencrypted, so keep wifi.mydomain.com.key readable only by you until it has been bundled, and don’t leave stray copies around.
After submitting the CSR and waiting for their approval, I download the certificate in Apache or IIS format and end up with a .crt file. Windows requires the cert and key to be bundled together in PKCS#12 (.pfx) format. Two things to watch here: GoDaddy signs from an intermediate CA, so pass its intermediate bundle with -certfile, otherwise NPS presents a bare leaf that clients may not be able to chain to a trusted root; and the .pfx contains the private key, so the export password and the file itself deserve the same care as the key. I’m able to do the bundling via this OpenSSL command:
$ openssl pkcs12 -in wifi.mydomain.com.crt -inkey wifi.mydomain.com.key -export -out wifi.mydomain.com.pfx
Enter Export Password:
Verifying - Enter Export Password:
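The CSR, signing and PKCS#12 steps above fit in one script that can be exercised offline. The block below is an added example, not the post's own commands: a throwaway local CA stands in for GoDaddy, the CSR carries a subjectAltName (public CAs now require one), the PKCS#12 includes the issuing chain via -certfile, and the bundle is checked (key matches cert, SAN names the FQDN, not expired, chains to the CA) before it goes anywhere near the NPS server. The hostname wifi.example.com, the scratch directory and the export password are assumptions; substitute your own.

```shell
#!/bin/sh
# Added example; not from the original post. CSR -> signed cert -> PKCS#12,
# end to end, with a local stand-in CA in place of the public CA.
# Assumptions: hostname, scratch directory, export password (override via env).
set -e

HOST=${HOST:-wifi.example.com}
WORK=${WORK:-$(mktemp -d)}
PFX_PASS=${PFX_PASS:-changeme}

# 1. Private key + CSR. -nodes writes the key unencrypted, hence umask 077.
#    The SAN is set through a config file so this works on older OpenSSL too.
make_csr() {
  umask 077
  cat > "$WORK/csr.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
req_extensions = ext
[dn]
CN = $HOST
[ext]
subjectAltName = DNS:$HOST
EOF
  openssl req -new -newkey rsa:2048 -nodes -config "$WORK/csr.cnf" \
    -keyout "$WORK/$HOST.key" -out "$WORK/$HOST.csr" 2>/dev/null
}

# 2. Stand-in for the public CA. With a real CA this step is their portal:
#    upload the CSR, download the .crt plus the intermediate bundle.
fake_ca_sign() {
  cat > "$WORK/ca.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3_ca
[dn]
CN = Stand-in Root CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
  openssl req -x509 -new -newkey rsa:2048 -nodes -days 30 -config "$WORK/ca.cnf" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
  printf 'subjectAltName = DNS:%s\nextendedKeyUsage = serverAuth\n' "$HOST" > "$WORK/leaf.ext"
  openssl x509 -req -days 30 -in "$WORK/$HOST.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -extfile "$WORK/leaf.ext" -out "$WORK/$HOST.crt" 2>/dev/null
}

# 3. Bundle key + cert + chain. -certfile is what the post's command lacks:
#    without the intermediate, NPS sends a bare leaf and clients that do not
#    already hold the intermediate cannot build a path to a trusted root.
make_pfx() {
  openssl pkcs12 -export -in "$WORK/$HOST.crt" -inkey "$WORK/$HOST.key" \
    -certfile "$WORK/ca.crt" -passout "pass:$PFX_PASS" -out "$WORK/$HOST.pfx"
}

# 4. Checks worth running before the file is copied to the NPS server.
pfx_leaf() {
  openssl pkcs12 -in "$WORK/$HOST.pfx" -passin "pass:$PFX_PASS" -nokeys -clcerts 2>/dev/null
}
verify_pfx() {
  # key and certificate belong together
  cert_mod=$(pfx_leaf | openssl x509 -noout -modulus)
  key_mod=$(openssl pkcs12 -in "$WORK/$HOST.pfx" -passin "pass:$PFX_PASS" -nocerts -nodes 2>/dev/null \
            | openssl rsa -noout -modulus 2>/dev/null)
  [ -n "$cert_mod" ] && [ "$cert_mod" = "$key_mod" ] || return 1
  # SAN names the exact FQDN the supplicants will be told to trust
  pfx_leaf | openssl x509 -noout -text | grep -q "DNS:$HOST" || return 1
  # not expired, and chains to the bundled CA (use the CA's real bundle in production)
  pfx_leaf | openssl x509 -noout -checkend 0 >/dev/null || return 1
  pfx_leaf | openssl verify -CAfile "$WORK/ca.crt" >/dev/null 2>&1 || return 1
}

build_and_verify() {
  make_csr && fake_ca_sign && make_pfx && verify_pfx
}

build_and_verify && echo "ready for import: $WORK/$HOST.pfx"
```

In real use, replace fake_ca_sign with the CA's portal and point -certfile and the verify step at the intermediate bundle the CA gives you. One practical snag: OpenSSL 3.x writes PKCS#12 files with newer encryption defaults, and if an older Windows server rejects the import with a bad-password error, re-export with the -legacy option.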
Now the next trick was to actually import this into NPS so it could be used. To do this, I have to go through the Certificates snap-in.
- Remote Desktop to the NPS server
- Copy the .pfx file to C:\Users\Administrator\Documents (I simply used FTP)
- Type MMC at the command prompt
- File -> Add/Remove Snap-ins, Certificates, Add, “Computer account”, Finish
- Under Personal tree, All tasks -> Import. Select the .pfx file that was created
Finally, we’re now ready to have NPS use the new certificate:
- Administrative Tools -> Network Policy Server
- Policies -> Network Policies -> Wireless Authentication
- Constraints -> Authentication Methods -> Microsoft: Protected EAP (PEAP) -> Edit
- The new cert should show in the top drop-down menu. Select it and click OK
Wireless Fast Transition Option
This is a setting (802.11r Fast Transition) you’ll want to make sure is checked on newer Cisco controllers in environments where clients roam during voice or video sessions. Without it, some clients drop for 2-3 seconds when roaming between APs. It’s set at the WLAN level. Test with your older clients first, as some legacy supplicants fail to associate to an FT-enabled WLAN.
iPad / iPhone SSID change issue
This is a very important non-default configuration setting (Fast SSID Change) to enable on Cisco Wireless Controllers hosting Apple clients, iPads and iPhones in particular. Without it, clients may fail to associate when switching to a different wifi network on the same controller.
Find it in the GUI under Controller -> General.