Cisco 2702i Lightweight AP Factory Reset when Controller not available

Power on the AP while holding down the Mode button until the LED turns red, then release.  Wait for the “ap:” prompt.  Then do this:

ap: delete flash:capwap-saved-config
Are you sure you want to delete "flash:capwap-saved-config" (y/n)?y
File "flash:capwap-saved-config" deleted
ap: boot
Rebooting system to reset DPAA...

And for good measure

AP#delete flash:config.txt
Delete filename [config.txt]? 
Delete flash:/config.txt? [confirm]
AP#reload
Proceed with reload? [confirm]


Wireless AP with Expired Certificate

Wanted to use an old 1242 AP in my garage, where 802.11n isn’t a concern.  Unfortunately even after doing a factory reset, I could not get it to join the controller.  Console logs showed this repeating every minute:

*Feb 2 18:13:54.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 10.0.0.11 peer_port: 5246
*Feb 2 18:13:54.001: %CAPWAP-5-CHANGED: CAPWAP changed state to 
*Feb 2 18:13:55.303: %DTLS-5-ALERT: Received FATAL : Certificate unknown alert from 10.0.0.11
*Feb 2 18:13:55.303: %CAPWAP-3-ERRORLOG: Bad certificate alert received from peer.
*Feb 2 18:13:55.304: %DTLS-5-PEER_DISCONNECT: Peer 10.0.0.11 has closed connection.
*Feb 2 18:13:55.304: %DTLS-5-SEND_ALERT: Send FATAL : Close not

Googling the error messages pointed to the AP trying to join with an expired certificate.  Sure enough, this was definitely the problem…by about 4 years.

AP0019.e832.0320#show crypto pki certificates 
CA Certificate
 Status: Available
 Certificate Serial Number: 00
 Certificate Usage: General Purpose
 Issuer: 
 ea=support@airespace.com
 cn=ca
 ou=none
 o=airespace Inc
 l=San Jose
 st=California
 c=US
 Subject: 
 ea=support@airespace.com
 cn=ca
 ou=none
 o=airespace Inc
 l=San Jose
 st=California
 c=US
 Validity Date: 
 start date: 23:38:55 UTC Feb 12 2003
 end date: 23:38:55 UTC Nov 11 2012

The quick and dirty solution was to set the WLC (2106 w/ 7.0.252.0) to ignore this:

(Cisco Controller) >config ap lifetime-check mic enable
(Cisco Controller) >config ap lifetime-check ssc enable
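As an added example that is not part of the original post, the POSIX shell script below parses the validity window out of `show crypto pki certificates` output and reports whether the certificate is expired or close to it, so a stale manufacturer-installed certificate can be caught in a scheduled check instead of at join time. It embeds the post's own output as its sample, assumes GNU `date` for the `-d` conversion, and treats "now" as Feb 2 2017 (a constructed value, taken from the log's date and the "about 4 years" remark).

```shell
#!/bin/sh
# Added example (not from the original post): check the validity window of the
# certificate an IOS AP reports in `show crypto pki certificates`, so an expired
# cert is found before the DTLS join starts failing with "Certificate unknown".
# Assumes GNU date (`date -d`). The sample is the post's output, embedded here.
set -e

SAMPLE_CERT_OUTPUT='CA Certificate
 Status: Available
 Certificate Serial Number: 00
 Certificate Usage: General Purpose
 Validity Date:
  start date: 23:38:55 UTC Feb 12 2003
  end date: 23:38:55 UTC Nov 11 2012'

# ios_date_to_epoch "23:38:55 UTC Nov 11 2012" -> seconds since the epoch
ios_date_to_epoch() {
    # IOS prints "HH:MM:SS TZ Mon DD YYYY"; reorder into something GNU date accepts
    set -- $1
    date -u -d "$3 $4 $5 $1 $2" +%s
}

# cert_field OUTPUT FIELD -> value of the first "FIELD:" line (e.g. "end date")
cert_field() {
    printf '%s\n' "$1" | sed -n "s/^[[:space:]]*$2:[[:space:]]*//p" | head -n 1
}

# cert_end_epoch OUTPUT -> epoch seconds of the certificate's "end date"
cert_end_epoch() {
    ios_date_to_epoch "$(cert_field "$1" 'end date')"
}

# cert_days_left OUTPUT NOW_EPOCH -> whole days until expiry (negative once expired)
cert_days_left() {
    end=$(cert_end_epoch "$1")
    echo $(( (end - $2) / 86400 ))
}

# cert_status OUTPUT NOW_EPOCH -> "expired", "expiring" (under 30 days) or "ok"
cert_status() {
    days=$(cert_days_left "$1" "$2")
    if [ "$days" -lt 0 ]; then
        echo expired
    elif [ "$days" -lt 30 ]; then
        echo expiring
    else
        echo ok
    fi
}

# Stand-alone run: evaluate the sample as of the constructed "now" (Feb 2 2017,
# the log's date about four years after the end date shown in the post)
NOW=$(date -u -d 'Feb 2 2017 18:13:54 UTC' +%s)
printf 'end date : %s\n' "$(cert_field "$SAMPLE_CERT_OUTPUT" 'end date')"
printf 'days left: %s\n' "$(cert_days_left "$SAMPLE_CERT_OUTPUT" "$NOW")"
printf 'status   : %s\n' "$(cert_status "$SAMPLE_CERT_OUTPUT" "$NOW")"
```

Feeding this the output of each AP (collected over SSH or from a console capture) gives a per-AP expiry report. Disabling the lifetime check on the controller keeps an old AP joining, but it also removes the one control that would otherwise flag the problem, so a report like this is what tells you which APs still carry a certificate past its end date.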

Removing Warning Messages for BYOD PEAP clients with NPS

Last year I rolled out PEAP (Cisco 2504 WLC + Windows Server 2012 NPS) to get our wifi secured.  One of the nagging problems is that I could never eliminate the ‘untrusted certificate’ warning messages when new clients joined.  Most of our clients are Macs, which are neither joined to the domain nor trust the internal Windows CA.  Secondly, we have iPhones, iPads, and Android phones that fall into the same boat.  So, we’re in reality a BYOD environment.  All the examples I could find were Enterprise scenarios that assume Windows clients are joined to the domain and inherently trust the internal CA.

The original cert used by NPS was set to expire this week, so I figured it would be a good time to try buying one from an external CA.  There was some question of which CAs would be trusted by Apple.  Fortunately I found these two knowledge base articles:

GoDaddy was then selected as the CA.  The first step was to generate a new 2048-bit private key and CSR (Certificate Signing Request).  As usual, I use OpenSSL to do this:

$ openssl req -out wifi.mydomain.com.csr -new -newkey rsa:2048 -nodes -keyout wifi.mydomain.com.key

Note that the certificate must be issued to a FQDN hostname, as wildcard certs won’t work with Windows.

After submitting the CSR and waiting for their approval, I download the certificate in Apache or IIS format, and end up with a .crt file.  Windows requires the cert and key to be bundled together in PKCS12 format, which I’m able to do via this OpenSSL command:

$ openssl pkcs12 -in wifi.mydomain.com.crt -inkey wifi.mydomain.com.key -export -out wifi.mydomain.com.pfx
Enter Export Password:
Verifying - Enter Export Password:
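The key, CSR and PKCS12 steps above, as an added example that is not part of the original post, with the two checks worth doing before handing the .pfx to NPS: that the leaf certificate carries a subjectAltName for the hostname (current clients no longer accept CN-only certificates), and that the CA's intermediate certificate is bundled into the .pfx so clients can build the chain (a missing intermediate is a common reason the "untrusted" warning survives a move to a public CA). GoDaddy is replaced by a throwaway root and intermediate CA created locally so the script runs offline; the hostname, file names and export password are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: key + CSR + PKCS12 bundle for NPS,
# with a SAN on the leaf and the intermediate CA included in the .pfx.
# A throwaway root/intermediate CA stands in for the public CA (assumption), so
# everything runs offline. Requires OpenSSL 1.1.1 or later (for `req -addext`).
set -e

# make_key_and_csr HOST DIR: 2048-bit RSA key plus a CSR carrying a DNS SAN
make_key_and_csr() {
    openssl req -new -newkey rsa:2048 -nodes -keyout "$2/$1.key" -out "$2/$1.csr" \
        -subj "/CN=$1" -addext "subjectAltName=DNS:$1" 2>/dev/null
}

# make_stand_in_ca DIR: throwaway root and intermediate standing in for the public CA
make_stand_in_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -keyout "$1/root.key" \
        -out "$1/root.crt" -subj "/CN=Stand-in Root CA" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -keyout "$1/int.key" -out "$1/int.csr" \
        -subj "/CN=Stand-in Intermediate CA" 2>/dev/null
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
        > "$1/int.ext"
    openssl x509 -req -in "$1/int.csr" -CA "$1/root.crt" -CAkey "$1/root.key" \
        -CAcreateserial -days 365 -extfile "$1/int.ext" -out "$1/int.crt" 2>/dev/null
}

# sign_with_stand_in_ca HOST DIR: what the public CA does with the submitted CSR
sign_with_stand_in_ca() {
    # `x509 -req` does not copy CSR extensions, so the SAN and EKU are restated here
    printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' "$1" > "$2/$1.ext"
    openssl x509 -req -in "$2/$1.csr" -CA "$2/int.crt" -CAkey "$2/int.key" \
        -CAcreateserial -days 365 -extfile "$2/$1.ext" -out "$2/$1.crt" 2>/dev/null
}

# bundle_pfx HOST DIR PASSWORD: cert + key + intermediate chain in one PKCS12 file
bundle_pfx() {
    openssl pkcs12 -export -in "$2/$1.crt" -inkey "$2/$1.key" -certfile "$2/int.crt" \
        -out "$2/$1.pfx" -passout "pass:$3"
}

# count_bundle_certs PFX PASSWORD: number of certificates inside the bundle (expect 2)
count_bundle_certs() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys 2>/dev/null \
        | grep 'BEGIN CERTIFICATE' | wc -l | tr -d ' '
}

# leaf_has_san HOST DIR: 1 if the issued cert names HOST in its SAN, else 0
leaf_has_san() {
    openssl x509 -in "$2/$1.crt" -noout -text | grep "DNS:$1" | wc -l | tr -d ' '
}

# verify_chain HOST DIR: the leaf must chain through the intermediate to the root
verify_chain() {
    openssl verify -CAfile "$2/root.crt" -untrusted "$2/int.crt" "$2/$1.crt" >/dev/null
}

# Stand-alone run (hostname assumed, as in the post)
HOST=wifi.mydomain.com
WORK=$(mktemp -d)
make_stand_in_ca "$WORK"
make_key_and_csr "$HOST" "$WORK"
sign_with_stand_in_ca "$HOST" "$WORK"
bundle_pfx "$HOST" "$WORK" 'export-password'
echo "certs in pfx : $(count_bundle_certs "$WORK/$HOST.pfx" 'export-password')"
echo "leaf has SAN : $(leaf_has_san "$HOST" "$WORK")"
verify_chain "$HOST" "$WORK" && echo "chain        : ok"
```

With a real CA, `int.crt` is the intermediate bundle the CA provides alongside the issued certificate, and `root.crt` in `verify_chain` is that CA's root as shipped in the client's trust store; the `count_bundle_certs` result of 2 (leaf plus intermediate) is the thing to confirm before importing the .pfx through the Certificates snap-in.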

Now the next trick was to actually import this into NPS so it could be used.  To do this, I have to go through the Certificates snap-in.

  1. Remote Desktop to the NPS server
  2. Copy the .pfx file to C:\Users\Administrator\Documents (I simply used FTP)
  3. Type MMC at the command prompt
  4. File -> Add/Remove Snap-ins, Certificates, Add, “Computer account”, Finish
  5. Under Personal tree, All tasks -> Import.  Select the .pfx file that was created

[image: import_certificate]

Finally, we’re now ready to have NPS use the new certificate.

  1. Administrative Tools -> Network Policy Server
  2. Policies -> Network Policies -> Wireless Authentication
  3. Constraints -> Authentication Methods -> Microsoft: Protected EAP (PEAP) -> Edit
  4. The new cert should show in the top drop-down menu.  Select it and click OK

[image: eap_certificate.png]