Power on the AP while holding down the Mode button until the LED turns red, then release. Wait for the “ap:” prompt. Then do this:
ap: delete flash:capwap-saved-config Are you sure you want to delete "flash:capwap-saved-config" (y/n)?y File "flash:capwap-saved-config" deleted ap: boot Rebooting system to reset DPAA...
And for good measure
AP#delete flash:config.txt Delete filename [config.txt]? Delete flash:/config.txt? [confirm] AP#reload Proceed with reload? [confirm]
Wanted to use an old 1242 AP in my garage, where 802.11n isn’t a concern. Unfortunately even after doing a factory reset, I could not get it to join the controller. Console logs showed this repeating every minute:
*Feb 2 18:13:54.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 10.0.0.11 peer_port: 5246 *Feb 2 18:13:54.001: %CAPWAP-5-CHANGED: CAPWAP changed state to *Feb 2 18:13:55.303: %DTLS-5-ALERT: Received FATAL : Certificate unknown alert from 10.0.0.11 *Feb 2 18:13:55.303: %CAPWAP-3-ERRORLOG: Bad certificate alert received from peer. *Feb 2 18:13:55.304: %DTLS-5-PEER_DISCONNECT: Peer 10.0.0.11 has closed connection. *Feb 2 18:13:55.304: %DTLS-5-SEND_ALERT: Send FATAL : Close not
Googling the error messages pointed to the AP trying to join with an expired certificate. Sure enough, this was definitely the problem…by about 4 years.
AP0019.e832.0320#show crypto pki certificates CA Certificate Status: Available Certificate Serial Number: 00 Certificate Usage: General Purpose Issuer: ea=support@airespace.com cn=ca ou=none o=airespace Inc l=San Jose st=California c=US Subject: ea=support@airespace.com cn=ca ou=none o=airespace Inc l=San Jose st=California c=US Validity Date: start date: 23:38:55 UTC Feb 12 2003 end date: 23:38:55 UTC Nov 11 2012
The quick and dirty solution was to set the WLC (2106 w/ 7.0.252.0) to ignore this:
(Cisco Controller) >config ap lifetime-check mic enable (Cisco Controller) >config ap lifetime-check ssc enable
Last year I rolled out PEAP (Cisco 2504 WLC + Windows Server 2012 NPS) to get our wifi secured. One of the nagging problems is I could never eliminate the ‘untrusted certificate’ warning messages when new clients joined. Most of our clients are Macs, and are neither joined to the domain nor trust the internal Windows CA. Secondly, we have iPhones, iPads, and Android phones who fall in to the same boat. So, we’re in reality a BYOD environment. All the examples I could find were Enterprise scenarios that assumes Windows client are joined to the domain, and inherently trust the internal CA.
The original cert used by NPS was set to expire this week, so I figured it would be a good time to try buying one from an external CA. There was some question of which CAs would be trusted by Apple. Fortunately I found these two knowledge base articles:
GoDaddy was then selected as the CA. The first step was to generate a new 2048-bit private key and CSR (Certificate Signing Request). As usual, I use OpenSSL to do this:
$ openssl req -out wifi.mydomain.com.csr -new -newkey rsa:2048 -nodes -keyout wifi.mydomain.com.key
Note that the certificate must be a FQDN hostname as wildcard certs won’t work with Windows.
After submitting the CSR and waiting for their approval, I download the certificate in Apache or IIS format, and end up with a .crt file. Windows requires the cert and key to be bundled together in PKCS12 format, which I’m able to do via this OpenSSL command:
$ openssl pkcs12 -in wifi.mydomain.com.crt -inkey wifi.mydomain.com.key -export -out wifi.mydomain.com.pfx Enter Export Password: Verifying - Enter Export Password:
Now the next trick was to actually import this to NPS so it could be used. To to this, I have to go through the Certificate snap-in.
Finally, we’re now ready to have NPS use the new certificate
This is a setting you’ll want to make sure is checked on newer Cisco controllers in environments where clients may roam during voice/video sessions. Without it, some clients will drop 2-3 seconds with roaming between APs. It’s set at the WLAN level.
This is a very important non-default configuration setting to enable on Cisco Wireless Controllers hosting Mac clients. Without it, clients may fail to associate when changing to a different wifi network.
Find it in the GUI under Controller -> General.
iPad / iPhone SSID change issue
Layer 77 