Last week in my lab, I had an issue arise with one of my older network testbeds. When I came into the lab in the morning, none of my access points were connected to my older Cisco 5508 controller. After a little troubleshooting, I quickly discovered that there was a certificate issue on my access points and controllers. Here, I’ll share what the issue was, the fix, and what impact it will have on your business.
All manufacturer-installed certificates (MICs) that Cisco installs on access points and controllers have a lifetime of 10 years. Since my 5508 controller was built in 2009, its certificate had expired. There are a lot of older controllers out there that were built in 2009 and later (Cisco 8500s, 2100s, etc.) whose certificates have expired or will expire 10 years after their build date.
If you have one of these controllers, here are some error messages you might see in the controller log:
- Jul 10 16:13:52.443 spam_lrad.c:6164 LWAPP-3-PAYLOAD_ERR: Join request does not contain valid certificate in certificate payload - AP 00:11:22:33:44:55
The only real solution is to move to a newer version of the controller code. If you are running wireless LAN controller (WLC) release 8.5 or later (8.5 is the first release that supports this command), you can enter “config ap cert-expiry-ignore mic enable” and the access points will join. If, however, as is usually the case, you have older access points that require code earlier than 8.5 (such as the 1100 or 1200 series) and you are running 8.3, you are in a pickle: if you upgrade the controller to 8.5, those access points will no longer work. There is no fix other than to buy new access points and then upgrade your code so that you can ignore the certificate requirement.
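To make the triage above repeatable, here is an added example (not code from the original post or from Cisco) that scans controller log text for the LWAPP-3-PAYLOAD_ERR join failure shown earlier, pulls out the affected AP MAC where the message includes one, and then applies the post’s two rules: a MIC is valid for 10 years from the build date, and the cert-expiry-ignore command exists only on release 8.5 and later. The sample log lines are taken from the message format shown above plus one constructed unrelated line; the build dates and the version strings are assumptions for illustration.

```python
"""Triage helper for expired Cisco AP/WLC manufacturer-installed certificates (MICs).

Added example, not part of the original post. Assumes a controller log as plain
text and a known build (manufacture) date for the device whose MIC is in question.
"""
import re
from datetime import date

# The join-failure message quoted in the post; the trailing "- AP <mac>" is optional
# because the controller does not always append the AP MAC.
PAYLOAD_ERR_RE = re.compile(
    r"LWAPP-3-PAYLOAD_ERR: Join request does not contain valid certificate"
    r"(?:.*?- AP (?P<mac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}))?"
)

MIC_LIFETIME_YEARS = 10            # MIC lifetime stated in the post
CERT_IGNORE_MIN_RELEASE = (8, 5)   # first release with "config ap cert-expiry-ignore mic enable"

# Constructed sample log: two lines in the format quoted in the post, one unrelated line.
SAMPLE_LOG = """\
Jul 10 16:13:52.443 spam_lrad.c:6164 LWAPP-3-PAYLOAD_ERR: Join request does not contain valid certificate in certificate payload - AP 00:11:22:33:44:55
Jul 10 16:13:53.101 spam_lrad.c:6164 LWAPP-3-PAYLOAD_ERR: Join request does not contain valid certificate in certificate payload
Jul 10 16:13:54.000 sample unrelated controller message (constructed)
"""


def find_cert_join_failures(log_text):
    """Return a list of (line, mac_or_None) for every MIC join failure in the log."""
    hits = []
    for line in log_text.splitlines():
        m = PAYLOAD_ERR_RE.search(line)
        if m:
            hits.append((line.strip(), m.group("mac")))
    return hits


def mic_expiry(manufacture_date):
    """Expiry date of a MIC issued on manufacture_date, using the 10-year lifetime."""
    target_year = manufacture_date.year + MIC_LIFETIME_YEARS
    try:
        return manufacture_date.replace(year=target_year)
    except ValueError:
        # 29 February rolling into a non-leap year: clamp to 28 February.
        return manufacture_date.replace(year=target_year, day=28)


def parse_release(version):
    """'8.5.140.0' -> (8, 5, 140, 0); only the first two parts matter here."""
    return tuple(int(p) for p in version.split("."))


def recommend(version, manufacture_date, today):
    """Short remediation verdict from the controller release and the device build date."""
    expiry = mic_expiry(manufacture_date)
    days_left = (expiry - today).days
    if days_left > 0:
        return f"ok: MIC valid for {days_left} more days (expires {expiry})"
    if parse_release(version)[:2] >= CERT_IGNORE_MIN_RELEASE:
        return "expired: running >= 8.5, cert-expiry-ignore available (compliance risk, see FN-63942)"
    return "expired: running < 8.5, controller code upgrade required (check AP support first)"


if __name__ == "__main__":
    for line, mac in find_cert_join_failures(SAMPLE_LOG):
        print(f"MIC join failure, AP={mac or 'unknown'}: {line}")
    # Assumed build date and release strings for illustration only.
    print(recommend("8.3.150.0", date(2009, 6, 15), date(2019, 7, 10)))
    print(recommend("8.5.140.0", date(2009, 6, 15), date(2019, 7, 10)))
```

Feeding `show msglog` or syslog output into `find_cert_join_failures` gives a quick inventory of which APs are failing for this reason rather than for RF or DTLS problems, and `recommend` separates the three situations the post describes: still valid, expired on 8.5+ (workaround available but a compliance exposure), and expired on pre-8.5 code (upgrade path must be planned around AP support).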
However, if you ignore the certificate requirement as described above and you have compliance requirements, you will be violating those regulations, as covered in Cisco Field Notice FN-63942. Ignoring the expired certificate is only a temporary workaround, and it could expose you during a compliance audit or, worse, during an actual attempt to breach your WLAN. This is something you will want to plan for so you can get ahead of it.
To ensure your WLAN remains operational and in compliance, our IE Team is available to help and to answer any questions you have. You can reach them by scheduling a meeting or by contacting your IE Account Manager directly.