

Description:

During the setup of a WLC cluster, the extensions critical, Digital Signature, Non Repudiation, Certificate Sign, and CRL Sign are not set for the Sub-CA on the Slave. Because LCOS LX requires these extensions, access points with LCOS LX cannot establish a connection to the Slave. As a result, a fallback to the Slave is not possible when the Master fails.

This article describes how to delete the certificate files on the Slave and create them anew, so that access points with LCOS LX can establish a connection to the Slave.


Requirements:

  • Configured and functional WLC cluster
  • SSH client for accessing the CLI (e.g. PuTTY)

Procedure:

Alternatively, these steps can also be carried out via WEBconfig (LCOS menu tree) or, in part, via LANconfig. For better clarity, the changes are made here via the console.

The following steps must be performed on the Slave only. The configuration of the Master must not be changed!

1) Deactivating the WLAN controller and the certificate features:

1.1) Enter the command set /Setup/WLAN-Management/CAPWAP-Operating no to deactivate CAPWAP.

1.2) Enter the command set /Setup/Certificates/SCEP-CA/Operating no to deactivate the CA.

1.3) Enter the command set /Setup/Certificates/SCEP-Client/Scep-Operating no to deactivate the SCEP-Client.



2) Deleting the certificate files

Enter the command cd Status/File-System/Contents to change to the filesystem and successively delete the following certificate files with the command del <certificate file> (e.g. del scep_cert_list).

  • scep_cert_list
  • scep_crl
  • scep_cert_serial
  • scep_ca_pkcs12_int
  • scep_ra_pkcs12_int
  • controller_pkcs12_int 



3) Setting the extensions for the CA:

Enter the following command to set the necessary extensions critical, Digital Signature, Non Repudiation, Certificate Sign, and CRL Sign for new certificates:

set /Setup/Certificates/SCEP-CA/Sub-CA/Cert-Key-Usage "critical, Digital Signature, Non Repudiation, Certificate Sign, CRL Sign"

The command must include the quotation marks.



4) Activating the WLAN controller and the certificate features:

4.1) Enter the command set /Setup/WLAN-Management/CAPWAP-Operating yes to activate CAPWAP.

4.2) Enter the command set /Setup/Certificates/SCEP-CA/Operating yes to activate the CA.

4.3) Enter the command set /Setup/Certificates/SCEP-Client/Scep-Operating yes to activate the SCEP-Client.

4.4) The certificates will then be created anew. 



5) Checking the new certificates (optional):

You can read out the CA with the command show scep capwap ca. In the section X509v3 extensions, the extensions set in step 3 must be present under X509v3 Key Usage.
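
The check from step 5 can be automated on saved console output. The following Python script is an added example, not part of the original article or of any vendor tooling. It assumes that the output of show scep capwap ca uses the OpenSSL-style text layout; the sample text and the function names are constructed for illustration.

```python
import re
import sys

# Key usages that step 3 sets for the Sub-CA on the Slave.
REQUIRED = {"Digital Signature", "Non Repudiation", "Certificate Sign", "CRL Sign"}

# Constructed sample (assumed OpenSSL-style layout), not captured from a device.
SAMPLE_FIXED = """\
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Key Usage: critical
                Digital Signature, Non Repudiation, Certificate Sign, CRL Sign
"""

def parse_key_usage(text):
    """Return (critical, usages) or None if there is no X509v3 Key Usage entry."""
    lines = text.splitlines()
    for i, line in enumerate(lines):
        # Anchored match, so "X509v3 Extended Key Usage" is not picked up.
        m = re.match(r"\s*X509v3 Key Usage:\s*(.*)$", line)
        if not m:
            continue
        critical = "critical" in m.group(1).lower()
        # The usage list is the next non-empty line below the header.
        for nxt in lines[i + 1:]:
            if nxt.strip():
                return critical, {u.strip() for u in nxt.split(",") if u.strip()}
        return critical, set()
    return None

def check_sub_ca(text):
    """Return a list of problems; an empty list means step 3 took effect."""
    parsed = parse_key_usage(text)
    if parsed is None:
        return ["X509v3 Key Usage extension not present"]
    critical, usages = parsed
    problems = [] if critical else ["Key Usage is not marked critical"]
    problems += ["missing key usage: " + u for u in sorted(REQUIRED - usages)]
    return problems

if __name__ == "__main__":
    # Pass a file holding the saved CLI output, or run without arguments for the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_FIXED
    issues = check_sub_ca(text)
    print("\n".join(issues) if issues else "Sub-CA key usage OK")
    sys.exit(1 if issues else 0)
```

The script exits with status 1 when the Key Usage entry is missing, not critical, or incomplete, which is the state the Description section reports for a Slave Sub-CA before the procedure.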