Description:

During the setup of a WLC cluster the extensions critical, Digital Signature, Non Repudiation, Certificate Sign, and CRL Sign are not set for the Sub-CA on the Slave. As these extensions are required by LCOS LX, access points running LCOS LX cannot establish a connection with the Slave. Thus, if the Master fails, a fallback to the Slave is not possible.

This article describes how the certificate files can be deleted on the Slave and created anew, so that access points with LCOS LX can establish a connection to the Slave.


Requirements:

  • Configured and functional WLC cluster
  • SSH client for accessing the CLI (e.g. PuTTY)


Procedure:

Alternatively, the actions can also be performed via WEBconfig (LCOS menu tree) or partly via LANconfig. In this article the modifications are carried out via the CLI for a better overview.

The following steps must only be carried out on the Slave. The configuration of the Master must not be modified!

1) Deactivating the WLAN-Controller and the certificate features:

1.1) Enter the command set /Setup/WLAN-Management/CAPWAP-Operating no to deactivate CAPWAP.


1.2) Enter the command set /Setup/Certificates/SCEP-CA/Operating no to deactivate the CA.


1.3) Enter the command set /Setup/Certificates/SCEP-Client/Scep-Operating no to deactivate the SCEP-Client.




2) Deleting the certificate files

Enter the command cd Status/File-System/Contents to change to the file system, then delete the following certificate files one after the other with the command del <certificate file> (e.g. del scep_cert_list).

  • scep_cert_list
  • scep_crl
  • scep_cert_serial
  • scep_ca_pkcs12_int
  • scep_ra_pkcs12_int
  • controller_pkcs12_int 




3) Setting the extensions for the CA:

Enter the following command to set the necessary extensions critical, Digital Signature, Non Repudiation, Certificate Sign, and CRL Sign for new certificates:

set /Setup/Certificates/SCEP-CA/Sub-CA/Cert-Key-Usage "critical, Digital Signature, Non Repudiation, Certificate Sign, CRL Sign"

The command must include the quotation marks.




4) Activating the WLAN-Controller and the certificate features:

4.1) Enter the command set /Setup/WLAN-Management/CAPWAP-Operating yes to activate CAPWAP.


4.2) Enter the command set /Setup/Certificates/SCEP-CA/Operating yes to activate the CA.


4.3) Enter the command set /Setup/Certificates/SCEP-Client/Scep-Operating yes to activate the SCEP-Client.


4.4) The certificates will then be created anew. 



5) Checking the new certificates (optional):

You can read out the CA with the command show scep capwap ca. In the section X509v3 extensions, the extensions set in step 3 must be listed under X509v3 Key Usage.
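To automate the check in step 5, here is an added Python example (not LANCOM code) that parses a Sub-CA dump and compares its Key Usage extension against the value set in step 3. The sample dumps are constructed and assume that the show scep capwap ca output uses the OpenSSL-style text layout.

```python
import re

# Value set in step 3 (LCOS Cert-Key-Usage); "critical" is a flag, the rest are usage names.
REQUIRED_KEY_USAGE = "critical, Digital Signature, Non Repudiation, Certificate Sign, CRL Sign"

# Constructed sample of a Sub-CA dump after the fix; assumed OpenSSL-style text layout.
SAMPLE_GOOD = """\
Certificate:
    Data:
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Non Repudiation, Certificate Sign, CRL Sign
"""

# Constructed sample of a Sub-CA as produced by the broken cluster setup: no Key Usage extension.
SAMPLE_BAD = """\
Certificate:
    Data:
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:TRUE
"""

def parse_required(setting):
    """Split the Cert-Key-Usage value into (critical flag, set of usage names)."""
    parts = [p.strip() for p in setting.split(",")]
    return "critical" in parts, {p for p in parts if p != "critical"}

def parse_key_usage(dump):
    """Return (critical flag, set of usages) from the X509v3 Key Usage extension, or None if absent."""
    m = re.search(r"X509v3 Key Usage:([^\n]*)\n\s*([^\n]+)", dump)
    if not m:
        return None
    critical = "critical" in m.group(1)
    usages = {u.strip() for u in m.group(2).split(",") if u.strip()}
    return critical, usages

def check_sub_ca(dump, setting=REQUIRED_KEY_USAGE):
    """Return a list of problems; an empty list means the Sub-CA matches the step 3 setting."""
    need_critical, need_usages = parse_required(setting)
    found = parse_key_usage(dump)
    if found is None:
        return ["Key Usage extension missing"]
    is_critical, usages = found
    problems = []
    if need_critical and not is_critical:
        problems.append("Key Usage is not marked critical")
    problems += [f"missing usage: {u}" for u in sorted(need_usages - usages)]
    return problems
```

Paste the real dump into check_sub_ca in place of the constructed samples; an empty list confirms that the Slave's Sub-CA carries the extensions LCOS LX requires.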
