【Cisco】AP Certificate Expiry

The certificate installed on an AP at the factory is valid for 10 years. Once that period has passed, the AP can no longer establish a connection to the WLC and stops working.

WLC output:
     ...  ...
Jul 14 14:00:37.031: %DTLS-3-HANDSHAKE_FAILURE: openssl_dtls.c:617 Failed to complete DTLS handshake with peer 10.120.55.152
Jul 14 14:00:37.031: %DTLS-4-BAD_CERT: openssl_dtls.c:1050 Certificate verification failed. Peer IP: 10.120.55.152
Jul 14 14:00:37.030: %SSHPM-4-AP_CERT_EXPIRED: sshpmPkiApi.c:2448 AP certificate time 2008/05/02/06:11:38 - 2018/05/02/06:21:38 is not valid. 
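To find every affected AP in a WLC log before applying the fix, here is an added example (not code from the original post or from Cisco) that parses lines in the format above, pairs each %SSHPM-4-AP_CERT_EXPIRED validity window with the peer IP from the adjacent %DTLS-4-BAD_CERT message, and reports how long each MIC has been expired. The sample log is the three lines quoted above, and pairing the two messages by closest timestamp is an assumption.

```python
import re
from datetime import datetime

# Constructed sample: the three WLC syslog lines quoted above for one AP.
SAMPLE_LOG = """\
Jul 14 14:00:37.031: %DTLS-3-HANDSHAKE_FAILURE: openssl_dtls.c:617 Failed to complete DTLS handshake with peer 10.120.55.152
Jul 14 14:00:37.031: %DTLS-4-BAD_CERT: openssl_dtls.c:1050 Certificate verification failed. Peer IP: 10.120.55.152
Jul 14 14:00:37.030: %SSHPM-4-AP_CERT_EXPIRED: sshpmPkiApi.c:2448 AP certificate time 2008/05/02/06:11:38 - 2018/05/02/06:21:38 is not valid.
"""

CERT_TS_FMT = "%Y/%m/%d/%H:%M:%S"   # validity window format inside the SSHPM message
LOG_TS_FMT = "%b %d %H:%M:%S.%f"    # syslog prefix; it carries no year (defaults to 1900)
CERT_EXPIRED_RE = re.compile(
    r"%SSHPM-4-AP_CERT_EXPIRED:.*?AP certificate time "
    r"(?P<start>\S+) - (?P<end>\S+) is not valid")
BAD_CERT_RE = re.compile(r"%DTLS-4-BAD_CERT:.*?Peer IP: (?P<ip>[0-9.]+)")

def cert_status(not_before, not_after, now):
    """Classify a certificate validity window against the reference time."""
    if now < not_before:
        return "not_yet_valid"
    return "expired" if now > not_after else "valid"

def parse_wlc_log(text, now):
    """One finding per AP_CERT_EXPIRED message. The SSHPM line has the window but no IP,
    the BAD_CERT line has the IP but no window; both are logged milliseconds apart for the
    same handshake, so each window is paired with the closest BAD_CERT by log timestamp."""
    if isinstance(now, str):                      # the log has no year, so 'now' is given explicitly
        now = datetime.strptime(now, CERT_TS_FMT)
    expired, bad_cert = [], []
    for line in text.splitlines():
        m_exp, m_bad = CERT_EXPIRED_RE.search(line), BAD_CERT_RE.search(line)
        if not (m_exp or m_bad):
            continue
        log_ts = datetime.strptime(line.split(": ", 1)[0], LOG_TS_FMT)
        if m_exp:
            expired.append((log_ts, datetime.strptime(m_exp["start"], CERT_TS_FMT),
                            datetime.strptime(m_exp["end"], CERT_TS_FMT)))
        else:
            bad_cert.append((log_ts, m_bad["ip"]))
    findings = []
    for log_ts, start, end in expired:
        nearest = min(bad_cert, key=lambda b: abs((b[0] - log_ts).total_seconds()),
                      default=(None, None))
        findings.append({"peer_ip": nearest[1], "not_before": start, "not_after": end,
                         "status": cert_status(start, end, now),
                         "days_past_expiry": max((now - end).days, 0)})
    return findings
```

Run `parse_wlc_log(SAMPLE_LOG, "2018/07/14/14:00:37")` to get the list of affected APs with their validity windows; the `days_past_expiry` value shows how long the AP has been unable to join.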


Solution:
Enable the WLC feature that ignores AP certificate expiry

1. SSH to the WLC.

2. Use the command for your software version; if your version does not match either of these, upgrade first.
 For Version 7.0.252.0, use this command:
    (WLC)>config ap lifetime-check {mic|ssc} enable 
 
 For Versions 7.4.140.0 and later, use this command: 
    (WLC)>config ap cert-expiry-ignore {mic|ssc} enable 

3. Check the status:
(Cisco Controller) >show certificate summary

Web Administration Certificate................... 3rd Party
Web Authentication Certificate................... LocallyGenerated
Certificate compatibility mode:.................. off
Lifetime Check for MIC..........................     Enable
Lifetime Check for SSC..........................    Enable


Cisco's official documentation states:

Cisco Lightweight Access Points that were manufactured over 10 years ago may fail to create a CAPWAP or LWAPP connection due to certificate expiration. 
You may allow the Access Points with Manufactured Installed Certificates (MICs) or Self-signed Certificates (SSCs) beyond their expiration date to associate with Cisco WLC.
