Wildcard cert on WLC 4404 running 5.2

Hi all
I have a WLC with a cert on at the moment, it runs out in a few weeks.
I want to replace the current cert with a wildcard cert.
Will this be OK ?
is it a cas     

Hi,
As per my exp.: yes it is supported.
However, it seems there is still a problem with wildcard certificates if they are chained:
Check these links:
http://netboyers.wordpress.com/2012/03/06/wildcard-certs-for-wlc/
Third-party cert:
http://www.cisco.com/c/en/us/support/docs/wireless/4400-series-wireless-lan-controllers/109597-csr-chained-certificates-wlc-00.html
Regards
Don't forget to rate helpful posts

Similar Messages

  • Windows client intermittent connection to PEAP WIFI backed off to ISE 1.2 wildcard cert

    I am setting up a topology where for the first time I am deploying ISE with a wildcard certificate.  This is on ISE 1.2 patch 6, WLCs running 7.6 and Windows 7 clients in AD.  The ISE policy is just to match on machine auth.
    The setting up of the wildcard cert went ok as guided by the CCO ISE 1.2 deployment/cfg guide.
    When it came to testing the client auth as always I start off with the PEAP settings of Validate server certificate off, just to confirm the WLC and ISE are playing ball.  They were, the auth passed.
    I then tick the Validate server certificate, make sure the CA (Windows AD) is in the Trusted Root Certification Authorities.  Retest and the client passes.
    If I then disconnect the wifi and reconnect, either manually or by doing a reboot, the next authentication fails, but nothing has changed.  ISE reports that my Windows client rejected the server certificate.  Which is odd as it just accepted it.
    If I untick the validate the client passes, if I tick it again it will authenticate fine, once.  The next connection it will fail again with the client rejecting ISE.
    Anyone got any ideas?

    I have had a similar issue consistently with 1.2 on both patch 5 and 6 (not sure about earlier ones). Basically what I am seeing is the client rejecting the Server cert when validate is unticked. Most of the time the client connects just fine a few seconds later but some clients need a reboot to fix it. As a rule I put this down to a client issue but am not 100% sure sometimes.

  • Install GoDaddy wildcard SSL on WLC 2504 controller

    I'm attempting to install a GoDaddy wildcard ssl certificate onto a WLC 2504 running version 7.4.100.0.
    I am getting the error "#SSHPM-3-KEYED_PEM_DECODE_FAILED: sshpmcert.c:4055 Cannot PEM decode private key" when downloading the .pem file to the controller.
    What I have attempted to do was to export the certificate from a Windows 2008 R2 server into a .pfx file. The file contained the private key and all possible root certificates (in this case a root and an intermediate cert). Now I took this .pfx file and attempted to create a .pem file with openssl using the following command: openssl pkcs12 -in myssl.pfx -out mynewssl.pem -passin pass:mypassword -passout pass:mypassword
    Now I have opened the .pem file and verified it does contain the private key and the three certificates (wildcard, intermediate and root).

    Seth,
    I had a similar problem, and saw the solution in another post on this forum.  I am cross-posting this to help anyone else out there who might be searching for this answer.
    Kudos to Robert Wells for finding this:
    "I have it fixed now. The problem was the cisco only supports openssl 0.9.8x. I was using 1.0.1c. I used 0.9.8x and it worked perfectly fine."
    The Windows version of OpenSSL I used was the 0.9.8y Light version from:
    http://slproweb.com/download/Win32OpenSSL_Light-0_9_8y.exe
    I hope this helps someone out there with this problem.
       - Ken
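
An added example, not from either poster or from Cisco: a check of what a converted .pem actually contains before it is downloaded to the controller. It relies on the fact that OpenSSL 1.0 and later write the key from `pkcs12` in PKCS#8 form by default while 0.9.8 writes the traditional form; that this difference is what the controller rejects is an assumption, since the posts only say which versions worked. The sample bundles are constructed placeholders, not real keys.

```python
import re

# One PEM block; group 1 is the label, group 2 the headers and base64 body.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.DOTALL
)

# Private-key labels and the encoding each one implies.
KEY_FORMATS = {
    "RSA PRIVATE KEY": "traditional (PKCS#1)",
    "EC PRIVATE KEY": "traditional (SEC1)",
    "PRIVATE KEY": "PKCS#8, unencrypted",
    "ENCRYPTED PRIVATE KEY": "PKCS#8, encrypted",
}
PKCS8_LABELS = {"PRIVATE KEY", "ENCRYPTED PRIVATE KEY"}


def inspect_pem_bundle(text):
    """Return (label, detail) for every PEM block, in file order."""
    blocks = []
    for match in PEM_BLOCK.finditer(text):
        label, body = match.group(1), match.group(2)
        if label in KEY_FORMATS:
            detail = KEY_FORMATS[label]
            # Traditional keys carry their encryption in RFC 1421 style headers.
            if label not in PKCS8_LABELS and "Proc-Type: 4,ENCRYPTED" in body:
                detail += ", encrypted"
        elif label == "CERTIFICATE":
            detail = "X.509 certificate"
        else:
            detail = "other"
        blocks.append((label, detail))
    return blocks


def summarize(text):
    """Summarize the points worth checking before uploading the bundle."""
    blocks = inspect_pem_bundle(text)
    keys = [b for b in blocks if b[0] in KEY_FORMATS]
    return {
        "key_count": len(keys),
        "cert_count": sum(1 for b in blocks if b[0] == "CERTIFICATE"),
        "key_format": keys[0][1] if keys else None,
        "pkcs8_key": any(k[0] in PKCS8_LABELS for k in keys),
        # "Bag Attributes" lines are text that pkcs12 writes between blocks.
        "bag_attributes": "Bag Attributes" in text,
    }


def _block(label, headers=""):
    """Build a constructed PEM block with a placeholder body (not a real key)."""
    return f"-----BEGIN {label}-----\n{headers}Q09OU1RSVUNURUQ=\n-----END {label}-----\n"


# Constructed sample shaped like OpenSSL 1.0.x pkcs12 output with -passout.
SAMPLE_OPENSSL_1X = (
    "Bag Attributes\n    localKeyID: 01 00 00 00\n"
    + _block("ENCRYPTED PRIVATE KEY")
    + "".join("Bag Attributes\n" + _block("CERTIFICATE") for _ in range(3))
)

# Constructed sample shaped like OpenSSL 0.9.8 output for the same command.
SAMPLE_OPENSSL_098 = (
    _block(
        "RSA PRIVATE KEY",
        "Proc-Type: 4,ENCRYPTED\nDEK-Info: DES-EDE3-CBC,0000000000000000\n\n",
    )
    + _block("CERTIFICATE") * 3
)

if __name__ == "__main__":
    for name, sample in (("1.0.x", SAMPLE_OPENSSL_1X), ("0.9.8", SAMPLE_OPENSSL_098)):
        print(name, summarize(sample))
```

Running `summarize()` on the real file's text shows at a glance whether it holds one key and the three certificates the original poster expected, and which key encoding the conversion produced.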

  • WLC 4404 %OSAPI-3-FILE_OPEN_FAILED

    The WLC 4404 presents these logs:
    *osapiReaper: Oct 02 14:55:11.152: %OSAPI-3-FILE_OPEN_FAILED:  osapi_file.c:370 Failed to open the file : /proc/927/stat.(erno 24)
    *osapiReaper: Oct 02 14:55:11.152: %OSAPI-3-TASK_GETTIME_FAILED:  osapi_task.c:3431 Failed to retrieve statistics  (/proc/<pid>/stats) for task 'gccp_t'
    *osapiReaper: Oct 02 14:55:11.152: %OSAPI-3-FILE_OPEN_FAILED:  osapi_file.c:370 Failed to open the file : /proc/926/stat.(erno 24)
    *osapiReaper: Oct 02 14:55:11.152: %OSAPI-3-TASK_GETTIME_FAILED:  osapi_task.c:3431 Failed to retrieve statistics  (/proc/<pid>/stats) for task 'dot1dTimer'
    *osapiReaper: Oct 02 14:55:11.152: %OSAPI-3-FILE_OPEN_FAILED:  osapi_file.c:370 Failed to open the file : /proc/925/stat.(erno 24)
    *osapiReaper: Oct 02 14:55:11.152: %OSAPI-3-TASK_GETTIME_FAILED:  osapi_task.c:3431 Failed to retrieve statistics  (/proc/<pid>/stats) for task 'dot1dRecv'
    *osapiReaper: Oct 02 14:55:11.152: %OSAPI-3-FILE_OPEN_FAILED:  osapi_file.c:370 Failed to open the file : /proc/921/stat.(erno 24)
    *osapiReaper: Oct 02 14:55:11.152: %OSAPI-3-TASK_GETTIME_FAILED:  osapi_task.c:3431 Failed to retrieve statistics  (/proc/<pid>/stats) for task 'fdbTask'
    *osapiReaper: Oct 02 14:55:11.152: %OSAPI-3-FILE_OPEN_FAILED:  osapi_file.c:370 Failed to open the file : /proc/920/stat.(erno 24)
    *osapiReaper: Oct 02 14:55:11.152: %OSAPI-3-TASK_GETTIME_FAILED:  osapi_task.c:3431 Failed to retrieve statistics  (/proc/<pid>/stats) for task 'nPCSL_timer'
    *osapiReaper: Oct 02 14:55:11.152: %OSAPI-3-FILE_OPEN_FAILED:  osapi_file.c:370 Failed to open the file : /proc/916/stat.(erno 24)
    *osapiReaper: Oct 02 14:55:11.152: %OSAPI-3-TASK_GETTIME_FAILED:  osapi_task.c:3431 Failed to retrieve statistics  (/proc/<pid>/stats) for task 'tFrameReceive'
    *osapiReaper: Oct 02 14:55:11.152: %OSAPI-3-FILE_OPEN_FAILED:  osapi_file.c:370 Failed to open the file : /proc/913/stat.(erno 24)
    *osapiReaper: Oct 02 14:55:11.152: %OSAPI-3-TASK_GETTIME_FAILED:  osapi_task.c:3431 Failed to retrieve statistics  (/proc/<pid>/stats) for task 'tFrameReceive'
    *osapiReaper: Oct 02 14:55:11.152: %OSAPI-3-FILE_OPEN_FAILED:  osapi_file.c:370 Failed to open the file : /proc/917/stat.(erno 24)
    *osapiReaper: Oct 02 14:55:11.152: %OSAPI-3-TASK_GETTIME_FAILED:  osapi_task.c:3431 Failed to retrieve statistics  (/proc/<pid>/stats) for task 'tFrameSend'
    *osapiReaper: Oct 02 14:55:11.152: %OSAPI-3-TASK_GETTIME_FAILED:  osapi_task.c:3431 Failed to retrieve statistics  (/proc/<pid>/stats) for task 'Gmac Link Task'
    *osapiReaper: Oct 02 14:55:11.152: %OSAPI-3-FILE_OPEN_FAILED:  osapi_file.c:370 Failed to open the file : /proc/905/stat.(erno 24)
    *osapiReaper: Oct 02 14:55:11.152: %OSAPI-3-TASK_GETTIME_FAILED:  osapi_task.c:3431 Failed to retrieve statistics  (/proc/<pid>/stats) for task 'tDapiTxTask'
    *osapiReaper: Oct 02 14:55:11.152: %OSAPI-3-FILE_OPEN_FAILED:  osapi_file.c:370 Failed to open the file : /proc/904/stat.(erno 24)
    *osapiReaper: Oct 02 14:55:11.152: %OSAPI-3-TASK_GETTIME_FAILED:  osapi_task.c:3431 Failed to retrieve statistics  (/proc/<pid>/stats) for task 'RMONTask'
    *osapiReaper: Oct 02 14:55:11.152: %OSAPI-3-FILE_OPEN_FAILED:  osapi_file.c:370 Failed to open the file : /proc/903/stat.(erno 24)
    When these logs are present, the device presents these symptoms:
    Lost GUI session
    Lost console connection
    Lost SSH and Telnet connection
    The WLC 4404 does not work; it is stopped

    Almost looks like it could be defect ID CSCtx02515.  Shows that it's fixed in 7.2.110.0, but if you have a 4404, you can't run 7.2 code.
    Symptom:
    High CPU on webJavaTask
    Alternatively: large number of TCP connections, leading to file descriptor problems like:
    osapi_file.c:370 Failed to open the file : /proc/1054/stat.(erno 24)
    http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCtx02515
    HTH,
    Steve
    Please remember to rate useful posts, and mark questions as answered

  • Wildcard Cert

    Sun Java(tm) System Messaging Server 7.3-11.01 64bit (built Sep 1 2009)
    libimta.so 7.3-11.01 64bit (built 19:44:36, Sep 1 2009)
    Using /opt/sun/comms/messaging64/config/imta.cnf (compiled)
    SunOS wpg-com1 5.10 Generic_141445-09 i86pc i386 i86pc
    I have a wildcard cert that was generated for apache. How can I add this to COMs.

    shjorth wrote:
    karl.rossing wrote:
    I have a wildcard cert that was generated for apache. How can I add this to COMs.
    The following URL may help (section prior to pull-config):
    http://blogs.sun.com/nsegura/entry/migrating
    Regards,
    Shane.
    Thanks! That helped a lot
    I was able to run openssl pkcs12 -export -out server.pk12 -in server.crt -inkey server.key -nodes -name "ALIAS" and then msgcert import-cert server.pk12
    This would be useful information on http://wikis.sun.com/display/CommSuite/Configuring+Encryption+and+Certificate-Based+Authentication . Should I add it myself?

  • Wlc 4404 strange behaviour

    Hello,
    I have to manage a wlc 4404. According to me he acts strange.
    Only ports 1,2 and 3 are connected. The ap-manager and the management are linked at port 1. So far so good.
    If I look at the wireless-tab I see all AP's are connected at port 3 !!
    All the 3 ports are connected to the same switch and VLAN.
    AP=Cisco Aironet 1130AG with a default config
    Could someone explain me why all AP's are connected on port 3, while the ap-manager is linked at port 1.
    Thanks in advance,
    Carlo

    The Cisco docs clearly state that you can only have 48 APs associated to each ap-manager interface. If you are not running LAG, and I can't think of a good reason not to, then you will need 3 physical interfaces to be configured with unique ap-manager ip addresses in order to register 100 APs. Since the APs point to the management ip (via DNS or DHCP) to get the ap-manager interface, they will automatically load balance.
    Note that unless you are running VERY recent code, there are significant ARP bugs related to the additional ap-manager interfaces responding to ARP requests. The best practice is to add a static ARP entry in the router/L3 switch that is the ap-manager's default gateway. This is an artifact of the ap-manager interfaces not responding to any traffic except LWAPP, including ARP. This has been a serious problem for a lot of enterprise customers because this impacts most CEF switching devices like the Catalyst 6500 since most IOS versions also have a CEF adjacency/ARP timeout bug.

  • ISE 1.2 and WildCard Cert

    hello,
    I've found a great post from Aaron Woland about how to make/install/use a wildcard certificate.
    http://www.networkworld.com/community/blog/what-are-wildcard-certificates-and-how-do-i-use-them-ciscos-ise
    but there is something that was not answered by his post.
    Can I use a wildcard cert to register a node to an ISE deployment? Aka adding a Monitor only node to an admin only node
    create CSR, receiving Cert from CA, adding CA root, binding cert to CA root then exporting key, then importing on Mon node then try to register mon node? My first test didn't go well.
    Any input would be appreciated

    Basant,
    I agree with what you are saying but it seems that your statement contradicts the write up on the Cisco user guide for 1.2, there are no limitations and one of the benefits stated by the doc is that you can use wildcard certs as a cost saving measure which will allow you to install the cert on all ISE nodes.
    I do have a corporate wildcard certificate and I will attempt to register two nodes together and see what the result is.
    Also the true benefit of a wildcard cert is where the CN is *.domain.com, you should not have to generate a CSR where the CN=iseblah.domain.com with a SAN of *.domain.com, I do not think that is a cost effective wildcard cert since the CN has the fqdn of the ISE node.
    http://www.cisco.com/en/US/docs/security/ise/1.2/user_guide/ise_man_cert.html
    Tarik Admani
    *Please rate helpful posts*

  • WLC 5508 running 7.4.110.0 unable to tftp upload config from controller

    Hi,
    Two WLC 5508 running identical code version. One is 50 license Primary, the second is HA. Identical config on both. HA WLC can upload its config to the TFTP or FTP server but Primary cannot. The operation fails for  both CLI and GUI and for different protocols i.e. TFTP, FTP.
    #### Primary Controller
    (Cisco Controller) >show sysinfo
    Manufacturer's Name.............................. Cisco Systems Inc.
    Product Name..................................... Cisco Controller
    Product Version.................................. 7.4.110.0
    Bootloader Version............................... 1.0.20
    Field Recovery Image Version..................... 7.6.95.16
    Firmware Version................................. FPGA 1.7, Env 1.8, USB console 2.2
    Build Type....................................... DATA + WPS
    System Name...................................... PRODWC7309
    System Location..................................
    System Contact...................................
    System ObjectID.................................. 1.3.6.1.4.1.9.1.1069
    Redundancy Mode.................................. Disabled
    IP Address....................................... 10.1.30.210
    Last Reset....................................... Power on reset
    System Up Time................................... 18 days 18 hrs 51 mins 35 secs
    System Timezone Location......................... (GMT+10:00) Sydney, Melbourne, Canberra
    System Stats Realtime Interval................... 5
    System Stats Normal Interval..................... 180
    Configured Country............................... AU - Australia
    Operating Environment............................ Commercial (0 to 40 C)
    --More-- or (q)uit
    Internal Temp Alarm Limits....................... 0 to 65 C
    Internal Temperature............................. +34 C
    External Temperature............................. +17 C
    Fan Status....................................... OK
    State of 802.11b Network......................... Enabled
    State of 802.11a Network......................... Enabled
    Number of WLANs.................................. 8
    Number of Active Clients......................... 138
    Memory Current Usage............................. Unknown
    Memory Average Usage............................. Unknown
    CPU Current Usage................................ Unknown
    CPU Average Usage................................ Unknown
    Burned-in MAC Address............................ 3C:08:F6:CA:52:20
    Power Supply 1................................... Present, OK
    Power Supply 2................................... Present, OK
    Maximum number of APs supported.................. 50
    (Cisco Controller) >debug transfer trace enable
    (Cisco Controller) >transfer upload start
    Mode............................................. TFTP
    TFTP Server IP................................... 10.1.22.2
    TFTP Path........................................ /
    TFTP Filename.................................... PRODWC7309-tmp.cfg
    Data Type........................................ Config File
    Encryption....................................... Disabled
    *** WARNING: Config File Encryption Disabled ***
    Are you sure you want to start? (y/N) Y
    *TransferTask: Jun 02 10:41:15.183: Memory overcommit policy changed from 0 to 1
    *TransferTask: Jun 02 10:41:15.183: RESULT_STRING: TFTP Config transfer starting.
    TFTP Config transfer starting.
    *TransferTask: Jun 02 10:41:15.183: RESULT_CODE:1
    *TransferTask: Jun 02 10:41:24.309: Locking tftp semaphore, pHost=10.1.22.2 pFilename=/PRODWC7309-tmp.cfg
    *TransferTask: Jun 02 10:41:24.393: Semaphore locked, now unlocking, pHost=10.1.22.2 pFilename=/PRODWC7309-tmp.cfg
    *TransferTask: Jun 02 10:41:24.393: Semaphore successfully unlocked, pHost=10.1.22.2 pFilename=/PRODWC7309-tmp.cfg
    *TransferTask: Jun 02 10:41:24.394: tftp rc=-1, pHost=10.1.22.2 pFilename=/PRODWC7309-tmp.cfg
    pLocalFilename=/mnt/application/xml/clis/clifile
    *TransferTask: Jun 02 10:41:24.394: RESULT_STRING: % Error: Config file transfer failed - Unknown error - refer to log
    *TransferTask: Jun 02 10:41:24.394: RESULT_CODE:12
    *TransferTask: Jun 02 10:41:24.394: Memory overcommit policy restored from 1 to 0
    % Error: Config file transfer failed - Unknown error - refer to log
    (Cisco Controller) >show logging
    *TransferTask: Jun 02 10:41:24.393: #UPDATE-3-FILE_OPEN_FAIL: updcode.c:4579 Failed to open file /mnt/application/xml/clis/clifile.
    *sshpmReceiveTask: Jun 02 10:41:24.315: #OSAPI-3-MUTEX_FREE_INFO: osapi_sem.c:1087 Sema 0x2b32def8 time=142 ulk=1621944 lk=1621802 Locker(sshpmReceiveTask sshpmrecv.c:1662 pc=0x10b07938) unLocker(sshpmReceiveTask sshpmReceiveTaskEntry:1647 pc=0x10b07938)
    -Traceback: 0x10af9500 0x1072517c 0x10b07938 0x12020250 0x12080bfc
    *TransferTask: Jun 02 10:39:01.789: #UPDATE-3-FILE_OPEN_FAIL: updcode.c:4579 Failed to open file /mnt/application/xml/clis/clifile.
    *sshpmReceiveTask: Jun 02 10:39:01.713: #OSAPI-3-MUTEX_FREE_INFO: osapi_sem.c:1087 Sema 0x2b32def8 time=5598 ulk=1621801 lk=1616203 Locker(sshpmReceiveTask sshpmrecv.c:1662 pc=0x10b07938) unLocker(sshpmReceiveTask sshpmReceiveTaskEntry:1647 pc=0x10b07938)
    -Traceback: 0x10af9500 0x1072517c 0x10b07938 0x12020250 0x12080bfc
    #### HA Controller
    (Cisco Controller) >show sysinfo
    Manufacturer's Name.............................. Cisco Systems Inc.
    Product Name..................................... Cisco Controller
    Product Version.................................. 7.4.110.0
    Bootloader Version............................... 1.0.20
    Field Recovery Image Version..................... 7.6.95.16
    Firmware Version................................. FPGA 1.7, Env 1.8, USB console 2.2
    Build Type....................................... DATA + WPS
    System Name...................................... PRODWC7310
    System Location..................................
    System Contact...................................
    System ObjectID.................................. 1.3.6.1.4.1.9.1.1069
    Redundancy Mode.................................. Disabled
    IP Address....................................... 10.1.31.210
    Last Reset....................................... Software reset
    System Up Time................................... 18 days 19 hrs 1 mins 27 secs
    System Timezone Location......................... (GMT+10:00) Sydney, Melbourne, Canberra
    System Stats Realtime Interval................... 5
    System Stats Normal Interval..................... 180
    Configured Country............................... AU - Australia
    Operating Environment............................ Commercial (0 to 40 C)
    --More-- or (q)uit
    Internal Temp Alarm Limits....................... 0 to 65 C
    Internal Temperature............................. +34 C
    External Temperature............................. +17 C
    Fan Status....................................... OK
    State of 802.11b Network......................... Enabled
    State of 802.11a Network......................... Enabled
    Number of WLANs.................................. 4
    Number of Active Clients......................... 0
    Memory Current Usage............................. Unknown
    Memory Average Usage............................. Unknown
    CPU Current Usage................................ Unknown
    CPU Average Usage................................ Unknown
    Burned-in MAC Address............................ 3C:08:F6:CA:53:C0
    Power Supply 1................................... Present, OK
    Power Supply 2................................... Present, OK
    Maximum number of APs supported.................. 500
    (Cisco Controller) >debug transfer trace enable
    (Cisco Controller) >transfer upload start
    Mode............................................. FTP
    FTP Server IP.................................... 10.1.22.2
    FTP Server Port.................................. 21
    FTP Path......................................... /
    FTP Filename..................................... 10_1_31_210_140602_1050.cfg
    FTP Username..................................... ftpuser
    FTP Password..................................... *********
    Data Type........................................ Config File
    Encryption....................................... Disabled
    *** WARNING: Config File Encryption Disabled ***
    Are you sure you want to start? (y/N) y
    *TransferTask: Jun 02 10:51:31.278: Memory overcommit policy changed from 0 to 1
    *TransferTask: Jun 02 10:51:31.278: RESULT_STRING: FTP Config transfer starting.
    FTP Config transfer starting.
    *TransferTask: Jun 02 10:51:31.278: RESULT_CODE:1
    *TransferTask: Jun 02 10:52:05.468: ftp operation returns 0
    *TransferTask: Jun 02 10:52:05.477: RESULT_STRING: File transfer operation completed successfully.
    *TransferTask: Jun 02 10:52:05.477: RESULT_CODE:11
    File transfer operation completed successfully.
    Not upgrading to 7.4.121.0 because of bug CSCuo63103. Have not restarted the controller yet.
    Anyone else had this issue? Is there a workaround?
    Thanks,
    Rick.

    Thanks Stephen. In my deployments of the 7.4.110.0 version I have not seen this issue, so maybe a controller reboot will fix it (we do have HA to minimize the impact). I will keep the thread updated with findings and may request TAC for the special release 7.4.121.0 if still not happy with 7.4.110.0
    Rick.

  • Federation with wildcard cert

    Hi,
    We have multiple SIP domains, and I am trying to reduce the number of certificates needed.
    I use a wildcard cert for one of the domains for the Edge and reverse proxy.
    It works fine to connect from outside etc. But federation is not working.
    In the DNS SRV record _sipfederationtls._tcp.domain2.com I have put the address sip.domain2.com as hostname, but it's actually pointing to an address that has the wildcard cert for *.mydomain1.com
    Is there some way to make this work without buying many certs?

    Hi,
    It is not supported to use wildcard certificate for Edge Server external interface. You need a public SAN certificate to support federation. You can use wildcard certificate for Reverse Proxy.
    For more Server Roles which wildcard certificate can be used in Lync Server environment, you can refer to the link below:
    https://technet.microsoft.com/en-us/library/hh202161.aspx
    Best Regards,
    Eason Huang
    TechNet Community Support
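
An added example, not from either poster or from Microsoft: the name comparison behind the question, using the names from the thread. It implements the common rule that `*` stands for exactly one leftmost label; the SAN lists are constructed for illustration, and the code models only name matching, not Lync's own restriction on wildcard certificates for the Edge external interface stated in the reply.

```python
def _labels(name):
    """Lower-case a DNS name, drop a trailing dot, and split it into labels."""
    return name.rstrip(".").lower().split(".")


def name_matches(pattern, hostname):
    """True if a certificate name (possibly a wildcard) covers hostname.

    A wildcard is accepted only as the entire leftmost label and stands for
    exactly one label, so *.mydomain1.com covers sip.mydomain1.com but not
    mydomain1.com, a.sip.mydomain1.com, or any name in another domain.
    """
    p, h = _labels(pattern), _labels(hostname)
    if len(p) != len(h) or "" in p or "" in h:
        return False
    if any("*" in label for label in p[1:]):
        return False  # wildcard anywhere but the leftmost label
    if p[0] == "*":
        # Require at least two fixed labels so "*.com" never matches.
        return len(p) >= 3 and p[1:] == h[1:]
    if "*" in p[0]:
        return False  # partial wildcards such as "s*.mydomain1.com" are refused
    return p == h


def covering_entry(san_entries, hostname):
    """Return the first SAN entry that covers hostname, or None."""
    for entry in san_entries:
        if name_matches(entry, hostname):
            return entry
    return None


def check_targets(san_entries, targets):
    """Map each name a peer will connect to onto the SAN entry covering it."""
    return {target: covering_entry(san_entries, target) for target in targets}


# Names from the thread: the SRV record for domain2.com points at
# sip.domain2.com, while the server presents a cert for *.mydomain1.com.
WILDCARD_ONLY = ["*.mydomain1.com"]
# Constructed SAN list of the kind the reply recommends (one entry per domain).
SAN_CERT = ["sip.mydomain1.com", "sip.domain2.com"]
SRV_TARGETS = ["sip.mydomain1.com", "sip.domain2.com"]

if __name__ == "__main__":
    print("wildcard only:", check_targets(WILDCARD_ONLY, SRV_TARGETS))
    print("SAN cert:     ", check_targets(SAN_CERT, SRV_TARGETS))
```

With the wildcard alone, `sip.domain2.com` maps to `None`: a federation partner validating the SRV target against the presented certificate finds no matching name, which is the failure described in the question.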

  • What settings need to be set for the fastest roaming on my wlc 4404

    Hi all
    I notice that on my WLC 4404 when walking around with my laptop, I am dropping pings when it roams to another access point, Is there anything on the controller I need to check, and can I optimize these settings for roaming?
    cheers
    carl

    Hello Carl,
    to have roaming working fine you need to be sure of the following:
    1) RF designed correctly, and enough overlap is available between the APs.
    in addition, the environment should be free from external noise.
    this can be confirmed with a spectrum expert site survey
    2) what authentication and encryption is used (WEP or WPA-PSK: no need to check this point ->> skip :-) )
    if you are using any authentication like 802.1x ->> then enable CCKM on the WLAN to make roaming more seamless.
    3) if more than one WLC is available on site, configure a mobility group between them,
    so if a client roams from one AP on WLC 1 to an AP on WLC 2 ->> no disconnection observed....
    Kind regards
    Talal
    ===========
    please rate answers that you find useful , and mark as answered - when it is :-) - so others can find it easily

  • Does Convergence + messaging server 6.3 support wildcard cert ?

    Hi all,
    We plan to purchase a wildcard cert to support our convergence & messaging server SSL connection.
    From the messaging guide provided, it stated we need to generate an individual private key & send it to the vendor to verify.
    What if we are using a wildcard cert, does it work in this case?
    Cheers
    ubd

    ubd wrote:
    So means i generate 1 wildcard cert, then apply to all other server ssl connection, or i need to generate individually
    To use the same CA signed certificate (wildcard or otherwise) with multiple applications (Application Server and Messaging Server in this case) requires that the same private key be used across the applications. To this end you will need to export/import the certificate/keys between the applications using a utility such as pk12util.
    http://docs.sun.com/app/docs/doc/819-3671/ablrh?a=view
    http://docs.sun.com/app/docs/doc/819-4428/bgbbf?a=view
    Regards,
    Shane.

  • WLC 4404 Wireless users getting disabled

    Hi,
    I have WLC 4404 with 7.0.116.0 version. I was getting following messages for particular APs
    *Dec 20 14:11:13.875: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to reset
    *Dec 20 14:11:13.908: %LINK-3-UPDOWN: Interface Dot11Radio0, changed state to up
    *Dec 20 14:11:29.383: %LWAPP-5-RLDP: RLDP stopped on slot 0.
    *Dec 20 14:11:29.674: %LINK-3-UPDOWN: Interface Dot11Radio0, changed state to down
    *Dec 20 14:11:29.678: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to reset
    *Dec 20 14:11:29.700: %LWAPP-5-RLDP: RLDP started on slot 0.
    *Dec 20 14:11:29.707: %LINK-3-UPDOWN: Interface Dot11Radio0, changed state to up
    *Dec 20 14:11:29.752: %LINK-3-UPDOWN: Interface Dot11Radio0, changed state to down
    *Dec 20 14:11:29.757: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to reset
    *Dec 20 14:11:29.790: %LINK-3-UPDOWN: Interface Dot11Radio0, changed state to up
    *Dec 20 14:11:45.396: %LWAPP-5-RLDP: RLDP stopped on slot 0. *Dec 20 14:11:13.875: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to reset
    After seeing one of the cisco forum, I have disabled RLDP for that particular APs
    so above messages are rectified.
    But right now we are not able to identify Rogue IP and it is not contained.
    So please give any suggestion so that I can rectify the above messages as well as identify the rogue IP.
    Thanks & Regards
    Gaurav Pandya

    Hi Scott,
    You are right, I am not able to detect rogue APs because I disabled the RLDP. But when I enable the RLDP for that particular AP, I get the following messages with the interface going up and down
    *Dec 20 14:11:13.875: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to reset
    *Dec 20 14:11:13.908: %LINK-3-UPDOWN: Interface Dot11Radio0, changed state to up
    *Dec 20 14:11:29.383: %LWAPP-5-RLDP: RLDP stopped on slot 0.
    *Dec 20 14:11:29.674: %LINK-3-UPDOWN: Interface Dot11Radio0, changed state to down
    *Dec 20 14:11:29.678: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to reset
    *Dec 20 14:11:29.700: %LWAPP-5-RLDP: RLDP started on slot 0.
    So please suggest a middle way so that I can enable the RLDP (detect the rogue APs) without the interface going up and down frequently.
    Regards
    Gaurav

  • ISE 1.3 public wildcard cert

    Is it a good idea and common practice to just use public CA for wildcard certificate on each ISE node to avoid any certificate warnings on non-corporate devices? 
    is it ok then to use it also for EAP-TLS authentication? Clients will still have internal CA certs.
    Or should we have a separate internal wildcard cert just for EAP-TLS? In this case, will ISE 1.3 allow me to have two wildcard certs with the same SAN (*.domain.com), one public, the other internal? The public one would apply to Web portals, and the internal one would apply to EAP-TLS.

    Hi Trevor-
    The use of Wildcard cert is perfectly acceptable for the guest portals. As you said, this will ensure that guest users don't get the certificate trust error. 
    However, for the EAP side of the house, you will need to get a non-wildcard certificate. Many supplicants (including Windows) will NOT accept a wildcard certificate when building an EAP tunnel.
    I hope this helps!
    Thank you for rating helpful posts! 

  • Wireless clients load balancing on the APs on WLC 4404

    Hi Experts,
    I'm just wondering if the WLC 4404 with firmware 4.2.207.0 can load balance the wireless clients on different WAPs. Let's say that an AP is already handling 15 Wireless devices. When the 16th is trying to join, the controller somehow puts it on another nearby AP, even the signal from this AP is weaker. I heard the similar feature on other Wireless solution vendors. I'm just wondering if Cisco has the similar feature or not.
    Thanks!

    Yes, it is known as aggressive load balancing, sending a code 17 making the wireless client look at another nearby AP.
    Here is the documentation:
    http://www.cisco.com/en/US/products/ps6366/products_tech_note09186a00809c2fc3.shtml

  • Ironport email appliance : can i use a wildcard cert for TLS ?

    Hi all,
    We have 2 ironport C170 email appliance. I would like to use a wildcard SSL Cert from Digicert for TLS communication. I have 2 questions about it : 
    1/ Is it possible to use a wildcard certificate on ironport ?
    2/ Is there any known problem with wildcard certificates for TLS use ?
    I found 2 (old) posts about that :
    https://supportforums.cisco.com/discussion/10479161/tls-support-wildcard-cert
    http://www.symantec.com/connect/forums/someone-wants-enforce-tls-us-and-use-wildcard-cert
    Does anyone have experience with it ?
    Thanks.

    My experience is that it works fine.
    If you have multiple domains, you have to make sure that the MX records point to the A record of the box you have certs for.
    eg. something like this:
    mx domain1.com  smtp.domain2.com
    mx domain2.com  smtp.domain2.com
    a smtp.domain2.com  x.x.x.x
