Tuesday, October 28, 2014

[Troubleshoot] AP cannot join the controller: debugging with debug pm pki enable

On the L3 switch or router interface for the AP subnet, relay the APs' CAPWAP discovery broadcasts (UDP 5246 control / 5247 data) to the controller:

#int vlan <AP subnet>
#ip helper-address controllerip
#ip forward-protocol udp 5246
#ip forward-protocol udp 5247




Entering the SHA1 Key Hash on the controller; turn the debug on and off with:
debug pm pki enable/disable

Once you have found the MAC and the SSC Key Hash (00:11:93:00:04:2c / c27c7c2e7da64383108f19e83777121efe3619db):


In the controller web interface go to Security > AP Profile and click Add.
In "Add AP to Authorization List", set Certificate Type to SSC,
fill in the MAC and the SHA1 Key Hash (the hash string shown above),
and it is done.

In the log below, this MAC is matched to this hash key because all the lines carry the same timestamp (the same second), so I take them to be information from the same AP.


(Cisco Controller) >Wed Oct 29 03:18:46 2014: sshpmGetIssuerHandles: locking ca cert table
Wed Oct 29 03:18:46 2014: sshpmGetIssuerHandles: calling x509_alloc() for user cert
Wed Oct 29 03:18:46 2014: sshpmGetIssuerHandles: calling x509_decode()
Wed Oct 29 03:18:46 2014: sshpmGetIssuerHandles: <subject> L=San Jose, ST=California, C=US, O=Cisco Systems, MAILTO=support@cisco.com, CN=C1100-00119300042c
Wed Oct 29 03:18:46 2014: sshpmGetIssuerHandles: <issuer>  L=San Jose, ST=California, C=US, O=Cisco Systems, MAILTO=support@cisco.com, CN=C1100-00119300042c
Wed Oct 29 03:18:46 2014: sshpmGetIssuerHandles: Mac Address in subject is 00:11:93:00:04:2c
Wed Oct 29 03:18:46 2014: sshpmGetIssuerHandles: Cert is issued by Cisco Systems.
Wed Oct 29 03:18:46 2014: ssphmSsUserCertVerify: self-signed user cert verfied.
Wed Oct 29 03:18:46 2014: sshpmGetIssuerHandles: ValidityString (current): 2014/10/29/03:18:46
Wed Oct 29 03:18:46 2014: sshpmGetIssuerHandles: ValidityString (NotBefore): 2011/04/19/06:07:30
Wed Oct 29 03:18:46 2014: sshpmGetIssuerHandles: ValidityString (NotAfter): 2020/01/01/00:00:00
Wed Oct 29 03:18:46 2014: sshpmGetIssuerHandles: getting cisco ID cert handle...
Wed Oct 29 03:18:46 2014: sshpmGetCID: called to evaluate <cscoDefaultIdCert>
Wed Oct 29 03:18:46 2014: sshpmGetCID: comparing to row 0, CA cert >bsnOldDefaultCaCert<
Wed Oct 29 03:18:46 2014: sshpmGetCID: comparing to row 1, CA cert >bsnDefaultRootCaCert<
Wed Oct 29 03:18:46 2014: sshpmGetCID: comparing to row 2, CA cert >bsnDefaultCaCert<
Wed Oct 29 03:18:46 2014: sshpmGetCID: comparing to row 3, CA cert >bsnDefaultBuildCert<
Wed Oct 29 03:18:46 2014: sshpmGetCID: comparing to row 4, CA cert >cscoDefaultNewRootCaCert<
Wed Oct 29 03:18:46 2014: sshpmGetCID: comparing to row 5, CA cert >cscoDefaultMfgCaCert<
Wed Oct 29 03:18:46 2014: sshpmGetCID: comparing to row 0, ID cert >bsnOldDefaultIdCert<
Wed Oct 29 03:18:46 2014: sshpmGetCID: comparing to row 1, ID cert >bsnDefaultIdCert<
Wed Oct 29 03:18:46 2014: sshpmGetCID: comparing to row 2, ID cert >cscoDefaultIdCert<
Wed Oct 29 03:18:46 2014: sshpmGetIssuerHandles: Calculate SHA1 hash on Public Key Data
Wed Oct 29 03:18:46 2014: sshpmGetIssuerHandles: Key Data  30820122 300d0609 2a864886 f70d0101
Wed Oct 29 03:18:46 2014: sshpmGetIssuerHandles: Key Data  01050003 82010f00 3082010a 02820101
Wed Oct 29 03:18:46 2014: sshpmGetIssuerHandles: Key Data  00e6bfcd 007d970b 5d463933 68080b5c
Wed Oct 29 03:18:46 2014: sshpmGetIssuerHandles: Key Data  e794736b 754139bf 9bfe8aaa 0eb234cb
Wed Oct 29 03:18:46 2014: sshpmGetIssuerHandles: Key Data  d6bf98cc e420d854 ec25e1b8 8d1a3228
Wed Oct 29 03:18:46 2014: sshpmGetIssuerHandles: Key Data  3b480b2e a45fbbce aaa4cd4e dea2f7dc
Wed Oct 29 03:18:46 2014: sshpmGetIssuerHandles: Key Data  7ad33d55 108b6ea9 55407d1d ba2d5a7e
Wed Oct 29 03:18:46 2014: sshpmGetIssuerHandles: Key Data  0c171a35 f195931a ec6ee725 d67a3339
Wed Oct 29 03:18:46 2014: sshpmGetIssuerHandles: Key Data  e61a38e2 6ce68bcb ec55a58c 9aee34f9
Wed Oct 29 03:18:46 2014: sshpmGetIssuerHandles: Key Data  26d161a7 cbb23b44 f560a008 e0deab82
Wed Oct 29 03:18:46 2014: sshpmGetIssuerHandles: Key Data  3b64c01e 8955c326 0f368ac9 122c1a95
Wed Oct 29 03:18:46 2014: sshpmGetIssuerHandles: Key Data  eb8e81cc fa3ecbea a9806d5e b147dcf5
Wed Oct 29 03:18:46 2014: sshpmGetIssuerHandles: Key Data  f4459ef2 2a53f767 fd5ef31b 739c82cd
Wed Oct 29 03:18:46 2014: sshpmGetIssuerHandles: Key Data  fa04ad8f d809c9f2 c2ec268b 24a7983b
Wed Oct 29 03:18:46 2014: sshpmGetIssuerHandles: Key Data  92b2f554 16d75bff 5dc53e43 9ac4c3c8
Wed Oct 29 03:18:46 2014: sshpmGetIssuerHandles: Key Data  5f0f64f4 b4f71b9f eaa0a5be d0ff7388
Wed Oct 29 03:18:46 2014: sshpmGetIssuerHandles: Key Data  f0f59223 b01aed74 a167d102 44274178
Wed Oct 29 03:18:46 2014: sshpmGetIssuerHandles: Key Data  429aaad6 c6cb87e8 c9dad1db 5fd71043
Wed Oct 29 03:18:46 2014: sshpmGetIssuerHandles: Key Data  2f020301 0001
Wed Oct 29 03:18:46 2014: sshpmGetIssuerHandles: SSC Key Hash is c27c7c2e7da64383108f19e83777121efe3619db
Wed Oct 29 03:18:46 2014: sshpmGetCertFromHandle: calling sshpmGetCertFromCID() with CID 0x1f7e88a7
Wed Oct 29 03:18:46 2014: sshpmGetCertFromCID: called to get cert for CID 1f7e88a7
Wed Oct 29 03:18:46 2014: sshpmGetCertFromCID: comparing to row 0, certname >bsnOldDefaultCaCert<
Wed Oct 29 03:18:46 2014: sshpmGetCertFromCID: comparing to row 1, certname >bsnDefaultRootCaCert<
Wed Oct 29 03:18:46 2014: sshpmGetCertFromCID: comparing to row 2, certname >bsnDefaultCaCert<
Wed Oct 29 03:18:46 2014: sshpmGetCertFromCID: comparing to row 3, certname >bsnDefaultBuildCert<
Wed Oct 29 03:18:46 2014: sshpmGetCertFromCID: comparing to row 4, certname >cscoDefaultNewRootCaCert<
Wed Oct 29 03:18:46 2014: sshpmGetCertFromCID: comparing to row 5, certname >cscoDefaultMfgCaCert<
Wed Oct 29 03:18:46 2014: sshpmGetCertFromCID: comparing to row 0, certname >bsnOldDefaultIdCert<
Wed Oct 29 03:18:46 2014: sshpmGetCertFromCID: comparing to row 1, certname >bsnDefaultIdCert<
Wed Oct 29 03:18:46 2014: sshpmGetCertFromCID: comparing to row 2, certname >cscoDefaultIdCert<
Wed Oct 29 03:18:48 2014: sshpmFreePublicKeyHandle: called with 0x159501ec
Wed Oct 29 03:18:48 2014: sshpmFreePublicKeyHandle: freeing public key
debug pm pki disable
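As an added example (not from the original post and not Cisco's code), the following Python script does what the paragraph above does by eye: it groups the debug lines by timestamp, pulls the MAC out of the certificate subject line and collects the printed Key Data bytes, decodes the DER SubjectPublicKeyInfo to confirm it is a 2048-bit RSA key with exponent 65537, and recomputes the SHA-1. It assumes, as the debug output itself states, that the SSC key hash is SHA-1 over exactly the Key Data bytes printed; the sample log is copied from the output above with the cert-table comparison lines omitted.

```python
"""Recompute an AP's SSC key hash from 'debug pm pki enable' output (added example)."""
import hashlib
import re
from collections import defaultdict

# Constructed sample: the relevant lines copied from the debug output quoted
# on the page (the CA/ID cert table comparisons are omitted).
DEBUG_LOG = """\
Wed Oct 29 03:18:46 2014: sshpmGetIssuerHandles: Mac Address in subject is 00:11:93:00:04:2c
Wed Oct 29 03:18:46 2014: sshpmGetIssuerHandles: Key Data  30820122 300d0609 2a864886 f70d0101
Wed Oct 29 03:18:46 2014: sshpmGetIssuerHandles: Key Data  01050003 82010f00 3082010a 02820101
Wed Oct 29 03:18:46 2014: sshpmGetIssuerHandles: Key Data  00e6bfcd 007d970b 5d463933 68080b5c
Wed Oct 29 03:18:46 2014: sshpmGetIssuerHandles: Key Data  e794736b 754139bf 9bfe8aaa 0eb234cb
Wed Oct 29 03:18:46 2014: sshpmGetIssuerHandles: Key Data  d6bf98cc e420d854 ec25e1b8 8d1a3228
Wed Oct 29 03:18:46 2014: sshpmGetIssuerHandles: Key Data  3b480b2e a45fbbce aaa4cd4e dea2f7dc
Wed Oct 29 03:18:46 2014: sshpmGetIssuerHandles: Key Data  7ad33d55 108b6ea9 55407d1d ba2d5a7e
Wed Oct 29 03:18:46 2014: sshpmGetIssuerHandles: Key Data  0c171a35 f195931a ec6ee725 d67a3339
Wed Oct 29 03:18:46 2014: sshpmGetIssuerHandles: Key Data  e61a38e2 6ce68bcb ec55a58c 9aee34f9
Wed Oct 29 03:18:46 2014: sshpmGetIssuerHandles: Key Data  26d161a7 cbb23b44 f560a008 e0deab82
Wed Oct 29 03:18:46 2014: sshpmGetIssuerHandles: Key Data  3b64c01e 8955c326 0f368ac9 122c1a95
Wed Oct 29 03:18:46 2014: sshpmGetIssuerHandles: Key Data  eb8e81cc fa3ecbea a9806d5e b147dcf5
Wed Oct 29 03:18:46 2014: sshpmGetIssuerHandles: Key Data  f4459ef2 2a53f767 fd5ef31b 739c82cd
Wed Oct 29 03:18:46 2014: sshpmGetIssuerHandles: Key Data  fa04ad8f d809c9f2 c2ec268b 24a7983b
Wed Oct 29 03:18:46 2014: sshpmGetIssuerHandles: Key Data  92b2f554 16d75bff 5dc53e43 9ac4c3c8
Wed Oct 29 03:18:46 2014: sshpmGetIssuerHandles: Key Data  5f0f64f4 b4f71b9f eaa0a5be d0ff7388
Wed Oct 29 03:18:46 2014: sshpmGetIssuerHandles: Key Data  f0f59223 b01aed74 a167d102 44274178
Wed Oct 29 03:18:46 2014: sshpmGetIssuerHandles: Key Data  429aaad6 c6cb87e8 c9dad1db 5fd71043
Wed Oct 29 03:18:46 2014: sshpmGetIssuerHandles: Key Data  2f020301 0001
Wed Oct 29 03:18:46 2014: sshpmGetIssuerHandles: SSC Key Hash is c27c7c2e7da64383108f19e83777121efe3619db
"""

LINE_RE = re.compile(r"^(?P<ts>\w{3} \w{3} +\d+ [\d:]+ \d{4}): (?P<func>\w+): (?P<msg>.*)$")
MAC_RE = re.compile(r"Mac Address in subject is ([0-9a-f:]{17})")
KEY_RE = re.compile(r"Key Data\s+([0-9a-f ]+)$")
HASH_RE = re.compile(r"SSC Key Hash is ([0-9a-f]{40})")


def parse_debug_log(text):
    """Group MAC, printed key bytes and logged hash by timestamp (one AP per second)."""
    entries = defaultdict(lambda: {"mac": None, "key_hex": [], "logged_hash": None})
    for line in text.splitlines():
        m = LINE_RE.match(line.rstrip())
        if not m:
            continue
        entry, msg = entries[m.group("ts")], m.group("msg")
        if mac := MAC_RE.search(msg):
            entry["mac"] = mac.group(1)
        elif key := KEY_RE.search(msg):
            entry["key_hex"].append(key.group(1).replace(" ", ""))
        elif h := HASH_RE.search(msg):
            entry["logged_hash"] = h.group(1)
    return dict(entries)


def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for one DER TLV; handles short and long-form lengths."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def parse_rsa_spki(der):
    """Return (modulus, exponent) from a DER SubjectPublicKeyInfo holding an RSA key."""
    tag, spki, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("SubjectPublicKeyInfo must be a SEQUENCE")
    _, _alg, pos = _read_tlv(spki, 0)          # AlgorithmIdentifier (rsaEncryption)
    tag, bits, _ = _read_tlv(spki, pos)        # BIT STRING wrapping RSAPublicKey
    if tag != 0x03 or bits[0] != 0:
        raise ValueError("expected BIT STRING with zero unused bits")
    _, rsakey, _ = _read_tlv(bits, 1)          # skip the unused-bits byte
    _, n, pos = _read_tlv(rsakey, 0)
    _, e, _ = _read_tlv(rsakey, pos)
    return int.from_bytes(n, "big"), int.from_bytes(e, "big")


def verify_entry(entry):
    """Recompute SHA-1 over the printed key bytes and compare with the logged SSC hash."""
    der = bytes.fromhex("".join(entry["key_hex"]))
    modulus, exponent = parse_rsa_spki(der)
    computed = hashlib.sha1(der).hexdigest()
    return {
        "mac": entry["mac"],
        "key_bytes": len(der),
        "modulus_bits": modulus.bit_length(),
        "exponent": exponent,
        "computed_hash": computed,
        "logged_hash": entry["logged_hash"],
        "match": computed == entry["logged_hash"],
    }


if __name__ == "__main__":
    for ts, entry in parse_debug_log(DEBUG_LOG).items():
        result = verify_entry(entry)
        print(ts, result["mac"], "RSA-%d" % result["modulus_bits"],
              "match" if result["match"] else "MISMATCH", result["computed_hash"])
```

Run it on a saved capture of the debug output. A `match` of False means either the Key Data was not captured completely (a wrapped line, or a line fused with the next one the way the "SSC Key Hash" line was in the raw paste above) or the controller hashed something other than the printed bytes; in both cases take the hash from the "SSC Key Hash is" line rather than the recomputed value. Whatever you enter in the authorization list, the MAC and the hash must come from the same timestamp group.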

Monday, October 20, 2014

AP join controller success log

*Oct 21 15:37:44.284: %CDP_PD-4-POWER_OK: Full power - INJECTOR_CONFIGURED_ON_SOURCE inline power source
*Oct 21 15:37:45.319: %LINK-3-UPDOWN: Interface Dot11Radio0, changed state to up
*Oct 21 15:37:46.320: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to up
*Oct 21 15:37:49.232: %CAPWAP-3-ERRORLOG: Could Not resolve CISCO-LWAPP-CONTROLLER
*Oct 21 15:37:58.233: %CAPWAP-3-ERRORLOG: Could Not resolve CISCO-CAPWAP-CONTROLLER
*Oct 21 15:38:10.234: %CAPWAP-3-ERRORLOG: Selected MWAR 'WLC4404'(index 0).
*Oct 21 15:38:10.234: %CAPWAP-3-ERRORLOG: Go join a capwap controller
*Oct 21 02:21:33.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 10.240.231.1 peer_port: 5246
*Oct 21 02:21:35.482: %CAPWAP-5-DTLSREQSUCC: DTLS connection created sucessfully peer_ip: 10.240.231.1 peer_port: 5246
*Oct 21 02:21:35.483: %CAPWAP-5-SENDJOIN: sending Join Request to 10.240.231.1
perform archive download capwap:/c1130 tar file

Monday, October 13, 2014

Switch configuration for 802.1X authentication against a RADIUS server

To enable 802.1X authentication on a switch port, on the switch CLI, enter these commands:

Switch# configure terminal
Switch(config)# dot1x system-auth-control
Switch(config)# aaa new-model
Switch(config)# aaa authentication dot1x default group radius
Switch(config)# radius-server host ip_addr auth-port port acct-port port key key
Switch(config)# interface fastethernet2/1
Switch(config-if)# switchport mode access
Switch(config-if)# dot1x pae authenticator
Switch(config-if)# dot1x port-control auto
Switch(config-if)# end

Sunday, October 5, 2014

How to reset a Wireless LAN Controller (WLC) to factory defaults

Resolution

Complete these steps to reset the WLC to factory default settings using the CLI:
  1. Enter reset system at the command prompt.
  2. At the prompt that asks whether you need to save changes to the configuration, enter Y or N. The unit reboots.
  3. When you are prompted for a username, enter recover-config to restore the factory default configuration.

    The WLC reboots and displays the Welcome to the Cisco WLAN Solution Wizard Configuration Tool message.
  4. Use the configuration wizard to enter configuration settings.
Note: Once the WLC is reset to defaults, you need a serial connection to the WLC in order to use the configuration wizard.
For more information on resetting the device to default settings using GUI, refer to the Resetting the Device to Default Settings section of Configuring Controller Settings.

 



Wednesday, August 27, 2014

cisco 2504 controller web setting

Changing the Cisco controller IP from the CLI:
>config wlan disable all
>config interface address management IP-ADDRESS SUBNETMASK GATEWAY
>config wlan enable all
 
show ap join stats summary all
show ap summary
Edit the DHCP server under the interface settings.


Security > AAA > TACACS+ > Local Net Users shows which accounts have been created.
 
Web authentication:
Security > Web Auth > Web Login Page > Web Authentication Type (select Internal)
 
 
Management > Mgmt Via Wireless > the "Enable Controller ... Clients" checkbox must be ticked,
so that clients connected through the APs below can manage the controller.
 
 
Management > Local Management User > create management accounts.
About Lobbyadmin: an administrator role for creating temporary accounts.


Changing the controller IP and related settings:
Controller > Interfaces > click on the Interface Name.
 
 

Sunday, August 24, 2014

[Device] cisco controller setup final

Would you like to terminate autoinstall? [yes]:

System Name [Cisco_b8:71:c4] (31 characters max):
AUTO-INSTALL: process terminated -- no configuration loaded
2504
Enter Administrative User Name (24 characters max): cisco
Enter Administrative Password (3 to 24 characters): ********
Re-enter Administrative Password                 : ********

Enable Link Aggregation (LAG) [yes][NO]: no

Management Interface IP Address: 192.168.45.200
Management Interface Netmask: 255.255.255.0
Management Interface Default Router: 192.168.45.254
Management Interface VLAN Identifier (0 = untagged):
Management Interface Port Num [1 to 4]: 1
Management Interface DHCP Server IP Address: 172.16.41.1

Virtual Gateway IP Address: 1.1.1.1

Multicast IP Address: 239.0.0.1

Mobility/RF Group Name: poc

Network Name (SSID): poc

Configure DHCP Bridging Mode [yes][NO]:

Allow Static IP Addresses [YES][no]:

Configure a RADIUS Server now? [YES][no]: no
Warning! The default WLAN security policy requires a RADIUS server.
Please see documentation for more details.

Enter Country Code list (enter 'help' for a list of countries) [US]: TW

Enable 802.11b Network [YES][no]:
Enable 802.11a Network [YES][no]:
Enable 802.11g Network [YES][no]:
Enable Auto-RF [YES][no]:

Configure a NTP server now? [YES][no]:
Enter the NTP server's IP address: 211.22.103.158
Enter a polling interval between 3600 and 604800 secs: 3600

Configuration correct? If yes, system will save it and reset. [yes][NO]: yes

Configuration saved!
Resetting system with new configuration...


Restarting system.

Wednesday, August 13, 2014

cisco ap >> ERROR!!! Command is disabled.

Oh, I'm so good XD

1. Delete the existing IOS so it reverts to the image the unit originally shipped with
2. clear pre-config


ERROR!!! Command is disabled.

When this message appears, stop kicking the AP and go straight to the controller's web interface:
find this AP by its MAC or hostname and change the hostname, IP, and so on there.
Done~

If you insist on configuring the AP over the console, the text below says you need to give the AP a username/password.
I haven't tried it, because the steps above were enough.

Q. When I enable some LWAPP commands on my LAP, I get an error that says the command is disabled. Why is this?
 
AccessPoint#clear lwapp ap controller ip address 
ERROR!!! Command is disabled.

A. Once your AP has successfully joined a controller, the LWAPP commands are disabled. In order to enable LWAPP commands again, you must set the username/password of the AP from the controller CLI with the config ap username <name> password <pwd> <cisco-ap>/all command. Once that is done, you can do a clear lwapp private-config in the AP CLI to allow you to manually re-issue the AP LWAPP configuration commands.
Note: If you are running WLC version 5.0 and later, use this command to set the username and password on the AP:
config ap mgmtuser add username AP_username password AP_password secret secret {all | Cisco_AP}

