Please be aware that certain Cisco Access Point (AP) models will begin failing to join their controllers starting in July, because their manufacturer-installed certificates, which are valid for 10 years, are expiring.
CAPWAP uses DTLS to encrypt communication between the Lightweight AP and the Wireless LAN Controller (WLC). Manufacturer Installed Certificates (MICs) or Self-Signed Certificates (SSCs) are used to authenticate the Lightweight AP to the WLC during DTLS session establishment.
Once the certificate expires, the CAPWAP/DTLS connection cannot be established and the wireless access points will fail to connect to the Wireless LAN Controller.
MICs were incorporated into Cisco wireless products as a way to provide authentication and protect the network from uncontrolled devices. The oldest APs (1130, 1230 series) with MICs were manufactured in July 2005, so those APs will be unable to join AireOS controllers starting in July 2015.
At the time of the join failure, the WLC's msglog may show messages similar to the following:
Jul 10 16:13:52.443 spam_lrad.c:6164 LWAPP-3-PAYLOAD_ERR: Join request does not contain valid certificate in certificate payload - AP 00:11:22:33:44:55
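To see which APs are being rejected for this reason, the msglog message above can be matched and grouped by AP MAC address. The following is an added example, not code from Cisco or from the original notice; the pattern is derived only from the single log line shown here, and every sample line other than the first is constructed.

```python
import re
from collections import OrderedDict

# Pattern built only from the msglog line shown above; other WLC releases
# may format the line differently (assumption).
JOIN_CERT_ERR = re.compile(
    r"(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}\.\d{3})\s+"
    r"(?P<src>\S+:\d+)\s+LWAPP-3-PAYLOAD_ERR: "
    r"Join request does not contain valid certificate in certificate payload"
    r" - AP (?P<mac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})"
)

def failing_aps(lines):
    """Return {ap_mac: {count, first_seen, last_seen}} in first-seen order."""
    seen = OrderedDict()
    for line in lines:
        m = JOIN_CERT_ERR.search(line)
        if not m:
            continue  # unrelated message, or a PAYLOAD_ERR with another reason
        mac = m.group("mac").lower()  # normalise case so one AP is one key
        entry = seen.setdefault(mac, {"count": 0, "first_seen": m.group("ts")})
        entry["count"] += 1
        entry["last_seen"] = m.group("ts")  # log is assumed chronological
    return dict(seen)

# Constructed sample input: the first line is the one quoted on this page,
# the remaining lines are invented for the example.
SAMPLE_MSGLOG = """\
Jul 10 16:13:52.443 spam_lrad.c:6164 LWAPP-3-PAYLOAD_ERR: Join request does not contain valid certificate in certificate payload - AP 00:11:22:33:44:55
Jul 10 16:14:02.101 example.c:100 EXAMPLE-6-INFO: unrelated constructed message
Jul 10 16:14:22.870 spam_lrad.c:6164 LWAPP-3-PAYLOAD_ERR: Join request does not contain valid certificate in certificate payload - AP 00:11:22:33:44:55
Jul 10 16:15:07.019 spam_lrad.c:6164 LWAPP-3-PAYLOAD_ERR: Join request does not contain valid certificate in certificate payload - AP AA:BB:CC:00:11:22
""".splitlines()

if __name__ == "__main__":
    for mac, info in failing_aps(SAMPLE_MSGLOG).items():
        print(f"{mac}  rejected {info['count']}x  "
              f"first {info['first_seen']}  last {info['last_seen']}")
```

The resulting MAC list can be compared against the AP inventory to confirm that the rejected devices are the older models with expiring MICs.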
Here's How You Can Prepare:
- Contact Annese to discuss upgrading and reconfiguring your current Wireless LAN Controller to continue supporting these expiring APs for now and ask us about the Just Switch It promotion.
- Consider moving to new access points that provide a better wireless client experience. We would recommend looking at the 2700 and 3700 series.