Joining a Cisco LWAP to a vWLC

-

In this video, we take a look at what is required to join a Cisco Lightweight Access Point (LWAP) to a Cisco Virtual Wireless Controller (vWLC).

Devices in this video include:
  1. Cisco vWLC
  2. Cisco LWAP c1600 series
  3. Windows Server 2012 R2 
     

    Updated Notes: 28/09/2019


    Having worked with AP's and WLC's some more, I wanted to share some more notes from things observed in my lab.

    The output below is generated from a C1600 series AP that I have in my lab. The syslog output is generated when the AP attempts to join the WLC. While looking into this, I found a few workarounds and potential bugs associated with this.
     
     

*Sep 28 19:38:19.066: AP has SHA2 MIC certificate - Using SHA2 MIC certificate for DTLS.

*Sep 28 19:38:18.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 192.168.101.2 peer_port: 5246

*Sep 28 19:38:23.999: DTLS_CLIENT_ERROR: ../capwap/base_capwap/dtls/base_capwap_dtls_handshake.c:929 Unexpected message received while expecting HelloVerifyRequest

*Sep 28 19:38:23.999: %DTLS-5-SEND_ALERT: Send FATAL : Unexpected message Alert to 192.168.101.2:5246

*Sep 28 19:38:24.003: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 192.168.101.2:5246

 

Field Notice: https://www.cisco.com/c/en/us/support/docs/field-notices/639/fn63916.html
You can find some potential workarounds in the above field notice, however if the field notice doesn't provide you with a solution, you could try the following.

  • Configure the WLC to ignore expired certificates using the following command: 
     
     

config ap cert-expiry-ignore ssc enable

config ap cert-expiry-ignore mic enable

 

Kelvin Charles - Network and Cyber Security Professional.

Popular Posts

Capturing EAPOL and RADIUS Using Wireshark

-
Image
In this article we are going to take a look at how to capture Extensible Authentication Protocol Over LAN (EAPOL) and Remote Authentication Dial-In User Service (RADIUS) packets using Wireshark. This article can be useful for troubleshooting 802.1x within your environment and can also be used for learning purposes. The following topology has been used to gather the required output for this article. Note: This article will only cover the switch configurations that are required to gather EAPOL and RADIUS configuration. Overview of the Topology The supplicant is configured to perform 802.1x using EAP-TLS as the authentication method The user certificate on the supplicant will be used for authentication The supplicant has Wireshark installed Cisco ISE is used for authentication and authorisation The supplicant is assigned to VLAN 10 upon authentication and all other endpoint ports are assigned to VLAN 99 Sniffer device is running Wireshark in order to capture RADIUS flows via SPAN 802.1x ...
Read more

Remote Access VPN Authentication with Cisco ISE

-
Image
In this article I will walk through the steps that are required to configure the ASA for external authentication using Cisco ISE for remote access VPN users. This demonstration will use the following devices: Cisco ISE 2.4 Cisco ASA 9.8 Cisco AnyConnect 4.6 Test Laptop Server 2012 R2 Overview Cisco ISE can be used to authenticate remote access users terminating on a Cisco ASA. Before users gain access to the network, they are required to authenticate using a set of credentials, often certificate-based or by using a username and password. Based on the user authentication, Cisco ISE can be used to determine which tunnel-group the user should be placed within. Change of Authorization (CoA) is supported from ASA version 9.2.1, this allows for ISE to perform things such as posturing. Although not the main focus of this article, Cisco ISE can also be used to apply things such as Dynamic Access Control Lists (dACL’s) based on matched authorization policies. Demonstration Topology In this demo...
Read more

Configuring Cisco Smart License Software

-
In this article, I would like to demonstrate how to configure Cisco Smart Licensing on the virtual Cisco Adaptive Security Appliance (ASAv). This post assumes that readers already have access to there own Smart Account and would like to know the process of applying licenses. Step 1: Generate ID Token Sign into your Cisco Software Portal: software.cisco.com and navigate to “Smart Software Licensing” You will now need to create an ID token for your device, this is required for communication between the device and the licensing authority. Follow the steps below to create a new token. Click Inventory >>> General >>> New Token and select your preferred options and enter a description for your token. Once you are happy with your token settings click Create Token . You should now have a token created which can be copied over to the device you wish to license. All commands and output from this point will be related to the ASA so please seek out further advice if you w...
Read more

Installing Cisco Context Directory Agent

-
Image
In this article we will take a look at how to install the Cisco Context Directory Agent (CDA) for use with Identity Based Firewalls. In this demonstration, we will be installing CDA using VMware ESXI. A few important things to note: VMXNET 2 & 3 Interfaces are not supported and E1000 types must be used Resource requirements will depend on the intended use of CDA. In this demonstration we are using the minimum recommended requirements which will be covered below. CDA must be able to communicate with Active Directory domain controllers, devices that are going to interact with CDA and any Syslog servers that will be used. CDA communicates with domain controllers on RPC 135 initially before domain controllers establish connectivity on higher ports dynamically. Resource specification used as per recommended minimum hardware requirements for VMware: 2 Virtual Processors 2GB RAM (We are using 4GB RAM for this demonstration) 120GB HD Space E1000 NIC Linux 64-Bit Other OS Once powered on se...
Read more

Installing Cisco Configuration Professional Express

-
Image
In this article we are going to take a look at how to install Cisco Configuration Professional Express. Prerequisites Ensure that you have compatible Cisco devices that support CCP Step 1. Download CCP from the  Cisco website  and unzip the folder (CCP Express is FREE) Step 2. Download a TFTP server of your choice – in my example I selected Solarwinds Step 3. Select the correct directory on the TFTP server and ensure the Cisco files downloaded previously are reachable from that directory Step 4. Configure your end device so that it is reachable from the Cisco device Step 5. Configure the Cisco device – the following configurations are taken from my lab example:   username wizkid privilege 15 secret algorytm-type scrypt  PASSWORD interface GigabitEthernet1 ip address 192.168.50.254 255.255.255.0 ip domain name cisco.com hostname R1 ip http server ip http authentication local ip http secure-server   You don’t have to generate RSA keys but if you choose to, the ...
Read more