
Lab 4-4: Joining APs to JRI.WLC.02

Topology

image.png


Task 1: Modifying DHCP Server Option 43 at JRI.EDGE

This lab is just to verify that the four APs in the topology can successfully join JRI.WLC.02.

To accomplish this, we will temporarily modify the option 43 handed to the APs, adding the JRI.WLC.02 IP to it:

We currently have the following:

image.png

That option 43 only points to the JRI.WLC.01 IP. The hex string must include both WLCs:

  • Primary WLC: 172.20.10.3 → AC 14 0A 03
  • Secondary WLC: 172.30.10.3 → AC 1E 0A 03
  • Length = 2 controllers × 4 bytes = 8 → 08
  • Type = F1

Resulting option 43: F1 08 AC140A03 AC1E0A03 → f108ac140a03ac1e0a03

image.png
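As an added example (not part of the original lab), here is a small Python helper that encodes a list of WLC addresses into the Cisco option 43 TLV exactly as the bullets above do, and decodes an existing string back while validating it. It goes beyond the page by handling any number of controllers and rejecting malformed strings; the function names are my own.

```python
import ipaddress
from typing import List

# Cisco lightweight APs read option 43 as one TLV: type 0xF1, a one-byte
# length equal to 4 * (number of controllers), then each WLC IPv4 as 4 bytes.
CISCO_WLC_TLV_TYPE = 0xF1


def build_option43(controllers: List[str]) -> str:
    """Encode WLC addresses as the lowercase hex string used with
    'option 43 hex ...' on an IOS DHCP server (e.g. f108ac140a03ac1e0a03)."""
    if not controllers:
        raise ValueError("at least one controller address is required")
    body = b"".join(ipaddress.IPv4Address(c).packed for c in controllers)
    # Option 43 itself has a one-byte length, so type + length + body <= 255.
    if len(body) + 2 > 255:
        raise ValueError("too many controllers for a single option 43")
    return bytes([CISCO_WLC_TLV_TYPE, len(body)]).hex() + body.hex()


def parse_option43(hexstr: str) -> List[str]:
    """Decode an option 43 hex string (spaces or IOS-style dots allowed) back
    into controller addresses, rejecting anything that is not a well-formed
    Cisco WLC TLV so a typo in the DHCP config is caught before APs use it."""
    raw = bytes.fromhex(hexstr.replace(" ", "").replace(".", ""))
    if len(raw) < 2 or raw[0] != CISCO_WLC_TLV_TYPE:
        raise ValueError("not a Cisco WLC TLV (first byte must be F1)")
    length, body = raw[1], raw[2:]
    if length != len(body):
        raise ValueError(f"length byte {length:#04x} does not match {len(body)} payload bytes")
    if length == 0 or length % 4:
        raise ValueError("payload is not a whole number of IPv4 addresses")
    return [str(ipaddress.IPv4Address(body[i:i + 4])) for i in range(0, length, 4)]


if __name__ == "__main__":
    hexstr = build_option43(["172.20.10.3", "172.30.10.3"])
    print(hexstr, parse_option43(hexstr))
```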


Task 2: LAN.LE.01-AP2 Console Bootup Output

For reference, here is the startup process of the LAN.LE.01-AP2 as seen from the console:

LAN.LE.01-AP2 BOOTUP OUTPUT (CONSOLE)
Secondary Bootloader - Starting system.
Antigua Lite Board P2
40MB format
Tide XL MB - 40MB of flash
Xmodem file system is available.
flashfs[0]: 77 files, 9 directories
flashfs[0]: 0 orphaned files, 0 orphaned directories
flashfs[0]: Total bytes: 41158656
flashfs[0]: Bytes used: 22050304
flashfs[0]: Bytes available: 19108352
flashfs[0]: flashfs fsck took 14 seconds.
flashfs[1]: 0 files, 1 directories
flashfs[1]: 0 orphaned files, 0 orphaned directories
flashfs[1]: Total bytes: 12257280
flashfs[1]: Bytes used: 1024
flashfs[1]: Bytes available: 12256256
flashfs[1]: flashfs fsck took 0 seconds.
Base Ethernet MAC address: 00:f6:63:85:f5:20
Boot CMD: 'boot  flash:/ap3g2-k9w8-mx.ap_85mr8_ircm.202212141456/ap3g2-k9w8-xx.ap_85mr8_ircm.202212141456;flash:/ap3g2-k9w8-mx.ap_85mr8_ircm.202212141456/ap3g2-k9w8-xx.ap_85mr8_ircm.202212141456'
Loading "flash:/ap3g2-k9w8-mx.ap_85mr8_ircm.202212141456/ap3g2-k9w8-xx.ap_85mr8_ircm.202212141456"...#################################################
File "flash:/ap3g2-k9w8-mx.ap_85mr8_ircm.202212141456/ap3g2-k9w8-xx.ap_85mr8_ircm.202212141456" uncompressed and installed, entry point: 0x1003000
executing...

              Restricted Rights Legend

Use, duplication, or disclosure by the Government is
subject to restrictions as set forth in subparagraph
(c) of the Commercial Computer Software - Restricted
Rights clause at FAR sec. 52.227-19 and subparagraph
(c) (1) (ii) of the Rights in Technical Data and Computer
Software clause at DFARS sec. 252.227-7013.

           cisco Systems, Inc.
           170 West Tasman Drive
           San Jose, California 95134-1706



Cisco IOS Software, C1700 Software (AP3G2-K9W8-M), Experimental Version 15.3(20221214:174109) [EZCommit 239]
Copyright (c) 1986-2022 by Cisco Systems, Inc.
Compiled Wed 14-Dec-22 17:44 by aut

Antigua Lite Board P2
40MB format
Tide XL MB - 40MB of flash
Initializing flashfs...

flashfs[2]: 77 files, 9 directories
flashfs[2]: 0 orphaned files, 0 orphaned directories
flashfs[2]: Total bytes: 40900608
flashfs[2]: Bytes used: 22050304
flashfs[2]: Bytes available: 18850304
flashfs[2]: flashfs fsck took 14 seconds.
flashfs[2]: Initialization complete.
flashfs[4]: 0 files, 1 directories
flashfs[4]: 0 orphaned files, 0 orphaned directories
flashfs[4]: Total bytes: 11999232
flashfs[4]: Bytes used: 1024
flashfs[4]: Bytes available: 11998208
flashfs[4]: flashfs fsck took 0 seconds.
flashfs[4]: Initialization complete.
Copying radio files from flash: to ram:
Copy in progress...CCCCC
Copy in progress...CCC
Copy in progress...CCCC
Copy in progress...CCCC
Copy in progress...CC
Copy in progress...CC
Copy in progress...CCCC
Copy in progress...CC
Copy in progress...CCCCCCCC
Copy in progress...CCCC
Copy in progress...CC
Copy in progress...C
Uncompressing radio files...
...done Initializing flashfs.

Radio0  present 8764 8000 0 A8000000 A8010000 0
Rate table has 586 entries (20 legacy/160 11n/406 11ac)

POWER TABLE FILENAME = ram:/U2.bin

Radio1  present 8864 8000 0 80000000 80100000 4
POWER TABLE FILENAME = ram:/U5.bin

This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by sending email to
export@cisco.com.

cisco AIR-CAP1702I-E-K9 (PowerPC) processor (revision A0) with 376814K/134656K bytes of memory.
Processor board ID FCW2028P5YU
PowerPC CPU at 800Mhz, revision number 0x2151
Last reset from power-on
LWAPP image version 8.5.182.109
1 Gigabit Ethernet interface
2 802.11 Radios

32K bytes of flash-simulated non-volatile configuration memory.
Base ethernet MAC Address: 00:F6:63:85:F5:20
Part Number                          : 73-16776-01
PCB Serial Number                    : FOC20283F7U
Top Assembly Part Number             : 068-100665-01
Top Assembly Serial Number           : FCW2028P5YU
Top Revision Number                  : A0
Product/Model Number                 : AIR-CAP1702I-E-K9
% Please define a domain-name first.


Press RETURN to get started!


*Mar  1 00:00:18.959: %SOAP_FIPS-2-SELF_TEST_IOS_SUCCESS: IOS crypto FIPS self test passed (15)
*Mar  1 00:00:19.419: Registering HW DTLS

*Mar  1 00:00:20.279: Starting Ethernet promiscuous mode
*Mar  1 00:00:22.595: %LINK-6-UPDOWN: Interface GigabitEthernet0, changed state to up
*Mar  1 00:00:22.595: %LINK-6-UPDOWN: Interface GigabitEthernet1, changed state to up
*Mar  1 00:00:25.103: %SOAP_FIPS-2-SELF_TEST_RAD_SUCCESS: RADIO crypto FIPS self test passed on interface Dot11Radio 0 (4)
*Mar  1 00:00:25.215: loading Power Tables from ram:/U2.bin. Class = E
*Mar  1 00:00:25.219:  record size of 3ss: 1168 read_ptr: 5D0D0EE

*Mar  1 00:00:30.411: %SOAP_FIPS-2-SELF_TEST_RAD_SUCCESS: RADIO crypto FIPS self test passed on interface Dot11Radio 1 (4)
*Mar  1 00:00:30.459: loading Power Tables from ram:/U5.bin. Class = E
*Mar  1 00:00:30.491:  record size of vht: 2904 read_ptr: 5D0D0EE
APAVC Registering AVC licences on the AP to make sure we enable advanced PP

*Mar  1 00:00:31.895: SCHED: Ethernet Bridge Process: install watched boolean System Initialized(5CF532C), os:1 ah:0APAVC Protocol list already initialized.

*Mar  1 00:00:31.895: Start STILE Activation
APAVC: Succeeded to activate all the STILE protocols.
APAVC: Registering with CFT

*Mar  1 00:00:32.143: APAVC: CFT registration of delete callback succeeded
APAVC: Reattaching  Original Buffer pool for system use

*Mar  1 00:00:33.811: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0, changed state to down
*Mar  1 00:00:33.811: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1, changed state to down
*Jun  1 11:05:07.131: %DOT11-5-EXPECTED_RADIO_RESET: Restarting Radio interface Dot11Radio0 due to the reason code 39
*Jun  1 11:05:07.131: %DOT11-5-EXPECTED_RADIO_RESET: Restarting Radio interface Dot11Radio1 due to the reason code 39
*Jun  1 11:05:07.139: %SYS-5-RESTART: System restarted --
Cisco IOS Software, C1700 Software (AP3G2-K9W8-M), Experimental Version 15.3(20221214:174109) [EZCommit 239]
Copyright (c) 1986-2022 by Cisco Systems, Inc.
Compiled Wed 14-Dec-22 17:44 by aut
*Jun  1 11:05:07.139: %SNMP-5-COLDSTART: SNMP agent on host LAN.LE.01-AP2 is undergoing a cold start
*Jun  1 11:05:07.211: SCHED: Ethernet Bridge Process: remove watched boolean System Initialized(5CF532C)
*Jun  1 11:05:07.211: SCHED: Ethernet Bridge Process: install watched queue Soap BVI input queue(CC88370), os:0 ah:0
*Jun  1 11:05:08.207: %CAPWAP-5-AP_EASYADMIN_INFO: AP Easy Admin information - EASY_ADMIN is not set, turn off easy admin service!

*Jun  1 11:05:08.207: %CAPWAP-5-AP_EASYADMIN_INFO: AP Easy Admin information - Easy Admin is not enabled, turn it off!

*Jun  1 11:05:08.223: %DOT11-5-EXPECTED_RADIO_RESET: Restarting Radio interface Dot11Radio0 due to the reason code 39
*Jun  1 11:05:08.223: %DOT11-5-EXPECTED_RADIO_RESET: Restarting Radio interface Dot11Radio1 due to the reason code 39
*Jun  1 11:05:08.223: [m102x_set_lanport_config] Cannot enable AUX port while POE, connect AC or Inj source
*Jun  1 11:05:08.619: %LINEPROTO-5-UPDOWN: Line protocol on Interface BVI1, changed state to up
*Jun  1 11:05:08.887: %DOT11-5-EXPECTED_RADIO_RESET: Restarting Radio interface Dot11Radio0 due to the reason code 10
*Jun  1 11:05:08.891: %LINK-6-UPDOWN: Interface Dot11Radio0, changed state to up
*Jun  1 11:05:09.091: %DOT11-5-EXPECTED_RADIO_RESET: Restarting Radio interface Dot11Radio1 due to the reason code 10lwapp_crypto_init: MIC Present and Parsed Successfully

*Jun  1 11:05:09.259: %SSH-5-ENABLED: SSH 2.0 has been enabled
*Jun  1 11:05:09.259: %LINK-6-UPDOWN: Interface Dot11Radio1, changed state to up
*Jun  1 11:05:10.087: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to down
*Jun  1 11:05:10.787: %LINK-5-CHANGED: Interface GigabitEthernet1, changed state to administratively down
*Jun  1 11:05:10.787: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio1, changed state to down
*Jun  1 11:05:16.303: %SOAP_FIPS-2-SELF_TEST_HW_SUCCESS: HW crypto FIPS self test passed (2-16)
*Jun  1 11:05:16.303: DPAA Initialization Complete
*Jun  1 11:05:16.303: %SYS-3-HARIKARI: Process DPAA INIT top-level routine exited
*Jun  1 11:05:17.303: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0, changed state to up
*Jun  1 11:05:19.967: %DHCP-6-ADDRESS_ASSIGN: Interface BVI1 assigned DHCP address 172.30.20.134, mask 255.255.255.0, hostname LAN.LE.01-AP2

*Jun  1 11:05:25.527: Currently running a Non-Release Image

*Jun  1 11:05:25.551: Using SHA-2 signed certificate for image signing validation.
%Default route without gateway, if not a point-to-point interface, may impact performance
*Jun  1 11:05:37.887: AP image integrity check PASSED

*Jun  1 11:05:37.895: Non-recovery image. PNP Not required.

*Jun  1 11:05:37.907: Cert ISSUER (39): cn=Cisco Manufacturing CA SHA2,o=Cisco

*Jun  1 11:05:37.931: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to reset
*Jun  1 11:05:37.931: %LINK-5-CHANGED: Interface Dot11Radio1, changed state to reset
*Jun  1 11:05:48.035: %SYS-6-LOGGINGHOST_STARTSTOP: Logging to host 255.255.255.255 port 0 CLI Request Triggered
*Jun  1 11:05:49.035: %SYS-6-LOGGINGHOST_STARTSTOP: Logging to host 255.255.255.255 port 514 started - CLI initiated%No matching route to delete
Translating "CISCO-CAPWAP-CONTROLLER.jri.net"...domain server (8.8.8.8) [OK]

*Jun  1 11:05:59.047: %CAPWAP-5-DHCP_OPTION_43: Controller address 172.20.10.3 obtained through DHCP
*Jun  1 11:05:59.047: %CAPWAP-5-DHCP_OPTION_43: Controller address 172.30.10.3 obtained through DHCP
*Jun  1 11:06:02.571: %DOT11-5-EXPECTED_RADIO_RESET: Restarting Radio interface Dot11Radio0 due to the reason code 10
*Jun  1 11:06:02.571: %DOT11-5-EXPECTED_RADIO_RESET: Restarting Radio interface Dot11Radio1 due to the reason code 10
*Jun  1 11:06:02.571: %CDP_PD-4-POWER_OK: Full power - NEGOTIATED inline power source
*Jun  1 11:06:03.679: %LINK-6-UPDOWN: Interface Dot11Radio0, changed state to up
*Jun  1 11:06:04.679: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to up
*Jun  1 11:06:04.915: %LINK-6-UPDOWN: Interface Dot11Radio1, changed state to up
*Jun  1 11:06:05.915: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio1, changed state to up
*Jun  1 11:06:09.115: AP has SHA2 MIC certificate - Using SHA2 MIC certificate for DTLS.

*Oct  3 18:04:18.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 172.30.10.3 peer_port: 5246
*Oct  3 18:04:18.443: %CAPWAP-5-DTLSREQSUCC: DTLS connection created sucessfully peer_ip: 172.30.10.3 peer_port: 5246
*Oct  3 18:04:18.443: %CAPWAP-5-SENDJOIN: sending Join Request to 172.30.10.3
*Oct  3 18:04:18.607: %DOT11-5-EXPECTED_RADIO_RESET: Restarting Radio interface Dot11Radio0 due to the reason code 56
*Oct  3 18:04:18.615: %LINK-6-UPDOWN: Interface Dot11Radio0, changed state to down
*Oct  3 18:04:18.623: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to reset
*Oct  3 18:04:19.239: %DOT11-5-EXPECTED_RADIO_RESET: Restarting Radio interface Dot11Radio1 due to the reason code 56
*Oct  3 18:04:19.239: %DOT11-5-EXPECTED_RADIO_RESET: Restarting Radio interface Dot11Radio0 due to the reason code 10
*Oct  3 18:04:19.247: %CAPWAP-5-JOINEDCONTROLLER: AP has joined controller JRI.WLC.02
*Oct  3 18:04:19.303: %LINK-6-UPDOWN: Interface Dot11Radio0, changed state to up
*Oct  3 18:04:19.331: %WIDS-6-ENABLED: IDS Signature is loaded and enabled
*Oct  3 18:04:19.615: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to down
*Oct  3 18:04:19.651: %LINK-6-UPDOWN: Interface Dot11Radio1, changed state to down
*Oct  3 18:04:19.659: %LINK-5-CHANGED: Interface Dot11Radio1, changed state to reset
*Oct  3 18:04:20.303: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio1, changed state to down
*Oct  3 18:04:20.415: %LINEPROTO-5-UPDOWN: Line protocol on Interface NVI0, changed state to up
*Oct  3 18:04:20.643: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to up
*Oct  3 18:04:20.691: %DOT11-6-DFS_SCAN_START: DFS: Scanning frequency 5500 MHz for 60 seconds.
*Oct  3 18:04:20.695: %LINK-6-UPDOWN: Interface Dot11Radio1, changed state to up
*Oct  3 18:04:20.703: %LINK-6-UPDOWN: Interface Dot11Radio0, changed state to down
*Oct  3 18:04:20.711: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to reset
*Oct  3 18:04:21.695: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio1, changed state to up
*Oct  3 18:04:21.703: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to down
*Oct  3 18:04:21.731: %LINK-6-UPDOWN: Interface Dot11Radio0, changed state to up
*Oct  3 18:04:22.731: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to up
*Oct  3 18:04:41.779: %CLEANAIR-6-STATE: Slot 0 disabled
*Oct  3 18:04:41.779: %CLEANAIR-6-STATE: Slot 1 disabled
*Oct  3 18:05:11.463: %CDP_PD-4-POWER_OK: Full power - NEGOTIATED inline power source
*Oct  3 18:05:21.735: %DOT11-6-DFS_SCAN_COMPLETE: DFS scan complete on frequency 5500 MHz


In the GUI we can see that both LAN.LE.01-AP1 and LAN.LE.01-AP2 joined successfully:

image.png


Task 3: Joining the Madrid APs

Just to complete the picture, I will now also boot up the two Madrid APs and see whether they successfully join JRI.WLC.02:

[*10/03/2025 18:16:41.0000] CAPWAP State: DTLS Setup
[*10/03/2025 18:16:41.3819] Certificate is expired
[*10/03/2025 18:16:41.3820] Certificate Start Date: Sep 30 09:32:42 2014 GMT
[*10/03/2025 18:16:41.3820] Certificate End Date: Sep 30 09:42:42 2024 GMT
[*10/03/2025 18:16:41.3820] display_verify_cert_status: Verify Cert: FAILED at 0 depth: certificate has expired
[*10/03/2025 18:16:41.3820] X509 OpenSSL Errors...
[*10/03/2025 18:16:41.3820]
[*10/03/2025 18:16:41.3820] NONE
[*10/03/2025 18:16:41.3820]
[*10/03/2025 18:16:41.3820]
[*10/03/2025 18:16:41.3837] dtls_verify_con_cert: Controller certificate verification error
[*10/03/2025 18:16:41.3837] dtls_process_packet: Controller certificate verification failed
[*10/03/2025 18:16:41.3841] sendPacketToDtls: DTLS: Closing connection 0xfe0c00.

We had no luck with the Madrid APs (3802i): they throw a DTLS error when joining the WLC because of the certificate that expired in 2024.

What we will do to fix this is the same as what we did on JRI.WLC.01: tell the WLC to skip MIC expiry checks so the APs will join despite the expired certificates.

image.png

image.png

image.png

image.png
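Added example, not part of the original lab: a Python triage helper that reads the two kinds of console output shown in Tasks 2 and 3 and reports which controllers option 43 advertised, which WLC the AP attempted DTLS with, whether it joined, and whether the controller certificate it was shown had already expired, which is what separates the successful 1702 join from the 3802i failure. The regexes and the sample log excerpts are my own, constructed from the lines above.

```python
import re
from datetime import datetime, timezone
from typing import Optional

# Regexes match the console formats seen above: IOS-style AP syslog lines
# (%CAPWAP-5-...) and the AP-COS style "[*date time] ..." lines from the 3802i.
OPTION43_RE = re.compile(r"DHCP_OPTION_43: Controller address (\d{1,3}(?:\.\d{1,3}){3})")
DTLS_PEER_RE = re.compile(r"DTLSREQSEND: .*peer_ip: (\S+)")
JOINED_RE = re.compile(r"JOINEDCONTROLLER: AP has joined controller (\S+)")
CERT_END_RE = re.compile(r"Certificate End Date: (\w{3} +\d{1,2} \d\d:\d\d:\d\d \d{4}) GMT")
CERT_FAIL_RE = re.compile(r"Controller certificate verification (?:error|failed)")


def triage_join_log(text: str, now: Optional[datetime] = None) -> dict:
    """Summarise one CAPWAP join attempt: which WLCs option 43 advertised,
    which peer the AP tried DTLS with, whether it joined, and whether the
    controller certificate presented during DTLS had already expired."""
    now = now or datetime.now(timezone.utc)
    summary = {"option43_controllers": [], "dtls_peer": None, "joined": None,
               "cert_end": None, "cert_expired": False, "cert_verify_failed": False}
    for line in text.splitlines():
        if m := OPTION43_RE.search(line):
            summary["option43_controllers"].append(m.group(1))
        elif m := DTLS_PEER_RE.search(line):
            summary["dtls_peer"] = m.group(1)
        elif m := JOINED_RE.search(line):
            summary["joined"] = m.group(1)
        elif m := CERT_END_RE.search(line):
            end = datetime.strptime(m.group(1), "%b %d %H:%M:%S %Y").replace(tzinfo=timezone.utc)
            summary["cert_end"] = end
            summary["cert_expired"] = end < now
        elif CERT_FAIL_RE.search(line):
            summary["cert_verify_failed"] = True
    return summary


# Constructed excerpts of the two console logs shown above (not full captures).
AP2_LOG = """\
*Jun  1 11:05:59.047: %CAPWAP-5-DHCP_OPTION_43: Controller address 172.20.10.3 obtained through DHCP
*Jun  1 11:05:59.047: %CAPWAP-5-DHCP_OPTION_43: Controller address 172.30.10.3 obtained through DHCP
*Oct  3 18:04:18.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 172.30.10.3 peer_port: 5246
*Oct  3 18:04:19.247: %CAPWAP-5-JOINEDCONTROLLER: AP has joined controller JRI.WLC.02
"""
MADRID_LOG = """\
[*10/03/2025 18:16:41.3819] Certificate is expired
[*10/03/2025 18:16:41.3820] Certificate End Date: Sep 30 09:42:42 2024 GMT
[*10/03/2025 18:16:41.3837] dtls_verify_con_cert: Controller certificate verification error
[*10/03/2025 18:16:41.3841] sendPacketToDtls: DTLS: Closing connection 0xfe0c00.
"""
```

Running `triage_join_log(AP2_LOG)` reports a join to JRI.WLC.02 with a clean certificate, while `triage_join_log(MADRID_LOG)` reports no join, an expired controller certificate and a failed verification.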