Calendar
QuicksearchArchivesCategoriesBlog AdministrationPowered byLizenz/LicenseDer Inhalt dieses Blogs ist © Copyright 2009 Ralf Ertzinger. Jegliche Reproduktion und Wiederverwertung nur mit schriftlicher Genehmigung des Autors. The content of this blog is © Copyright 2009 Ralf Ertzinger. |
Saturday, March 17. 2012Manually converting a Cisco AP to LAP modeSeveral of Cisco Systems Wireless Access Points can be used in two different deployment scenarios:
Each scenario requires special software on the AP. Converting a Thin AP to Thick is comparatively easy, as this can be done from the WLC the AP is managed by. Converting in the other direction (Thick to Thin) is a bit more complicated. It requires a so called LWAPP Upgrade and Recovery image to be installed on the AP, along with some configuration changes. Equipped with this image the AP will be able to find and associate with a WLC, which will then provide the AP with the "real" LAP IOS version and appropriate config. Getting the LWAPP Upgrade image onto the AP can be a bit tricky, though. Cisco offers a tool to help with the process (the Autonomous To Lightweight Mode Upgrade Tool), but this has several drawbacks.
The latter is, of course, entirely subjective. But there is not much magic in what this tool does, anyway. Converting a Thick AP to Thin mode can be done completly manually. The following is required:
Please note: Following this procedure the AP will reboot without a config. It's expected that the AP will be able to acquire an IP address on it's ethernet port via DHCP and establish a connection to a WLC. The AP will not be remotely manageable unless it is able to associate with a WLC. Keep this in mind before converting an AP in Australia from Europe. ConvertionThe convertion consists of three main steps:
Self signed certificateConnect to the AP and make sure you have the appropriate privileges: ap#sh privilege Current privilege level is 15 The self signed certificate will contain the MAC address of the ethernet interface, so this needs to be determined first. ap#show int F0 | include address Hardware is PowerPC405GP Ethernet, address is 0014.6a40.45ab (bia 0014.6a40.45ab) Next, some boot parameters need to be set, as well as the clock of the AP. This is necessary for the creation of the self signed certificate as well as acceptance of the root certificates to be installed later. ap# conf t ap(config)# no boot manual ap(config)# no boot enable-break ap(config)# no sntp broadcast client ap(config)# no timezone ap(config)# end ap# clock set 17:36:00 17 March 2012 Next, eventually existing versions of the self signed certificate (SSC) will be removed. These do not necessarily exist, so getting an error message here denoting this is not critical. Confirmation is required if the keys actually do exist. Afterwards, a new RSA keypair is generated, and a SSC based on this keypair. The common name (cn) entered in the certificate subject name consists of the AP family description (C1200 for a 1242AG, for example) and the MAC address of the ethernet interface as determined above. The other fields of the subject name are static. ap# conf t ap(config)# crypto key zeroize rsa CISCO_IOS_SSC_Keys % The specified RSA keypair does not exist (CISCO_IOS_SSC_Keys). ap(config)# no crypto ca trustpoint CISCO_IOS_SSC_Cert % CA trustpoint 'CISCO_IOS_SSC_Cert' is not known. ap(config)# crypto key generate rsa general-keys label CISCO_IOS_SSC_Keys modulus 2048 The name for the keys will be: CISCO_IOS_SSC_Keys % The key modulus size is 2048 bits % Generating 2048 bit RSA keys ...[OK] ap(config)# crypto ca trustpoint CISCO_IOS_SSC_Cert ap(ca-trustpoint)#enrollment selfsigned ap(ca-trustpoint)#serial-number none ap(ca-trustpoint)#fqdn none ap(ca-trustpoint)#ip-address none ap(ca-trustpoint)#subject-name cn=C1200-00146a4045ab, ea=support@cisco.com, o=Cisco Systems, C=US, ST=California, L=San Jose ap(ca-trustpoint)#revocation-check none ap(ca-trustpoint)#rsakeypair CISCO_IOS_SSC_Keys ap(ca-trustpoint)#exit ap(config)#crypto ca enroll CISCO_IOS_SSC_Cert % The fully-qualified domain name will not be included in the certificate Generate Self Signed Router Certificate? [yes/no]: yes Router Self Signed Certificate successfully created Root certificatesSome root and intermediate certificates need to be installed on the AP. There are several of these, owing to the history of the WLC. Again, an error during certificate removal stating that the certificate does not exist is not fatal. Confirm the removal if prompted so. ap# conf t ap(config)#no crypto ca trustpoint airespace-new-root-cert % CA trustpoint 'airespace-new-root-cert' is not known. ap(config)#no crypto ca trustpoint airespace-device-root-cert % CA trustpoint 'airespace-device-root-cert' is not known. ap(config)#no crypto ca trustpoint airespace-old-root-cert % CA trustpoint 'airespace-old-root-cert' is not known. ap(config)#no crypto ca trustpoint cisco-root-cert % CA trustpoint 'cisco-root-cert' is not known. ap(config)#no crypto ca trustpoint cisco-mfg-root-cert % CA trustpoint 'cisco-mfg-root-cert' is not known. ap(config)#crypto ca profile enrollment Cisco_IOS_profile ap(ca-profile-enroll)#authentication terminal ap(ca-profile-enroll)#enrollment terminal ap(ca-profile-enroll)#exit ap(config)#crypto ca trustpoint airespace-new-root-cert ap(ca-trustpoint)#enrollment profile Cisco_IOS_profile ap(ca-trustpoint)#revocation-check none ap(ca-trustpoint)#exit ap(config)#crypto ca trustpoint airespace-device-root-cert ap(ca-trustpoint)#enrollment profile Cisco_IOS_profile ap(ca-trustpoint)#revocation-check none ap(ca-trustpoint)#exit ap(config)#crypto ca trustpoint airespace-old-root-cert ap(ca-trustpoint)#enrollment profile Cisco_IOS_profile ap(ca-trustpoint)#revocation-check none ap(ca-trustpoint)#exit ap(config)#crypto ca trustpoint cisco-root-cert ap(ca-trustpoint)#enrollment profile Cisco_IOS_profile ap(ca-trustpoint)#revocation-check none ap(ca-trustpoint)#exit ap(config)#crypto ca trustpoint cisco-mfg-root-cert ap(ca-trustpoint)#enrollment profile Cisco_IOS_profile ap(ca-trustpoint)#revocation-check none ap(ca-trustpoint)#exit Next, import the certificates. airespace-new-root-cert: ap(config)#crypto ca authen airespace-new-root-cert Enter the base 64 encoded CA certificate. End with a blank line or the word "quit" on a line by itself -----BEGIN CERTIFICATE----- MIIEWjCCA4OgAwIBAgIBADANBgkqhkiG9w0BAQQFADCBpjELMAkGA1UEBhMCVVMx EzARBgNVBAgTCkNhbGlmb3JuaWExETAPBgNVBAcTCFNhbiBKb3NlMRcwFQYDVQQK Ew5BaXJlc3BhY2UgSW5jLjEUMBIGA1UECxMLRW5naW5lZXJpbmcxGjAYBgNVBAMT EUFpcmVzcGFjZSBSb290IENBMSQwIgYJKoZIhvcNAQkBFhVzdXBwb3J0QGFpcmVz cGFjZS5jb20wHhcNMDMwNzMxMTM0MTIyWhcNMTMwNDI5MTM0MTIyWjCBpjELMAkG A1UEBhMCVVMxEzARBgNVBAgTCkNhbGlmb3JuaWExETAPBgNVBAcTCFNhbiBKb3Nl MRcwFQYDVQQKEw5BaXJlc3BhY2UgSW5jLjEUMBIGA1UECxMLRW5naW5lZXJpbmcx GjAYBgNVBAMTEUFpcmVzcGFjZSBSb290IENBMSQwIgYJKoZIhvcNAQkBFhVzdXBw b3J0QGFpcmVzcGFjZS5jb20wgd8wDQYJKoZIhvcNAQEBBQADgc0AMIHJAoHBAMyg +SMwvUnpR6Q/oqzzpIJ/Zne7ZvRrFja6hO8JZpzK4OrKbx0PupD++li4UCwQ/Hjc ydEm2I8q0Fmoppv+kDJL1kVTztkTG5mwKCpz2YZV769epUCWIuVLn8QliYh48aUf 9HsW8gwKN6NSYDpasNxFM7DAt8gC3yXwWF3/X0P9rh9Io0vf+ArCfjC+kxvTSQre yB/2+ZdPFAhVyIE/0zTxuKGJKwoQ2YpEfb8hPmRSDSDnjpMi2hHKekas60FGqwID AQABo4IBFDCCARAwHQYDVR0OBBYEFFONg2BHjcIPgGYyMunhcHBVKxfqMIHTBgNV HSMEgcswgciAFFONg2BHjcIPgGYyMunhcHBVKxfqoYGspIGpMIGmMQswCQYDVQQG EwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTERMA8GA1UEBxMIU2FuIEpvc2UxFzAV BgNVBAoTDkFpcmVzcGFjZSBJbmMuMRQwEgYDVQQLEwtFbmdpbmVlcmluZzEaMBgG A1UEAxMRQWlyZXNwYWNlIFJvb3QgQ0ExJDAiBgkqhkiG9w0BCQEWFXN1cHBvcnRA YWlyZXNwYWNlLmNvbYIBADAMBgNVHRMEBTADAQH/MAsGA1UdDwQEAwIBBjANBgkq hkiG9w0BAQQFAAOBwQAG42U9Sxn6oMO5jq4jxaMwXkJFIqlhvhtbiFbtLlrkL3rA JqooBZgkCA0VEhabROQoRy67pXMp8HDbVgEce+nzokA5mjVXpQOE7KA1Pc9J6OwB lAR0aQvBIHknZIc9JZQ9zWapcm9KeetAHHxol06SXYAjE8EmH2BHY6nZrB/fAJL2 V98atJuQTiLOVRXNRPaKAE4ryGH7wVQNwfOma4zdwcJ8RCAn5iQRmLDgAt6eBtZP DVOJh5bBwNsSsPWBb+0= -----END CERTIFICATE----- quit Certificate has the following attributes: Fingerprint: C2176703 8D42BF7F 5240CAD3 F59930A9 % Do you accept this certificate? [yes/no]: yes Trustpoint CA certificate accepted. % Certificate successfully imported airespace-device-root-cert: ap(config)#crypto ca authen airespace-device-root-cert Enter the base 64 encoded CA certificate. End with a blank line or the word "quit" on a line by itself -----BEGIN CERTIFICATE----- MIIEfzCCA6igAwIBAgIBAzANBgkqhkiG9w0BAQQFADCBpjELMAkGA1UEBhMCVVMx EzARBgNVBAgTCkNhbGlmb3JuaWExETAPBgNVBAcTCFNhbiBKb3NlMRcwFQYDVQQK Ew5BaXJlc3BhY2UgSW5jLjEUMBIGA1UECxMLRW5naW5lZXJpbmcxGjAYBgNVBAMT EUFpcmVzcGFjZSBSb290IENBMSQwIgYJKoZIhvcNAQkBFhVzdXBwb3J0QGFpcmVz cGFjZS5jb20wHhcNMDUwNDI4MjIzNzEzWhcNMTUwMTI2MjIzNzEzWjCBqDELMAkG A1UEBhMCVVMxEzARBgNVBAgTCkNhbGlmb3JuaWExETAPBgNVBAcTCFNhbiBKb3Nl MRcwFQYDVQQKEw5BaXJlc3BhY2UgSW5jLjEUMBIGA1UECxMLRW5naW5lZXJpbmcx HDAaBgNVBAMTE0FpcmVzcGFjZSBEZXZpY2UgQ0ExJDAiBgkqhkiG9w0BCQEWFXN1 cHBvcnRAYWlyZXNwYWNlLmNvbTCB3zANBgkqhkiG9w0BAQEFAAOBzQAwgckCgcEA qTwBWOcoTnX/hqV6iGrKN0ML7PB1gvVr22rFFFVPsG6qMns+zjyTkQPJO6QMCvky pstdo/HDxShTv04ZLBv8SEZ+vZMGtJdKEnO/NYrYVA8mHmEromc7aNI5yH4enpZ7 JlTShUW7f3hfTp1Le4ABqi9FXP9FUuzbVmfj/OcJPgaPrjU9Qii0jYtBXZv0ljQt wUWZh7ab+ktR+2e0oMIef8YmmjlH6x1IXoOxKYsHnl4e2rWgvl4d4BCf8L1HUOMr AgMBAAGjggE3MIIBMzAMBgNVHRMEBTADAQH/MC4GCWCGSAGG+EIBDQQhFh9BaXJl c3BhY2UgRGV2aWNlIENBIENlcnRpZmljYXRlMB0GA1UdDgQWBBQKUjuxJXBSO5zq dH+yrT2Pleo/zDCB0wYDVR0jBIHLMIHIgBRTjYNgR43CD4BmMjLp4XBwVSsX6qGB rKSBqTCBpjELMAkGA1UEBhMCVVMxEzARBgNVBAgTCkNhbGlmb3JuaWExETAPBgNV BAcTCFNhbiBKb3NlMRcwFQYDVQQKEw5BaXJlc3BhY2UgSW5jLjEUMBIGA1UECxML RW5naW5lZXJpbmcxGjAYBgNVBAMTEUFpcmVzcGFjZSBSb290IENBMSQwIgYJKoZI hvcNAQkBFhVzdXBwb3J0QGFpcmVzcGFjZS5jb22CAQAwDQYJKoZIhvcNAQEEBQAD gcEAoOjVnZvanu0MlgRd/qNwhOxZtcPTcWlNsHBmTgyAYNae42boH588z2iKsEmO zPpspyhU8tgEZpDJj+yE7y9/DwjJD3GdwPTBJc7RtSVt2T5Rd3vV6H8dx5/MUC3C AkLAXRaC3uPfdUG4xVtDPBDf4r/S6ALn2SMymiOiB2+GvMBI1Wmzg1msiXmX8CxV b4/jGHVPYFxDzafIGEewhR2t8NbNYsjeqG5uEkp83L+m/MfhhSodsVKdY7NogwX2 e9Jf -----END CERTIFICATE----- quit Certificate has the following attributes: Fingerprint: B5B0E363 7834493B DD640D72 122B19AC Certificate validated - Signed by existing trustpoint CA certificate. Trustpoint CA certificate accepted. % Certificate successfully imported airespace-old-root-cert: ap(config)#crypto ca authen airespace-old-root-cert Enter the base 64 encoded CA certificate. End with a blank line or the word "quit" on a line by itself -----BEGIN CERTIFICATE----- MIIEBjCCAy+gAwIBAgIBADANBgkqhkiG9w0BAQQFADCBjzELMAkGA1UEBhMCVVMx EzARBgNVBAgTCkNhbGlmb3JuaWExETAPBgNVBAcTCFNhbiBKb3NlMRYwFAYDVQQK Ew1haXJlc3BhY2UgSW5jMQ0wCwYDVQQLEwRub25lMQswCQYDVQQDEwJjYTEkMCIG CSqGSIb3DQEJARYVc3VwcG9ydEBhaXJlc3BhY2UuY29tMB4XDTAzMDIxMjIzMzg1 NVoXDTEyMTExMTIzMzg1NVowgY8xCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxp Zm9ybmlhMREwDwYDVQQHEwhTYW4gSm9zZTEWMBQGA1UEChMNYWlyZXNwYWNlIElu YzENMAsGA1UECxMEbm9uZTELMAkGA1UEAxMCY2ExJDAiBgkqhkiG9w0BCQEWFXN1 cHBvcnRAYWlyZXNwYWNlLmNvbTCB3zANBgkqhkiG9w0BAQEFAAOBzQAwgckCgcEA 2505ATAFndEFyyeTm5kH+B/1f6kkBlv3Glhl+LnPzLNnk1TUabq4RxyjJ67qAGqs kEecncI7Z976zA0oMsYQP6WcQeLotCULTSkD61JimpnWGLdHxKlBURq5lbsUkFQE X0oLn/OH80bV86JJKu0baj3WOdhJJDZqEjTdLbE81Il+LqEBY7zMgi96bQszq1cF PHhKbaPdHluWz1TGz01ZvBv9bLbnL8spiNy+bU12+4Mfr1aD5OIIIgCp6y477w35 AgMBAAGjge8wgewwHQYDVR0OBBYEFJRX330Ugi0xuyh3LomWGIbaRoS6MIG8BgNV HSMEgbQwgbGAFJRX330Ugi0xuyh3LomWGIbaRoS6oYGVpIGSMIGPMQswCQYDVQQG EwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTERMA8GA1UEBxMIU2FuIEpvc2UxFjAU BgNVBAoTDWFpcmVzcGFjZSBJbmMxDTALBgNVBAsTBG5vbmUxCzAJBgNVBAMTAmNh MSQwIgYJKoZIhvcNAQkBFhVzdXBwb3J0QGFpcmVzcGFjZS5jb22CAQAwDAYDVR0T BAUwAwEB/zANBgkqhkiG9w0BAQQFAAOBwQCusDSdwPkqqjpXdbOnnFQhqdAVOJJh lcA0eQTagdQSD1j64imSI761SpBtcPf3IZLvr6Sw9IhgTjCUu8x3o2CogSkISbh7 XKGqFyGSKlVraODTGtxyZMTE1rIzNFyGJU5JiAlmRc1A8Sdhi8N+cdrZFnclMiNh cdh6Fvkq98FRy4iSRDvGZlm+pHuYXohmaKHr1Ii79uepSf34dxHVGKgOID2hK+vc aWPtp7dgeaMiOAyWDLjTJMrdlJ3qOeDvAz0= -----END CERTIFICATE----- quit Certificate has the following attributes: Fingerprint: 61FD1452 D2803ADC BC4D069C 5FC3C92E % Do you accept this certificate? [yes/no]: yes Trustpoint CA certificate accepted. % Certificate successfully imported cisco-mfg-root-cert: ap(config)#crypto ca authen cisco-mfg-root-cert Enter the base 64 encoded CA certificate. End with a blank line or the word "quit" on a line by itself -----BEGIN CERTIFICATE----- MIIE2TCCA8GgAwIBAgIKamlnswAAAAAAAzANBgkqhkiG9w0BAQUFADA1MRYwFAYD VQQKEw1DaXNjbyBTeXN0ZW1zMRswGQYDVQQDExJDaXNjbyBSb290IENBIDIwNDgw HhcNMDUwNjEwMjIxNjAxWhcNMjkwNTE0MjAyNTQyWjA5MRYwFAYDVQQKEw1DaXNj byBTeXN0ZW1zMR8wHQYDVQQDExZDaXNjbyBNYW51ZmFjdHVyaW5nIENBMIIBIDAN BgkqhkiG9w0BAQEFAAOCAQ0AMIIBCAKCAQEAoMX33JaUNRXx9JlOu5tB4X3beRaR u/NU8kFKlDJiYskj95rnu5t56AcpTjD1rhvFIVZGsPj05o6BuBbMqJuF0kKB23zL lKkRYRIcXOozIByaFqd925kGauI2r+z4Cv+YZwf0MO6l+IgaqujHPBzO7kj9zVw3 8YaTnj1xdX007ksUqcApewUQ74eeaTEw9Ug2P9irzhXi6FifPmJxBIcmpBViASWq 1d/JyVu4yaEHe75okpOTIKhsvRV100RdRUvsqNpgx9jI1cjtQeH1X1eOUzKTSdXZ D/g2qgfEMkHFp68dGf/2c5k5WnNnYhM0DR9elXBSZBcG7FNcXNtq6jUAQQIBA6OC AecwggHjMBIGA1UdEwEB/wQIMAYBAf8CAQAwHQYDVR0OBBYEFNDFIiarT0Zg7K4F kcfcWtGwR/dsMAsGA1UdDwQEAwIBhjAQBgkrBgEEAYI3FQEEAwIBADAZBgkrBgEE AYI3FAIEDB4KAFMAdQBiAEMAQTAfBgNVHSMEGDAWgBQn88gVHm6aAgkWrSugiWBf 2nsvqjBDBgNVHR8EPDA6MDigNqA0hjJodHRwOi8vd3d3LmNpc2NvLmNvbS9zZWN1 cml0eS9wa2kvY3JsL2NyY2EyMDQ4LmNybDBQBggrBgEFBQcBAQREMEIwQAYIKwYB BQUHMAKGNGh0dHA6Ly93d3cuY2lzY28uY29tL3NlY3VyaXR5L3BraS9jZXJ0cy9j cmNhMjA0OC5jZXIwXAYDVR0gBFUwUzBRBgorBgEEAQkVAQIAMEMwQQYIKwYBBQUH AgEWNWh0dHA6Ly93d3cuY2lzY28uY29tL3NlY3VyaXR5L3BraS9wb2xpY2llcy9p bmRleC5odG1sMF4GA1UdJQRXMFUGCCsGAQUFBwMBBggrBgEFBQcDAgYIKwYBBQUH AwUGCCsGAQUFBwMGBggrBgEFBQcDBwYKKwYBBAGCNwoDAQYKKwYBBAGCNxQCAQYJ KwYBBAGCNxUGMA0GCSqGSIb3DQEBBQUAA4IBAQAw8zAtjPLKN0pkmSQpCvKGqkLV I+ii6itvaSN6go4cTAnPpE+rhC836WVg0ZrG2PML9d7QJwBcbx2RvdFOWFEdyeP3 OOfTC9Fovo4ipUsG4eakqjN9GnW6JvNwxmEApcN5JlunGdGTjaubEBEpH6GC/f08 S25l3JNFBemvM2tnIwcGhiLa69yHz1khQhrpz3B1iOAkPV19TpY4gJfVb/Cbcdi6 YBmlsGGGrd1lZva5J6LuL2GbuqEwYf2+rDUU+bgtlwavw+9tzD0865XpgdOKXrbO +nmka9eiV2TEP0zJ2+iC7AFm1BCIolblPFft6QKoSJFjB6thJksaE5/k3Npf -----END CERTIFICATE----- quit Trustpoint 'cisco-mfg-root-cert' is a subordinate CA and holds a non self signed cert Certificate has the following attributes: Fingerprint: 6EA241F5 AC9A1148 CC8B4B43 C7C13025 % Do you accept this certificate? [yes/no]: yes Trustpoint CA certificate accepted. % Certificate successfully imported cisco-root-cert: ap(config)# crypto ca authen cisco-root-cert Enter the base 64 encoded CA certificate. End with a blank line or the word "quit" on a line by itself -----BEGIN CERTIFICATE----- MIIDQzCCAiugAwIBAgIQX/h7KCtU3I1CoxW1aMmt/zANBgkqhkiG9w0BAQUFADA1 MRYwFAYDVQQKEw1DaXNjbyBTeXN0ZW1zMRswGQYDVQQDExJDaXNjbyBSb290IENB IDIwNDgwHhcNMDQwNTE0MjAxNzEyWhcNMjkwNTE0MjAyNTQyWjA1MRYwFAYDVQQK Ew1DaXNjbyBTeXN0ZW1zMRswGQYDVQQDExJDaXNjbyBSb290IENBIDIwNDgwggEg MA0GCSqGSIb3DQEBAQUAA4IBDQAwggEIAoIBAQCwmrmrp68Kd6ficba0ZmKUeIhH xmJVhEAyv8CrLqUccda8bnuoqrpu0hWISEWdovyD0My5jOAmaHBKeN8hF570YQXJ FcjPFto1YYmUQ6iEqDGYeJu5Tm8sUxJszR2tKyS7McQr/4NEb7Y9JHcJ6r8qqB9q VvYgDxFUl4F1pyXOWWqCZe+36ufijXWLbvLdT6ZeYpzPEApk0E5tzivMW/VgpSdH jWn0f84bcN5wGyDWbs2mAag8EtKpP6BrXruOIIt6keO1aO6g58QBdKhTCytKmg9l Eg6CTY5j/e/rmxrbU6YTYK/CfdfHbBcl1HP7R2RQgYCUTOG/rksc35LtLgXfAgED o1EwTzALBgNVHQ8EBAMCAYYwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUJ/PI FR5umgIJFq0roIlgX9p7L6owEAYJKwYBBAGCNxUBBAMCAQAwDQYJKoZIhvcNAQEF BQADggEBAJ2dhISjQal8dwy3U8pORFBi71R803UXHOjgxkhLtv5MOhmBVrBW7hmW Yqpao2TB9k5UM8Z3/sUcuuVdJcr18JOagxEu5sv4dEX+5wW4q+ffy0vhN4TauYuX cB7w4ovXsNgOnbFp1iqRe6lJT37mjpXYgyc81WhJDtSd9i7rp77rMKSsH0T8lasz Bvt9YAretIpjsJyp8qS5UwGH0GikJ3+r/+n6yUA4iGe0OcaEb1fJU9u6ju7AQ7L4 CYNu/2bPPu8Xs1gYJQk0XuPL1hS27PKSb3TkL4Eq1ZKR4OCXPDJoBYVL0fdX4lId kxpUnwVwwEpxYB5DC2Ae/qPOgRnhCzU= -----END CERTIFICATE----- quit Certificate has the following attributes: Fingerprint: BE395ABE 078AB112 1725CC1D 46343CB2 % Do you accept this certificate? [yes/no]: yes Trustpoint CA certificate accepted. % Certificate successfully imported Image transferThe LWAPP Upgrade image is transferred to the AP. This will overwrite any existing images, thus this is the point of no return, in a way. Enter the appropriate data for your environment (IP address, image name) in the TFTP server section. ap# arch down /over /create-space tftp://10.200.254.4/images/c1200-rcvk9w8-tar.123-7.JX9.tar examining image... Loading images/c1200-rcvk9w8-tar.123-7.JX9.tar from 10.200.254.4 (via BVI1): ! extracting info (273 bytes) Image info: Version Suffix: rcvk9w8- Image Name: c1200-rcvk9w8-mx Version Directory: c1200-rcvk9w8-mx Ios Image Size: 1751552 Total Image Size: 1751552 Image Feature: WIRELESS LAN|LWAPP|RECOVERY Image Family: C1200 Wireless Switch Management Version: 3.0.51.0 Extracting files... c1200-rcvk9w8-mx/ (directory) 0 (bytes) extracting c1200-rcvk9w8-mx/c1200-rcvk9w8-mx (1741240 bytes)!!!!!!!!! extracting c1200-rcvk9w8-mx/info (273 bytes) extracting info.ver (273 bytes)!! [OK - 1751040 bytes] Deleting current version... Deleting flash:/c1200-k9w7-mx.123-8.JA2...done. New software image installed in flash:/c1200-rcvk9w8-mx Configuring system to use new image...done.archive download: takes 67 seconds ap#show archive status SUCCESS: Upgrade complete. Now there is only one thing left to do: remove the startup-config, and reload the AP. On reload the AP will come up with the LAP software and start searching for a WLC to join. ap# wr erase Erasing the nvram filesystem will remove all configuration files! Continue? [confirm] [OK] ap# reload Proceed with reload? [confirm] Monday, January 18. 2010Cisco VPN debugging by crystal ballIn the hope that google picks this up: The problem space is a Cisco PIX terminating an IPSec VPN tunnel with a Checkpoint firewall on the other end. The tunnel does not work (the phase 2 setup fails). The Cisco logs the following debug messages: ISAKMP (0): processing SA payload. message ID = 1911693629 ISAKMP : Checking IPSec proposal 1 ISAKMP: transform 1, ESP_3DES ISAKMP: attributes in transform: ISAKMP: SA life type in seconds ISAKMP: SA life duration (VPI) of 0x0 0x0 0xe 0x10 ISAKMP: authenticator is HMAC-SHA ISAKMP: encaps is 1 ISAKMP (0): atts are acceptable. ISAKMP : Checking IPSec proposal 1 ISAKMP (0): atts not acceptable. Next payload is 0 ISAKMP (0): SA not acceptable! ISAKMP (0): sending NOTIFY message 14 protocol 0 return status is IKMP_ERR_NO_RETRANS The log message above was created by an incoming proposal (the remote end proposed a connection to the Cisco PIX). This is useless and confusing at the same time. An IPSec proposal contains a list of parameters, sent by one end of the connection, specifying the parameters it is willing to use to establish a secure connection. This proposal specifies 3DES as the encryption algorithm, SHA as a hash function, and a lifetime for the connection of 3600 seconds (after which the connection has to be renegotiated). As can be seen, the PIX accepts this proposal (as it should), since these parameters match those configured on the PIX for this connection. It then goes on to check the same proposal again, just to reject it this time. The completely non-obvious solution to this is to disable compression (which the PIX does not support) on the Checkpoint. Why the PIX is unable to even give me a hexdump of the offending parameter in the proposal I'll probably never know.
(Page 1 of 1, totaling 2 entries)
|