Cisco Bug: CSCvu29360 - AP with SHA1 cert cannot join 9800 WLC running 16.12.2s

Last Modified

Aug 25, 2020

Products (1)

  • Cisco Catalyst 9800 Series Wireless Controllers

Known Affected Releases

16.12.2s

Description (partial)

Symptom:
Older 1700/2700/3700 series APs whose manufacturer-installed certificate (MIC) is SHA1-only cannot join a C9800 running 16.12.2s. When such an AP attempts to join, the WLC keeps presenting its SHA2 certificate; the AP rejects it with a bad certificate error and tears down the DTLS session.

A SHA1 MIC is present on the C9800, but the controller does not fall back to the SHA1 MIC when the AP presents a SHA1 MIC. That fallback would be the desirable behavior.

Further, as part of CSCvp34245, the config command that ties wireless management to the CISCO_IDEVID_SUDI trustpoint was blocked. As a result, the user cannot manually tie the SHA1 trustpoint to the wireless management interface either:

WLC9800(config)#wireless management trustpoint CISCO_IDEVID_SUDI_LEGACY
% switch-1:dbm:wireless:Default Cisco SUDI trustpoint name is not allowed

Ask here: the 9800 should switch to the SHA1 certificate automatically. If the intent is not to support SHA1 APs, a customer-facing document stating that is needed.

Conditions:
SHA1 MIC APs (older 1700/2700/3700 series APs) trying to join a C9800 running 16.12.2s.
