Arraya Insights | March 26, 2015
The clock may be ticking down on the functionality of some of your Cisco lightweight Access Points (APs). When it hits zero, affected devices won’t be able to access the Internet, sending a parade of upset users in IT’s direction. The good news? There’s still time left, so let’s take a look at what could cause this and what can be done to prevent it.
What’s the problem?
Cisco APs use either Manufacturing Installed Certificates (MICs) or Self-Signed Certificates (SSCs) to prove the legitimacy of a Lightweight AP during the connection process. These certificates are part of an authentication procedure that ensures only sanctioned devices connect to a network. Once a certificate expires, the AP isn’t permitted to make a connection without the necessary upgrade.
Typically, certificates expire in two years. However, the projected lifetime and protection needs of the hardware led Cisco to set the MICs to have a lifetime of ten years from date of manufacture. SSCs also last for ten years from the date when they were created.
Guess when the first APs containing MICs hit the market? Ten years ago.
What’s the scope?
Those first APs with MICs – the 1120, 1130, 1230, 1310 series – were built in July of 2005, putting their “expiration date” just a few short months away.
If you’re not 100% sure when an AP was manufactured, one way to find out is to look up its serial number. To do this, run the following command on the WLC: “>show ap inventory all inventory for (device name).”
The serial number of the AP’s chassis will appear in the first section of the output in the following format: “LLLYYWWSSSS.” In this format, the first two digits (“YY”) together are the code for the year of manufacture and the next two (“WW”) together are the code for the week of manufacture. Once you have that info, check it against the Manufacturing Year and Week codes to determine when the chassis was built.
The Manufacturing Year Codes are:
The Manufacturing Week Codes are:
Say, for example, you see a serial number that reads: FCZ1128Q0PE. That has a year code of 11, meaning the AP was built in 2007. Its week code is 28, which means it was manufactured in July. This formula can help you easily determine whether you need to worry about expiring AP certificates yet.
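The same serial-number check can be scripted across a whole AP inventory. The sketch below is an added example, not part of the original article or any Cisco tooling. It assumes the year code equals the calendar year minus 1996 (consistent with the 11 → 2007 example above), treats the week code as a week-of-year number, and estimates MIC expiry as ten years after the manufacturing week; the function names and every sample serial other than FCZ1128Q0PE are constructed.

```python
import re
from datetime import date, timedelta

# Assumption: year code = calendar year - 1996, which matches the article's
# worked example (code 11 -> 2007). Week code is the week of that year (01-53).
YEAR_CODE_BASE = 1996
MIC_LIFETIME_YEARS = 10  # from the article: ten years from date of manufacture
SERIAL_RE = re.compile(r"^([A-Z]{3})(\d{2})(\d{2})([A-Z0-9]{4})$")  # LLLYYWWSSSS


def manufacture_date(serial: str) -> date:
    """Return the approximate start of the manufacturing week for a chassis serial."""
    m = SERIAL_RE.match(serial.strip().upper())
    if not m:
        raise ValueError(f"not in LLLYYWWSSSS format: {serial!r}")
    year_code, week = int(m.group(2)), int(m.group(3))
    if year_code < 1 or not 1 <= week <= 53:
        raise ValueError(f"implausible year/week code in {serial!r}")
    return date(YEAR_CODE_BASE + year_code, 1, 1) + timedelta(weeks=week - 1)


def estimated_mic_expiry(serial: str) -> date:
    """Manufacture date plus the ten-year MIC lifetime (an estimate only)."""
    built = manufacture_date(serial)
    # Week starts fall on day 1, 8, 15, ... of the year, so never on 29 Feb.
    return built.replace(year=built.year + MIC_LIFETIME_YEARS)


def triage(serials, today, warn_days=180):
    """Sort serials into expired / expiring / ok / invalid by estimated expiry."""
    report = {"expired": [], "expiring": [], "ok": [], "invalid": []}
    for s in serials:
        try:
            expiry = estimated_mic_expiry(s)
        except ValueError:
            report["invalid"].append(s)
            continue
        days_left = (expiry - today).days
        bucket = "expired" if days_left < 0 else "expiring" if days_left <= warn_days else "ok"
        report[bucket].append((s, expiry.isoformat(), days_left))
    return report


if __name__ == "__main__":
    # Constructed inventory: the first serial is the article's example, the rest are made up.
    sample = ["FCZ1128Q0PE", "FTX0928A1B2", "FOC1452XYZ9", "bad-serial"]
    for bucket, rows in triage(sample, today=date(2015, 3, 26)).items():
        print(bucket, rows)
```

The authoritative expiry is the validity period inside the certificate itself; a serial-derived date is only a first-pass filter for deciding which APs to look at.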
What do you need to do?
If you believe your system may be affected, hold tight. Next month, Cisco will release rebuilds of AireOS 7.0 and 7.4. Then in June, it will post the rebuild of AireOS 8.0. Once in place, these new versions will give IT the option to disable the lifetime limit so APs with MICs or SSCs older than 10 years will still be able to connect to the network. If you need a repair and need it now, it’s possible to reach out to Cisco for an escalation code.
The expiring certificates do present IT with an interesting opportunity. While you’re making upgrades to your wireless infrastructure, it may be a good time to refresh your WLAN so you can start taking advantage of the speed, capacity, and reliability of the newest generation 802.11ac products and capabilities.
Arraya Solutions’ Cisco team has the depth of knowledge and experience needed to ensure network connectivity and guide you through any upgrades that may be required. Our engineers will work with you to develop forward-thinking solutions that will make a difference today and for the long haul.
To learn more about 802.11ac, namely, what it does, how it works, and why your organization needs it, check out the “The 802.11ac Standard- Network Design & Benefits” session at the Arraya Tech Summit, taking place on June 4th. It is a completely free event which will feature courses and presentations designed and presented by our leading team of engineers with one goal in mind: to help IT pros take their game to a whole new level. Learn more and register today at https://arrayasolutions-techsummit2015.eventbrite.com