Expiring Certificates: How to Prevent Cisco 5508 WLC and AP Disruption

Does your organization have Cisco 5508 Wireless LAN Controllers (WLCs) deployed in its environment? If so, connectivity problems could be on the horizon. With the help of our Network and Security team, let’s explore the root cause of this issue. Then, we can turn to how to prevent it.

The basic rundown goes like this: Cisco APs and WLCs have Manufacturer-Installed Certificates (MICs) that are valid for 10 years. With the default configuration, if either MIC (AP or WLC) is not valid, the APs won’t be able to register to the controller. Care to take a guess when Cisco first began manufacturing the 5508 WLCs? Just a little over ten years ago, back in May 2009.

We actually covered the other side of this problem, involving expiring AP certificates, in a previous post on this blog. However, now it’s the WLCs’ turn. If your WLC MIC is expired, you may have a situation where your APs are working now, but if they were to reboot they wouldn’t be able to join the controller. In other words, they won’t work.

Cisco delivers a workaround: Will it work for you?

The good news is that Cisco has provided a workaround that will allow the AP to ignore the MIC expiration. To implement this workaround, issue the following command:

config ap cert-expiry-ignore mic enable

This allows your APs to join no matter which MIC is expired (AP or WLC). On the downside, there are some situations where this workaround will not be enough. For example:

1. You have AP models 1800/2800/3800, AND
2. You are running WLC code prior to 8.5, AND
3. Your 5508 WLC MIC is expired or about to expire.

In this specific case, the workaround will not work. Those APs require 8.5 code for the workaround. If this is your situation, then upgrade the WLC to 8.5.151.0. Note: As of the time of writing, this is the code we recommend. Once the upgrade is complete, you can configure the workaround. Refer to this Bug ID for more info: https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvb93909/.

If you have legacy APs, such as the 1142 model, in addition to meeting each of the three above conditions, you’re going to run into a different problem. It’s worth noting that 8.5 may not support legacy apps, forcing you to do one of two things:

1. Invest in new APs, or
2. Reach out to Cisco TAC and hope they can provide you with the fix in 8.3 code for your no-longer-supported APs.

Next Steps: Let Arraya help keep your Cisco 5508 APs running

There is one other question we need to address in this post: How can you tell when your WLC MIC will expire? This is a pretty easy one to address. Simply issue the command “show certificate all” and look for the Validity End date for the “Cisco SHA1 device cert.” This will provide you with the info you need to move forward.

If you have any questions about APs, WLCs, or any of the topics covered in this post, please reach out to your account manager at Arraya or visit us online at https://www.arrayasolutions.com//contact-us/. Arraya’s Network and Security team can help guide you through this process to make sure you don’t have any AP downtime due to this cert expiry.