Cisco issues each access point it manufactures with an X.509 certificate that identifies the device to the infrastructure in various cryptographic procedures.  For access points manufactured prior to 2017, these certificates expire after 10 years.  Once the certificate on an access point expires, it can no longer establish secure communication with the Wireless LAN Controller and therefore cannot form the CAPWAP tunnel.

More information on this topic can be found in this field notice:

https://www.cisco.com/c/en/us/support/docs/field-notices/639/fn63942.html

At a high level, the following steps are suggested to prevent outages:

  • Implement automation to detect access points approaching 10 years of age and identify those whose Wireless LAN Controller does not have the temporary fix applied.
  • Build an obsolescence strategy that includes refreshing sites at risk of expiring AP certificates.
  • Refresh sites with the newer Catalyst series access points, which have certificates with longer expiration dates.

The certificate on any access point manufactured between July 18, 2005 and mid-2017 expires 10 years after manufacture.  The year and week an access point was manufactured can be calculated from its serial number using the table below.  The table refers to this serial number convention:

[Table: access point serial number to year]

This convention does not apply to the AIR-CT7510 series.

By adding 1996 to the year digits taken from the serial number, we obtain the year of manufacture; the certificate expires 10 years after that.

Temporary Remediation

Whilst sites remain at risk and a hardware refresh is planned, a temporary workaround can be implemented.

  1. Disable MIC certificate checks on the Wireless LAN Controller with the command:

     config ap cert-expiry-ignore mic enable

  2. If the above command does not resolve the immediate issue, you can attempt to disable NTP and set the clock back a number of years.

These fixes cannot be permanent, and any site receiving them should be flagged for a refresh immediately.

Programmatically flagging access points at risk

We have produced a proof-of-concept script using a monitoring platform API and Python.  The script performs the following steps:

  1. Connect to the monitoring platform API and retrieve a list of the WLCs inside the company.
  2. Connect to each WLC and retrieve the serial number of each access point.
  3. Check the controller's configuration to determine whether the temporary remediation for certificate expiration has already been applied on that WLC.
  4. Calculate whether an AP's certificate has already expired or is approaching its expiration date, and flag it in a file.
  5. If the AP is at risk and the temporary remediation has not been applied on its WLC, flag it in a file.
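The following is an added example, not the script published with this article, showing the serial-number arithmetic from the previous section and the flagging logic of steps 3 to 5 above in one place. It assumes the serial layout used by the field notice's table (three site characters, two year digits, two week digits, four unique characters), treats "mid-2017" as 1 July 2017, and assumes the workaround can be recognised in the controller's configuration text by the same `cert-expiry-ignore mic enable` wording as the command; the inventory and the 180-day warning window are constructed sample data standing in for the monitoring-API and controller lookups.

```python
import json
import re
from dataclasses import asdict, dataclass
from datetime import date, timedelta

# Assumed serial layout (the convention the field notice's table uses): LLLYYWWSSSS,
# where YY + 1996 is the manufacture year and WW is the manufacture week.
SERIAL_RE = re.compile(r"^[A-Z0-9]{3}(\d{2})(\d{2})[A-Z0-9]{4}$")
YEAR_BASE = 1996
CERT_LIFETIME_YEARS = 10
AFFECTED_FROM = date(2005, 7, 18)   # start of the affected window (field notice)
AFFECTED_UNTIL = date(2017, 7, 1)   # "mid-2017", approximated here as 1 July
WARN_DAYS = 180                     # constructed early-warning window


@dataclass
class Finding:
    wlc: str
    ap: str
    serial: str
    manufactured: str
    expires: str
    status: str          # expired | expiring | ok | out_of_scope | unparsable
    wlc_remediated: bool
    needs_action: bool   # at risk AND the controller lacks the temporary workaround


def manufacture_date(serial: str) -> date:
    """Approximate manufacture date: 1 January of (1996 + YY) plus (WW - 1) weeks."""
    m = SERIAL_RE.match(serial.strip().upper())
    if not m:
        raise ValueError(f"unrecognised serial format: {serial!r}")
    yy, ww = int(m.group(1)), int(m.group(2))
    if not 1 <= ww <= 53:
        raise ValueError(f"invalid week code {ww:02d} in {serial!r}")
    return date(YEAR_BASE + yy, 1, 1) + timedelta(weeks=ww - 1)


def add_years(d: date, years: int) -> date:
    try:
        return d.replace(year=d.year + years)
    except ValueError:          # 29 February landing in a non-leap year
        return d.replace(year=d.year + years, day=28)


def cert_expiry(serial: str) -> date:
    return add_years(manufacture_date(serial), CERT_LIFETIME_YEARS)


def cert_status(serial: str, today: date, warn_days: int = WARN_DAYS) -> str:
    made = manufacture_date(serial)
    if not AFFECTED_FROM <= made <= AFFECTED_UNTIL:
        return "out_of_scope"   # outside the affected manufacture window
    remaining = cert_expiry(serial) - today
    if remaining.days <= 0:
        return "expired"
    if remaining.days <= warn_days:
        return "expiring"
    return "ok"


def wlc_has_mic_workaround(config_text: str) -> bool:
    """Assumption: the workaround shows in the controller configuration with the
    same wording as the command that enables it."""
    return re.search(r"ap cert-expiry-ignore mic enable", config_text) is not None


def assess(inventory: dict, today: date) -> list:
    """inventory = {wlc_name: {"config": str, "aps": {ap_name: serial}}}"""
    findings = []
    for wlc, data in inventory.items():
        remediated = wlc_has_mic_workaround(data.get("config", ""))
        for ap, serial in data["aps"].items():
            try:
                made_s = manufacture_date(serial).isoformat()
                exp_s = cert_expiry(serial).isoformat()
                status = cert_status(serial, today)
            except ValueError:  # serial does not follow the convention: report, don't crash
                status, made_s, exp_s = "unparsable", "", ""
            at_risk = status in ("expired", "expiring")
            findings.append(Finding(wlc, ap, serial, made_s, exp_s, status,
                                    remediated, at_risk and not remediated))
    return findings


def to_json(findings: list) -> str:
    """One JSON record per access point, as the flag file the script writes."""
    return json.dumps([asdict(f) for f in findings], indent=2)


# Constructed sample standing in for the monitoring-API and controller lookups.
SAMPLE_INVENTORY = {
    "wlc-hq-01": {
        "config": "config ap cert-expiry-ignore mic enable\n",
        "aps": {"ap-hq-lobby": "FTX1425A1B2", "ap-hq-floor2": "FGL2010C3D4"},
    },
    "wlc-branch-02": {
        "config": "",
        "aps": {"ap-br-front": "FTX1601E5F6", "ap-br-rear": "BADSERIAL"},
    },
}
SAMPLE_TODAY = date(2021, 9, 1)   # constructed reference date

if __name__ == "__main__":
    print(to_json(assess(SAMPLE_INVENTORY, SAMPLE_TODAY)))
```

With the constructed inventory and reference date, `ap-hq-lobby` (year code 14, week 25) is reported as expired but its controller already carries the workaround, while `ap-br-front` (year code 16, week 1) expires within the warning window on a controller without it and is the only AP marked `needs_action`. Serials that do not match the convention are reported as `unparsable` rather than silently skipped, so a refreshed or non-standard unit still shows up for manual review.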

The script has been tested on AireOS 2504, 3504, 5508, and 5520 platforms.

The results from the script appear as below:

[Figure: script output, JSON extracts per access point]

Script Available Here: https://github.com/benea11/cisco-ap-certificate-check
