Cisco Systems Understanding SSC Hash Not Allowed and spamcheck_valid_vwlc_x509 Issues in Cisco Routers

Models: LAIRCTVM5K9


The hash validation, which is an extra authorization step, will be performed only if the AP is joining a virtual controller. There will be a knob to turn on/off hash key validation.

By default, hash validation is enabled, which means that the AP needs to have the virtual controller hash key in its flash before it can successfully complete association with the virtual controller. If the knob is turned off, the AP will bypass the hash validation and move directly to the RUN state.

The hash key can be configured in the controller mobility configurations, which get pushed to all the APs that are joined. The AP saves this configuration until it successfully associates to another controller, after which it inherits the hash key configuration from the new controller.

Typically, APs can join a traditional controller, download the hash keys, and then join a virtual controller. However, if the AP is joined to a traditional controller, the hash validation knob can be turned off and the AP can then join any virtual controller. The administrator can decide to keep the knob on or off.

This information is captured in Cisco bug ID CSCua55382.

Exceptions:

If the AP does not have any hash key in its flash, it will bypass the hash validation, assuming that it is a first time installation.

In this case, the hash validation is bypassed irrespective of whether the hash validation knob is on/off.

Once it successfully joins the controller, it will inherit the mobility group member hash configuration (if configured in the controller). After that, it can join a virtual controller only if it has a hash key entry in its database.

Clearing the AP configuration from the controller or on the AP console will result in the erasing of all the hash keys. After that, the AP joins the virtual controller as if it is a first time installation.

AP> test capwap erase

AP> test capwap restart

Time is Incorrect

At initial install, it is possible that the time may be skewed or not properly synced. As a result, the AP may not be able to join properly. In this instance, check the SSC validity time stamp in order to ensure that it is correct. NTP is always recommended going forward.

(Cisco Controller) >show certificate ssc

SSC Hash validation.............................. Enabled.

SSC Device Certificate details:

      Subject Name :
            C=US, ST=California, L=San Jose, O=Cisco Virtual Wireless LAN Controller,
            CN=DEVICE-vWLC-AIR-CTVM-K9-000C29085BB8, MAILTO=support@vwlc.com

      Validity :
            Start : 2012 Jun  8th, 17:52:46 GMT
            End   : 2022 Apr 17th, 17:52:46 GMT

      Hash key : bd7bb60436202e830802be1e8931d539b67b2537
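The join rules and the validity-window check described above can be modelled in a few lines. This is an added example, not Cisco code: parse_ssc, join_decision and the knob_on parameter are hypothetical names, the sample text is constructed from the output shown above, and treating an out-of-window AP clock as a hard failure is a simplifying assumption.

```python
import re
from datetime import datetime, timezone

# Constructed sample in the layout of "show certificate ssc" (values from the page).
SAMPLE = """\
SSC Hash validation.............................. Enabled.
      Validity :
            Start : 2012 Jun  8th, 17:52:46 GMT
            End   : 2022 Apr 17th, 17:52:46 GMT
      Hash key : bd7bb60436202e830802be1e8931d539b67b2537
"""

def parse_ssc(text):
    """Extract knob state, validity window and hash key from the CLI text."""
    def when(label):
        m = re.search(label + r"\s*:\s*(\d{4}) (\w{3})\s+(\d+)\w*, ([\d:]+) GMT", text)
        stamp = "{} {} {} {}".format(*m.groups())
        return datetime.strptime(stamp, "%Y %b %d %H:%M:%S").replace(tzinfo=timezone.utc)
    return {
        "enabled": re.search(r"Hash validation\.*\s*(\w+)", text).group(1) == "Enabled",
        "start": when("Start"), "end": when("End"),
        "hash": re.search(r"Hash key\s*:\s*([0-9a-f]{40})", text).group(1),
    }

def join_decision(ssc, ap_hashes, ap_clock, knob_on=True, virtual=True):
    """Model of the checks described on this page; returns (allowed, reason)."""
    if not ssc["start"] <= ap_clock <= ssc["end"]:
        return False, "AP clock outside SSC validity window: check time/NTP"
    if not virtual:
        return True, "traditional controller: hash validation not performed"
    if not ap_hashes:  # bypass applies whether the knob is on or off
        return True, "no hash key in flash: treated as first-time install"
    if not knob_on:
        return True, "hash validation knob off: bypassed"
    if ssc["hash"] in ap_hashes:
        return True, "hash key matches an entry in AP flash"
    return False, "SSC hash not allowed: controller key missing from AP flash"

if __name__ == "__main__":
    ssc = parse_ssc(SAMPLE)
    skewed = datetime(2000, 1, 1, tzinfo=timezone.utc)  # AP booted with unset clock
    print(join_decision(ssc, set(), skewed))
    print(join_decision(ssc, {"00" * 20}, datetime(2013, 1, 1, tzinfo=timezone.utc)))
```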

SSC Hash

A new AP with 7.3 that does NOT have a hash can join the virtual WLC readily:

ap#show capwap client config
