Cisco Systems LAIRCTVM5K9 Router User Manual


 
The hash validation, which is an extra authorization step, will be performed only if the AP is joining a
virtual controller. There will be a knob to turn on/off hash key validation.
By default, hash validation is enabled, which means that the AP needs to have the virtual controller
hash key in its flash before it can successfully complete association with the virtual controller. If the
knob is turned off, the AP will bypass the hash validation and move directly to the RUN state.
The hash key can be configured in the controller mobility configurations, which are pushed to all the
APs that are joined. The AP saves this configuration until it successfully associates to another
controller, after which it inherits the hash key configuration from the new controller.
Typically, APs can join a traditional controller, download the hash keys, and then join a virtual
controller. However, if an AP is joined to a traditional controller, the hash validation knob can be turned
off and the AP can join any virtual controller. The administrator can decide to keep the knob on or off.
This information is captured in Cisco bug ID CSCua55382.
Exceptions:
- If the AP does not have any hash key in its flash, it will bypass the hash validation, assuming that it is
  a first time installation.
  - In this case, the hash validation is bypassed irrespective of whether the hash validation knob
    is on/off.
  - Once it successfully joins the controller, it will inherit the mobility group member hash
    configuration (if configured in the controller), after which it can join a virtual controller only
    if it has a hash key entry in its database.
- Clearing the AP configuration from the controller or on the AP console will result in the erasing of all
  the hash keys, after which the AP joins the virtual controller as if it is a first time installation.
AP> test capwap erase
AP> test capwap restart
Time is Incorrect
At initial install, it is possible that the time may be skewed or not properly synced. As a result, the AP
may not be able to join properly. In this instance, check the SSC validity time stamp in order to ensure
that it is correct. NTP is always recommended going forward.
(Cisco Controller) >show certificate ssc
SSC Hash validation.............................. Enabled.
SSC Device Certificate details:
Subject Name :
C=US, ST=California, L=San Jose, O=Cisco Virtual Wireless LAN Controller,
CN=DEVICE-vWLC-AIR-CTVM-K9-000C29085BB8, MAILTO=support@vwlc.com
Validity :
Start : 2012 Jun 8th, 17:52:46 GMT
End : 2022 Apr 17th, 17:52:46 GMT
Hash key : bd7bb60436202e830802be1e8931d539b67b2537
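The validity check described above can be scripted. The following is an added example, not part of the Cisco manual: it parses an abridged copy of the show certificate ssc output above and classifies a clock reading against the SSC validity window. The function names and the clock values passed in are assumptions made for illustration.

```python
import re
from datetime import datetime, timezone

# Constructed sample: abridged copy of the `show certificate ssc` output above.
SAMPLE = """\
SSC Hash validation.............................. Enabled.
SSC Device Certificate details:
Validity :
Start : 2012 Jun 8th, 17:52:46 GMT
End : 2022 Apr 17th, 17:52:46 GMT
Hash key : bd7bb60436202e830802be1e8931d539b67b2537
"""

# Dates are printed as "2012 Jun 8th, 17:52:46 GMT" (ordinal suffix on the day).
_DATE = re.compile(r"(\d{4}) (\w{3}) (\d{1,2})(?:st|nd|rd|th), (\d\d:\d\d:\d\d) GMT")

def _parse_date(text):
    m = _DATE.search(text)
    if not m:
        raise ValueError(f"unrecognised date: {text!r}")
    year, mon, day, hms = m.groups()
    dt = datetime.strptime(f"{year} {mon} {day} {hms}", "%Y %b %d %H:%M:%S")
    return dt.replace(tzinfo=timezone.utc)

def parse_ssc(output):
    """Extract hash validation state, validity window and hash key."""
    fields = {}
    for line in output.splitlines():
        line = line.strip()
        if line.startswith("SSC Hash validation"):
            fields["validation_enabled"] = "Enabled" in line
        elif line.startswith("Start :"):
            fields["start"] = _parse_date(line)
        elif line.startswith("End :"):
            fields["end"] = _parse_date(line)
        elif line.startswith("Hash key :"):
            fields["hash_key"] = line.split(":", 1)[1].strip().lower()
    missing = {"start", "end", "hash_key"} - fields.keys()
    if missing:
        raise ValueError(f"missing fields: {sorted(missing)}")
    return fields

def clock_status(ssc, clock):
    """Classify a timezone-aware clock reading against the SSC validity window."""
    if clock < ssc["start"]:
        return "before-start"  # clock is behind the certificate, e.g. not yet synced
    if clock > ssc["end"]:
        return "after-end"
    return "valid"
```
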
SSC Hash
A new AP with 7.3 that does NOT have a hash can join the virtual WLC readily:
ap#show capwap client config