LSC-Related Commands - Cisco Mesh Access Points Deployment Manual

Cisco mesh access points, design and deployment guide, release 7.3

Connecting the Cisco 1500 Series Mesh Access Points to the Network

LSC-Related Commands

The following commands are related to LSCs:
• config certificate lsc {enable | disable}
◦ enable—To enable an LSC on the system.
◦ disable—To disable an LSC on the system. Use this keyword to remove the LSC device certificate and send a message to an AP to do the same and disable an LSC, so that subsequent joins can be made using the MIC/SSC. The LSC CA certificate on the WLC should be removed explicitly by using the CLI, to accommodate any AP that has not transitioned back to the MIC/SSC.
• config certificate lsc ca-server url-path ip-address
This command configures the URL of the CA server used to obtain the certificates. The URL contains either the domain name or the IP address, the port number (typically 80), and the CGI path:
http://ipaddr:port/cgi-path
The following is an example of the URL when using a Microsoft 2003 server:
http://<ip address of CA>/certsrv/mscep/mscep.dll
Only one CA server can be configured. The CA server must be configured in order to provision an LSC.
• config certificate lsc ca-server delete
This command deletes the CA server configured on the controller.
• config certificate lsc ca-cert {add | delete}
This command adds the LSC CA certificate to, or deletes it from, the controller's CA certificate database as follows:
◦ add—Queries the configured CA server for a CA certificate using the SSCEP getca operation, retrieves it into the WLC, and installs it permanently in the WLC database. Once installed, this CA certificate is used to validate the incoming LSC device certificate from the AP.
◦ delete—Deletes the LSC CA certificate from the WLC database.
• config certificate lsc subject-params Country State City Orgn Dept Email
This command configures the parameters for the device certificate that will be created and installed on the controller and the AP.
Each of these strings has a maximum of 64 bytes, except Country, which has a maximum of 3 bytes. The Common Name is automatically generated using the device's Ethernet MAC address. These parameters should be configured before the controller device certificate request is created.
The above parameters are sent as an LWAPP payload to the AP, so that the AP can use them to generate the certReq. The CN is automatically generated on the AP using the current MIC/SSC "Cxxxx-MacAddr" format, where xxxx is the product number.
• config certificate lsc other-params keysize
The default keysize value is 2048 bits.
• config certificate lsc ap-provision {enable | disable}

OL-27593-01
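The following Python sketch is an added example, not part of the Cisco guide or of any Cisco tool: it checks a CA URL and a set of subject parameters against the limits stated above before rendering the ca-server, subject-params and other-params command lines. The function names, the sample values, counting the limits as UTF-8 bytes, rejecting values that contain whitespace, and passing the URL as the single argument of ca-server are assumptions made for this example.

```python
from urllib.parse import urlsplit

FIELDS = ("Country", "State", "City", "Orgn", "Dept", "Email")  # order used by subject-params
MAX_BYTES = 64          # limit the guide gives for every string except Country
MAX_COUNTRY_BYTES = 3   # limit the guide gives for Country

def check_ca_url(url):
    """List the ways a URL departs from the documented http://ipaddr:port/cgi-path form."""
    parts, problems = urlsplit(url), []
    if parts.scheme != "http":
        problems.append("scheme is not http")
    if not parts.hostname:
        problems.append("missing domain name or IP address")
    try:
        parts.port  # raises ValueError when the port is non-numeric or out of range
    except ValueError:
        problems.append("invalid port")
    if not parts.path.strip("/"):
        problems.append("missing CGI path")
    return problems

def check_subject(subject):
    """List limit violations; sizes are counted in bytes, not characters."""
    problems = []
    for name in FIELDS:
        value = subject.get(name, "")
        limit = MAX_COUNTRY_BYTES if name == "Country" else MAX_BYTES
        size = len(value.encode("utf-8"))  # assumption: UTF-8 byte count
        if size == 0 or any(ch.isspace() for ch in value):
            # Assumption: the page does not describe CLI quoting, so reject these.
            problems.append(f"{name}: empty or contains whitespace")
        elif size > limit:
            problems.append(f"{name}: {size} bytes exceeds {limit}")
    return problems

def render_commands(ca_url, subject, keysize=2048):
    """Return the CLI lines, or raise ValueError naming every problem found."""
    problems = check_ca_url(ca_url) + check_subject(subject)
    if problems:
        raise ValueError("; ".join(problems))
    return [
        f"config certificate lsc ca-server {ca_url}",
        "config certificate lsc subject-params " + " ".join(subject[n] for n in FIELDS),
        f"config certificate lsc other-params {keysize}",
    ]

# Constructed sample input, not values from the guide.
SAMPLE = {"Country": "US", "State": "CA", "City": "SanJose",
          "Orgn": "ExampleOrg", "Dept": "IT", "Email": "admin@example.com"}
```

A field of 40 accented characters passes a character count but fails here at 80 bytes, which is the case the byte-based limit is meant to catch.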
Locally Significant Certificates for Mesh APs