The first reason that you can have an AP Certificate failure is that the Cisco Certified Information Technology Specialist (CIS) certificate that you hold has become invalid because it was issued after Cisco established certain specifications for a recommended time period. For most companies this means the certificate expires. However, there are cases where companies only require that their employees have a minimum of five years of basic Cisco experience before they can obtain the five-year CIS certification. These types of certificates are called WLC certificates and are only good for six months of work experience. After six months of work experience, a company has to request that the certificate be renewed. Most of the time this is not possible because the company would have to hire someone else to perform the entire certification process again.
Another reason that certificate expiration occurs is improper access points. Two of the most common ways that certificates are lost are accidental deletion and improper configuration of access points. If certificates are improperly configured, then they can be removed from the database without any notification to the ITSP. With proper notification, however, Cisco can perform investigations to determine whether an invalid configuration was done.
It is also common for a forgotten certificate to be placed in the database of the Certification Authority. If an AP certificate with an expiration date is in the database, an authorized person can simply request that it be deleted. The verification process itself does not prevent certificates from being forgotten. This is because the entire process only verifies that the configuration of the Cisco equipment is correct. The actual content of the certificate is not checked during this process. Certificate expiration dates do not have anything to do with preventing unauthorized access; rather, these dates are used as a means to notify the ITSP that a Cisco AP has been incorrectly configured and is no longer supported by Cisco.
If a certificate has been improperly configured and it is no longer supported by Cisco, then it is referred to as “expired”. An expired certificate remains in the Cisco database until it is matched with a domain name or IP address. When the matching criterion is met, it will be saved to the database and become “on hold”. Getting an expired Cisco AP certificate can take up to two weeks, even though some ITSPs claim that it can be processed in less than one hour. There is no option to manually check for an expired certificate. A request is sent to the Cisco AP system administrator, who then manually checks the databases to identify an expired certificate.
If the ITSP cannot verify that a certificate is indeed from Cisco, then the error is referred to as a “cleared Default Configuration”. When a certificate is verified and found to be invalid, a request for re-issuance is made. This can only be done when the ITSP has obtained authorization through the use of the DNS server. Once authorization is obtained, the DNS server that was used to register the domain name listed on the certificate will return a list of all of the DNS servers that are registered. This list is considered a list of “SRV records”, which contain the IP addresses and other associated data. These data are then compared against the SRV records that are stored within the DNS server registry.
In some cases, a Cisco WLC certificate verification failed message can result from a failed activation. When this happens, it is the responsibility of the Cisco service provider to validate the certificate using either the automated process or a manual process. The manual process entails re-authenticating the user to determine whether the user is authorized to access the VPN. Manual testing can be done by following the steps outlined in the “Prerequisites” section earlier. The automated process involves resetting the firewall so that it can allow normal connectivity between the Cisco devices and the VPN.
There are different reasons why a Cisco AP certificate verification failed message may be displayed. It can be due to improper application of the security appliance or the failure of some of the certificates that have been applied. Another reason can be attributed to the improperly selected configuration of certain devices used in the VPN. Other possible reasons include the improper configuration of the SIP trunks as well as the improper configuration of various routing protocols. As long as proper authentication and reporting are employed, the vendor can ensure that a Cisco-based application does not encounter problems when it tries to make an IP connection. This prevents unnecessary problems with the company’s networks and enables fast, safe and cost-effective IP networks for all its customers.