08-03-2012 02:57 PM
Problem is not specific to AP70's but for any legacy AP without a factory cert.
It appears a controller will not provide them a switchcert if they already have one in flash that differs from what is defined in the whitelist-db.
So I'm attempting to set up a master cluster to alleviate this issue - as I understand it, all members of the cluster will use the same cert as the root of the master - so this should allow any AP to move between any controller in the cluster and have the installed cert match what is being synced in the whitelist-db among cluster members.
Has anyone done this?
I've been testing it today and if anything it makes moving AP70's around worse - they seem to get stuck in the certificate process and hang.
I am running 126.96.36.199 so perhaps it's a code version issue - but I'm curious if anyone has done this or has gotten any other form of redundancy to work with AP70's with cpsec enabled.
09-18-2012 10:23 AM
Just FYI on my issue - I have been working with TAC and the cluster option is apparently broken in 6.x code - they are slotting a fix to be included in 6.2 code stream.
While it seems unlikely anyone else is using/attempting to use this option - just posting this for any other poor soul searching about Master Clusters.
Current workaround - an expect script to monitor the cpsec whitelist database and clear AP70's that get in the hold state.
Along with that, we are in the process of swapping out all our aging AP70's.