CSR on Autonomous APs – lessons learned

In this blog post I'll share the resolution of an issue I stumbled across, which cost me a full working day; hopefully this will spare you some troubleshooting time.

The Scenario

I was building a setup consisting of a Cisco 3702 AP in Workgroup Bridge (WGB) mode. The WGB needs to connect to a lightweight AP that has already joined a controller, and it should authenticate to ISE using EAP-TLS (client certificate).

The certificate authority (CA) is a Windows 2016 server PKI with two CA servers: the root CA, called K3, and the subordinate (intermediate) CA, called K4. The goal is to generate the certificate signing request (CSR) on the AP itself, without using any external tool such as OpenSSL.

First try

I generated the CSR on the AP and signed it using a user template in the CA's web enrollment tool.

wgb-01(config)#CRYpto pki enroll WGB-TLS
% Start certificate enrollment ..
% The subject name in the certificate will include: CN=wgb-01
% The subject name in the certificate will include: wgb-01.lab.local
% Include the router serial number in the subject name? [yes/no]: yes
% The serial number in the certificate will be: FGL1864XD94
% Include an IP address in the subject name? [no]: no
Display Certificate Request to terminal? [yes/no]: yes
Certificate Request follows:
[certificate request body omitted]
---End - This line not part of the certificate request---
Redisplay enrollment request? [yes/no]: no

Issue 1

Despite the CSR defining CN=wgb-01 in the subject name, after signing I found that the certificate had been issued to the administrator user, the account used to log in to the CA web enrollment tool. This certainly doesn't fit the design.

Second try

Reviewing the certificate template on the CA server revealed the source of this behavior: the template instructs the CA to take the subject name from the AD user information.

Immediately after finding my mistake, I duplicated the user template, this time changing the option that determines where the certificate's subject name comes from.

Another important setting in this template is the key size, which is set to 2048 bits. Taking this for granted cost me most of the time spent troubleshooting issue 2, as I'll explain.

Issue 2

Back to the beginning: repeating the same process and pasting the base64-encoded CSR acquired earlier from the AP, this time the CA web enrollment tool rejected the request with the error message:

Your Request Id is 21. The disposition message is "Denied by Policy Module".

Ugh, what a nightmare, just when I thought I had it all! Just to be clear, I spent almost 5 hours reading Microsoft articles and blogs about this issue without finding a cure. Just when I was really frustrated, one blog article suggested checking the CRL and matching the key size on the machine that generated the CSR file.

Wait a minute: this is a Cisco AP running IOS 15.3(3)JD4. Could it be that this AP generates a 1024-bit key for the CSR by default? Sure enough, it does.

Resolution

Changing the key size the trustpoint uses for the CSR is how this issue was fixed; with these commands in place, enrolling again produces a request with a 2048-bit key. Commands:

wgb-01(config)#crypto pki trustpoint WGB-TLS
wgb-01(ca-trustpoint)#rsakeypair wgb-01 2048
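A pre-flight check for both issues above, added here as an example that is not part of the original post: it parses the PEM request the AP prints (pure Python, no third-party modules) and reports an RSA key below the template's 2048-bit minimum or a subject CN other than the expected one, before anything is pasted into the CA web enrollment page. `build_sample_csr` is a constructed, unsigned CSR skeleton used only as test input; the checker never verifies the signature.

```python
import base64, re
CN_OID = b"\x55\x04\x03"  # DER body of id-at-commonName (2.5.4.3)

def _children(der):  # split a DER constructed value into its direct (tag, value) children
    pos, out = 0, []
    while pos < len(der):
        tag, length, pos = der[pos], der[pos + 1], pos + 2
        if length & 0x80:  # long-form length: low 7 bits give the number of length bytes
            n = length & 0x7F
            length, pos = int.from_bytes(der[pos:pos + n], "big"), pos + n
        out.append((tag, der[pos:pos + length]))
        pos += length
    return out

def csr_key_bits_and_cn(pem):  # -> (RSA modulus bits, subject CN) of a PEM PKCS#10 request
    der = base64.b64decode(re.sub(r"-----[^-]+-----|\s", "", pem))
    info = _children(_children(der)[0][1])[0][1]  # CertificationRequestInfo
    _ver, subject, spki = _children(info)[:3]
    cn = None
    for _, rdn in _children(subject[1]):  # Name = SEQUENCE OF (SET OF AttributeTypeAndValue)
        for _, atv in _children(rdn):
            oid, value = _children(atv)
            if oid[1] == CN_OID:
                cn = value[1].decode()
    bitstr = _children(spki[1])[1][1]  # subjectPublicKey BIT STRING; byte 0 = unused-bit count
    modulus = _children(_children(bitstr[1:])[0][1])[0][1]  # RSAPublicKey.modulus INTEGER
    return int.from_bytes(modulus, "big").bit_length(), cn

def check_csr(pem, expected_cn, min_bits=2048):  # mismatches the CA template would reject
    bits, cn = csr_key_bits_and_cn(pem)
    problems = [] if bits >= min_bits else [f"RSA key is {bits} bits; template requires {min_bits}"]
    if cn != expected_cn:
        problems.append(f"subject CN is {cn!r}; expected {expected_cn!r}")
    return problems  # an empty list means the request should pass both checks

def _der(tag, body):  # minimal DER encoder, used only to build the constructed sample below
    n = len(body)
    raw = n.to_bytes((n.bit_length() + 7) // 8 or 1, "big")
    return bytes([tag]) + (bytes([n]) if n < 0x80 else bytes([0x80 | len(raw)]) + raw) + body

def build_sample_csr(bits, cn):  # constructed input: UNSIGNED CSR skeleton with an RSA key of `bits` bits
    mod = b"\x00" + ((1 << (bits - 1)) | 1).to_bytes(bits // 8, "big")  # leading 0x00 keeps the INTEGER positive
    rsa_pub = _der(0x30, _der(0x02, mod) + _der(0x02, b"\x01\x00\x01"))
    alg = _der(0x30, _der(0x06, bytes.fromhex("2a864886f70d010101")) + _der(0x05, b""))  # rsaEncryption
    spki = _der(0x30, alg + _der(0x03, b"\x00" + rsa_pub))
    subject = _der(0x30, _der(0x31, _der(0x30, _der(0x06, CN_OID) + _der(0x0C, cn.encode()))))
    info = _der(0x30, _der(0x02, b"\x00") + subject + spki + _der(0xA0, b""))
    csr = _der(0x30, info + alg + _der(0x03, b"\x00"))  # empty signature: the checker never verifies it
    return "-----BEGIN CERTIFICATE REQUEST-----\n%s-----END CERTIFICATE REQUEST-----\n" % base64.encodebytes(csr).decode()
```

Feed `check_csr` the text between the BEGIN and END lines that the AP displays; a non-empty result is the mismatch the CA would otherwise report as "Denied by Policy Module" or as a certificate issued to the wrong subject.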

I hope this post finds its way to someone it can help and spares them the hassle of reading Microsoft server blogs 🙂

Please help me improve my writing with your feedback!

Cisco Mobility Express

Finally, my lab setup is ready, just before I start working on the CCIEW 3.1 labs. In this version of the exam, Cisco introduced the Mobility Express (ME) solution. ME is a controller-less design in which a capable AP takes the role of the wireless controller and allows other lightweight (CAPWAP) APs to join it. This lets SMBs benefit from a controller-based wireless network without buying a separate controller.

The so-called Primary AP still serves wireless clients; this is similar to Aruba Instant APs, if you're familiar with them. The Cisco Aironet 802.11ac Wave 2 APs don't have an autonomous software (IOS) image; instead we get a COS image with the “smarter” Mobility Express on top. This allows the AP to provide the same functionality as an autonomous AP (without WGB) and at the same time serve lightweight APs, providing central management of the WLAN.

To summarize: an ME AP has two roles, or personas. On one side it's a lightweight (CAPWAP) AP, which joins its own second persona, a Wireless LAN Controller (WLC). An ME AP can join any other WLC as well.

ME is supported on the 3800, 2800, 1850 and 1830 APs; those APs can control other APs such as the 1700, 2700 and 3700 Series.

Configuring Mobility Express

In my lab I have an 1852 AP with a CAPWAP image, connected to a wireless LAN controller running AireOS 8.3.133; this AP didn't have the right ME image. To check the current AP image, issue the “show version” command and look for the following lines:

AP Running Image : 8.3.133.0
Primary Boot Image : 8.3.133.0
Backup Boot Image : 8.3.133.0
AP Image type : MOBILITY EXPRESS IMAGE
AP Configuration : MOBILITY EXPRESS CAPABLE

The two lines mentioning MOBILITY EXPRESS appear only if you have a Mobility Express image. The required image can be downloaded from Cisco's support site and transferred to the AP via TFTP:

LAP2#ap-type mobility-express tftp://10.10.110.50/AIR-AP1850-K9-8-3-133-0.tar

After this process ends, the AP reboots and we have two options to configure ME:

1- CLI – very similar to the initial setup of a normal AireOS controller: a step-by-step wizard.

2- GUI – the ME broadcasts a special SSID; connect to it and open a browser to go through the setup wizard:

SSID: CiscoAirProvision, Security: WPA2/AES/PSK, password: password

After configuring the controller, we log in to the ME interface, which is similar to the WLC CLI. To move to the AP persona, issue the command apciscoshell:

(Cisco Controller) >apciscoshell
!!Warning!!: You are entering ap shell. This will stop you from establishing new telnet/SSH/Web sessions to controller.
 Also the exsisting sessions will be suspended till you exit the ap shell.
 To exit the ap shell, use 'logout'

User Access Verification
Username: admin
Password:
LAP2>

To go back to the controller interface, issue the command logout:

LAP2>logout
(Cisco Controller) >

To wrap up, keep the following points in mind when dealing with the ME solution:

  • ME might be a good choice for SMB customers or branch offices where only a few APs are needed.
  • ME supports only the FlexConnect deployment model; local mode APs are not supported.
  • Management interface traffic is untagged; therefore, if the switch port is configured as a trunk, the management VLAN should be the native VLAN on that port.
  • Because the ME AP acts as a slim version of a WLC, it doesn't hold image files to upgrade other APs that join it. When a supported AP with a different version joins the ME controller, it tries to download the image from the ME, which should be pointed at a TFTP folder containing the proper software.
  • All APs should reside on the same VLAN in order to be managed by the ME controller.

I'll keep updating this post with more information on Mobility Express; the following link contains the Cisco documentation regarding Mobility Express


PuTTY – save your preferences.

If you use or used SecureCRT as your terminal client, I guess you'll find it hard to move to PuTTY. If you have a few dollars to spend on SecureCRT, or your employer provides you this luxury, rest assured you have one of the greatest tools. However, if you don't want to spend, another great tool is PuTTY.

In my case, the decision to use PuTTY is simply because it's used in the CCIE Wireless lab exam; therefore, learning from past experience, I'm trying to use PuTTY as much as possible.

PuTTY has a fairly basic user interface; normally the default settings are enough to start a remote session quickly.


You may need to tweak and customize PuTTY; here are some changes that made my life easier. Just remember to save all changes to the “Default Settings” session.

Logging

Annoying sounds

Window size and scrolling

Just remember to go back to Session in the left pane, select Default Settings again, and save your work!

How to export Putty sessions

To reuse the sessions you already saved on another computer, run the following command in Windows PowerShell:

reg export HKCU\Software\SimonTatham\PuTTY\Sessions ([Environment]::GetFolderPath("Desktop") + "\putty-sessions.reg")

To export the settings as well, use the following command:

reg export HKCU\Software\SimonTatham ([Environment]::GetFolderPath("Desktop") + "\putty.reg")

This will write the .reg files to your desktop; copy them to the target computer and run them there after installing PuTTY.
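Since the exported .reg file is about to be copied to another machine, it is worth reviewing what it carries. The following added example (not from the original post) parses a constructed sample of the Sessions export, lists each session's host, port and protocol, and flags sessions that use a cleartext protocol or carry a proxy password; the `ProxyPassword` value name and the %XX escaping of session names are assumptions about PuTTY's registry layout.

```python
import re

# Constructed sample of what `reg export HKCU\Software\SimonTatham\PuTTY\Sessions` writes.
# reg.exe emits UTF-16LE with a BOM, so open a real export with encoding="utf-16".
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\SimonTatham\PuTTY\Sessions\lab%20wlc]
"HostName"="10.10.110.10"
"PortNumber"=dword:00000016
"Protocol"="ssh"
"ProxyPassword"=""

[HKEY_CURRENT_USER\Software\SimonTatham\PuTTY\Sessions\wgb-01]
"HostName"="10.10.110.21"
"PortNumber"=dword:00000017
"Protocol"="telnet"
"ProxyPassword"="hunter2"
"""

SESSION_KEY = re.compile(r"^\[HKEY_CURRENT_USER\\Software\\SimonTatham\\PuTTY\\Sessions\\(.+)\]$")
VALUE_LINE = re.compile(r'^"([^"]+)"=(?:"(.*)"|dword:([0-9a-fA-F]{8}))$')
CLEARTEXT = {"telnet", "rlogin", "raw"}  # protocols that send credentials in the clear

def _unescape(name):  # assumption: PuTTY stores session names with %XX escapes for unsafe characters
    return re.sub(r"%([0-9A-Fa-f]{2})", lambda m: chr(int(m.group(1), 16)), name)

def parse_putty_sessions(reg_text):
    """Map session name -> {value name: value} from an exported .reg file (dwords become ints)."""
    sessions, current = {}, None
    for line in reg_text.splitlines():
        line = line.strip()
        key = SESSION_KEY.match(line)
        if key:
            current = _unescape(key.group(1))
            sessions[current] = {}
            continue
        val = VALUE_LINE.match(line)
        if val and current is not None:
            name, text, dword = val.groups()
            sessions[current][name] = text if dword is None else int(dword, 16)
    return sessions

def review_sessions(sessions):
    """Findings worth resolving before the export is copied to another machine."""
    findings = []
    for name, values in sessions.items():
        if values.get("Protocol") in CLEARTEXT:
            findings.append(f"{name}: {values['Protocol']} to {values.get('HostName')}:{values.get('PortNumber')} is unencrypted")
        if values.get("ProxyPassword"):  # assumption: PuTTY keeps the proxy password here as plain text
            findings.append(f"{name}: ProxyPassword is stored in plain text in the export")
    return findings
```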