[Issue 1] Certificate import fails. The related error messages are shown below:
1. CA certificate import fails
[WX2860X]pki import domain pki-wapi pem ca filename ca.cer
Verify resuit:unable to get local issuer certificate
Failed to verify the certificates.
Failed to import certificates.
2. Local certificate import fails
[WX2860X]pki import domain wapi pem local filename ap.cer
No valid CA certificates found for verification of local certificates.
Failed to import certificates.
3. Peer certificate import fails
[WX2860X]pki import domain wapi pem peer filename as.cer
No valid CA certificate found for verification of peer certificates.
Failed to import certificates.
[Issue 2] After the certificates are imported and the configuration is completed, terminal access fails: the terminal shows "connecting" for a long time and cannot obtain an IP address.
Issue 1
1. Local certificate and peer certificate import fails: For WAPI authentication, the device must import the CA certificate before importing the local certificate and peer certificate. The customer performed the steps in the wrong order.
2. CA certificate import fails: The customer did not follow the documentation, which requires using either the CA certificate issued by the CA server or, as an alternative, the AS certificate issued by the AS server. Instead, they used the client certificate issued by the AS server.
Issue 2
3. Terminal access fails, showing "connecting" for a long time without obtaining an address: When WAPI is configured to use the certificate authentication method, the PKI domain and the certificate serial number must be configured. In the command wapi certificate domain pki1 (pki domain name) serial, the serial number entered was incorrect: the binary digits of the CA certificate's serial number were mistakenly used.
Issue 1
1. Import of local certificate and peer certificate fails: For WAPI authentication, the device must import the CA certificate before importing the local certificate and peer certificate.
2. Import of CA certificate fails: Strictly follow the documentation and use the CA certificate issued by the CA server, or use the AS certificate issued by the AS server as a substitute. When the AS certificate issued by the AS server is used as a substitute for the CA certificate, the CA certificate and the AS certificate can be the same.
Issue 2
3. Terminal access fails, showing "connecting" for a long time without obtaining an address: When configuring the PKI domain and serial number for the certificate, enter the serial number exactly as displayed by the command display pki certificate domain wapi peer, or enter the hexadecimal serial number of the CA certificate.
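The three fixes above (CA first, a real CA/AS certificate as the trust anchor, hexadecimal serial) can be checked on a workstation with OpenSSL before running pki import on the AC. This is an added example, not H3C tooling; the function names are hypothetical, and it assumes PEM files and a self-signed CA/AS certificate.

```shell
#!/bin/sh
# Added example: pre-check certificate files before "pki import" on the AC.
# Assumptions: PEM-encoded files, CA/AS certificate is a self-signed root.

# Print the certificate serial number in hexadecimal, the form this page
# says to enter in "wapi certificate domain ... serial".
cert_serial_hex() {
    openssl x509 -in "$1" -noout -serial | sed 's/^serial=//'
}

# Succeed only if the file can act as the trust anchor (self-signed CA/AS
# certificate). A client certificate fails here: its issuer is missing,
# the condition behind "unable to get local issuer certificate".
is_trust_anchor() {
    openssl verify -CAfile "$1" "$1" >/dev/null 2>&1
}

# Succeed only if certificate $2 chains to CA $1.
# openssl verify also rejects certificates outside their validity period.
issued_by() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Usage: wapi_precheck CA LOCAL PEER
# Checks the files in import order (CA first) and prints one line per
# file. Returns non-zero if any check fails.
wapi_precheck() {
    ca=$1 local_cert=$2 peer=$3 rc=0
    if is_trust_anchor "$ca"; then
        echo "OK   ca   $ca"
    else
        echo "FAIL ca   $ca is not a self-signed CA/AS certificate"; rc=1
    fi
    for f in "$local_cert" "$peer"; do
        if issued_by "$ca" "$f"; then
            echo "OK   cert $f serial(hex)=$(cert_serial_hex "$f")"
        else
            echo "FAIL cert $f is not issued by $ca, or has expired"; rc=1
        fi
    done
    return $rc
}
```

Run it as wapi_precheck ca.cer ap.cer as.cer; a FAIL on the first line means the later imports would also be rejected on the AC.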
In addition, troubleshooting WAPI authentication issues generally follows these steps:
1. Is the WAPI-related configuration on the AC complete and correct?
2. Have the relevant CA, AS, and local certificates been successfully imported on the AC? Has the client imported the corresponding certificates? Have any of the certificates expired?
3. Can the AS/CA server be pinged?
4. If none of the above issues exist, contact the service personnel for the certificate issuance server to check the corresponding client authentication records on the server and collect logs showing the reasons for the authentication failure. Then collect the output of debugging wlan wapi all and debugging wlan client mac.
5. Contact pubts@h3c.com