Joining a Cisco LWAP to a vWLC

In this video, we take a look at what is required to join a Cisco Lightweight Access Point (LWAP) to a Cisco Virtual Wireless Controller (vWLC).

Devices in this video include:
  1. Cisco vWLC
  2. Cisco LWAP c1600 series
  3. Windows Server 2012 R2 




    Updated Notes: 28/09/2019
    Having worked with AP’s and WLC’s some more, I wanted to share some more notes from things observed in my lab.
    The output below is generated from a C1600 series AP that I have in my lab. The syslog output is generated when the AP attempts to join the WLC. While looking into this, I found a few workarounds and potential bugs associated with this.



*Sep 28 19:38:19.066: AP has SHA2 MIC certificate – Using SHA2 MIC certificate for DTLS.

*Sep 28 19:38:18.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: peer_port: 5246

*Sep 28 19:38:23.999: DTLS_CLIENT_ERROR: ../capwap/base_capwap/dtls/base_capwap_dtls_handshake.c:929 Unexpected message received while expecting HelloVerifyRequest

*Sep 28 19:38:23.999: %DTLS-5-SEND_ALERT: Send FATAL : Unexpected message Alert to

*Sep 28 19:38:24.003: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to


You can find some potential workarounds in the above field notice, however if the field notice doesn’t provide you with a solution, you could try the following.
  • Configure the WLC to ignore expired certificates using the following command: 

config ap cert-expiry-ignore ssc enable

config ap cert-expiry-ignore mic enable



Kelvin is a Cyber Security professional with years and experience working with organisations in different verticals, both large and small. He enjoys contributing to the Network Wizkid knowledge base and he also creates technical content. Kelvin enjoys learning new things and often does this by working on achieving new technical certifications. He holds many professional certifications and academically, he has achieved a Bachelors and Master's degree in both Computer Networks and Cyber Security.

Leave a Reply