Certificate conversion for Cisco ISE

https://www.markbrilman.nl/2011/08/howto-convert-a-pfx-to-a-seperate-key-crt-file/

Thanks to Mark Brilman for the above article. Read the article, or copy from here if you just need the syntax:

openssl pkcs12 -in [yourfile.pfx] -nocerts -out [keyfile-encrypted.key]

openssl pkcs12 -in [yourfile.pfx] -clcerts -nokeys -out [certificate.crt]

openssl rsa -in [keyfile-encrypted.key] -out [keyfile-decrypted.key]

openssl rsa -in [keyfile-encrypted.key] -outform PEM -out [keyfile-encrypted-pem.key]

My often used Cisco Antennas

DRAFT

Stadium antenna

Approx. 30*30 degrees in both bands

https://www.cisco.com/c/en/us/td/docs/wireless/antenna/installation/guide/ant2513p4mn.html

HD office antenna

Approx. 60*60 degrees in both bands

https://www.cisco.com/c/en/us/td/docs/wireless/antenna/installation/guide/ant2566d4m.html

Single deployment DHCP option 43 config in Infoblox

Use this guide to configure your Infoblox to provide the Wireless LAN Controller address via DHCP option 43 to ANY device. If you need to provide the option only to Cisco APs, or a different option per AP type, this is not the guide!

  • Select DHCP–>Networks–>Select your subnet (alternatively can do this per DHCP Scope)
  • Click “Modify” and under IPv4 DHCP Options click Plus(+)
  • Select “vendor-encapsulated-options (43) string”

For your value, you’ll need to enter the IP in HEX, preceded by the number of WLCs you want to include in your DHCPOFFER (also in HEX).
That last one warrants some further explanation.

First convert your IP address to HEX. Here’s a handy site to do that for you: http://www.kloth.net/services/iplocate.php
Precede that HEX value with F1:04 for a single WLC, f1:08 for two WLCs, f1:0c for three WLCs, etc. (in my example I’m using a single WLC). The second byte is the total length of the addresses in HEX, four bytes per WLC.

Your final IPv4 DHCP Options (per subnet) should look something like this:

Note the last DHCP Option: 10.252.1.20, in HEX is 0AFC0114 and that is preceded with F1:04.
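The encoding described above can also be generated and checked locally instead of using a web converter. This is an added example, not part of the original post: the function names are hypothetical, the colon-separated output follows the F1:04 notation used above, and the second and third controller addresses in the demo are constructed.

```python
import ipaddress

WLC_SUBOPTION = 0xF1  # sub-option type byte used in this post for WLC addresses


def build_option43(wlc_ips):
    """Return the option 43 value as colon-separated hex: type, length, addresses."""
    addrs = [ipaddress.IPv4Address(ip) for ip in wlc_ips]  # raises on a bad address
    if not addrs:
        raise ValueError("at least one WLC address is required")
    payload = b"".join(a.packed for a in addrs)
    if len(payload) > 255:
        raise ValueError("too many addresses for a one-byte length field")
    # The length byte is the payload size in bytes (4 per WLC), written in hex.
    tlv = bytes([WLC_SUBOPTION, len(payload)]) + payload
    return ":".join(f"{b:02x}" for b in tlv)


def parse_option43(value):
    """Decode a hex string (colons optional) back into the list of WLC addresses."""
    raw = bytes.fromhex(value.replace(":", ""))
    if len(raw) < 2 or raw[0] != WLC_SUBOPTION:
        raise ValueError("value does not start with the f1 sub-option")
    length, payload = raw[1], raw[2:]
    if length == 0 or length % 4 or length != len(payload):
        raise ValueError(
            f"length byte 0x{length:02x} does not match {len(payload)} address bytes"
        )
    return [str(ipaddress.IPv4Address(payload[i:i + 4])) for i in range(0, length, 4)]


if __name__ == "__main__":
    # Single WLC from the post.
    print(build_option43(["10.252.1.20"]))
    # Three WLCs (the last two addresses are constructed for the demo).
    three = build_option43(["10.252.1.20", "10.252.1.21", "10.252.1.22"])
    print(three)
    print(parse_option43(three))
```

Running `parse_option43` on the value you are about to paste into Infoblox catches a length byte that was written in decimal instead of hex before any AP sees it.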

Bridging a VMware guest on Cisco Wireless

On a default Cisco Unified Wireless LAN setup a client can only have one MAC address. If a wireless user runs VMware desktop or another virtual setup where the client hosts more than one interface, it will not work.

Follow these steps to allow multiple hosts on one wireless client.

On the CLI of the WLC:

config network ip-mac-binding disable

Enable passive client for the WLAN

  • WLANs > WLAN ID > Advanced tab > enable the check box for Passive Client

To activate passive clients, remember to enable global multicast.

  • Controller > Multicast > check the box for Global Multicast Mode

Fix missing ciphers in OS X

Error:

Unable to negotiate with x.x.x.x port 22: no matching cipher found. Their offer: aes256-cbc,aes128-cbc

Fix:

sudo vi /etc/ssh/ssh_config

Find the string:

Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc

Uncomment it and your ssh will work as usual.

Error enabling fastlane in 8.3.133

This week I had an experience where an 8540 was unable to enable fastlane for an SSID. Another SSID was already fastlane-enabled, and another exactly matching WLC had no problem.

It failed the command “config qos average-realtime-rate platinum per-ssid downstream 0”, but doing so by hand was no problem. Turns out that reloading the WLC solved the issue.

Configuring Flexible Radio Assignment from CLI

Marking an Interface “Redundant” Exercising FRA

FRA Sensitivity – designed to be VERY conservative – and That’s good!
The opposite of conservative is a coverage hole!
Defaults – should be safe for a customer environment
Low (100%), Medium (95%), High (90%)
Hidden levels – Be very very careful – these are persistent commands –
• higher (85%), evenhigher (80%), superhigh (75%), crazyhigh (70%), areyoukidingme (50%)

(Cisco Controller) >config advanced fra sensitivity <value>

Where is the CPI template for DCA Channel list?

Maybe you, like me, have been clicking like a madman in CPI to find a template for the DCA Channel List. Well, it turns out that it is not there!

A possible workaround is to set it from a CLI template:

config 802.11a disable network
y
config advanced 802.11a channel delete 36
config advanced 802.11a channel add 36
config advanced 802.11a channel delete 36
config 802.11a enable network