topic inquiries for WLC 3504 in Wireless

inquiries for WLC 3504

Ahmed Tarek — Tue, 05 Dec 2023 08:51:45 GMT

hi all,

i have some inquiries for WLC 3504

- how can i get current TLS version applied on WLC ?

- how can i get current SSL version applied on WLC ?

- what is recommended version for SSL now and TLS ?

- when i access WLC GUI i need to install certificate ( self sign ) how can i install it from CA?

- after apply new TLS and SSL versions, it mean old versions is off ? or i have to disable them manually ?

thanks in advance

Re: inquiries for WLC 3504

Mark Elsen — Tue, 05 Dec 2023 08:56:58 GMT

- FYI : % nmap --script ssh2-enum-algos controller-hostname
% nmap --script ssl-enum-ciphers -p 443 controller-hostname

In general , if you are worried about security issues concerning TLS/SSL then upgrade the controller according to :
https://www.cisco.com/c/en/us/support/docs/wireless/wireless-lan-controller-software/200046-tac-recommended-aireos.html
and review the situation again ,

Re: inquiries for WLC 3504

Ahmed Tarek — Tue, 05 Dec 2023 09:17:30 GMT

hi @Mark Elsen

what are these

% nmap --script ssh2-enum-algos controller-hostname
% nmap --script ssl-enum-ciphers -p 443 controller-hostname

are they command i need to type in CLI ?

sorry but i need to understand

Re: inquiries for WLC 3504

Mark Elsen — Tue, 05 Dec 2023 10:35:31 GMT

- nmap is hacking tool ; you can download it from https://nmap.org/ but for your purposes you can consider yourself being an ethical hacker ! (You can install nmap on a windows on linux host ; the commands must then be executed from where nmap was installed)

Re: inquiries for WLC 3504

Rich R — Wed, 06 Dec 2023 18:27:24 GMT

- Upgrade software to 8.10.190.0 (or later as per TAC recommended link below)

- Ensure WLC is configured for maximum security options as per the config guide:
https://www.cisco.com/c/en/us/td/docs/wireless/controller/8-10/config-guide/b_cg810/administration_of_cisco_wlc.html#ID520
https://www.cisco.com/c/en/us/td/docs/wireless/controller/8-10/config-guide/b_cg810/administration_of_cisco_wlc.html#hsts_policy

- Update the certificate as per the guides:
https://www.cisco.com/c/en/us/td/docs/wireless/controller/8-10/config-guide/b_cg810/managing_certificates.html
https://www.cisco.com/c/en/us/support/docs/wireless/4400-series-wireless-lan-controllers/109597-csr-chained-certificates-wlc-00.html
https://www.cisco.com/c/en/us/support/docs/wireless/wireless-lan-controller-software/215425-troubleshoot-certificate-installation-on.html

Re: inquiries for WLC 3504

Ahmed Tarek — Thu, 07 Dec 2023 07:06:28 GMT

thanks @Rich R for your links,

but is there any command i can check current TLS version from CLI or GUI for WLC 3504 ?

all commands i found related to other WLCs

Re: inquiries for WLC 3504

Rich R — Thu, 07 Dec 2023 12:03:36 GMT

Not specifically - refer to Marce's answer for how to check that.

On the WLC you can use:
grep include "Secure Web" "show network summary"
to check the configured settings but that won't show you TLS versions explicitly.

Re: inquiries for WLC 3504

Ahmed Tarek — Thu, 07 Dec 2023 12:16:35 GMT

thanks @Rich R,

show network summary show the following

Secure Web Mode............................. Enable

it mean what ? which TLS version is applied ? 1.1 or 1.2 or 1.3 ?

Re: inquiries for WLC 3504

Rich R — Thu, 07 Dec 2023 12:38:55 GMT

As I already explained it does not tell you the TLS version(s).
Refer to Marce's earlier answer for how to check TLS versions!
That line just tells you that https is enabled.
The lines you're more interested in are "Secure Web Mode Cipher-Option High" which should be Enable and "Secure Web Mode SSL Protocol" which should be Disable.

Re: inquiries for WLC 3504

Ahmed Tarek — Thu, 07 Dec 2023 13:08:58 GMT

i can not use his commands, is not allowed to use this in my environment.

i hope now you can get what i mean

Re: inquiries for WLC 3504

Rich R — Thu, 07 Dec 2023 13:46:26 GMT

Then it is impossible to do what you want.