topic Re: Resolving CSCwh68219 - 91xx AP not processing EAP-TLS server Hello in Wireless

Resolving CSCwh68219 - 91xx AP not processing EAP-TLS server Hello

eglinsky2012 — Fri, 22 Dec 2023 16:12:00 GMT

I have a maintenance window next week for patching our 9800 WLCs. They are on 17.9.4 with no SMU or APSP. My plan was to install the 17.9.4 SMU for the HTTP vulnerability and then APSP8. However, version 17.9.4a specifically has an SMU available for CSCwh68219.

We don't use EAP-TLS currently, but are going to implement it sometime in January, so that bug is concerning. I was wondering if anyone knows anything else about this and if those of you who are using EAP-TLS have experienced it. Does it only affect local mode and not FlexConect or vice versa? Is PEAP also affected?

I ask because I'm on 17.9.4 and have a planned maintenance window for the HTTPS SMU and APSP, but the SMU for this bug is not available yet for 17.9.4 (TAC says there will be one), and upgrading to 17.9.4a first would require more time for maintenance.

Re: Resolving CSCwh68219 - 91xx AP not processing EAP-TLS server Hello

Mark Elsen — Fri, 22 Dec 2023 19:18:19 GMT

>... 17.9.4a first would require more time for maintenance.
- I would go for 17.9.4a anyway because of the HTTP bugfix and the EAP-TLS bugfix included ,

Re: Resolving CSCwh68219 - 91xx AP not processing EAP-TLS server Hello

eglinsky2012 — Fri, 22 Dec 2023 19:35:47 GMT

Yeah, I've thought about it more and that's what I'll do. I've received approval to extend the maintenance window.

I performed the upgrade on our lab controllers, and oddly, only two of six APs actually predownloaded software. I couldn't figure out how to verify for sure, but I suspect it was the 1815W and the 9105W. I know there was an early APSP specifically for 9105W, so maybe that update was included in 17.9.4a, whereas the other models (2700, 2800, 1562, 9166) had no updates built in?

Of note is that the version the APs were running after the upgrade was still 17.9.4.27, same as on 17.9.4 (non-a), even on the 1815W and 9105W. After the APSP, all are on 17.9.4.208 except the 2700 (the APSP only applies to COS APs, not IOS).

Re: Resolving CSCwh68219 - 91xx AP not processing EAP-TLS server Hello

Mark Elsen — Fri, 22 Dec 2023 20:10:27 GMT

- I don't have much details on those AP(SP) versioning issues , but what I can advice is to run WirelessAnalyzer (again after and or always upon an upgrade too) : Procedure CLI : show tech wireless and feed the output into Wireless Config Analyzer

Also follow up on the performance of all APs using : https://www.cisco.com/c/en/us/support/docs/wireless/catalyst-9800-series-wireless-controllers/217738-monitor-catalyst-9800-kpis-key-performa.html#anc4

Re: Resolving CSCwh68219 - 91xx AP not processing EAP-TLS server Hello

Leo Laohoo — Sat, 23 Dec 2023 23:59:12 GMT

IMPORTANT:

Since the controller is on 17.9.4, do not use "Hitless AP Upgrade". Wireless TAC in Sydney (Australia), has confirmed and was able to successfully replicate the unexpected behaviour (five times out of five attempts) when we performed a disastrous "Hitless AP Upgrade" from 17.9.4.

Instead of "hitless", 17.9.4 will violently move the APs to the secondary unit by rebooting all of them at the same time.

Re: Resolving CSCwh68219 - 91xx AP not processing EAP-TLS server Hello

Leo Laohoo — Sat, 23 Dec 2023 00:00:25 GMT

@eglinsky2012 wrote:
We don't use EAP-TLS currently, but are going to implement it sometime in January, so that bug is concerning. I was wondering if anyone knows anything else about this and if those of you who are using EAP-TLS have experienced it. Does it only affect local mode and not FlexConect or vice versa? Is PEAP also affected?

17.9.5 scheduled for February 2024. It is best to reach out to your Cisco Account Manager, Wireless SE or Wireless PSS &/or TAC developer &/or WNBU because the developers have time to put this bug fix into 17.9.5.

Re: Resolving CSCwh68219 - 91xx AP not processing EAP-TLS server Hello

eglinsky2012 — Sat, 23 Dec 2023 02:21:58 GMT

Thanks for the heads-up on the hitless upgrade. I had an issue with ISSU as well. Between that and previous comments from you, Rich, and others, I stick with an old fashioned upgrade with predownload. I have 3 WLC pairs in a mobility group and all are configured with secondary and tertiary WLCs, so when the primary goes down, they just move to the next one on the list then back once the primary comes back up. Perfectly acceptable for a maintenance window. ISSU would be great if it were reliable, especially once we move the res halls to the 9800s, but I digress.

I suspect that if it’s fixed in the SMU for 17.9.4a it will be for 17.9.5 also.

Re: Resolving CSCwh68219 - 91xx AP not processing EAP-TLS server Hello

Rich R — Sat, 23 Dec 2023 14:54:53 GMT

> I suspect that if it’s fixed in the SMU for 17.9.4a it will be for 17.9.5 also.
Agreed but ask TAC to confirm for you.

Regarding AP image versions - use "show ap image file summary" to see what version each AP image is (base and SP).

Having messed up with the AP image version on 17.9.4a APSP6 (17.9.4.201) they've gone back to normal convention (17.9.4.208) with APSP8.

Re: Resolving CSCwh68219 - 91xx AP not processing EAP-TLS server Hello

eglinsky2012 — Fri, 02 Feb 2024 14:33:47 GMT

Forgot to follow up. I ended up doing the 17.9.4a upgrade and APSP8 upgrade in one maintenance window.