topic Re: CSCvx84736 - 9115 EWC - Aps won't join when FIPS is enabled. in Wireless

CSCvx84736 - 9115 EWC - Aps won't join when FIPS is enabled.

jguittet — Thu, 13 Jun 2024 10:35:02 GMT

Hello

I face this issue that is indicated as not reproductible.

What can I do to help ?

Joel

Re: CSCvx84736 - 9115 EWC - Aps won't join when FIPS is enabled.

Mark Elsen — Fri, 14 Jun 2024 11:38:37 GMT

- Ref : https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvx84736
Workaround: None at the moment. To rejoin APs FIPS needs to be disabled on controller side.

Re: CSCvx84736 - 9115 EWC - Aps won't join when FIPS is enabled.

Rich R — Mon, 17 Jun 2024 00:05:09 GMT

What version of software are you running?

Re: CSCvx84736 - 9115 EWC - Aps won't join when FIPS is enabled.

jguittet — Mon, 17 Jun 2024 07:11:25 GMT

@Mark Elsen this is not acceptable solution, I need FIPS to be enabled!

@Rich R software version is 17.03.08a.

Thanks for the help on this.

Joel

Re: CSCvx84736 - 9115 EWC - Aps won't join when FIPS is enabled.

jguittet — Mon, 17 Jun 2024 07:12:18 GMT

Note: I can provide logs or anything else so that I can maybe help on solving this issue CSCvx84736

Re: CSCvx84736 - 9115 EWC - Aps won't join when FIPS is enabled.

Mark Elsen — Mon, 17 Jun 2024 08:30:34 GMT

>.. .I need FIPS to be enabled!
>... I can provide logs or anything
- The bug (https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvx84736 ) report is rather clear :
>...Workaround: None at the moment. To rejoin APs FIPS needs to be disabled on controller side.

- That means that if this is a strong business concern for you ; then you need to contact Cisco (TAC)

Re: CSCvx84736 - 9115 EWC - Aps won't join when FIPS is enabled.

Rich R — Mon, 17 Jun 2024 10:36:46 GMT

IOS-XE 17.3 is effectively end of life: https://www.cisco.com/c/en/us/products/collateral/ios-nx-os-software/ios-xe-17/ios-xe-17-3-x-eol.html and had a lot of issues!
It has already long passed the End of Vulnerability/Security Support date September 30, 2023!
This means that even if you find it's a bug it will never be fixed in 17.3.
There have been hundreds (maybe thousands) of bug fixes since then!

Refer to the TAC recommended codes link below - you should be running at least 17.9.5 or 17.12.3 now.

Re: CSCvx84736 - 9115 EWC - Aps won't join when FIPS is enabled.

Rich R — Mon, 17 Jun 2024 10:39:48 GMT

No new bugs will be investigated or fixed in 17.3 code now.
If you want to pursue a fix then first upgrade to a currently supported release like 17.9.5 or 17.12.3 and then if you still see the issue open a TAC case for Cisco to investigate further.

Re: CSCvx84736 - 9115 EWC - Aps won't join when FIPS is enabled.

jguittet — Mon, 17 Jun 2024 12:09:40 GMT

Ok, thanks I understand. This is a real issue since the FIPS approval from the NIST is only valid on 17.3, except if you indicate me a newer version is FIPS validated ? I have C9120AXE hardware.

Re: CSCvx84736 - 9115 EWC - Aps won't join when FIPS is enabled.

Rich R — Mon, 17 Jun 2024 13:42:21 GMT

It looks to me like FIPS is certified in 17.6 and 17.9. All certificate details at https://www.cisco.com/c/en/us/solutions/industries/government/global-government-certifications/fips-140.html There we see:

Embedded Wireless Controllers on C9100 AP IOS XE 17.9

2022-08-01

17.12 is certified on regular 9800 series WLCs:

Cisco C9800 Wireless Controllers IOS XE 17.12

2023-11-23

and 17.12 on 9100 series APs:

Catalyst 9100, Wave 2 and IoT Wireless Access Point IOS XE 17.12

2024-03-06

So as far as I can see you could move to 17.9.5 straight away and I suggest you fire off a query to certteam@cisco.com about EWC on 17.12 in preparation for the fact that 17.12 will soon become the recommended release train. You can also ask why NIST only lists 17.3.

Also see: https://www.ciscolive.com/c/dam/r/ciscolive/emea/docs/2024/pdf/BRKEWN-2339.pdf page 14:

Re: CSCvx84736 - 9115 EWC - Aps won't join when FIPS is enabled.

jguittet — Mon, 17 Jun 2024 14:35:14 GMT

@Rich R thanks so much for this details, this is good news for me.

I will move to 17.9.5 as you suggested.

Latest question on this topic please: I previously asked for a good guide to enable FIPS on the AP but didn't get any answer: https://community.cisco.com/t5/cisco-software-discussions/activation-of-fips-mode-on-c9120ax-access-point/td-p/5106171

Can you indicate a good reference ?

Re: CSCvx84736 - 9115 EWC - Aps won't join when FIPS is enabled.

Rich R — Mon, 17 Jun 2024 15:10:01 GMT

Just replied with config guide links but one thing in the 17.9 guide caught my attention:
- While configuring WLAN ensure that the PSK length must be minimum of 15 characters. If not, the APs will not be able to join the controller after changing tags.
Don't suppose you had any WLANs with PSK < 15 characters when you enabled FIPS?

Re: CSCvx84736 - 9115 EWC - Aps won't join when FIPS is enabled.

jguittet — Mon, 17 Jun 2024 15:21:48 GMT

Thanks a lot @Rich R !! Got the link to the documentation

The PSK was less than 15 characters 😞

So probably this is the origin of the issue.

I will reset the AP now. You can consider this ticket solved and closed.

Again thanks for your support.

Joel