https://community.cisco.com/t5/wireless/check-ssh-version-on-wlc/m-p/4076094#M4507 <P>I have already enabled high-cipher on SSH, but for security compliance, I need evidence to show that the only version of SSH enabled on WLC is version 2 only.</P><P>&nbsp;</P><P>Is there a way to show this evidence?</P> Mon, 05 Jul 2021 18:59:51 GMT ejlbarcelon 2021-07-05T18:59:51Z https://community.cisco.com/t5/wireless/check-ssh-version-on-wlc/m-p/4076094#M4507 <P>I have already enabled high-cipher on SSH, but for security compliance, I need evidence to show that the only version of SSH enabled on WLC is version 2 only.</P><P>&nbsp;</P><P>Is there a way to show this evidence?</P> Mon, 05 Jul 2021 18:59:51 GMT https://community.cisco.com/t5/wireless/check-ssh-version-on-wlc/m-p/4076094#M4507 ejlbarcelon 2021-07-05T18:59:51Z https://community.cisco.com/t5/wireless/check-ssh-version-on-wlc/m-p/4076104#M4508 <P>Hi,</P> <P>&nbsp;</P> <P>As per cisco FAQ, WLC only support SSH version 2</P> <P>&nbsp;</P> <P><A href="https://www.cisco.com/c/en/us/support/docs/wireless/wireless-lan-controller-software/118833-wlc-design-ftrs-faq.html" target="_blank" rel="noopener">https://www.cisco.com/c/en/us/support/docs/wireless/wireless-lan-controller-software/118833-wlc-design-ftrs-faq.html</A></P> <P>&nbsp;</P> <P>For verification you can sniff the packets.</P> <P>&nbsp;</P> <P>Regards</P> <P>Dont forget to rate helpful posts</P> Wed, 29 Apr 2020 06:34:48 GMT https://community.cisco.com/t5/wireless/check-ssh-version-on-wlc/m-p/4076104#M4508 Sandeep Choudhary 2020-04-29T06:34:48Z https://community.cisco.com/t5/wireless/check-ssh-version-on-wlc/m-p/4076126#M4509 <P>Adding to Sandeep's response.</P> <P>&nbsp;</P> <P>What version of AireOS are you running?</P> <P>If it is 8.6.x or above then when you enable high cipher option, then it uses sha2. Those ECDH key exchanges are supported only in SSHv2</P> <P>&nbsp;</P> <P><SPAN>"In Release 8.6, controllers are migrated from OpenSSH to libssh, and libssh does not support these key exchange (KEX) algorithms:&nbsp;</SPAN><EM class="ph i">ecdh-sha2-nistp384</EM><SPAN>&nbsp;and&nbsp;</SPAN><EM class="ph i">ecdh-sha2-nistp521</EM><SPAN>. <EM><STRONG>Only&nbsp;</STRONG></EM></SPAN><EM><STRONG>ecdh-sha2-nistp256</STRONG></EM><SPAN><EM><STRONG>&nbsp;is supported</STRONG></EM>."</SPAN></P> <P>&nbsp;</P> <P>There is no CLI command to verify form WLC end.</P> <P>&nbsp;</P> <P>HTH</P> <P>Rasika</P> <P>&nbsp;</P> <P>&nbsp;</P> Wed, 29 Apr 2020 07:14:49 GMT https://community.cisco.com/t5/wireless/check-ssh-version-on-wlc/m-p/4076126#M4509 Rasika Nayanajith 2020-04-29T07:14:49Z https://community.cisco.com/t5/wireless/check-ssh-version-on-wlc/m-p/5172480#M275304 <P>Hello Rasika, Thanks for your message, what if we are running lower version ie 8.6</P> Fri, 06 Sep 2024 14:29:47 GMT https://community.cisco.com/t5/wireless/check-ssh-version-on-wlc/m-p/5172480#M275304 schnkumar331 2024-09-06T14:29:47Z https://community.cisco.com/t5/wireless/check-ssh-version-on-wlc/m-p/5172490#M275306 <P>Take a look at the configuration guide for the version you are curious about.&nbsp; Then just search for the work cipher and see if that provides you with the information you need.&nbsp; You can also use NMAP and have that query your device to see what ciphers are allowed. If you have NMAP installed you can run the following command:</P> <LI-CODE lang="markup">nmap --script ssh2-enum-algos -sV -p 22 &lt;target_IP&gt;</LI-CODE> Fri, 06 Sep 2024 15:00:07 GMT https://community.cisco.com/t5/wireless/check-ssh-version-on-wlc/m-p/5172490#M275306 Scott Fella 2024-09-06T15:00:07Z