Gaurav Kansal

TLS versions enable and disable commands for 8500 series and 9800 series Wireless LAN Controllers (WLCs)

A very warm welcome to all. I am writing this article for those who are looking to disable TLSv1.0 and TLSv1.1 on their controllers: over the past several years, internet standards and regulatory bodies have deprecated or disallowed TLS versions 1.0 and 1.1 due to a variety of security issues. I tested this on 8500 series and 9800 series controllers on software versions 8.5.151.0 and 17.06.04 respectively. Please see the commands below to configure your WLCs according to your needs.

TLS versions enable and disable on AirOS 8500 series WLC:

Show command to check which TLS versions are currently enabled on the controller:
>show network summary
Output: 1.jpg (image)

If "Secure Web Mode Cipher-Option High" shows "Disable", all supported versions (TLSv1.0, TLSv1.1 and TLSv1.2) are allowed on this controller. You can disable TLSv1.0 and TLSv1.1 by enabling the secure web mode cipher-option high with the command below:

(config)#config network secureweb cipher-option high enable

This disables TLSv1.0 and TLSv1.1, leaving only TLSv1.2 enabled on the controller for webauth and webadmin. You can verify the result with the show command above.

TLS versions enable and disable on IOS-XE 9800 series WLC:

Show command to check which TLS versions are currently enabled on the controller:
> show ip http server secure status

Output 17.6.4: 2.jpg (image)
Output 17.9.4: RichR_1-1697969945651.png (image)
Note that this is the default configuration in 17.9, so there is no need to make any change unless you want to disable TLSv1.2 or TLSv1.3.

Look for the TLS version line in the output above; it lists the TLS versions currently enabled on your controller. You can now disable TLSv1.0 and TLSv1.1 with the command below:

(config)# ip http tls-version TLSv1.2

This disables TLSv1.0 and TLSv1.1, leaving only TLSv1.2 enabled on the controller for webauth and webadmin.
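After applying either command, it is worth confirming from a client that the management interface really rejects the old versions, rather than relying only on the show output. The script below is an added example for this article (it is not Cisco code and not part of the original post): it opens one handshake per TLS version against the controller's HTTPS port with that single version pinned, flags any deprecated version the controller still accepts, and prints the matching command from this article. The hostname wlc.example.internal and the platform keywords "aireos" / "ios-xe" are assumptions for illustration; pass your own controller and platform on the command line.

```python
"""Probe a WLC's HTTPS port for each TLS version and flag deprecated ones.

Added example for this article; not Cisco code.  The default host below is
an assumption, as are the platform keywords used to pick the remediation.
"""
import socket
import ssl
import sys

# Versions to try, oldest first.  ssl.TLSVersion.TLSv1 / TLSv1_1 are marked
# deprecated in CPython (they only emit a warning); they still work for probing.
PROBE_VERSIONS = {
    "TLSv1.0": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
    "TLSv1.3": ssl.TLSVersion.TLSv1_3,
}
DEPRECATED = {"TLSv1.0", "TLSv1.1"}

# Remediation commands taken from this article, keyed by an assumed platform name.
REMEDIATION = {
    "aireos": "config network secureweb cipher-option high enable",
    "ios-xe": "ip http tls-version TLSv1.2",
}


def _context_for(version):
    """Client context that will negotiate exactly one TLS version."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE      # we test protocol support, not the certificate
    ctx.minimum_version = version
    ctx.maximum_version = version        # pin a single version per attempt
    # OpenSSL 3 refuses TLS 1.0/1.1 at its default security level; lower it for
    # the probe so a rejection is the controller's decision, not the client's.
    try:
        ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
    except ssl.SSLError:
        pass
    return ctx


def probe(host, port=443, timeout=5.0):
    """Return {version_name: accepted?} for every version in PROBE_VERSIONS."""
    results = {}
    for name, version in PROBE_VERSIONS.items():
        try:
            ctx = _context_for(version)
            with socket.create_connection((host, port), timeout=timeout) as sock:
                with ctx.wrap_socket(sock, server_hostname=host) as tls:
                    # A completed handshake means the controller accepted this version.
                    results[name] = tls.version() is not None
        except (ssl.SSLError, OSError, ValueError):
            # Handshake failure, connection refused/timeout, or the local OpenSSL
            # build cannot speak this version at all: treat as "not accepted".
            results[name] = False
    return results


def evaluate(results):
    """Sorted list of deprecated versions the controller still accepts."""
    return sorted(v for v, accepted in results.items() if accepted and v in DEPRECATED)


def remediation(results, platform):
    """Article command to apply in configuration mode, or None if nothing is needed."""
    if not evaluate(results):
        return None
    return REMEDIATION[platform]


if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "wlc.example.internal"  # assumption
    platform = sys.argv[2] if len(sys.argv) > 2 else "ios-xe"             # assumption
    found = probe(host)
    for name, ok in found.items():
        print(f"{name}: {'accepted' if ok else 'rejected'}")
    bad = evaluate(found)
    if bad:
        print(f"Deprecated versions still accepted: {', '.join(bad)}")
        print(f"Apply in configuration mode: {remediation(found, platform)}")
    else:
        print("No deprecated TLS versions accepted.")
```

Run it as `python3 tls_probe.py <controller-host> aireos` or `... ios-xe`. The certificate is deliberately not validated, because the question here is which protocol versions the controller will negotiate, not whether its certificate is trusted; a "rejected" result for TLSv1.0 and TLSv1.1 after the change, with TLSv1.2 still "accepted", confirms the configuration took effect.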

Conclusion: It is highly recommended to disable TLSv1.0 and TLSv1.1 on network devices. By following the procedure above you can harden your controller. Check the existing settings before making any changes, as the defaults change with each new release.

I wrote this article to share my knowledge; if you have any queries or suggestions, or would like to discuss anything, please leave a comment.

To keep your WLC secure you should always run the latest TAC-recommended code version, as listed at:
https://www.cisco.com/c/en/us/support/docs/wireless/wireless-lan-controller-software/200046-tac-recommended-aireos.html and
https://www.cisco.com/c/en/us/support/docs/wireless/catalyst-9800-series-wireless-controllers/214749-tac-recommended-ios-xe-builds-for-wirele.html

Edited by Rich R to include info for latest IOS-XE versions and links to recommended code versions.
