cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
27088
Views
41
Helpful
12
Replies

How do you disable TLS Version 1.0 on Cisco WLC

DanDeg
Level 1
Level 1

How do you disable TLS Version 1.0 on Cisco WLC?

12 Replies 12

Try below command

 

(WLC) >config network secureweb cipher-option high ?

disable Don't require TLSv1.2 for web admin and web auth.
enable Require TLSv1.2 for web admin and web auth.

(WLC) >config network secureweb cipher-option high enable

 

Once you enable, it should use only TLSv1.2

 

HTH

Rasika

*** Pls rate all useful responses ***

Hi,

I have run the command

 

(WLC) >config network secureweb cipher-option high enable

 This did not disable TLSv1.0

JQuery 1.x < 1.12.0 / 2.x < 2.2.0 XSS

SSL / TLS Versions Supported

This port supports TLSv1.0/TLSv1.1/TLSv1.2

 

Regards

Raj

 

After enable it, have you reloaded the WLC ?

 

https://www.cisco.com/c/en/us/td/docs/wireless/controller/8-3/config-guide/b_cg83/b_cg83_chapter_011.html

 

Enable or disable secure web mode with increased security by entering this command:

config network secureweb cipher-option high {enable | disable}

This command allows users to access the controller GUI using “https://ip-address” but only from browsers that support 128-bit (or larger) ciphers. The default value is disabled.

 

HTH

Rasika

Hi,

Yes I did reload the controller after applying the command.

Cisco Tac mentioned its a bug in 8.3.143 code and will need to update to 8.5.

 

Regards

Raj

Do you have the BUG ID?

You are searching for CSCvk07479. Based on the bug details, there is no recent 8.3 (engineering) code available in which this issue is fixed. The 8.5 code-train is going to be the next "stable" and depending on your platform it might also be the latest supported code-train as well. My recommendation is to check if your hardware is still supported in 8.5. If this is still the case, I would start preparing for an upgrade. Please regular check this page as well.

 

In the meantime you might consider to restrict network access towards the management interface of the WLC with a firewall or with a CPU ACL on the controller itself.

Please rate useful post... :-)

Hi,

¿What would be the order to restart a couple of WLC in the HA envionment?

@jsuarez_  - You can start restarting your primary WLC, so your secondary will become Active.

 

Then you can proceed to restart your secondary (Active) WLC, so your primary will become Active just like before.

 

 

 

Regards,

Team - Can anyone please confirm if there is a bug ID associated to the WLC not taking the command to disable tlsv1.0?

 

Kind Regards,

I have the same issue here, even though my WLC is running a "Fixed Version" of the software per the Bug report found here: https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvk07479

 

Product Name..................................... Cisco Controller
Product Version.................................. 8.3.150.0
Bootloader Version............................... 1.0.20
Field Recovery Image Version..................... 7.6.101.1
Firmware Version................................. PIC 20.0

Our device is showing security vulnerabilities for running TLS1.0 but I have already run the command and reloaded, and while this resolved the problem on one of my controllers, it is not on another. They are all running the same version.

 

I need to be able to address the vulnerability, but is the fixed version info accurate if I am still having the issue running a "fixed version"?

 

Please open a TAC and post the solution here if you get one.

Done and here it is:

 

Thanks for your update, In order to disable TLSv1 with this command, WLC will need to be upgraded to 8.5 version on which it'll have the effect of disabling TLSv1.0 as well:

 

From 8.3 release notes:

https://www.cisco.com/c/en/us/td/docs/wireless/controller/8-3/config-guide/b_cg83/b_cg83_chapter_011.html

Step 4              Enable or disable secure web mode with increased security by entering this command:

config network secureweb cipher-option high {enable | disable}

This command allows users to access the controller GUI using “https://ip-address” but only from browsers that support 128-bit (or larger) ciphers. The default value is disabled.

 

 

From 8.5 release notes:

https://www.cisco.com/c/en/us/td/docs/wireless/controller/8-5/config-guide/b_cg85/administration_of_cisco_wlc.html

Step 4 

Enable or disable secure web mode with increased security by entering this command:

config network secureweb cipher-option high {enable | disable }

This command allows users to access the controller GUI using “https://ip-address” but only from browsers that support 128-bit (or larger) ciphers. The default value is disabled.

 

When high ciphers is enabled, SHA1, SHA256, SHA384 keys continue to be listed and TLS 1.0 is disabled. This is applicable to webauth and webadmin but not for NMSP.

 

In order to solve the issue, please upgradethe  WLC to 8.5.140 version:

The AP models you are using are compatible with this code, Please find below the download link:

 

https://software.cisco.com/download/home/283848165/type/280926587/release/8.5.140.0

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: