9800-L-F WLC SSL Certificate Signed Using Weak Hashing Algorithm

lightda (Level 1)

Hi Community,

I have an issue here with WLC 9800-L-F.
I used Nessus to scan the WLC, and it found a High-level issue: SSL Certificate Signed Using Weak Hashing Algorithm

[attached screenshot of the Nessus finding]

It seems like I hit a bug of Sweet32: https://bst.cisco.com/quickview/bug/CSCvv09676
After checking, the SSL certificate which hit this issue was for Web-Admin use.

I've tried to search for a way to fix it, but could not find one. Has anyone done this before?
Should I generate a new certificate with SHA-256?
no ip http secure-server is not in the options.

Accepted Solution: the reply from Rich R below.
3 Replies

shambhu.kumar (Spotlight)

Try this and re-scan. It will not detect vulnerabilities like Deprecated SSH Cryptographic Settings or SSH Prefix Truncation Vulnerability (Terrapin):

ip ssh server algorithm mac hmac-sha2-256 hmac-sha2-512
ip ssh server algorithm encryption aes256-ctr
ip ssh server algorithm kex ecdh-sha2-nistp521
ip ssh server algorithm hostkey rsa-sha2-512 rsa-sha2-256
ip ssh server algorithm authentication keyboard

Regards

Rich R (VIP)

@shambhu.kumar that config is for SSH not HTTPS!

What version of software are you using, @lightda?
Refer to the TAC recommended code versions link below.

See:
https://www.cisco.com/c/en/us/td/docs/wireless/controller/9800/technical-reference/c9800-best-practices.html#Dealingwithtrustpoints
https://mrncciew.com/2023/09/11/9800-web-admin-certs/
https://www.cisco.com/c/en/us/td/docs/wireless/controller/9800/17-12/config-guide/b_wl_17_12_cg/m_web_admin_settings.html
https://www.youtube.com/watch?v=BbVi9OYaBjU


In this video, learn how to renew certificates for WebAuth and WebAdmin on Cisco 9800 Series Wireless LAN Controllers (WLC). These certificates are critical for securing the web interfaces and ensuring that WebAuth and WebAdmin services remain operational and secure. This step-by-step guide will ...

Thanks for helping, it was useful.
My co-worker has opened a TAC case to confirm the steps; sharing the steps for others:

#This will disable GUI access to the WLC – This will not affect anyone trying to authenticate to the SSID
no ip http server
no ip http secure-server

#This will create an RSA key called RSA-WLC-SSC
crypto key generate rsa label RSA-WLC-SSC modulus 2048

#This will create the trustpoint called WLC-SSC and give it the following configurations
  • Stronger Hash
  • Create it as a self signed certificate
  • Does not perform any revocation checks
  • Links the RSA key that we created above
crypto pki trustpoint WLC-SSC
 hash sha256
 enrollment selfsigned
 revocation-check none
 rsakeypair RSA-WLC-SSC
exit

#This will now apply the newly created trustpoint onto the WLC
crypto pki enroll WLC-SSC
#Answers to the interactive enrollment prompts, in the order they are asked
yes
no
no
yes

#This will now configure the new trustpoint for web admin and enable GUI access
ip http secure-trustpoint WLC-SSC
ip http server
ip http secure-server
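After re-enrolling the trustpoint it is worth confirming, from a workstation, that the certificate the web-admin port now presents is really signed with SHA-256 rather than waiting for the next Nessus run. The script below is an added example and not part of the thread or of any Cisco tooling; it uses only the Python standard library and walks the DER structure of a certificate to read its signatureAlgorithm OID, which is exactly the field the Nessus plugin inspects. The host name in `check_host` is a placeholder, and `fake_certificate` builds a constructed, not valid, DER stand-in so the checker can be exercised offline.

```python
"""Report which hash an X.509 certificate's signature uses (stdlib only).

Added example, not code from the thread. Walks Certificate ::= SEQUENCE {
tbsCertificate, signatureAlgorithm, signature } and maps the
signatureAlgorithm OID to a name so a SHA-1/MD5 signature stands out.
"""
import ssl

# OIDs whose hash is MD5 or SHA-1 (what the scanner flags) and the SHA-2
# family expected after the trustpoint is re-enrolled with "hash sha256".
WEAK_SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
}
STRONG_SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
    "1.2.840.113549.1.1.13": "sha512WithRSAEncryption",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
    "1.2.840.10045.4.3.3": "ecdsa-with-SHA384",
    "1.2.840.10045.4.3.4": "ecdsa-with-SHA512",
}


def _read_tlv(buf, pos):
    """Decode one DER tag/length at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def _decode_oid(raw):
    """Convert DER OBJECT IDENTIFIER content bytes to dotted-decimal text."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                   # clear high bit ends a base-128 arc
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def signature_algorithm_oid(der):
    """Return the dotted OID found in Certificate.signatureAlgorithm."""
    tag, pos, _ = _read_tlv(der, 0)                  # outer Certificate SEQUENCE
    assert tag == 0x30, "not a DER SEQUENCE"
    tag, _, tbs_end = _read_tlv(der, pos)            # tbsCertificate, skipped whole
    assert tag == 0x30, "tbsCertificate missing"
    tag, alg_start, _ = _read_tlv(der, tbs_end)      # AlgorithmIdentifier SEQUENCE
    assert tag == 0x30, "signatureAlgorithm missing"
    tag, oid_start, oid_end = _read_tlv(der, alg_start)  # its OBJECT IDENTIFIER
    assert tag == 0x06, "algorithm OID missing"
    return _decode_oid(der[oid_start:oid_end])


def classify(der):
    """Return (oid, algorithm name, verdict); verdict is WEAK, OK or UNKNOWN."""
    oid = signature_algorithm_oid(der)
    if oid in WEAK_SIGNATURE_OIDS:
        return oid, WEAK_SIGNATURE_OIDS[oid], "WEAK"
    if oid in STRONG_SIGNATURE_OIDS:
        return oid, STRONG_SIGNATURE_OIDS[oid], "OK"
    return oid, "unknown", "UNKNOWN"       # e.g. RSASSA-PSS; review by hand


def check_host(host, port=443):
    """Fetch the leaf certificate a live server presents (no chain validation,
    we want it exactly as sent) and classify it. Host is a placeholder."""
    pem = ssl.get_server_certificate((host, port))
    return classify(ssl.PEM_cert_to_DER_cert(pem))


# Constructed offline input: correct outer DER shape with a dummy body.
# It is NOT a valid certificate, only enough for the walker above.
def _der(tag, content):
    n = len(content)
    length = bytes([n]) if n < 0x80 else (
        bytes([0x81, n]) if n < 0x100 else bytes([0x82, n >> 8, n & 0xFF]))
    return bytes([tag]) + length + content


def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append((a & 0x7F) | 0x80)
            a >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def fake_certificate(sig_oid):
    """Constructed stand-in: dummy tbsCertificate, real AlgorithmIdentifier."""
    tbs = _der(0x30, _der(0x02, b"\x01"))
    alg = _der(0x30, _der(0x06, _encode_oid(sig_oid)) + _der(0x05, b""))
    sig = _der(0x03, b"\x00" + b"\xab" * 16)
    return _der(0x30, tbs + alg + sig)


if __name__ == "__main__":
    for oid in ("1.2.840.113549.1.1.5", "1.2.840.113549.1.1.11"):
        print(classify(fake_certificate(oid)))
    # check_host("wlc.example.internal")   # placeholder: point at the WLC's admin address
```

Run `check_host` against the WLC's management address once `ip http secure-server` is back on; a verdict of OK with sha256WithRSAEncryption matches the `hash sha256` trustpoint above. Note that `ssl.get_server_certificate` returns only the leaf certificate, which is the whole chain for a self-signed trustpoint, but if you later move to a CA-issued certificate the scanner also evaluates any intermediate in the chain.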
