12-11-2024 12:44 AM
Hi Community,
I have an issue here with WLC 9800-L-F.
I use Nessus to scan the WLC; it found a High-level issue: SSL Certificate Signed Using Weak Hashing Algorithm.
It seems like I hit a bug of Sweet32: https://bst.cisco.com/quickview/bug/CSCvv09676
After checking, the SSL certificate which hit this issue was for Web-Admin use.
I've tried to search for a way to fix it, but could not find one. Has anyone done this before?
Should I generate a new certificate with SHA-256?
no ip http secure-server is not an option.
Accepted Solutions
12-12-2024 07:07 AM
@shambhu.kumar that config is for SSH not HTTPS!
What version of software are you using, @lightda?
Refer to the TAC recommended code versions link below.
See:
https://www.cisco.com/c/en/us/td/docs/wireless/controller/9800/technical-reference/c9800-best-practices.html#Dealingwithtrustpoints
https://mrncciew.com/2023/09/11/9800-web-admin-certs/
https://www.cisco.com/c/en/us/td/docs/wireless/controller/9800/17-12/config-guide/b_wl_17_12_cg/m_web_admin_settings.html
https://www.youtube.com/watch?v=BbVi9OYaBjU
Please click Helpful if this post helped you and Select as Solution (drop down menu at top right of this reply) if this answered your query.
------------------------------
TAC recommended codes for AireOS WLC's and TAC recommended codes for 9800 WLC's
Best Practices for AireOS WLC's, Best Practices for 9800 WLC's and Cisco Wireless compatibility matrix
Check your 9800 WLC config with Wireless Config Analyzer using "show tech wireless" output or "config paging disable" then "show run-config" output on AireOS and use Wireless Debug Analyzer to analyze your WLC client debugs
Field Notice: FN63942 APs and WLCs Fail to Create CAPWAP Connections Due to Certificate Expiration
Field Notice: FN72424 Later Versions of WiFi 6 APs Fail to Join WLC - Software Upgrade Required
Field Notice: FN72524 IOS APs stuck in downloading state after 4 Dec 2022 due to Certificate Expired
- Fixed in 8.10.196.0, latest 9800 releases, 8.5.182.12 (8.5.182.13 for 3504) and 8.5.182.109 (IRCM, 8.5.182.111 for 3504)
Field Notice: FN70479 AP Fails to Join or Joins with 1 Radio due to Country Mismatch, RMA needed
How to avoid boot loop due to corrupted image on Wave 2 and Catalyst 11ax Access Points (CSCvx32806)
Field Notice: FN74035 - Wave2 APs DFS May Not Detect Radar After Channel Availability Check Time
Leo's list of bugs affecting 2800/3800/4800/1560 APs
Default AP console baud rate from 17.12.x is 115200 - introduced by CSCwe88390
12-11-2024 01:04 AM
Try this and re-scan. It will not detect vulnerabilities like Deprecated SSH Cryptographic Settings or SSH Prefix Truncation Vulnerability (Terrapin):
ip ssh server algorithm mac hmac-sha2-256 hmac-sha2-512
ip ssh server algorithm encryption aes256-ctr
ip ssh server algorithm kex ecdh-sha2-nistp521
ip ssh server algorithm hostkey rsa-sha2-512 rsa-sha2-256
ip ssh server algorithm authentication keyboard
Regards
12-15-2024 07:56 PM
Thanks for helping, it was useful.
My co-worker has opened a TAC case to confirm the steps; sharing the steps for anyone else:
#This will disable GUI access to the WLC – This will not affect anyone trying to authenticate to the SSID
no ip http server
no ip http secure-server
#This will create an RSA key called RSA-WLC-SSC
crypto key generate rsa label RSA-WLC-SSC modulus 2048
#This will create the trustpoint called WLC-SSC and give it the following configurations:
# - Stronger hash (SHA-256)
# - Create it as a self-signed certificate
# - Does not perform any revocation checks
# - Links the RSA key that we created above
crypto pki trustpoint WLC-SSC
 hash sha256
 enrollment selfsigned
 revocation-check none
 rsakeypair RSA-WLC-SSC
 exit
#This will now apply the newly created trustpoint onto the WLC (answers to the interactive enrollment prompts follow)
crypto pki enroll WLC-SSC
yes
no
no
yes
#This will now configure the new trustpoint for web admin and enable GUI access
ip http secure-trustpoint WLC-SSC
ip http server
ip http secure-server
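After the new WLC-SSC trustpoint is applied, the quickest way to confirm what Nessus will see is to pull the certificate the web-admin port presents and read its signatureAlgorithm OID. This script is an added example, not from the thread or from Cisco: it uses only the Python standard library (a small DER walker instead of the cryptography package), check_server() is a hypothetical name to point at the WLC management address, and the two SAMPLE_* blobs are constructed certificate-shaped stand-ins, not real certificates.

```python
import socket
import ssl

# OID -> (name, flagged as weak by scanners such as Nessus)
SIG_ALGS = {
    "1.2.840.113549.1.1.4": ("md5WithRSAEncryption", True),
    "1.2.840.113549.1.1.5": ("sha1WithRSAEncryption", True),
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", False),
    "1.2.840.113549.1.1.12": ("sha384WithRSAEncryption", False),
    "1.2.840.113549.1.1.13": ("sha512WithRSAEncryption", False),
}

def _tlv(buf, pos):  # parse one DER tag+length at pos -> (tag, value_start, value_end)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def _oid(raw):  # DER OID content bytes -> dotted notation
    parts, value = [str(raw[0] // 40), str(raw[0] % 40)], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:  # a clear high bit ends a base-128 arc
            parts.append(str(value))
            value = 0
    return ".".join(parts)

def signature_algorithm(der):
    """Return (oid, name, weak) from a DER certificate's outer signatureAlgorithm field."""
    _, start, _ = _tlv(der, 0)            # Certificate ::= SEQUENCE {
    _, _, tbs_end = _tlv(der, start)      #   tbsCertificate (skipped whole)
    _, alg_start, _ = _tlv(der, tbs_end)  #   signatureAlgorithm AlgorithmIdentifier
    tag, s, e = _tlv(der, alg_start)      #     algorithm OBJECT IDENTIFIER
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    oid = _oid(der[s:e])
    name, weak = SIG_ALGS.get(oid, ("unknown", True))
    return oid, name, weak

def check_server(host, port=443):
    """Fetch the certificate the WLC presents (without trusting it) and classify its signature hash."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname, ctx.verify_mode = False, ssl.CERT_NONE  # inspecting, not trusting
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return signature_algorithm(tls.getpeercert(binary_form=True))

# Constructed samples (not real certificates): SEQUENCE { dummy tbs, AlgorithmIdentifier, BIT STRING }
SAMPLE_SHA1 = bytes.fromhex("3018 3003020102 300d06092a864886f70d010105 0500 030200aa")
SAMPLE_SHA256 = bytes.fromhex("3018 3003020102 300d06092a864886f70d01010b 0500 030200aa")
```

Running check_server() against the WLC before and after the re-enrollment should move the result from sha1WithRSAEncryption (weak) to sha256WithRSAEncryption, which is the finding Nessus raises.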
