Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1323
Views
1
Helpful
3
Replies

9800-L-F WLC SSL Certificate Signed Using Weak Hashing Algorithm

Go to solution
lightda
Level 1
Level 1

‎12-11-2024 12:44 AM

Hi Comminity,

I have an issue here with WLC 9800-L-F.
I use Nessus to scan WLC, it found a High level issue: SSL Certificate Signed Using Weak Hashing Algorithm

lightda_0-1733906553992.png

It seems like I hit a bug of Sweet32: https://bst.cisco.com/quickview/bug/CSCvv09676
After checking, the SSL certificate which hit this issue was for Web-Admin use.

 

I've tried to search the way to fix it, but could not found, did anyone done this before?
Should I generate a new certificate with SHA-256?
no ip http secure-server is not in the options.

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Rich R
VIP
VIP

‎12-12-2024 07:07 AM

@shambhu.kumar that config is for SSH not HTTPS!

What version of software are you using @lightda 
Refer to the TAC recommended code versions link below.

See:
https://www.cisco.com/c/en/us/td/docs/wireless/controller/9800/technical-reference/c9800-best-practices.html#Dealingwithtrustpoints
https://mrncciew.com/2023/09/11/9800-web-admin-certs/
https://www.cisco.com/c/en/us/td/docs/wireless/controller/9800/17-12/config-guide/b_wl_17_12_cg/m_web_admin_settings.html
https://www.youtube.com/watch?v=BbVi9OYaBjU

 

 

------------------------------
Please click Helpful if this post helped you and Select as Solution (drop down menu at top right of this reply) if this answered your query.
------------------------------
TAC recommended codes for AireOS WLC's   and   TAC recommended codes for 9800 WLC's
Best Practices for AireOS WLC's,   Best Practices for 9800 WLC's   and   Cisco Wireless compatibility matrix
Check your 9800 WLC config with Wireless Config Analyzer using "show tech wireless" output or "config paging disable" then "show run-config" output on AireOS and use Wireless Debug Analyzer to analyze your WLC client debugs
Field Notice: FN63942 APs and WLCs Fail to Create CAPWAP Connections Due to Certificate Expiration
Field Notice: FN72424 Later Versions of WiFi 6 APs Fail to Join WLC - Software Upgrade Required
Field Notice: FN72524 IOS APs stuck in downloading state after 4 Dec 2022 due to Certificate Expired
- Fixed in 8.10.196.0, latest 9800 releases, 8.5.182.12 (8.5.182.13 for 3504) and 8.5.182.109 (IRCM, 8.5.182.111 for 3504)
Field Notice: FN70479 AP Fails to Join or Joins with 1 Radio due to Country Mismatch, RMA needed
How to avoid boot loop due to corrupted image on Wave 2 and Catalyst 11ax Access Points (CSCvx32806)
Field Notice: FN74035 - Wave2 APs DFS May Not Detect Radar After Channel Availability Check Time
Leo's list of bugs affecting 2800/3800/4800/1560 APs
Default AP console baud rate from 17.12.x is 115200 - introduced by CSCwe88390

View solution in original post

Renew Certificates for WebAuth & WebAdmin on Cisco 9800 WLC | Secure Wireless LAN Controller Setup
Renew Certificates for WebAuth & WebAdmin on Cisco 9800 WLC | Secure Wireless LAN Controller Setup
youtube.com/watch?v=BbVi9OYaBjU
In this video, learn how to renew certificates for WebAuth and WebAdmin on Cisco 9800 Series Wireless LAN Controllers (WLC). These certificates are critical for securing the web interfaces and ensuring that WebAuth and WebAdmin services remain operational and secure. This step-by-step guide will ...
0 Helpful
3 Replies 3

Go to solution
shambhu.kumar
Spotlight
Spotlight

‎12-11-2024 01:04 AM

Try this and re-scan, It will not detect vulnerability like, Deprecated SSH Cryptographic Settings or SSH Prefix Truncation Vulnerability (Terrapin)

ip ssh server algorithm mac hmac-sha2-256 hmac-sha2-512
ip ssh server algorithm encryption aes256-ctr
ip ssh server algorithm kex ecdh-sha2-nistp521
ip ssh server algorithm hostkey rsa-sha2-512 rsa-sha2-256
ip ssh server algorithm authentication keyboard

 

 

Regards

 

0 Helpful

Go to solution
Rich R
VIP
VIP

‎12-12-2024 07:07 AM

@shambhu.kumar that config is for SSH not HTTPS!

What version of software are you using @lightda 
Refer to the TAC recommended code versions link below.

See:
https://www.cisco.com/c/en/us/td/docs/wireless/controller/9800/technical-reference/c9800-best-practices.html#Dealingwithtrustpoints
https://mrncciew.com/2023/09/11/9800-web-admin-certs/
https://www.cisco.com/c/en/us/td/docs/wireless/controller/9800/17-12/config-guide/b_wl_17_12_cg/m_web_admin_settings.html
https://www.youtube.com/watch?v=BbVi9OYaBjU

 

 

------------------------------
Please click Helpful if this post helped you and Select as Solution (drop down menu at top right of this reply) if this answered your query.
------------------------------
TAC recommended codes for AireOS WLC's   and   TAC recommended codes for 9800 WLC's
Best Practices for AireOS WLC's,   Best Practices for 9800 WLC's   and   Cisco Wireless compatibility matrix
Check your 9800 WLC config with Wireless Config Analyzer using "show tech wireless" output or "config paging disable" then "show run-config" output on AireOS and use Wireless Debug Analyzer to analyze your WLC client debugs
Field Notice: FN63942 APs and WLCs Fail to Create CAPWAP Connections Due to Certificate Expiration
Field Notice: FN72424 Later Versions of WiFi 6 APs Fail to Join WLC - Software Upgrade Required
Field Notice: FN72524 IOS APs stuck in downloading state after 4 Dec 2022 due to Certificate Expired
- Fixed in 8.10.196.0, latest 9800 releases, 8.5.182.12 (8.5.182.13 for 3504) and 8.5.182.109 (IRCM, 8.5.182.111 for 3504)
Field Notice: FN70479 AP Fails to Join or Joins with 1 Radio due to Country Mismatch, RMA needed
How to avoid boot loop due to corrupted image on Wave 2 and Catalyst 11ax Access Points (CSCvx32806)
Field Notice: FN74035 - Wave2 APs DFS May Not Detect Radar After Channel Availability Check Time
Leo's list of bugs affecting 2800/3800/4800/1560 APs
Default AP console baud rate from 17.12.x is 115200 - introduced by CSCwe88390
Renew Certificates for WebAuth & WebAdmin on Cisco 9800 WLC | Secure Wireless LAN Controller Setup
Renew Certificates for WebAuth & WebAdmin on Cisco 9800 WLC | Secure Wireless LAN Controller Setup
youtube.com/watch?v=BbVi9OYaBjU
In this video, learn how to renew certificates for WebAuth and WebAdmin on Cisco 9800 Series Wireless LAN Controllers (WLC). These certificates are critical for securing the web interfaces and ensuring that WebAuth and WebAdmin services remain operational and secure. This step-by-step guide will ...
0 Helpful

Go to solution
lightda
Level 1
Level 1
In response to Rich R

‎12-15-2024 07:56 PM

Thanks for helping, it was useful,
My co-worker have open TAC Case to confirm the step, sharing step to otherelse:

#This will disable GUI access to the WLC – This will not affect anyone trying to authenticate to the SSID

no ip http server

no ip http secure-server

 

#This will create an RSA key called RSA-WLC-SSC

crypto key generate rsa label RSA-WLC-SSC modulus 2048

 

#This will create the trustpoint called WLC-SSC and give it the following configurations

  • Stronger Hash
  • Create it as a self signed certificate
  • Does not perform any revocation checks
  • Links the RSA key that we created above

crypto pki trustpoint WLC-SSC

hash sha256

enrollment selfsigned

revocation-check none

rsakeypair RSA-WLC-SSC

exit

 

#This will now apply the newly created trustpoint onto the WLC

crypto pki enroll WLC-SSC

yes

no

no

yes

 

#This will now configure the new trustpoint for web admin and enable GUI access

ip http secure-trustpoint WLC-SSC

ip http server

ip http secure-server

Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card