Check SSH version on WLC

ejlbarcelon
Level 1

I have already enabled high-cipher on SSH, but for security compliance, I need evidence to show that the only version of SSH enabled on the WLC is version 2.

Is there a way to show this evidence?

4 Replies

Sandeep Choudhary
VIP Alumni

Hi,

As per the Cisco FAQ, the WLC only supports SSH version 2.

https://www.cisco.com/c/en/us/support/docs/wireless/wireless-lan-controller-software/118833-wlc-design-ftrs-faq.html

For verification you can sniff the packets.

Regards

Don't forget to rate helpful posts.

Adding to Sandeep's response.

What version of AireOS are you running?

If it is 8.6.x or above, then when you enable the high cipher option it uses SHA-2. Those ECDH key exchanges are supported only in SSHv2.

"In Release 8.6, controllers are migrated from OpenSSH to libssh, and libssh does not support these key exchange (KEX) algorithms: ecdh-sha2-nistp384 and ecdh-sha2-nistp521. Only ecdh-sha2-nistp256 is supported."

There is no CLI command to verify this from the WLC end.

HTH

Rasika

schnkumar331
Level 1

Hello Rasika, thanks for your message. What if we are running a lower version, i.e. 8.6?

Take a look at the configuration guide for the version you are curious about. Then just search for the word cipher and see if that provides you with the information you need. You can also use NMAP and have it query your device to see which ciphers are allowed. If you have NMAP installed you can run the following command:

nmap --script ssh2-enum-algos -sV -p 22 <target_IP>
-Scott
*** Please rate helpful posts ***
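Both Sandeep's packet-sniffing suggestion and Scott's nmap command rely on what the controller sends during the SSH handshake. The following added example (not from this thread or from Cisco) reads the server identification string defined in RFC 4253 section 5.1 and classifies it as compliance evidence; the host and port arguments and the sample banners are constructed assumptions.

```python
"""Classify SSH protocol support from the server identification string.

RFC 4253 section 5.1: the server's first line is "SSH-protoversion-softwareversion".
"2.0" = SSHv2 only, "1.99" = SSHv2 plus SSHv1 fallback, "1.x" = SSHv1 only.
"""
import re
import socket

BANNER_RE = re.compile(r"^SSH-(\d+\.\d+)-(\S+)(?: (.*))?$")


def classify_banner(banner: str) -> dict:
    """Parse one identification line and return the compliance verdict."""
    m = BANNER_RE.match(banner.strip())
    if not m:
        return {"protoversion": None, "software": None, "v2_only": False,
                "verdict": "not an SSH identification string"}
    proto, software, _comments = m.groups()
    if proto == "2.0":
        verdict, v2_only = "SSHv2 only (compliant)", True
    elif proto == "1.99":
        verdict, v2_only = "SSHv2 with SSHv1 fallback (non-compliant)", False
    else:
        verdict, v2_only = "SSHv1 only (non-compliant)", False
    return {"protoversion": proto, "software": software,
            "v2_only": v2_only, "verdict": verdict}


def fetch_banner(host: str, port: int = 22, timeout: float = 5.0) -> str:
    """Read the identification line from a live server (needs network access)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        reader = sock.makefile("rb")
        # The server may send informational lines first; the real one starts with "SSH-".
        for _ in range(20):
            line = reader.readline()
            if not line:
                break
            text = line.decode("ascii", "replace").rstrip("\r\n")
            if text.startswith("SSH-"):
                return text
    raise ValueError("no SSH identification string received")


# Constructed sample banners, not captured from a real controller.
SAMPLE_BANNERS = ["SSH-2.0-libssh_0.8.1", "SSH-1.99-OpenSSH_5.3",
                  "SSH-1.5-Ancient", "220 not an ssh server"]

if __name__ == "__main__":
    for banner in SAMPLE_BANNERS:
        print(f"{banner!r:28} -> {classify_banner(banner)['verdict']}")
```

Against a live controller, `classify_banner(fetch_banner("<controller_ip>"))` gives the same identification line a packet capture would show, so its output can be filed alongside the nmap algorithm listing.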