04-28-2020 10:59 PM - edited 07-05-2021 11:59 AM
I have already enabled high-cipher on SSH, but for security compliance, I need evidence to show that the only version of SSH enabled on WLC is version 2 only.
Is there a way to show this evidence?
04-28-2020 11:34 PM - edited 04-28-2020 11:34 PM
Hi,
As per the Cisco FAQ, WLC only supports SSH version 2.
For verification you can sniff the packets.
Regards
Don't forget to rate helpful posts
04-29-2020 12:14 AM
Adding to Sandeep's response.
What version of AireOS are you running?
If it is 8.6.x or above, then when you enable the high cipher option it uses SHA2. Those ECDH key exchanges are supported only in SSHv2.
"In Release 8.6, controllers are migrated from OpenSSH to libssh, and libssh does not support these key exchange (KEX) algorithms: ecdh-sha2-nistp384 and ecdh-sha2-nistp521. Only ecdh-sha2-nistp256 is supported."
There is no CLI command to verify from the WLC end.
HTH
Rasika
09-06-2024 07:29 AM
Hello Rasika, thanks for your message. What if we are running a lower version, i.e. 8.6?
09-06-2024 08:00 AM
Take a look at the configuration guide for the version you are curious about. Then just search for the word cipher and see if that provides you with the information you need. You can also use NMAP and have that query your device to see what ciphers are allowed. If you have NMAP installed you can run the following command:
nmap --script ssh2-enum-algos -sV -p 22 <target_IP>
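As an added example (not posted by anyone in this thread): the same evidence the original question asks for can be collected from the SSH identification banner that NMAP's `-sV` reads. Per RFC 4253 the server announces `SSH-protoversion-softwareversion`, where protoversion `2.0` means SSHv2 only and `1.99` means the server also accepts SSHv1 clients. The target address `192.0.2.10` below is a placeholder, and the sample banners in the test are constructed.

```python
"""Read an SSH server's identification banner and report which protocol
versions it offers, for use as SSHv2-only compliance evidence.
Added example, not code from the thread or from Cisco."""
import re
import socket

# RFC 4253 4.2: "SSH-protoversion-softwareversion SP comments CR LF"
BANNER_RE = re.compile(
    r"^SSH-(?P<proto>[0-9]+\.[0-9]+)-(?P<soft>\S+)(?: (?P<comment>.*))?$"
)


def classify_ssh_banner(banner: str) -> dict:
    """Parse one identification line and say which SSH versions it offers."""
    m = BANNER_RE.match(banner.strip())
    if not m:
        raise ValueError(f"not an SSH identification string: {banner!r}")
    proto = m.group("proto")
    if proto == "2.0":
        offered = ["2.0"]
    elif proto == "1.99":
        offered = ["1.x", "2.0"]  # RFC 4253 5.1: compatible with SSHv1 and SSHv2
    elif proto.startswith("1."):
        offered = ["1.x"]
    else:
        offered = [proto]
    return {
        "proto": proto,
        "software": m.group("soft"),
        "offered": offered,
        "ssh2_only": offered == ["2.0"],
    }


def fetch_banner(host: str, port: int = 22, timeout: float = 5.0) -> str:
    """Connect and return the first line starting with 'SSH-'.
    RFC 4253 4.2 allows a server to send other lines before it."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        stream = sock.makefile("rb")
        for _ in range(20):  # bound the number of pre-banner lines we read
            line = stream.readline(255).decode("utf-8", "replace")
            if not line:
                break
            if line.startswith("SSH-"):
                return line.rstrip("\r\n")
    raise ValueError("no SSH identification string received")


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "192.0.2.10"  # placeholder
    print(classify_ssh_banner(fetch_banner(target)))
```

A result with `"ssh2_only": True` plus the NMAP `ssh2-enum-algos` listing together document both the protocol version and the negotiable algorithms.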