CSCvx84736 - 9115 EWC - Aps won't join when FIPS is enabled.

jguittet (Level 1)

Hello

I am facing this issue, which is marked as not reproducible.

What can I do to help?

Joel


marce1000 (VIP)

- Ref: https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvx84736
  > Workaround: None at the moment. To rejoin APs FIPS needs to be disabled on controller side.

 M.



-- Each morning when I wake up and look into the mirror I always say 'Why am I so brilliant?'
   When the mirror will then always respond to me with 'The only thing that exceeds your brilliance is your beauty!'

Rich R (VIP)

jguittet (Level 1)

@marce1000 this is not an acceptable solution, I need FIPS to be enabled!

@Rich R software version is 17.03.08a.

Thanks for the help on this.

Joel

IOS-XE 17.3 is effectively end of life: https://www.cisco.com/c/en/us/products/collateral/ios-nx-os-software/ios-xe-17/ios-xe-17-3-x-eol.html and had a lot of issues!
It has already long passed the End of Vulnerability/Security Support date September 30, 2023!
This means that even if you find it's a bug it will never be fixed in 17.3.
There have been hundreds (maybe thousands) of bug fixes since then!

Refer to the TAC recommended codes link below - you should be running at least 17.9.5 or 17.12.3 now.

jguittet (Level 1)

Note: I can provide logs or anything else that might help solve issue CSCvx84736.

> ... I need FIPS to be enabled!
> ... I can provide logs or anything

- The bug report (https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvx84736) is rather clear:
  > ... Workaround: None at the moment. To rejoin APs FIPS needs to be disabled on controller side.

- That means that if this is a strong business concern for you, then you need to contact Cisco (TAC).

 M.


No new bugs will be investigated or fixed in 17.3 code now.
If you want to pursue a fix then first upgrade to a currently supported release like 17.9.5 or 17.12.3 and then if you still see the issue open a TAC case for Cisco to investigate further.

jguittet (Level 1)

Ok, thanks, I understand. This is a real issue since the FIPS approval from NIST is only valid on 17.3, unless you can point me to a newer version that is FIPS validated? I have C9120AXE hardware.

It looks to me like FIPS is certified in 17.6 and 17.9. All certificate details are at https://www.cisco.com/c/en/us/solutions/industries/government/global-government-certifications/fips-140.html There we see:

Embedded Wireless Controllers on C9100 AP IOS XE 17.9 2022-08-01

17.12 is certified on regular 9800 series WLCs:

Cisco C9800 Wireless Controllers IOS XE 17.12 2023-11-23

and 17.12 on 9100 series APs:

Catalyst 9100, Wave 2 and IoT Wireless Access Point IOS XE 17.12 2024-03-06

So as far as I can see you could move to 17.9.5 straight away and I suggest you fire off a query to certteam@cisco.com about EWC on 17.12 in preparation for the fact that 17.12 will soon become the recommended release train. You can also ask why NIST only lists 17.3.

Also see: https://www.ciscolive.com/c/dam/r/ciscolive/emea/docs/2024/pdf/BRKEWN-2339.pdf page 14.

jguittet (Level 1)

@Rich R thanks so much for these details, this is good news for me.

I will move to 17.9.5 as you suggested.

Latest question on this topic please: I previously asked for a good guide to enable FIPS on the AP but didn't get any answer: https://community.cisco.com/t5/cisco-software-discussions/activation-of-fips-mode-on-c9120ax-access-point/td-p/5106171

Can you point me to a good reference?

Just replied with config guide links but one thing in the 17.9 guide caught my attention:
- While configuring WLAN ensure that the PSK length must be minimum of 15 characters. If not, the APs will not be able to join the controller after changing tags.
Don't suppose you had any WLANs with PSK < 15 characters when you enabled FIPS?
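
As an added pre-flight check (not code from the thread or from Cisco): before enabling FIPS, scan the WLAN section of the running config for PSKs shorter than the 15-character minimum quoted above, so the AP-join failure can be caught before tags are changed. The sample config below is constructed, and the `security wpa psk set-key ascii <type> <key>` line format is assumed from 9800/EWC syntax.

```python
import re

# Minimum PSK length in FIPS mode, as quoted from the 17.9 EWC config guide above.
FIPS_MIN_PSK_LEN = 15

# Constructed sample of `show running-config | section wlan` output; WLAN names and
# keys are made up. Key type 0 is clear text, type 6 is an encrypted key.
SAMPLE_CONFIG = """\
wlan corp-psk 1 corp-psk
 security wpa psk set-key ascii 0 CorrectHorseBattery
 security wpa akm psk
wlan iot-legacy 2 iot-legacy
 security wpa psk set-key ascii 0 short1234
 security wpa akm psk
wlan branch-psk 3 branch-psk
 security wpa psk set-key ascii 6 dQ]kZTV^YSaWCXM
 security wpa akm psk
"""

WLAN_RE = re.compile(r"^wlan\s+(\S+)\s+\d+\s+\S+")
PSK_RE = re.compile(r"^\s+security wpa psk set-key ascii (\d) (\S+)")


def parse_wlan_blocks(config):
    """Split running-config text into {wlan_name: [indented lines]}."""
    blocks, current = {}, None
    for line in config.splitlines():
        m = WLAN_RE.match(line)
        if m:
            current = m.group(1)
            blocks[current] = []
        elif current is not None and line.startswith(" "):
            blocks[current].append(line)
    return blocks


def find_short_psks(config, min_len=FIPS_MIN_PSK_LEN):
    """Return {wlan_name: psk_length} for WLANs whose clear-text PSK is shorter than
    min_len; encrypted keys cannot be measured here and are reported as None."""
    findings = {}
    for name, lines in parse_wlan_blocks(config).items():
        for line in lines:
            m = PSK_RE.match(line)
            if m is None:
                continue
            key_type, key = m.groups()
            if key_type != "0":
                findings[name] = None  # verify length by hand before enabling FIPS
            elif len(key) < min_len:
                findings[name] = len(key)
    return findings
```

Any WLAN reported with a numeric length needs its PSK lengthened before FIPS is turned on; a `None` entry means the key is stored encrypted and must be checked against its source.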

jguittet (Level 1)

Thanks a lot @Rich R!! Got the link to the documentation.

The PSK was less than 15 characters.

So probably this is the origin of the issue.

I will reset the AP now. You can consider this ticket solved and closed.

Again thanks for your support.

Joel
