25452 Views | 21 Helpful | 9 Replies

Enabling TLS for management access in WLC

vijay kumar
Level 2

Hi all,

 

We want to disable SSL v2 and SSL v3 for WLC web management, and we want to enable TLS for web GUI access. I have seen the command below to disable SSL v2:

 

config network secureweb cipher-option sslv2 {enable | disable}

 

But I haven't found one for SSLv3 and TLS.

 

Thanks,

Vijay


9 Replies

Enabling or disabling TLS

Enabling Transport Layer Security (TLS) enables the storage system to use TLS on HTTPS, FTPS, and LDAP traffic.

Before you begin

TLS is disabled by default, and setting up SSL does not automatically enable TLS. Before enabling TLS, ensure that SSL has been set up and enabled.

About this task

Data ONTAP supports TLSv1, SSLv3, and SSLv2. TLSv1 is a protocol version higher than SSLv3, and SSLv3 is a protocol version higher than SSLv2. A negotiation process is built into the TLS and the SSL protocols to use the highest protocol version that is supported by both the client and the server for communication. For TLS to be used for communication, both the client requesting connection and the storage system must support TLS.

Step

To enable or disable TLS, enter the following command:

options tls.enable {on|off}

 

  • Use on to enable TLS.
    • For TLS to take effect on HTTPS, ensure that the httpd.admin.ssl.enable option is also set to on.
    • For TLS to take effect on FTPS, ensure that the ftpd.implicit.enable option or the ftpd.explicit.enable option is also set to on.
    • For TLS to take effect on LDAP, ensure that the ldap.ssl.enable option is also set to on.

    For more information about these options, see the na_options(1) man page.

    For more information about FTPS and LDAP, see the Data ONTAP File Access and Protocols Management Guide for 7-Mode.

  • Use off (the default) to disable TLS.

    When TLS is disabled, SSL is used for communication if SSL has previously been set up and enabled.

Enabling or disabling SSLv2 or SSLv3

If your storage system has the SSL protocol enabled, you can specify the SSL version(s) to use.

About this task

Enabling the SSL versions alone does not enable the SSL protocol for the storage system. To use SSL, ensure that the protocol is enabled on your storage system.

TLS offers better security than SSLv3, and SSLv3 offers better security than SSLv2. In addition to enabling the SSL protocol, you must also have at least one of SSLv2, SSLv3, or TLS enabled for the storage system to use SSL for communication.

Step

Enter the following command to enable or disable SSLv2 or SSLv3:

To enable or disable this SSL version...    Enter the following command...
SSLv2                                       options ssl.v2.enable {on|off}
SSLv3                                       options ssl.v3.enable {on|off}

Setting the option to on (the default) enables the SSL version on HTTPS, FTPS, and LDAP connections, if the following options are also set to on:
  • httpd.admin.ssl.enable (for HTTPS)
  • ftpd.implicit.enable or ftpd.explicit.enable (for FTPS)
  • ldap.ssl.enable (for LDAP)

Setting the option to off disables the SSL version on HTTPS, FTPS, and LDAP connections.

Could you clarify something for me please? Those commands don't appear in the 5508 controller CLI. Am I missing something here?

options tls.enable {on|off}

httpd.admin.ssl.enable (for HTTPS)

ftpd.implicit.enable or ftpd.explicit.enable (for FTPS)

ldap.ssl.enable (for LDAP)

Thanks

Bryan

Those commands are not for a WLC.  What you are looking for are the secureweb commands that you referenced.  To enable SSLv3 use the following:

config network secureweb sslv3 enable

To ensure higher level TLS encryption ciphers, use the following:

config network secureweb cipher-option high

You can also use the command you referenced earlier to disable SSLv2, but keep in mind that if you try accessing the web gui or a client that needs to be re-directed to a captive portal and your browsers aren't configured for SSLv3, you will not be able to access the page.  Hope this helps.

So, is it currently possible to disable both SSLv2 and SSLv3, while enabling TLS?  Our security scanner is kicking out the following:

SSL Version 2 and Version 3 Detected

  • Synopsis

    The remote service encrypts traffic using a protocol with known weaknesses.

  • Description

    The remote service accepts connections encrypted using SSL 2.0 and/or SSL 3.0. These versions of SSL are affected by several cryptographic flaws. An attacker can exploit these flaws to conduct man-in-the-middle attacks or to decrypt communications between the affected service and clients.

    NIST has determined that SSL 3.0 is no longer acceptable for secure communications. As of the date of enforcement found in PCI DSS v3.1, any version of SSL will not meet the PCI SSC'S definition of 'strong cryptography'.

  • Solution

    Consult the application's documentation to disable SSL 2.0 and 3.0. Use TLS 1.1 (with approved cipher suites) or higher instead.

Accepted Solution

I think you would use the following commands:

config network secureweb sslv3 disable [disables SSLv3]

config network secureweb cipher-option sslv2 disable [disables SSLv2]

config network secureweb cipher-option high [enables TLSv1.2]

Then reload the WLC for the changes to take effect.

Beat me to it. :)  Those would be the correct commands.  Thanks Chris!

You may also want to run the command below, because I have seen some scanners ding WLCs for having RC4 ciphers in use as well, but ultimately it would depend on your security policy.

config network secureweb cipher-option rc4-preference disable

Hi,

I recently used these commands in the following order:

    config network secureweb cipher-option sslv2 disable

    config network secureweb cipher-option rc4-preference disable

    config network secureweb cipher-option high

And the result was good, but not enough: the test revealed support for TLSv1.2, TLSv1.1, TLSv1.0 and SSLv3 (no RC4 nor SSLv2, but SSLv3 and DES).

So I looked for options and found the command to disable SSLv3:

     config network secureweb sslv3 disable

Checking again, we got support only for TLSv1.0 (lost 1.1 and 1.2).

We thought that it could be a matter of order, so I executed again:

     config network secureweb cipher-option high

No changes. No support enabled for TLSv1.2 nor TLSv1.1, only TLSv1.0.

Re-enabling SSLv3 restored support for this protocol and for TLSv1.1 and TLSv1.2.

(We are currently using ver. 8.0.140)
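A client-side check of the kind this reply relies on (which protocol versions the WLC's HTTPS management interface will actually negotiate), added here as an example; it is not code from the thread or from Cisco. It assumes the web GUI listens on TCP 443 and uses a placeholder hostname you replace with your controller. Python's ssl module on current OpenSSL builds cannot offer SSLv2 or SSLv3 at all, so those two still have to be checked with a scanner (or a legacy openssl s_client build) as the posters did; the assess() function accepts scanner results for those versions as well and applies the same verdicts as the scanner finding quoted earlier in the thread (any SSL version fails, TLS 1.0 sits below the TLS 1.1 floor it recommends).

```python
"""Probe which TLS protocol versions an HTTPS management interface accepts.

Added example, not from the thread. Assumes the WLC web GUI listens on
TCP 443; the host in __main__ is a placeholder for your controller.
"""
import socket
import ssl

# Versions the Python ssl module can pin a handshake to. Modern OpenSSL builds
# no longer ship SSLv2/SSLv3, so those must be checked with a scanner or a
# legacy openssl s_client build instead.
VERSIONS = {
    "TLSv1.0": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
    "TLSv1.3": ssl.TLSVersion.TLSv1_3,
}


def context_for(version):
    """Build a client context that will only negotiate exactly `version`."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # We are testing protocol support, not the certificate; WLCs commonly
    # present self-signed management certificates.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = version
    ctx.maximum_version = version
    # Lower our own security level so an old version is refused by the
    # server under test, not by the probing client.
    try:
        ctx.set_ciphers("ALL:@SECLEVEL=0")
    except ssl.SSLError:
        pass
    return ctx


def context_pins_exactly(name):
    """True if context_for(VERSIONS[name]) can negotiate only that version."""
    ctx = context_for(VERSIONS[name])
    return ctx.minimum_version == ctx.maximum_version == VERSIONS[name]


def probe(host, port=443, timeout=5.0):
    """Return {version name: True if the server completed a handshake}."""
    results = {}
    for name, version in VERSIONS.items():
        ctx = context_for(version)
        try:
            with socket.create_connection((host, port), timeout=timeout) as raw:
                with ctx.wrap_socket(raw, server_hostname=host) as tls:
                    results[name] = tls.version() is not None
        except (ssl.SSLError, OSError):
            results[name] = False
    return results


def assess(accepted):
    """Map accepted versions to the verdicts a PCI-style scanner applies.

    `accepted` may also carry "SSLv2"/"SSLv3" keys taken from a scanner.
    Any SSL version fails; TLS 1.0 is below the TLS 1.1 floor the scanner
    text in this thread recommends; TLS 1.1 and up pass.
    """
    verdicts = {}
    for name, ok in accepted.items():
        if not ok:
            continue
        if name.startswith("SSL"):
            verdicts[name] = "FAIL (SSL is not strong cryptography)"
        elif name == "TLSv1.0":
            verdicts[name] = "WEAK (below the TLS 1.1 floor)"
        else:
            verdicts[name] = "OK"
    return verdicts


def hardened(accepted):
    """True when at least one version is accepted and none is below TLS 1.1."""
    verdicts = assess(accepted)
    return bool(verdicts) and all(v == "OK" for v in verdicts.values())


if __name__ == "__main__":
    # Placeholder; replace with the controller's management address.
    accepted = probe("wlc.example.invalid")
    for name, verdict in assess(accepted).items():
        print(f"{name}: {verdict}")
    print("hardened" if hardened(accepted) else "not hardened")
```

Feeding in the two states this reply describes shows why neither satisfied the scanner: with SSLv3 plus TLS 1.0 through 1.2 accepted, SSLv3 fails and TLS 1.0 is weak; after disabling SSLv3 on that release, only TLS 1.0 remained, which is still weak. hardened() only returns True once TLS 1.1 or higher is the weakest accepted version.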

Hi Guys, 

 

Is there a show command to know whether SSLv3 is enabled or disabled on the WLC?

 

Cheers,

 

Hello Team - Was anyone able to get rid of tlsv1.0?

 

Kind Regards,
