02-02-2021 09:15 AM - edited 07-05-2021 01:09 PM
As you can see from the CLI output, there are no FIPS options; it even looks like there is a space for them, they just are not there.
(Cisco Controller) >config switchconfig ?
flowcontrol          Enable/Disable 802.3x flow control.
secret-obfuscation   Enable/Disable secret obfuscation.
password-encryption  Enable/Disable password encryption with master key.
restore-password     Configures restore-password option for management user.
strong-pwd           Configures strong password enforcement options.

(Cisco Controller) >config switchconfig fips-prerequisite enable
Incorrect usage. Use the '?' or <TAB> key to list commands.

(Cisco Controller) >config switchconfig fips-prerequisite ?
(Cisco Controller) >config switchconfig fips-prerequisite k?
(Cisco Controller) >config switchconfig fips-prerequisite e?
(Cisco Controller) >config switchconfig fips-prerequisite d?
(Cisco Controller) >config switchconfig fips-prerequisite enable
Incorrect usage. Use the '?' or <TAB> key to list commands.
And it knows what FIPS is, as the show command displays its status:
(Cisco Controller) >show switchconfig
802.3x Flow Control Mode......................... Enable
FIPS prerequisite features....................... Disabled
WLANCC prerequisite features..................... Disabled
UCAPL prerequisite features...................... Disabled
Last login information display................... Disabled
Last login information display duration.......... 0
secret obfuscation............................... Enabled
Master key....................................... Configured
password encryption.............................. Enabled
Strong Password Check Features
     case-check.................................... Enabled
     consecutive-check............................. Enabled
     default-check................................. Enabled
     username-check................................ Enabled
     position-check................................ Disabled
     case-digit-check.............................. Disabled
     Min. Password length.......................... 8
     Min. Upper case chars......................... 2
     Min. Lower case chars......................... 2
     Min. Digits chars............................. 1
     Min. Special chars............................ 2
I could understand it if it was built off the non-K9 version or if "Export-Controlled Functionality: ALLOWED" was not allowed (but it is).
It's licensed and APs are working fine (albeit not in FIPS mode):
Registration:
    Status: REGISTERED
    Smart Account: *************
    Virtual Account: *************
    Export-Controlled Functionality: ALLOWED
Inventory:
Model No.                          AIR-CTVM-K9
Burned-in MAC Address              **:**:**:**:**:**
Maximum number of APs supported    200
FIPS Prerequisite Mode             Disable
WLANCC Prerequisite Mode           Disable
UCAPL Prerequisite Mode            Disable
UDI :
    Product Identifier Description    AIR-CTVM-K9
    Version Identifier Description    V01
    Serial Number                     ************
    Entity Name                       Chassis
    Entity Description                Cisco Wireless Controller
I'm just at a loss to know why it is behaving this way.
I'm sure it's just some sort of mystery command that generates higher crypto somewhere, but I can't find an example of it anywhere (at least not for the OS version I have).
Anyone have any ideas?
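The checks the poster did by hand (does `config switchconfig ?` actually offer a `fips-prerequisite` keyword, and what does `show switchconfig` report) are easy to script when you have more than one controller to audit. The following is an added example, not code from this thread or from Cisco: it parses the two captures above (reconstructed from the poster's output) and returns the lines that fall short of a baseline. The `REQUIRED_ON` and `MIN_VALUES` baseline is an assumption for illustration, not a Cisco or FIPS 140-2 requirement list.

```python
"""Audit a Cisco AireOS WLC for FIPS prerequisite mode from pasted CLI output.

Added example for this thread, not Cisco code. The two sample captures are
reconstructed from the CLI output the original poster pasted; the
REQUIRED_ON / MIN_VALUES baseline is an assumption used for illustration.
"""
import re

# Reconstructed from the poster's 'config switchconfig ?' listing (constructed sample).
CONFIG_SWITCHCONFIG_HELP = """\
(Cisco Controller) >config switchconfig ?
flowcontrol          Enable/Disable 802.3x flow control.
secret-obfuscation   Enable/Disable secret obfuscation.
password-encryption  Enable/Disable password encryption with master key.
restore-password     Configures restore-password option for management user.
strong-pwd           Configures strong password enforcement options.
"""

# Reconstructed from the poster's 'show switchconfig' output (constructed sample).
SHOW_SWITCHCONFIG = """\
802.3x Flow Control Mode......................... Enable
FIPS prerequisite features....................... Disabled
WLANCC prerequisite features..................... Disabled
UCAPL prerequisite features...................... Disabled
secret obfuscation............................... Enabled
Master key....................................... Configured
password encryption.............................. Enabled
Strong Password Check Features
     case-check.................................... Enabled
     consecutive-check............................. Enabled
     default-check................................. Enabled
     username-check................................ Enabled
     position-check................................ Disabled
     case-digit-check.............................. Disabled
     Min. Password length.......................... 8
     Min. Upper case chars......................... 2
     Min. Lower case chars......................... 2
     Min. Digits chars............................. 1
     Min. Special chars............................ 2
"""

# Keys may contain single dots ('Min. Password length', '802.3x ...'), so the
# dotted leader is recognised only as a run of three or more dots.
LEADER_RE = re.compile(r"^\s*(?P<key>.+?)\.{3,}\s*(?P<value>\S.*)$")
PROMPT_RE = re.compile(r"^\(Cisco Controller\) >")


def parse_help_keywords(text):
    """Keywords a '<command> ?' listing offers: first token of each non-prompt line."""
    keywords = set()
    for line in text.splitlines():
        if not line.strip() or PROMPT_RE.match(line):
            continue
        keywords.add(line.split()[0])
    return keywords


def fips_configurable(help_text):
    """True only if 'config switchconfig ?' actually lists the fips-prerequisite keyword."""
    return "fips-prerequisite" in parse_help_keywords(help_text)


def parse_switchconfig(text):
    """Map the dotted-leader lines of 'show switchconfig' to {key: value}."""
    fields = {}
    for line in text.splitlines():
        m = LEADER_RE.match(line)
        if m:
            fields[m.group("key").strip()] = m.group("value").strip()
    return fields


def is_on(value):
    """AireOS prints 'Enable'/'Enabled' (and 'Configured' for the master key)."""
    return value.strip().lower() in ("enable", "enabled", "configured")


# Assumed baseline for the audit (illustration only, not Cisco guidance).
REQUIRED_ON = ["FIPS prerequisite features", "secret obfuscation", "password encryption",
               "Master key", "case-check", "consecutive-check", "default-check", "username-check"]
MIN_VALUES = {"Min. Password length": 8, "Min. Upper case chars": 1, "Min. Lower case chars": 1,
              "Min. Digits chars": 1, "Min. Special chars": 1}


def audit_switchconfig(text):
    """Return findings as 'key: observed' strings; an empty list meets the assumed baseline."""
    fields = parse_switchconfig(text)
    findings = []
    for key in REQUIRED_ON:
        if key not in fields:
            findings.append(f"{key}: not reported by this build")
        elif not is_on(fields[key]):
            findings.append(f"{key}: {fields[key]}")
    for key, minimum in MIN_VALUES.items():
        raw = fields.get(key)
        if raw is None or not raw.isdigit():
            findings.append(f"{key}: not reported or non-numeric ({raw!r})")
        elif int(raw) < minimum:
            findings.append(f"{key}: {raw} < {minimum}")
    return findings


if __name__ == "__main__":
    print("fips-prerequisite keyword offered:", fips_configurable(CONFIG_SWITCHCONFIG_HELP))
    for finding in audit_switchconfig(SHOW_SWITCHCONFIG):
        print("FINDING:", finding)
```

On the captures above this reports that the `fips-prerequisite` keyword is not offered and produces a single finding, `FIPS prerequisite features: Disabled`; a field that a given build does not print at all is reported separately rather than silently treated as compliant.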
02-02-2021 09:38 AM - edited 02-02-2021 09:40 AM
I don't think FIPS can be enabled (not supported) on a virtual machine (vWLC):
02-03-2021 11:42 AM - edited 02-03-2021 11:49 AM
It never occurred to me that the VM versions wouldn't be FIPS capable; that information isn't listed anywhere in the CTVM docs.
The VMs are billed as a comparable option alongside their physical 9800 counterparts, but if they can't do FIPS then they absolutely are not.
I've sent an email to our rep requesting clarification.
I'm hoping first that it's just a missing command, or that there is a version other than this one that does support it, or maybe a license option that activates it; we'll see.
I'll report back on any specifics I receive.
02-03-2021 11:50 AM
Sure... it has to be certified for FIPS, and VMs... well, it's harder to certify those than appliances. Only a few virtual ones have been certified for FIPS. Keep us posted on what your rep tells you.
02-03-2021 12:45 PM
Take a look at this guide....
Step 1
Configure FIPS on the controller by entering this command:
In FIPS mode both TLSv1.0 and TLSv1.2 are supported and only FIPS 140-2 compliant algorithms are used.
Step 2
View the FIPS configuration by entering this command: