FIPS seems to be missing from AIR_CTVM-K9_8_10_130_0.ova, anyone know why?

hemmerling
Level 1

As you can see by the CLI output, there are no FIPS options, it even looks like there is a space for them, they just are not there.

(Cisco Controller) >config switchconfig ?

flowcontrol         Enable/Disable 802.3x flow control.
secret-obfuscation  Enable/Disable secret obfuscation.
password-encryption Enable/Disable password encryption with master key.
restore-password    Configures restore-password option for management user.
strong-pwd          Configures strong password enforcement options.

(Cisco Controller) >config switchconfig fips-prerequisite enable

Incorrect usage.  Use the '?' or <TAB> key to list commands.
(Cisco Controller) >config switchconfig fips-prerequisite ?
(Cisco Controller) >config switchconfig fips-prerequisite k?
(Cisco Controller) >config switchconfig fips-prerequisite e?
(Cisco Controller) >config switchconfig fips-prerequisite d?
(Cisco Controller) >config switchconfig fips-prerequisite enable

Incorrect usage. Use the '?' or <TAB> key to list commands.

and it knows what FIPS is as the show command displays its status

(Cisco Controller) >show switchconfig

802.3x Flow Control Mode......................... Enable
FIPS prerequisite features....................... Disabled
WLANCC prerequisite features..................... Disabled
UCAPL prerequisite features...................... Disabled
Last login information display................... Disabled
Last login information display duration.......... 0
secret obfuscation............................... Enabled
Master key....................................... Configured
password encryption.............................. Enabled
Strong Password Check Features
   case-check.................................... Enabled
   consecutive-check............................. Enabled
   default-check................................. Enabled
   username-check................................ Enabled
   position-check................................ Disabled
   case-digit-check.............................. Disabled
   Min. Password length.......................... 8
   Min. Upper case chars......................... 2
   Min. Lower case chars......................... 2
   Min. Digits chars............................. 1
   Min. Special chars............................ 2

I could understand it if it was built off the non-K9 version or if the "Export-Controlled Functionality: ALLOWED" was not allowed (but it is).
It's licensed and APs are working fine (albeit not in FIPS mode):

Registration:
  Status: REGISTERED
  Smart Account: *************
  Virtual Account: *************
  Export-Controlled Functionality: ALLOWED

Inventory:

Model No. 	AIR-CTVM-K9
Burned-in MAC Address 	**:**:**:**:**:**
Maximum number of APs supported 	200
FIPS Prerequisite Mode 	Disable
WLANCC Prerequisite Mode 	Disable
UCAPL Prerequisite Mode 	Disable

UDI:

Product Identifier Description 	AIR-CTVM-K9
Version Identifier Description 	V01
Serial Number 	************
Entity Name 	Chassis
Entity Description 	Cisco Wireless Controller
I'm just at a loss to know why it is behaving this way.
I'm sure it's just some sort of mystery command that generates higher crypto somewhere but I can't find an example of it anywhere (at least not for the OS version I have).

Anyone have any ideas?

4 Replies

Scott Fella
Hall of Fame

I don't think FIPS can be enabled (not supported) on a virtual machine (vWLC):

https://www.cisco.com/c/en/us/solutions/industries/government/global-government-certifications/fips-140.html


-Scott
*** Please rate helpful posts ***

It never occurred to me that the VM versions wouldn't be FIPS capable, that information isn't listed anywhere in the CTVM docs.

The VMs are billed as a comparable option alongside their physical 9800 counterparts but if they can't do FIPS then they absolutely are not.
I've sent an email to our rep requesting clarification. 
I'm hoping first that it's just a missing command, or that there is a version that does support it other than this one or maybe a license option that activates it, we'll see.

I'll report back on any specifics I receive.

Sure... it has to be certified for FIPS and VMs... well it's harder to certify those than appliances.  Only a few virtual have been certified for FIPS.  Keep us posted on what your rep tells you.

Scott Fella
Hall of Fame

Take a look at this guide.... 

Configuring FIPS (CLI)

Procedure

Step 1

Configure FIPS on the controller by entering this command:

config switchconfig fips-prerequisite { enable | disable }

In FIPS mode both TLSv1.0 and TLSv1.2 are supported and only FIPS 140-2 compliant algorithms are used.

Step 2

View the FIPS configuration by entering this command:

show switchconfig
Information similar to the following appears:

802.3x Flow Control Mode......................... Disable
FIPS prerequisite features....................... Enabled
WLANCC prerequisite features..................... Enabled
UCAPL prerequisite features...................... Disabled
secret obfuscation............................... Enabled

Cisco Wireless Controller Configuration Guide, Release 8.10 - Controller Security [Cisco Wireless LAN Controller Software] - Cisco

-Scott
*** Please rate helpful posts ***
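As an added example (not code from this thread or from Cisco), a small Python parser for the dotted-leader "show switchconfig" output quoted both in the question and in the guide excerpt above, plus a check that flags any prerequisite mode that does not report Enabled. The sample output is constructed from the lines shown in the thread; a real audit would feed it the captured CLI output instead.

```python
import re

# Constructed sample, modelled on the "show switchconfig" output in this thread.
SAMPLE_SHOW_SWITCHCONFIG = """\
802.3x Flow Control Mode......................... Enable
FIPS prerequisite features....................... Disabled
WLANCC prerequisite features..................... Disabled
UCAPL prerequisite features...................... Disabled
secret obfuscation............................... Enabled
Master key....................................... Configured
password encryption.............................. Enabled
Strong Password Check Features
   case-check.................................... Enabled
   Min. Password length.......................... 8
"""

# key (may itself contain single dots, e.g. "Min. Password length"),
# then a run of at least three leader dots, then the value.
LINE_RE = re.compile(r"^(\s*)(.*?)\.{3,}\s*(\S.*)$")


def parse_switchconfig(text):
    """Parse 'key..... value' lines into a flat dict.

    Indented lines under a bare heading (such as "Strong Password Check
    Features") get the heading prefixed to their key, "heading/key".
    """
    result = {}
    section = None
    for line in text.splitlines():
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if not m:
            section = line.strip()      # a heading line with no leader dots
            continue
        indent, key, value = m.groups()
        key = key.strip()
        if indent and section:
            key = f"{section}/{key}"
        else:
            section = None              # back at top level
        result[key] = value.strip()
    return result


def fips_findings(config):
    """List each prerequisite mode that is not reported as Enabled."""
    findings = []
    for mode in ("FIPS", "WLANCC", "UCAPL"):
        state = config.get(f"{mode} prerequisite features", "missing")
        if state.lower() != "enabled":
            findings.append(f"{mode} prerequisite features: {state}")
    return findings
```

Run against the vWLC output from the question, all three modes come back as findings, which is what you would expect to see before the prerequisite command becomes available.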