05-07-2018 03:54 PM - edited 07-05-2021 08:36 AM
How do you disable TLS Version 1.0 on Cisco WLC?
05-07-2018 04:49 PM
Try below command
(WLC) >config network secureweb cipher-option high ?
disable Don't require TLSv1.2 for web admin and web auth.
enable Require TLSv1.2 for web admin and web auth.
(WLC) >config network secureweb cipher-option high enable
Once you enable it, it should use only TLSv1.2
HTH
Rasika
*** Pls rate all useful responses ***
08-13-2018 06:25 PM - edited 08-13-2018 06:26 PM
Hi,
I have run the command
(WLC) >config network secureweb cipher-option high enable
This did not disable TLSv1.0
This port supports TLSv1.0/TLSv1.1/TLSv1.2
Regards
Raj
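The "This port supports TLSv1.0/TLSv1.1/TLSv1.2" result quoted above can be reproduced from any workstation without a full vulnerability scanner. The script below is an added example for this thread, not code from the original posts or from Cisco. It assumes the WLC management IP (and optionally the HTTPS port) are passed on the command line, and the file name wlc_tls_probe.py is hypothetical. Each connection offers the controller exactly one protocol version, so a completed handshake means the WLC still accepts that version after the cipher-option change and reload. One caveat a local OpenSSL 1.1.1/3.x build adds: it refuses to even offer TLS 1.0/1.1 at its default security level, which the probe lowers for itself only; if the build cannot offer a version at all, that version is reported as "not tested" rather than as disabled on the controller.

```python
import socket
import ssl
import sys
import warnings

# Protocol versions to probe, in the order the scanner output in the thread lists them.
VERSIONS = [
    ("TLSv1.0", ssl.TLSVersion.TLSv1),
    ("TLSv1.1", ssl.TLSVersion.TLSv1_1),
    ("TLSv1.2", ssl.TLSVersion.TLSv1_2),
]


def make_probe_context(version):
    """Build a client context that offers exactly one protocol version.

    Returns None when the local OpenSSL build cannot offer that version at all,
    which must be reported as "not tested" rather than "disabled on the server".
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # The probe only cares whether the handshake completes, not whether the
    # WLC's (usually self-signed) certificate validates.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with warnings.catch_warnings():
            # TLSv1 / TLSv1_1 are deprecated enum members on Python 3.10+.
            warnings.simplefilter("ignore", DeprecationWarning)
            ctx.minimum_version = version
            ctx.maximum_version = version
    except (ValueError, ssl.SSLError):
        return None
    # OpenSSL 1.1.1/3.x will not offer TLS 1.0/1.1 at the default security
    # level; lowering it affects only this probe. Builds without SECLEVEL
    # support (e.g. LibreSSL) simply keep their default cipher list.
    try:
        ctx.set_ciphers("ALL:@SECLEVEL=0")
    except ssl.SSLError:
        pass
    return ctx


def probe_version(host, port, version, timeout=5.0):
    """True if the server completes a handshake at exactly `version`,
    False if the server is reachable but refuses that version,
    None if it could not be tested (no TCP connection, or no local support)."""
    ctx = make_probe_context(version)
    if ctx is None:
        return None
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return None
    with sock:
        try:
            # server_hostname is only used for SNI; hostname checking is off.
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.version() is not None
        except (ssl.SSLError, OSError):
            # A protocol_version/handshake_failure alert or the server simply
            # dropping the connection both mean the version is not offered.
            return False


def probe_host(host, port=443, timeout=5.0):
    """Map each version name to True/False/None for one host:port."""
    return {name: probe_version(host, port, version, timeout) for name, version in VERSIONS}


def legacy_tls_enabled(results):
    """True when the server still negotiates TLS 1.0 or TLS 1.1."""
    return any(results.get(name) is True for name in ("TLSv1.0", "TLSv1.1"))


def format_report(results):
    """Render the result in the same shape as the scanner line quoted in the thread."""
    supported = [name for name, ok in results.items() if ok is True]
    untested = [name for name, ok in results.items() if ok is None]
    line = "This port supports " + ("/".join(supported) if supported else "none of the probed versions")
    if untested:
        line += " (not tested: " + ", ".join(untested) + ")"
    return line


if __name__ == "__main__":
    # Usage: python3 wlc_tls_probe.py <management-ip> [port]
    target = sys.argv[1]
    target_port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
    report = probe_host(target, target_port)
    print(format_report(report))
    # Non-zero exit status makes the check easy to rerun after the reload.
    sys.exit(1 if legacy_tls_enabled(report) else 0)
```

Run it against the controller's management address before and after the reload; the exit status is 1 while TLS 1.0 or 1.1 is still negotiated. Because the probe pins both the minimum and maximum version, a passing handshake cannot be explained away by version fallback on the client side.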
08-13-2018 11:40 PM
After enabling it, have you reloaded the WLC?
Enable or disable secure web mode with increased security by entering this command:
config network secureweb cipher-option high {enable | disable}
This command allows users to access the controller GUI using “https://ip-address” but only from browsers that support 128-bit (or larger) ciphers. The default value is disabled.
HTH
Rasika
08-21-2018 12:53 AM
Hi,
Yes I did reload the controller after applying the command.
Cisco TAC mentioned it's a bug in the 8.3.143 code and we will need to update to 8.5.
Regards
Raj
12-20-2018 10:14 AM
Do you have the BUG ID?
01-02-2019 01:38 PM
You are searching for CSCvk07479. Based on the bug details, there is no recent 8.3 (engineering) code available in which this issue is fixed. The 8.5 code-train is going to be the next "stable" and, depending on your platform, it might also be the latest supported code-train as well. My recommendation is to check if your hardware is still supported in 8.5. If this is still the case, I would start preparing for an upgrade. Please regularly check this page as well.
In the meantime you might consider restricting network access to the management interface of the WLC with a firewall or with a CPU ACL on the controller itself.
Please rate useful post... :-)
10-07-2021 02:42 PM
Hi,
What would be the order to restart a couple of WLCs in an HA environment?
10-08-2021 07:32 AM
@jsuarez_ - You can start by restarting your primary WLC, so your secondary will become Active.
Then you can proceed to restart your secondary (Active) WLC, so your primary will become Active again, just like before.
Regards,
12-17-2018 09:32 AM
Team - Can anyone please confirm if there is a bug ID associated to the WLC not taking the command to disable tlsv1.0?
Kind Regards,
07-16-2019 10:53 AM
I have the same issue here, even though my WLC is running a "Fixed Version" of the software per the Bug report found here: https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvk07479
Product Name..................................... Cisco Controller
Product Version.................................. 8.3.150.0
Bootloader Version............................... 1.0.20
Field Recovery Image Version..................... 7.6.101.1
Firmware Version................................. PIC 20.0
Our device is showing security vulnerabilities for running TLS 1.0, but I have already run the command and reloaded, and while this resolved the problem on one of my controllers, it did not on another. They are all running the same version.
I need to be able to address the vulnerability, but is the fixed version info accurate if I am still having the issue running a "fixed version"?
07-17-2019 08:28 AM
07-17-2019 10:30 AM
Done and here it is:
Thanks for your update. In order to disable TLSv1 with this command, the WLC will need to be upgraded to version 8.5, on which it will have the effect of disabling TLSv1.0 as well:
From 8.3 release notes:
Step 4 Enable or disable secure web mode with increased security by entering this command:
config network secureweb cipher-option high {enable | disable}
This command allows users to access the controller GUI using “https://ip-address” but only from browsers that support 128-bit (or larger) ciphers. The default value is disabled.
From 8.5 release notes:
Step 4
Enable or disable secure web mode with increased security by entering this command:
config network secureweb cipher-option high {enable | disable }
This command allows users to access the controller GUI using “https://ip-address” but only from browsers that support 128-bit (or larger) ciphers. The default value is disabled.
When high ciphers is enabled, SHA1, SHA256, SHA384 keys continue to be listed and TLS 1.0 is disabled. This is applicable to webauth and webadmin but not for NMSP.
In order to solve the issue, please upgrade the WLC to version 8.5.140:
The AP models you are using are compatible with this code, Please find below the download link:
https://software.cisco.com/download/home/283848165/type/280926587/release/8.5.140.0