How to enable MIC SHA2 on WLC

cdiaz
Level 1

Hello,

I have 3 WLCs, and I have problems registering APs with MIC SHA2 only on WLC1. The difference from the others is in "show sysinfo"...

(Cisco Controller) >show sysinfo

Manufacturer's Name.............................. Cisco Systems Inc.
Product Name..................................... Cisco Controller
Product Version.................................. 8.3.150.0
Bootloader Version............................... 1.0.20
Field Recovery Image Version..................... 7.6.101.1
Firmware Version................................. FPGA 1.7, Env 1.8, USB console 2.2
OUI File Update Time............................. Sun Sep 07 10:44:07 IST 2014

.....[omitted info]

WLC MIC Certificate Types........................ SHA1          <------------- The others show SHA1/SHA2

How can I enable SHA1/SHA2? The command "config ap dtls-wlc-mic sha2" doesn't work.

Thanks!!


marce1000
VIP

- You may try: config certificate ssc hash validation disable

 M.



-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
    When the mirror will then always respond to me with ' The only thing that exceeds your brilliance is your beauty! '

Haydn Andrews
VIP Alumni

You have potentially hit this field notice

https://www.cisco.com/c/en/us/support/docs/field-notices/639/fn63942.html

  • Cisco IOS APs that were manufactured with SHA-2 certificates in August 2014 and later can be fixed via Cisco bug ID CSCvs22835 in Version 8.5.160.0 and later.


*****Help out others by using the rating system and marking answered questions as "Answered"*****
*** Please rate helpful posts ***

Rich R
VIP

Agreed with @Haydn Andrews, it's probably CSCvs22835.
The sysinfo you showed is running 8.3.150.0 - is that the one which is not working?
What version are the other 2 WLCs running?
Are they all the same model of WLC - what model?
Assuming it is CSCvs22835, then your only option to resolve that is to upgrade to the latest 8.5, but whether you can do that or not depends on what WLCs you're using and what APs you need to support.

Hello,

> The sysinfo you showed is running 8.3.150.0 - is that the one which is not working?
Yes, all the WLCs run version 8.3.150, but only WLC1 is not working.

> What version are the other 2 WLCs running?
8.3.150

> Are they all the same model of WLC - what model?
All are 5508.

> Assuming it is CSCvs22835 then your only option to resolve that is upgrade to latest 8.5 but whether you can do that or not depends on what WLCs you're using and what APs you need to support.
Probably that is the solution, but my doubt is that it only fails on WLC1, where sysinfo shows "SHA1".

WLC1

(Cisco Controller) >show sysinfo

Manufacturer's Name.............................. Cisco Systems Inc.
Product Name..................................... Cisco Controller
Product Version.................................. 8.3.150.0
Bootloader Version............................... 1.0.20
Field Recovery Image Version..................... 7.6.101.1
Firmware Version................................. FPGA 1.7, Env 1.8, USB console 2.2
OUI File Update Time............................. Sun Sep 07 10:44:07 IST 2014

.....[omitted info]

WLC MIC Certificate Types........................ SHA1

WLC2 and WLC3

(Cisco Controller) >show sysinfo

Manufacturer's Name.............................. Cisco Systems Inc.
Product Name..................................... Cisco Controller
Product Version.................................. 8.3.150.0
Bootloader Version............................... 1.0.20
Field Recovery Image Version..................... 7.6.101.1
Firmware Version................................. FPGA 1.7, Env 1.8, USB console 2.2
OUI File Update Time.............................

.....[omitted info]

WLC MIC Certificate Types........................ SHA1/SHA2

Thank you!! I will continue looking for the possibility of enabling SHA2.

vkokila
Cisco Employee

Hello,

I don't think we would be able to change it to SHA2, as it's Manufacturing Installed Certificate.

Depending on when WLC was manufactured it may have just SHA1 cert.

Please check the below output on the WLC:

show ap dtls-cipher-suite

DTLS Cipher Suite................................ RSA-AES256-SHA256

If it's showing as above, try setting "config ap dtls-cipher-suite RSA-AES128-SHA" (requires a reload of the WLC) and see if it helps.
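Added example (my own code, not from this thread or from Cisco): a small Python audit that parses the "Key....... Value" layout of the show sysinfo and show ap dtls-cipher-suite captures discussed above, collected from several controllers, and flags the ones whose MIC certificate is SHA1-only, as with WLC1 here. The captures below are constructed from the format shown in the thread, the controller names are placeholders, the 8.5.160.0 threshold comes from the field notice quoted by Haydn Andrews, and the cipher-suite note restates vkokila's suggestion. The script reads only saved text and changes nothing on a controller.

```python
"""Audit saved AireOS WLC CLI captures for SHA2-capable MIC certificates.

Added example, not from the thread. Hostnames and captures are constructed
placeholders that follow the 'show sysinfo' layout posted in the thread.
"""
import re
from dataclasses import dataclass, field

# Release in which CSCvs22835 is fixed, per the field notice quoted in the thread.
FIX_VERSION = (8, 5, 160, 0)

# AireOS prints 'Key.......... Value'; the value may be empty.
DOTTED_LINE = re.compile(r"^(?P<key>[^.]+?)\.{2,}\s*(?P<value>.*)$")

# Constructed sample captures (hypothetical controllers, not real devices).
SYSINFO_WLC1 = """\
(Cisco Controller) >show sysinfo

Manufacturer's Name.............................. Cisco Systems Inc.
Product Name..................................... Cisco Controller
Product Version.................................. 8.3.150.0
Firmware Version................................. FPGA 1.7, Env 1.8, USB console 2.2
OUI File Update Time............................. Sun Sep 07 10:44:07 IST 2014
.....[omitted info]
WLC MIC Certificate Types........................ SHA1
"""
SYSINFO_WLC2 = """\
(Cisco Controller) >show sysinfo

Product Version.................................. 8.3.150.0
OUI File Update Time.............................
WLC MIC Certificate Types........................ SHA1/SHA2
"""
CIPHER_SHA256 = "DTLS Cipher Suite................................ RSA-AES256-SHA256\n"
CIPHER_SHA1 = "DTLS Cipher Suite................................ RSA-AES128-SHA\n"

SAMPLE_CAPTURES = {
    "WLC1": (SYSINFO_WLC1, CIPHER_SHA256),
    "WLC2": (SYSINFO_WLC2, CIPHER_SHA1),
}


def parse_dotted(text: str) -> dict:
    """Turn dotted 'Key.... Value' lines into a dict; other lines are ignored."""
    out = {}
    for line in text.splitlines():
        m = DOTTED_LINE.match(line.strip())
        if m:
            out[m.group("key").strip()] = m.group("value").strip()
    return out


def parse_version(version: str) -> tuple:
    """'8.3.150.0' -> (8, 3, 150, 0) so releases compare numerically."""
    return tuple(int(p) for p in version.split("."))


def mic_types(info: dict) -> set:
    """Split 'SHA1/SHA2' into {'SHA1', 'SHA2'}; empty set if the field is absent."""
    raw = info.get("WLC MIC Certificate Types", "")
    return {t.strip() for t in raw.split("/") if t.strip()}


@dataclass
class Finding:
    name: str
    version: str
    mic: set
    dtls_suite: str
    sha2_mic_ready: bool
    notes: list = field(default_factory=list)


def assess(name: str, sysinfo_text: str, cipher_text: str) -> Finding:
    """Classify one controller from its two captures and explain any concern."""
    info = parse_dotted(sysinfo_text)
    suite = parse_dotted(cipher_text).get("DTLS Cipher Suite", "")
    mic = mic_types(info)
    version = info.get("Product Version", "")
    ready = "SHA2" in mic
    notes = []
    if not ready:
        notes.append("MIC is SHA1-only: APs with SHA-2 MICs may fail to join")
        if version and parse_version(version) < FIX_VERSION:
            notes.append(f"running {version}, below 8.5.160.0 where CSCvs22835 is fixed")
        if suite.endswith("SHA256"):
            notes.append(f"DTLS suite {suite}; thread suggests trying RSA-AES128-SHA (reload needed)")
    return Finding(name, version, mic, suite, ready, notes)


def audit(captures: dict) -> list:
    """Assess every controller in {name: (sysinfo_text, cipher_text)}."""
    return [assess(n, s, c) for n, (s, c) in captures.items()]


if __name__ == "__main__":
    for f in audit(SAMPLE_CAPTURES):
        status = "OK" if f.sha2_mic_ready else "CHECK"
        print(f"{f.name}: {status} version={f.version} mic={sorted(f.mic)} dtls={f.dtls_suite}")
        for note in f.notes:
            print(f"  - {note}")
```

Feed it the real captures by replacing the entries of SAMPLE_CAPTURES with text saved from each controller; a controller whose report says CHECK is one where the thread's upgrade or cipher-suite advice applies.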
