
Inquiries for WLC 3504

Ahmed Tarek
Participant

Hi all,

I have some inquiries for WLC 3504:

- How can I get the current TLS version applied on the WLC?

- How can I get the current SSL version applied on the WLC?

- What is the recommended version for SSL and TLS now?

- When I access the WLC GUI I need to install a certificate (self-signed). How can I install it from a CA?

- After applying new TLS and SSL versions, does it mean the old versions are off, or do I have to disable them manually?

Thanks in advance.

2 Accepted Solutions

marce1000
VIP

 - FYI:
     % nmap --script ssh2-enum-algos controller-hostname
     % nmap --script ssl-enum-ciphers -p 443 controller-hostname

   In general, if you are worried about security issues concerning TLS/SSL then upgrade the controller according to:
     https://www.cisco.com/c/en/us/support/docs/wireless/wireless-lan-controller-software/200046-tac-recommended-aireos.html
   and review the situation again.

 M.

-- ' 'Good body every evening' ' this sentence was once spotted on a logo at the entrance of a Weight Watchers Club !
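
An added example, not part of the post above and not from any participant in this thread: a small Python parser that reads saved `ssl-enum-ciphers` output and lists legacy protocol versions and ciphers graded below A. The sample output is constructed, and the `LEGACY` set and the function names are choices made for this example.

```python
import re

# Protocol labels treated as legacy in this example (deprecated SSL/TLS versions).
LEGACY = {"SSLv3", "TLSv1.0", "TLSv1.1"}

# Constructed sample in the layout the ssl-enum-ciphers script prints.
SAMPLE = """\
PORT    STATE SERVICE
443/tcp open  https
| ssl-enum-ciphers:
|   TLSv1.0:
|     ciphers:
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
|_  least strength: C
"""

PROTO = re.compile(r"^\|\s+((?:SSLv|TLSv)[\d.]+):\s*$")
CIPHER = re.compile(r"^\|\s+(TLS_\S+|SSL_\S+)\s.*-\s+([A-F])\s*$")

def parse_enum_ciphers(text):
    """Return {protocol: [(cipher, grade), ...]} from ssl-enum-ciphers output."""
    result, current = {}, None
    for line in text.splitlines():
        m = PROTO.match(line)
        if m:
            current = m.group(1)
            result[current] = []
            continue
        m = CIPHER.match(line)
        if m and current:
            result[current].append((m.group(1), m.group(2)))
    return result

def findings(text):
    """List legacy protocols still offered and ciphers graded below A."""
    out = []
    for proto, ciphers in parse_enum_ciphers(text).items():
        if proto in LEGACY:
            out.append(f"{proto} is still offered")
        out += [f"{proto}: {c} graded {g}" for c, g in ciphers if g != "A"]
    return out

if __name__ == "__main__":
    print("\n".join(findings(SAMPLE)) or "no findings")
```

Running it on output captured before and after a controller upgrade shows whether the legacy versions actually went away.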


Rich R
VIP

- Upgrade software to 8.10.190.0 (or later as per TAC recommended link below)

- Ensure WLC is configured for maximum security options as per the config guide:
https://www.cisco.com/c/en/us/td/docs/wireless/controller/8-10/config-guide/b_cg810/administration_of_cisco_wlc.html#ID520
https://www.cisco.com/c/en/us/td/docs/wireless/controller/8-10/config-guide/b_cg810/administration_of_cisco_wlc.html#hsts_policy

- Update the certificate as per the guides:
https://www.cisco.com/c/en/us/td/docs/wireless/controller/8-10/config-guide/b_cg810/managing_certificates.html
https://www.cisco.com/c/en/us/support/docs/wireless/4400-series-wireless-lan-controllers/109597-csr-chained-certificates-wlc-00.html
https://www.cisco.com/c/en/us/support/docs/wireless/wireless-lan-controller-software/215425-troubleshoot-certificate-installation-on.html


10 Replies


Ahmed Tarek
Participant

Hi @marce1000,

What are these?

% nmap --script ssh2-enum-algos controller-hostname
% nmap --script ssl-enum-ciphers -p 443 controller-hostname

Are they commands I need to type in the CLI?

Sorry, but I need to understand.

 - nmap is a hacking tool; you can download it from https://nmap.org/ but for your purposes you can consider yourself an ethical hacker! (You can install nmap on a Windows or Linux host; the commands must then be executed from where nmap was installed.)

 M.



-- ' 'Good body every evening' ' this sentence was once spotted on a logo at the entrance of a Weight Watchers Club !


Ahmed Tarek
Participant

Thanks @Rich R for your links,

but is there any command I can use to check the current TLS version from the CLI or GUI for the WLC 3504?

All the commands I found relate to other WLCs.

Not specifically - refer to Marce's answer for how to check that.

On the WLC you can use:
grep include "Secure Web" "show network summary"
to check the configured settings but that won't show you TLS versions explicitly.

Ahmed Tarek
Participant

Thanks @Rich R,

show network summary shows the following:

Secure Web Mode............................. Enable

What does it mean? Which TLS version is applied? 1.1 or 1.2 or 1.3?

As I already explained it does not tell you the TLS version(s). 
Refer to Marce's earlier answer for how to check TLS versions!
That line just tells you that https is enabled.
The lines you're more interested in are "Secure Web Mode Cipher-Option High" which should be Enable and "Secure Web Mode SSL Protocol" which should be Disable.
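
An added example, not part of the reply above and not from any participant in this thread: a Python check that parses saved `show network summary` output and reports where the two lines named in the reply differ from the values it gives. The sample output is constructed (not from a real WLC), and the function names are choices made for this example.

```python
import re

# Values the reply above gives for the two "Secure Web Mode" hardening lines.
EXPECTED = {
    "Secure Web Mode Cipher-Option High": "Enable",
    "Secure Web Mode SSL Protocol": "Disable",
}

# Constructed sample of "show network summary" lines (not from a real WLC).
SAMPLE = """\
Secure Web Mode............................. Enable
Secure Web Mode Cipher-Option High.......... Disable
Secure Web Mode SSL Protocol................ Disable
"""

# 'Label', a run of dots, then the value.
LINE = re.compile(r"^(?P<key>.+?)\.{2,}\s*(?P<value>\S.*?)\s*$")

def parse_summary(text):
    """Turn 'Label....... Value' lines into a dict."""
    settings = {}
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            settings[m.group("key").strip()] = m.group("value")
    return settings

def audit(text):
    """Return (label, found, wanted) for every expected line that deviates.

    A line absent from the output is reported with found == "missing".
    """
    have = parse_summary(text)
    return [(k, have.get(k, "missing"), want)
            for k, want in EXPECTED.items()
            if have.get(k, "missing").lower() != want.lower()]

if __name__ == "__main__":
    for label, found, wanted in audit(SAMPLE):
        print(f"{label}: found {found}, expected {wanted}")
```

As the reply says, these lines show configured settings only; they do not list the TLS versions the controller negotiates.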

Ahmed Tarek
Participant

I cannot use his commands; it is not allowed to use this in my environment.

I hope now you can get what I mean.
