inquiries for WLC 3504

Ahmed Tarek
Level 3

hi all,

I have some inquiries for the WLC 3504:

- how can I get the current TLS version applied on the WLC?

- how can I get the current SSL version applied on the WLC?

- what is the recommended version for SSL and TLS now?

- when I access the WLC GUI I need to install a certificate (self-signed); how can I install one from a CA?

- after applying new TLS and SSL versions, does it mean the old versions are off, or do I have to disable them manually?

thanks in advance

2 Accepted Solutions

marce1000
VIP

 - FYI:
   % nmap --script ssh2-enum-algos controller-hostname
   % nmap --script ssl-enum-ciphers -p 443 controller-hostname

   In general, if you are worried about security issues concerning TLS/SSL then upgrade the controller according to:
   https://www.cisco.com/c/en/us/support/docs/wireless/wireless-lan-controller-software/200046-tac-recommended-aireos.html
   and review the situation again.

 M.

-- Each morning when I wake up and look into the mirror I always say 'Why am I so brilliant?'
   When the mirror will then always respond to me with 'The only thing that exceeds your brilliance is your beauty!'

Rich R
VIP

- Upgrade software to 8.10.190.0 (or later as per TAC recommended link below)

- Ensure WLC is configured for maximum security options as per the config guide:
https://www.cisco.com/c/en/us/td/docs/wireless/controller/8-10/config-guide/b_cg810/administration_of_cisco_wlc.html#ID520
https://www.cisco.com/c/en/us/td/docs/wireless/controller/8-10/config-guide/b_cg810/administration_of_cisco_wlc.html#hsts_policy

- Update the certificate as per the guides:
https://www.cisco.com/c/en/us/td/docs/wireless/controller/8-10/config-guide/b_cg810/managing_certificates.html
https://www.cisco.com/c/en/us/support/docs/wireless/4400-series-wireless-lan-controllers/109597-csr-chained-certificates-wlc-00.html
https://www.cisco.com/c/en/us/support/docs/wireless/wireless-lan-controller-software/215425-troubleshoot-certificate-installation-on.html


10 Replies

Ahmed Tarek
Level 3

hi @marce1000

what are these:

% nmap --script ssh2-enum-algos controller-hostname
% nmap --script ssl-enum-ciphers -p 443 controller-hostname

are they commands I need to type in the CLI?

sorry but I need to understand

 - nmap is a hacking tool; you can download it from https://nmap.org/ but for your purposes you can consider yourself an ethical hacker! (You can install nmap on a Windows or Linux host; the commands must then be executed from where nmap was installed.)

 M.


Ahmed Tarek
Level 3

thanks @Rich R for your links,

but is there any command I can use to check the current TLS version from the CLI or GUI for the WLC 3504?

all the commands I found relate to other WLCs

Not specifically - refer to Marce's answer for how to check that.

On the WLC you can use:
grep include "Secure Web" "show network summary"
to check the configured settings but that won't show you TLS versions explicitly.

Ahmed Tarek
Level 3

thanks @Rich R,

show network summary shows the following:

Secure Web Mode............................. Enable

what does it mean? which TLS version is applied? 1.1, 1.2 or 1.3?

As I already explained it does not tell you the TLS version(s). 
Refer to Marce's earlier answer for how to check TLS versions!
That line just tells you that https is enabled.
The lines you're more interested in are "Secure Web Mode Cipher-Option High" which should be Enable and "Secure Web Mode SSL Protocol" which should be Disable.
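As an added example (not from this thread, and not Cisco's own tooling), here is a small Python check that parses the dotted-leader lines of an AireOS "show network summary" capture and flags the three settings named above when they are not at the recommended value. The sample output is constructed for illustration; the field names "Web Mode", "Secure Shell (ssh)" and "Telnet" are included only as realistic neighbours and are not checked.

```python
import re

# Constructed sample of "show network summary" output (not captured from a real
# controller); the dotted-leader layout mimics the line quoted in the thread.
SAMPLE_OUTPUT = """\
Web Mode.................................... Disable
Secure Web Mode............................. Enable
Secure Web Mode Cipher-Option High.......... Disable
Secure Web Mode SSL Protocol................ Enable
Secure Shell (ssh).......................... Enable
Telnet...................................... Disable
"""

# Recommended values from the reply above: HTTPS on, only high-strength
# ciphers offered, legacy SSL protocol support off.
EXPECTED = {
    "Secure Web Mode": "Enable",
    "Secure Web Mode Cipher-Option High": "Enable",
    "Secure Web Mode SSL Protocol": "Disable",
}

# "Setting name........ Value": the name is everything before the run of dots.
LINE_RE = re.compile(r"^(?P<key>.*?)\.{2,}\s*(?P<value>\S.*)$")


def parse_network_summary(text):
    """Turn 'Name....... Value' lines into a dict; lines that do not match are skipped."""
    settings = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            settings[m.group("key").strip()] = m.group("value").strip()
    return settings


def audit_secure_web(settings, expected=EXPECTED):
    """Return (setting, found, expected) for every setting that is missing or off-policy."""
    findings = []
    for key, want in expected.items():
        got = settings.get(key, "<missing>")
        if got != want:
            findings.append((key, got, want))
    return findings


if __name__ == "__main__":
    for key, got, want in audit_secure_web(parse_network_summary(SAMPLE_OUTPUT)):
        print(f"{key}: found {got}, expected {want}")
```

This only audits what the controller reports about its own configuration; as the reply says, it does not reveal which TLS versions the HTTPS listener actually negotiates.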

Ahmed Tarek
Level 3

I cannot use his commands; it is not allowed to use this in my environment.

I hope now you can get what I mean

Then it is impossible to do what you want.