
Insecure Wifi Connection on Cisco Deskpro and Dx680 Tandberg Screens

aamir.aleem
Level 1

Hello Fellow Networkers,

 

I need some guidance on possible issues that are leading to an "insecure Wifi Connection" message (attached) on Cisco Deskpro kit screens and a DX680-Tandberg screen when connected to the corporate Wifi.

Below are some points to note:

 

1. The WLC which will be replaced soon is a 5508.

2. WPA + WPA2 is used for Layer-2 security option.

3. WPA-2 has AES only enabled as the encryption option. TKIP is disabled which caused IOS devices to show Weak Security. Disabling it got rid of this message.

4. Just to mention, we are using a signed third-party cert for authentication with ISE, which is using a WildSAN method as mentioned in the link below:

How To Implement Digital Certificates in ISE - Cisco Community

 

I could not get any info on this online, but my guess is that maybe the screens have higher encryption requirements, like AES-256 etc. I request your knowledge-based opinions for identifying the reasons for the error message.

 

 

Thank you!

 

 

Aamir Aleem Jan


ammahend
VIP

I think you meant: TKIP is "enabled" which caused IOS devices to show Weak Security. Disabling it got rid of this message.

TKIP is considered deprecated because there are vulnerabilities in TKIP which allow an attacker to decrypt packets. The countermeasure TKIP uses can further be exploited for DoS: the primary countermeasure specifies that after two bad MICs within sixty seconds the AP must shut down its radios for 60 seconds and then renegotiate its GTK and all pairwise keys (A Study of the TKIP Cryptographic DoS Attack, Glass & Muthukkumarasamy 2007). This means an external attacker can invoke a 60-second shutdown by sending bad MICs, which can be achieved through a number of modification attacks (similar to those used to decrypt packets). Alternatively, a rogue authenticated client on the wireless network or a faulty client on the wireless network can initiate a 60-second shutdown trivially.

Keeping these vulnerabilities in mind, a lot of vendors, including Apple, will tag the Wi-Fi network as insecure if TKIP is used; that's what is happening here, I think.

-hope this helps-

Rich R
VIP

@ammahend I believe he meant TKIP was enabled and is now disabled - which resolved the Apple warnings.  But that's not what his question was about. His question is about the Cisco Deskpro kit screens and a DX680-Tandberg screen.

@aamir.aleem the problem is that error message doesn't say why it thinks the WiFi is insecure.

Does that Extended logging toggle give any more detail?

- What authentication are you using on the SSID - PSK or 802.1x?

- Is the device being redirected to a captive portal?

 

 

Hello,

@ammahend... Thanks for your response. As @Rich R mentioned, we have disabled TKIP already and that was the reason for getting rid of the error message on the IOS devices.

 

@Rich R... Thank you! We are using 802.1x and no, there is no captive portal involved.

 

What seems to be the issue is the WildSAN certificate we are using, which is signed by a trusted CA, but upon connection the Deskpro and the Tandberg give an unknown CA error (attached), which is weird because they should trust the cert by default.

 

At the same time, mobile devices like Android connect without issue and accept the cert while using PEAP-MS-CHAP-V2 with "certificate validation" being enabled in the WiFi settings on the device.

 

For the Cisco screens mentioned above, how can I check their trusted root store? I want to ensure that the root and intermediate certs are present so as to drill down further.

 

 

Thanks

Aamir Aleem

 

Rich R
VIP

Devices like that often have the root cert store embedded in the firmware/OS so you need to contact the respective vendors (Cisco and Tandberg).

For Cisco Deskpro: https://software.cisco.com/download/home/286325128/type/280886992/release/RoomOS%2010.8.2.5

Be sure to check release notes: https://roomos.cisco.com/print/ReleaseNotesRoomOS_10

 

Hi @Rich R 

 

Appreciate the input. Yes, these devices do come with pre-installed certificates, but since it seems the ones we needed weren't there, I was able to install the intermediate and the root certificate of the signing authority as per the guide below.

 

https://www.cisco.com/c/dam/en/us/td/docs/telepresence/endpoint/ce912/desk-pro-administrator-guide-ce912.pdf

Search for Certificates

 

This has resolved the issue for both the screens. Just FYI, the certs were installed as separate files in .pem format.
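
As an added illustration of the fix described in this thread (not code from the posters or from Cisco): a Python example that splits a PEM bundle, labels each certificate as root, intermediate or leaf by comparing issuer and subject names, and re-emits each one as its own PEM text for upload as a separate file. The sample chain, its names and every function name are constructed for this example; names are compared byte-for-byte and signatures are not verified.

```python
import base64, re, textwrap
PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def tlv(buf, pos):
    """Read one DER TLV header at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def issuer_subject(cert):
    """Return the raw DER of the issuer and subject Names of one certificate."""
    _, pos, _ = tlv(cert, 0)            # Certificate SEQUENCE
    _, pos, _ = tlv(cert, pos)          # tbsCertificate SEQUENCE
    tag, _, end = tlv(cert, pos)
    pos = end if tag == 0xA0 else pos   # skip the optional [0] version field
    fields = []
    for _field in range(5):             # serial, sigAlg, issuer, validity, subject
        _, _, end = tlv(cert, pos)
        fields.append(cert[pos:end])
        pos = end
    return fields[2], fields[4]

def split_bundle(pem):
    """Split a PEM bundle (bytes) into DER certificates, in file order."""
    return [base64.b64decode(body) for body in PEM_RE.findall(pem)]

def classify(certs):
    """Label each cert and count issuers absent from the bundle (no signature check)."""
    names = [issuer_subject(c) for c in certs]
    subjects = {sub for _, sub in names}
    issuing = {iss for iss, sub in names if iss != sub}
    labels = ["root" if iss == sub else "intermediate" if sub in issuing else "leaf"
              for iss, sub in names]
    return labels, sum(1 for iss in issuing if iss not in subjects)

def to_pem(cert):  # one DER certificate -> PEM text for its own .pem file
    b64 = "\n".join(textwrap.wrap(base64.b64encode(cert).decode(), 64))
    return f"-----BEGIN CERTIFICATE-----\n{b64}\n-----END CERTIFICATE-----\n"
# Constructed sample: certificate-shaped DER skeletons, not real certificates.
def der(tag, body):
    return bytes([tag, len(body)]) + body  # short-form lengths only
def name(cn):
    return der(0x30, der(0x31, der(0x30, der(0x06, b"\x55\x04\x03") + der(0x0C, cn.encode()))))
def skeleton(iss, sub):
    tbs = der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + der(0x30, b"")
    return der(0x30, der(0x30, tbs + name(iss) + der(0x30, b"") + name(sub)))
CHAIN = [("Issuing CA", "radius.example.test"), ("Root CA", "Issuing CA"), ("Root CA", "Root CA")]
SAMPLE_BUNDLE = "".join(to_pem(skeleton(i, s)) for i, s in CHAIN).encode()
```

A non-zero second value from `classify` means some issuer in the bundle has no matching certificate in it, so that CA certificate still has to be obtained from the signing authority before the chain can be installed on the endpoint.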
