SHA1 deprecated setting for SSH on WLC 5520

jiahaurnyon
Level 1

Dear Cisco Community Expert,

We have WLCs running 8.5.182.7. During our cybersecurity team's vulnerability scanning, the result flagged a deprecated SHA1 setting for SSH. We have already put "config network ssh host-key use-device-certificate-key". Through "show network summary", we can observe that the Secure Shell (ssh) Cipher-Option high has been "Enabled".

Please let us know how we can check/correct the SSH configuration to fix this SHA1 deprecated setting for SSH.

7 Replies

marce1000
VIP

- Upgrade to https://software.cisco.com/download/home/286284738/type/280926587/release/8.10.190.0 and check again,

 M.



-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
    When the mirror will then always respond to me with ' The only thing that exceeds your brilliance is your beauty! '

AOS upgrade didn't resolve for me

Did you run this? If not, run the command and check again.

The "config network ssh cipher-option high enable" command enables SHA2.

-hope this helps-

Yes, this is already there.

Sorry, I just saw you mentioned it in the original post. I don't think there is a command to check the cipher suite other than show network summary (to see that it's enabled). If you have upgraded and high cipher is enabled, ask them to audit again and see how they are claiming use of SHA1; make sure they are talking about SSH and not some other service like web, MIC cert, etc.

-hope this helps-

@ammahend > ..., I don't think there is a command to check the cipher-suite other than ...

For your reference: % nmap --script ssh2-enum-algos WLC5520-hostname

  M.


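Following up on the nmap suggestion above, an added example (not from any poster in this thread) that reads an SSH server's KEXINIT message, which is sent in the clear before any authentication, and lists only the SHA-1-dependent key-exchange, host-key and MAC algorithms it offers. The host name is a placeholder and the sample algorithm lists are constructed, not captured from a real WLC.

```python
import socket
import struct
# The ten name-lists of SSH_MSG_KEXINIT, in wire order (RFC 4253, section 7.1).
FIELDS = ("kex", "host_key", "enc_c2s", "enc_s2c", "mac_c2s", "mac_s2c",
          "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c")
# Algorithms whose security rests on SHA-1; these are what a scanner reports as deprecated.
SHA1_KEX = {"diffie-hellman-group1-sha1", "diffie-hellman-group14-sha1",
            "diffie-hellman-group-exchange-sha1"}
SHA1_MAC = {"hmac-sha1", "hmac-sha1-96"}
SHA1_DEPENDENT = {"kex": SHA1_KEX, "host_key": {"ssh-rsa", "ssh-dss"},  # RSA/DSA sigs use SHA-1
                  "mac_c2s": SHA1_MAC, "mac_s2c": SHA1_MAC}

def build_kexinit(lists):
    """Serialise name-lists into a KEXINIT payload (used here only to construct sample data)."""
    body = b"\x14" + b"\x00" * 16  # message type 20 followed by a 16-byte cookie
    for name in FIELDS:
        s = ",".join(lists.get(name, [])).encode("ascii")
        body += struct.pack(">I", len(s)) + s
    return body + b"\x00" + b"\x00\x00\x00\x00"  # first_kex_packet_follows, reserved

def parse_kexinit(payload):
    """Decode a KEXINIT payload into {field: [algorithm, ...]}."""
    if not payload or payload[0] != 20: raise ValueError("not an SSH_MSG_KEXINIT payload")
    off, out = 17, {}  # skip message type and cookie
    for name in FIELDS:
        (n,) = struct.unpack_from(">I", payload, off)
        text = payload[off + 4:off + 4 + n].decode("ascii")
        out[name] = text.split(",") if text else []
        off += 4 + n
    return out

def sha1_findings(algs):
    """Return, per field, only the SHA-1-dependent algorithms the server offered."""
    return {f: sorted(set(algs[f]) & bad)
            for f, bad in SHA1_DEPENDENT.items() if set(algs[f]) & bad}

def fetch_kexinit(host, port=22, timeout=5):
    """Read a live server's KEXINIT; it is sent in the clear before any authentication."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        f = sock.makefile("rb")
        while not f.readline().startswith(b"SSH-"): pass  # skip any pre-banner text
        sock.sendall(b"SSH-2.0-sha1audit\r\n")
        (plen,) = struct.unpack(">I", f.read(4))
        pkt = f.read(plen)
        return pkt[1:plen - pkt[0]]  # drop the padding_length byte and trailing padding

SAMPLE = build_kexinit({  # constructed sample: SHA-2 suites offered alongside legacy SHA-1 ones
    "kex": ["ecdh-sha2-nistp256", "diffie-hellman-group14-sha1"],
    "host_key": ["rsa-sha2-256", "ssh-rsa"], "comp_c2s": ["none"], "comp_s2c": ["none"],
    "mac_c2s": ["hmac-sha2-256", "hmac-sha1"], "mac_s2c": ["hmac-sha2-256"]})
```

Against the controller, `sha1_findings(parse_kexinit(fetch_kexinit("WLC5520-hostname")))` returns an empty dict once SSH no longer advertises a SHA-1-based KEX, host-key signature or MAC, which is the evidence to hand back to the audit team.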
balaji.bandi
Hall of Fame

As suggested, upgrade to the latest version (before upgrading to the latest code, make sure to check AP compatibility)

and follow the thread below:

https://community.cisco.com/t5/wireless/wlc5520-8-10-185-tls1-2-using-insecure-ciphers-cbc-amp-sha/td-p/4869853

If the WLC is inside the network and there is no guest network, somehow you are OK, but since the WLC 5520 is reaching End of Life, I suggest moving to the Catalyst 9800 WLC for a longer life.

BB
