Solved: WLC web auth changing cipher suite

pematthe · ‎07-27-2017

All,

I have just had a looming issue highlighted to me about the cipher offered by the WLC for web-auth. Apparently in iOS 11 (due for release in September) support for the weaker SSL and TLS encryption suites are being removed. Notable TLS 1.0 is no longer supported and will block a connection.

With no other specification, it seem that WLC web auth offers TLS 1.0 by default and I am trying to find out how to turn it off so stronger ciphers are offered. Any ideas?

Someone has suggested that the web auth cert can contain information about what ciphers to negotiate, though I get conflicting information from SSL providers.

See the attached screenshot for an example of the error that has been highlighted to me.

schaefermeier · ‎07-27-2017

We are looking into this same issue. Haven't had a chance to test it yet but depending on your code version you might be able to run the below command which enables/requires TLS 1.2 support on the internal controller. This is for internal captive portal and web management , which may fix the issue. I plan to test in the next week or so. We are running 8.2 code.

config network secureweb cipher-option high enable

Beware that anyone using a browser that doesn't support TLS1.2 (very old browsers) will not be able to access the captive portal or web gui. Some browsers may support TLS 1.2 but may need to manually enable support as well.

Performing a "show network summary" will show you the current setting.

Secure Web Mode Cipher-Option High.......... Enable/Disable

Scott

View solution in original post

schaefermeier · ‎07-27-2017

We are looking into this same issue. Haven't had a chance to test it yet but depending on your code version you might be able to run the below command which enables/requires TLS 1.2 support on the internal controller. This is for internal captive portal and web management , which may fix the issue. I plan to test in the next week or so. We are running 8.2 code.

config network secureweb cipher-option high enable

Beware that anyone using a browser that doesn't support TLS1.2 (very old browsers) will not be able to access the captive portal or web gui. Some browsers may support TLS 1.2 but may need to manually enable support as well.

Performing a "show network summary" will show you the current setting.

Secure Web Mode Cipher-Option High.......... Enable/Disable

Scott

schaefermeier · ‎07-31-2017

I was able to perform tests on this today and the above command did fix the issue. It forced the web server to use TLS 1.2. Without the above command the internal web server would use TLS 1.0 which would cause it to be blocked.

We are running 8.2.141.0, so your code version may vary.

Scott

dripley · ‎08-14-2017

I have also been tracking and troubleshooting this issue along with another web auth related timeout bug. We tested a patched version of AirOS (8.2.154.67) for our timeout bug which was successful and this iOS11 / MacOS 10.13 beta issue.

The problem does not happen in this version of code. I also verified that the secureweb cipher high option is still set to the default setting of "disable". Since, we have also tested both web auth issues against 8.2.160 and we're no longer seeing issues.

pematthe · ‎09-07-2017

Since implementing, have you seen any user reported issues with the higher security?

We are going to implement the cypher change on 8.2MR6 code this weekend. Just checking with the community if the move to only strong cyphers has any unforseen issues.

pematthe · ‎07-27-2017

More information from other investigations.

It seems that iOS 11 and HighSierra will both remove the TLS1.0 support but once of the highlights is that the certificate signing is affected rather than maybe the http encryption cipher. https://www.thesslstore.com/blog/crypto-ssl-improvements-high-sierra-ios-11/

"Certificates signed with SHA-1 and/or using private keys under 2048-bits will no longer be trusted on High Sierra, iOS 11, watchOS 4, or tvOS 11."

Still investigating.