Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
499
Views
0
Helpful
7
Replies

WLC3504 8.10.196.0 - TLS1.2 Uso de cifrados inseguros, CBC y SHA

victor-castillo
Level 1
Level 1

‎09-09-2025 07:37 PM

Hello good afternoon.

I have a wireless controller models 3504, with firmware version 8.10.196.0, and when it comes to pentesting, it marks the following vulnerabilities, I already applied a procedure with the following commands:

victorcastillo_0-1757471507706.pngvictorcastillo_1-1757471528344.png

likewise, I already updated the local certificate, disabled telnet, http, modified the security of my ssids, but my pentest shows vulnerabilities, does anyone know anything about it?
I found that Cisco for compatibility reasons cannot remove all RSAs.

victorcastillo_2-1757471680338.png

likewise, I thank you for your help, greetings...

 

0 Helpful
7 Replies 7

ammahend
VIP Alumni
VIP Alumni

‎09-09-2025 09:14 PM - edited ‎09-09-2025 09:14 PM

did you try the steps recommended in this post

its a bit old but relevant. 

-hope this helps-
0 Helpful

victor-castillo
Level 1
Level 1
In response to ammahend

‎09-09-2025 09:39 PM

Hi friend, I just took that post as a reference for the solution to my problem, but it didn't work.

0 Helpful

Rich R
VIP
VIP

‎09-10-2025 02:51 PM - edited ‎09-10-2025 02:52 PM

You may not like the answer but ...
https://www.cisco.com/c/en/us/products/collateral/wireless/3504-wireless-controller/eos-eol-notice-c51-744737.html
https://www.cisco.com/c/en/us/products/collateral/wireless/8500-series-wireless-controllers/wireless-software-8-10-pb.html

It's a legacy product running a legacy operating system (AireOS).  Basically if you want the latest technology, features and security standards then you need to upgrade to a more recent product like 9800 series which is IOS-XE based and therefore inherits most of the security features and standards from the IOS-XE base code.  They did "port" some things from AireOS which is not great but most of it is modern and certainly the part you're looking for has the latest standards.  And of course it is still maintained and in development so will continue to be updated and evolve with the standards for the foreseeable future.

------------------------------
Please click Helpful if this post helped you and Accept as Solution (drop down menu at top right of this reply) if this answered your query.
------------------------------
TAC recommended codes for AireOS WLC's   and   TAC recommended codes for 9800 WLC's
Best Practices for AireOS WLC's,   Best Practices for 9800 WLC's   and   Cisco Wireless compatibility matrix
Check your 9800 WLC config with Wireless Config Analyzer using "show tech wireless" output or "config paging disable" then "show run-config" output on AireOS and use Wireless Debug Analyzer to analyze your WLC client debugs
Field Notice: FN63942 APs and WLCs Fail to Create CAPWAP Connections Due to Certificate Expiration
Field Notice: FN72424 Later Versions of WiFi 6 APs Fail to Join WLC - Software Upgrade Required
Field Notice: FN72524 IOS APs stuck in downloading state after 4 Dec 2022 due to Certificate Expired
- Fixed in 8.10.196.0, latest 9800 releases, 8.5.182.12 (8.5.182.13 for 3504) and 8.5.182.109 (IRCM, 8.5.182.111 for 3504)
Field Notice: FN70479 AP Fails to Join or Joins with 1 Radio due to Country Mismatch, RMA needed
How to avoid boot loop due to corrupted image on Wave 2 and Catalyst 11ax Access Points (CSCvx32806)
Field Notice: FN74035 - Wave2 APs DFS May Not Detect Radar After Channel Availability Check Time
Leo's list of bugs affecting 2800/3800/4800/1560 APs
Default AP console baud rate from 17.12.x is 115200 - introduced by CSCwe88390
0 Helpful

victor-castillo
Level 1
Level 1
In response to Rich R

‎09-11-2025 10:19 AM

I really appreciate your support friend

0 Helpful

Saikat Nandy
Cisco Employee
Cisco Employee

‎09-11-2025 10:08 AM

Can you share the exact vulnerability CVE IDs? I see that you have shared the ciphers but if you can help me with the CVE IDs, I can at least check the status.

0 Helpful

victor-castillo
Level 1
Level 1
In response to Saikat Nandy

‎09-11-2025 10:20 AM - edited ‎09-11-2025 10:28 AM

will you have a procedure to remove CVE IDs from these vulnerabilities?, likewise, I found this cve id that refers to this type of topic

CVE-2013-0169

 

0 Helpful

Saikat Nandy
Cisco Employee
Cisco Employee
In response to victor-castillo

‎09-15-2025 05:21 AM

I have looked CVE-2013-0169 and the only thing needed is cipher option high that I can see you have already enabled. So that should be it. 

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card