| Link encryption | Data link encryption is not supported on the C91xx wireless mobility express platform. |
| Link encryption | On non-C91xx wireless mobility express platforms, enabling data link encryption (using an ECDHE key pair) makes the AP flap continually. |
| LDAP | Secure LDAP does not support strong ciphers and is not part of CC certification. |
| Mobility | Mobility between Cisco Catalyst 9800 Series Wireless Controllers is possible with LSC as the wireless management trustpoint (with RSA-based keys). |
| Mobility | Mobility between AireOS WLC and Cisco Catalyst 9800 Series Wireless Controllers is supported (using SUDI and MIC certificates for the wireless management trustpoint). |
| Mobility | Mobility between AireOS WLC and Cisco Catalyst 9800 Series Wireless Controllers is not supported if LSC certificates are used for the wireless management trustpoint. |
| CC mode | The show wireless certification config command displays the configured values for WLANCC, AP-dtls-ciphersuite, and AP-dtls-version. A reload is needed after these parameters are reconfigured. |
| CC mode | The AES128-SHA option is not supported for AP-dtls-ciphersuite when the Cisco Catalyst 9800 Series Wireless Controller is operating in CC mode. |
| CC mode | The AES128-SHA option is supported for AP-dtls-ciphersuite when the Cisco Catalyst 9800 Series Wireless Controller is operating in FIPS mode. |
| CC mode | For your Cisco Catalyst 9800 Series Wireless Controller to operate in CC mode, you need to enable both FIPS mode and CC mode. |
| LSC | To secure communication between the Cisco Catalyst 9800 Series Wireless Controller and the LSC server, you need to deploy ESTCA as the LSC server (which uses TLS to secure the related communication). |
| LSC | Cisco Catalyst 9800 Series Wireless Controllers do not support HTTPS to secure their communication with the LSC server. |
| LSC | During LSC provisioning, APs generate EC-based keys only when the related Cisco Catalyst 9800 Series Wireless Controller is operating in CC mode. |
| LSC | During LSC provisioning, APs generate RSA-based keys when the related Cisco Catalyst 9800 Series Wireless Controller is operating in FIPS mode. |
| LSC | During LSC provisioning, APs generate RSA-based keys when the related Cisco Catalyst 9800 Series Wireless Controller is operating in non-FIPS or non-CC mode. |
| Password Obfuscation | You can use the following commands for password obfuscation: |
| CC mode | APs reload immediately if you change the wlancc status. |
| FIPS mode | APs do not reload immediately if you change the FIPS status. |
| Cisco 1562 AP | To help Cisco 1562 APs join the Cisco Catalyst 9800 Series Wireless Controller, you need to have the Ethernet MAC of the AP in the username list. |
| AP serial number authorization | Serial number authorization is possible only when the Cisco Catalyst 9800 Series Wireless Controller is in FIPS and CC mode, and only with LSC-based trustpoints/certificates (not with the SUDI trustpoint). |
| Display | FIPS suitability displays Suitable only if the controller is in CC mode and the LSC certificate is compatible. Both the wireless management and Certs CN should match the hostname of the controller, and either an RSA key of length (> 2048) or EC keys must be in use. |
| RADSEC | The RSA key of the certificate used for RADSEC must be at least 2048 bits when operating in FIPS or CC mode; otherwise RADSEC fails. |
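The Display and RADSEC rows both depend on properties of the certificate (key type, RSA key size, CN matching the controller hostname) that can be checked before the certificate is installed. The script below is an added example, not Cisco tooling or part of the original page; it assumes the openssl command-line tool is available, treats 2048 bits as the minimum RSA size as the RADSEC row states, and uses hypothetical helper names (check_cert, make_test_cert).

```shell
#!/bin/sh
# Added example (not Cisco tooling): check a PEM certificate against the
# key-type, key-size and CN conditions in the Display and RADSEC rows.
# Assumption: 2048 is treated as the minimum RSA size, as the RADSEC row states.
MIN_RSA_BITS=${MIN_RSA_BITS:-2048}

# check_cert <cert.pem> <controller-hostname>  (hypothetical helper name)
# Returns 0 if the conditions hold, 1 if not, 2 if the file cannot be parsed.
check_cert() {
    cert=$1; host=$2
    text=$(openssl x509 -in "$cert" -noout -text 2>/dev/null) || {
        echo "ERROR: cannot parse $cert"; return 2; }
    # -nameopt multiline prints one subject attribute per line.
    cn=$(openssl x509 -in "$cert" -noout -subject -nameopt multiline |
         sed -n 's/^ *commonName *= *//p' | head -n 1)
    alg=$(printf '%s\n' "$text" |
          sed -n 's/^ *Public Key Algorithm: *//p' | head -n 1)
    bits=$(printf '%s\n' "$text" |
           sed -n 's/.*Public-Key: (\([0-9][0-9]*\) bit).*/\1/p' | head -n 1)

    # Assumption: CN and hostname are compared as exact strings.
    if [ "$cn" != "$host" ]; then
        echo "FAIL: CN '$cn' does not match hostname '$host'"; return 1
    fi
    case $alg in
        rsaEncryption)
            if [ "${bits:-0}" -lt "$MIN_RSA_BITS" ]; then
                echo "FAIL: RSA key is ${bits:-?} bits (< $MIN_RSA_BITS)"; return 1
            fi ;;
        id-ecPublicKey) ;;  # EC keys are accepted
        *)  echo "FAIL: unexpected key algorithm '$alg'"; return 1 ;;
    esac
    echo "OK: $alg, ${bits} bits, CN matches '$host'"
}

# make_test_cert <out.pem> <cn> <req key options...>
# Constructed sample input: a throwaway self-signed certificate for offline tests.
make_test_cert() {
    out=$1; cn=$2; shift 2
    openssl req -x509 -nodes -sha256 -days 1 -subj "/CN=$cn" \
        -keyout "$out.key" -out "$out" "$@" 2>/dev/null
}
```

For example, `make_test_cert /tmp/wlc1.pem wlc1 -newkey rsa:2048` followed by `check_cert /tmp/wlc1.pem wlc1` prints an OK line, while the same certificate checked against a different hostname prints a FAIL line.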