Wireless Access

Hi Team,

One of our customer want to know the cryptography details involved in the controller.
Currently they are using WPA2 enterprise with AES.
Controller details- Aruba3400 - OS 6.4.4.19
Aruba7005 - OS 6.4.4.19

Provide commands which help to get the information below.

need to know all the parameter of cryptography for GRE tunnel (forward mode tunnel) from AP to Controller.
TLS / SSL Cipher
TLS Protocol Versions
SSH Ciper (Static Key Type, Key Exchange (KEX), Symmetric Cipher, HMAC, SSH Protocol Versions)

IKE Phase 1 Cryptography :
Encryption
Authentication / Hash
DH Group / PFS

IKE Phase 2 Cryptography :
Encryption
Authentication / Hash
DH Group / PFS

Regards,
Mallikarjun

Please check the ArubaOS Datasheet.

For the IPSec Phase1 (ISAKMP) and Phase2 (IPSec), you can check the controller/MM:

(MM01) [Testgroup] (config) #crypto isakmp policy 999
(MM01) ^[Testgroup] (config-submode)# ?
authentication          Configure the IKE authentication method
disable                 Disable/Enable IKE policy
encryption              Configure the IKE encryption algorithm
group                   Configure the IKE Diffie Hellman group
hash                    Configure the IKE hash algorithm
lifetime                Configure the IKE lifetime in seconds
no                      Delete Command
prf                     Configure Pseudo Random Function for IKEv2
version                 Select IKE version for the policy

(MM01) ^[Testgroup] (config-submode)#hash ?
md5                     Use MD5 (HMAC variant) as the hash algorithm
sha                     Use SHA1-160 (HMAC variant) as the hash algorithm
sha1-96                 Use SHA1-96 (HMAC variant) as the hash algorithm
sha2-256-128            Use SHA2-256-128 (HMAC variant) as the hash algorithm
sha2-384-192            Use SHA2-384-192 (HMAC variant) as the hash algorithm
(MM01) ^[Testgroup] (config-submode)#encryption ?
3DES                    Use 168-bit 3DES-CBC encryption algorithm
AES128                  Use 128-bit AES-CBC encryption algorithm
AES192                  Use 192-bit AES-CBC encryption algorithm
AES256                  Use 256-bit AES-CBC encryption algorithm
DES                     Use 56-bit DES-CBC encryption algorithm

Similar for Phase2:

(MM01) ^[Testgroup] (config) #crypto ipsec transform-set test ?
esp-3des                Use ESP with 168-bit 3DES encryption
esp-aes128              Use ESP with 128-bit AES encryption
esp-aes128-gcm          Use ESP with the AES 128-bit GCM authentication algorithm
esp-aes192              Use ESP with 192-bit AES encryption
esp-aes256              Use ESP with 256-bit AES encryption
esp-aes256-gcm          Use ESP with the AES 256-bit GCM authentication algorithm
esp-des                 Use ESP with 56-bit DES encryption
esp-null                Use ESP with no encryption

Hi Herman,

Thank you for the details.

How do i know what is being used in the current controller in running config,actually I want show commands from which I can get the details of below.

SSH Ciper details as (Static Key Type, Key Exchange (KEX), Symmetric Cipher, HMAC, SSH Protocol Versions)

TLS Protocol Versions being used in controller
In IKE Phase 1 Cryptography below details :
Encryption
Authentication / Hash
DH Group / PFS

In IKE Phase 2 Cryptography below details :

Encryption
Authentication / Hash
DH Group / PFS

Regards,

Mallikarjun

Thank you.

I got the commands to check the details.

show ssh

to check ssh version we need to debug the ssh client for ssh packets n raw data.

show crypto ipsec sa peer
show web-server profiles

Regards,

Mallikarjun