Nmap Scan indicates open ports on 5580 WLC from a client connected wirelessly.

mt3368
Level 1

Recently we ran an Nmap scan of our wireless network using a client connected via Wifi. The scan showed common ports over the dynamic interfaces (80, 443, 22) as open and reachable from the client. Further testing showed that we were able to connect to the dynamic interface IP over one of the open ports. I suspect this may be a vulnerability that Cisco needs to address. Any suggestions as to what can be done to restrict access to the dynamic interfaces over these ports? We have attempted to apply an ACL to the dynamic and WLAN interfaces without any success. Keep in mind the dynamic interfaces are reachable from a client over the CAPWAP tunnel.

6 Replies

patoberli
VIP Alumni
Which firmware are you running?
There somewhere once was an option to allow "management over wireless", if that is enabled, then those ports are accessible. I currently can't find the option on my WLC though, but am a tad short on time.

We are running 8.2.170.   The management over wireless option is not enabled.  

Is your management interface in the same VLAN as your user clients? That could also cause this (it's advised not to do this).

It is not in the same vlan.

Some weeks ago a security issue was uncovered in regards to open ports directly on the 2800, 1800, 3800 APs, but I don't think the same applies here.

I just checked my WLC and scanned its dynamic interface with a wireless client inside that VLAN and nmap showed SSH and HTTPS as open ports. I tried to connect to them, but the WLC (correctly) refused the connection. So I think those ports are indeed open, but no service is offered to the client behind those ports.

Using 8.5.140.0 here on a 5520.

That is the behavior I am seeing as well. Try to telnet to one of the dynamic interfaces over any of those ports then escape (ESC) or control-c and you should see a response from the WLC. While I have not been able to get a login prompt using this method, it still seems to be something that needs to be addressed by Cisco.
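A small check that goes one step past what nmap reports, added here as an example and not part of this thread or of any Cisco tooling: it tells a port that completes the TCP handshake but serves nothing (what the two replies above describe on the dynamic interface) from one that actually offers SSH (an SSH server sends its identification string first, RFC 4253) or completes a TLS handshake. The fake listener is a constructed stand-in so the script runs offline; the WLC address is a placeholder to be replaced with your own dynamic interface IP.

```python
import socket
import ssl
import threading

WLC_DYNAMIC_IP = "192.0.2.10"  # placeholder (TEST-NET-1), not a real WLC


def classify_port(host, port, timeout=3.0, tls=False):
    """Return 'closed', 'open-no-service' or 'service'.
    'open-no-service': TCP connects but the peer sends nothing or drops us,
    i.e. nmap says open yet nothing is offered (the WLC behaviour in the thread).
    'service': the peer sends an SSH banner, or a TLS handshake completes."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError:  # refused, unreachable or timed out
        return "closed"
    try:
        if tls:
            ctx = ssl.create_default_context()
            ctx.check_hostname = False
            ctx.verify_mode = ssl.CERT_NONE  # we only test for a handshake
            try:
                with ctx.wrap_socket(sock, server_hostname=host) as tls_sock:
                    return "service" if tls_sock.version() else "open-no-service"
            except (ssl.SSLError, OSError):
                return "open-no-service"
        sock.settimeout(timeout)
        try:
            data = sock.recv(64)  # SSH servers speak first: "SSH-2.0-..."
        except OSError:
            return "open-no-service"
        return "service" if data.startswith(b"SSH-") else "open-no-service"
    finally:
        sock.close()


def start_fake_listener(banner=b""):
    """Constructed stand-in for offline runs: accept one connection, send
    `banner` (empty = accept then close, like the WLC), then close."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        if banner:
            conn.sendall(banner)
        conn.close()
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


if __name__ == "__main__":
    for p in (22, 443):  # against your own WLC dynamic interface
        print(p, classify_port(WLC_DYNAMIC_IP, p, tls=(p == 443)))
```

On a WLC that refuses the connection as described above, both ports come back as open-no-service; a service result on 22 or 443 from a wireless client is what to investigate (management over wireless, or the management interface sharing the client VLAN).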