Showing results for 
Search instead for 
Did you mean: 

Securing WLC from external attacks


I'm deploying a new WLC which will use a public IP address (behinde a NAT & port forwarding) to register remote APs over the internet... the only ports that will be open are 443 ( for management purpose), 5246 & 5247 for CAPWAP flow... my question is : How can I secure the access to that WLC from external attacks in those 3 ports.... is there any options available in the WLC to avoid such problems, or everything security related should be done at the firewall level ?


Thank you in advance

VIP Advocate

Re: Securing WLC from external attacks

As a first step do it at the firewall level.
Secondly, make sure you are always keeping the WLC software up to date in case of security issues.
Thirdly, you can create ACLs on the WLC to only allow connections from certain IP addresses.
VIP Advisor

Re: Securing WLC from external attacks


 Are you using public IP address on the WLC but NAT and port forwarding ?  Does not make sense to me. If you are using public IP address then you dont need NAT. If you are using NAT then your WLC is not exposed on the Internet cause something must be in front of it.

 Considering you are really using public IP address and your WLC will be open on the internet, you can use ACL on the WLC but keep in mind that your WLC will be exposed on the Internet. You can suffer DDoS attacks and brutal force attacks.

 Some action you can take: 

Create  WLAN with ID greater then 16. They will not be advertised on the default AP group by default.

 Use AP auth list to avoid someone on the Internet to join an AP on your network and use you network without your permission.

 Lastly, avoid this kind of scenario on all cost.


-If I helped you somehow, please, rate it as useful.-


Re: Securing WLC from external attacks

Thank you for your reply,
indeed, the WLC is behind a FW and NAT is enabled on it, the public IP is added to the WLC tho, since the NAT used is the NAT-T.
the important thing for me is the WLC, Things that I will add to the list you provided : - APs Mac address filtering, so no Rogue APs can join
- Console AP Passwords, so none can login into remote APs ( who knows) and reveal the Public IP address of the WLC ( technically the IP of the outside firewall)
- Use of the Flexconnect mode (Data plane routed using the nearest end)
- use of the DTLS so the Control plane exchanges between the WLC and the remote AP will be encrypted (Needs a license i'm aware about this)

What do you think ?


Re: Securing WLC from external attacks

Some additional checks you can do as well

show switchconfig - make sure relevant checks are enabled, like strong password username check etc. 

Check for control plane policing

make sure https cipher is set to high.

access via dynamic interface is disabled 

Leverage cpu acl, might want to block all internet traffic except one coming from your AP, since you are using flex connect.

Use certificates for admin, webauth and IPSec communication. 

-Rate helpful posts-
CreatePlease to create content
Content for Community-Ad
August's Community Spotlight Awards