
Disable ability to manage WAP321 via wireless connection

Brian Bergin
Level 4

Most WAPs we've used in the past have the ability to disable access to the WAP's management interface via a wireless connection.  This greatly increases security when the WAP is being used to provide guest Wi-Fi access.  Support suggested today that I use the Management Access Control to restrict to specific IPs but that's easy enough to defeat simply by assigning different IPs to a device.  The other "solution" offered by support was to change the port for management. Again, simple enough to defeat with a port scanner.  The last was to use a very strong password, which I would have done anyway; however, that still allows access to the login GUI which tells a user exactly what AP is in use and could potentially allow for some sort of attack if a vulnerability were found in that particular unit.  IMHO, the WAP's GUI should be inaccessible by a wireless connection for any sort of management purposes. Does anyone know of a way to prevent this?  The firmware on these devices is 1.0.2.3 and they're clustered.  Any thoughts?

1 Reply

Tom Watts
VIP Alumni

Hello Brian, Management Access Control is the solution, unlike on previous SB devices, where there was a tick box to remove wireless access.

To the best of my recollection, if this mode is enabled, no one may log in to the device unless it is the specified IP address.

I see and understand your point that there should be the tick box; it is a feature that is easy. But I guess... you know... if someone knew enough about your network wirelessly, I promise you wired they could do even more damage.

Your management should always be on a separate LAN or subnet. If anyone has access to your management LAN or subnet, then your network is not properly designed with security in mind. Also, your management nodes should be on static IP addresses.

-Tom
Please mark answered for helpful posts

http://blogs.cisco.com/smallbusiness/
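The two posts meet at one point: an IP allow-list for management only helps if the allowed addresses sit in a subnet that guest wireless clients cannot join. As an added example (not part of the thread and not Cisco tooling), this Python check audits a planned allow-list against the guest and management subnets; all addresses and the function names are constructed for illustration.

```python
import ipaddress

def audit_mgmt_acl(allowed_ips, guest_subnets, mgmt_subnets):
    """Classify each allow-listed management IP.

    guest-claimable: inside a subnet guest Wi-Fi clients sit on, so a guest
                     could set the same address statically.
    ok:              inside a dedicated management subnet only.
    outside-mgmt:    in neither; the entry needs a documented reason.
    """
    guest = [ipaddress.ip_network(n) for n in guest_subnets]
    mgmt = [ipaddress.ip_network(n) for n in mgmt_subnets]
    findings = {}
    for raw in allowed_ips:
        ip = ipaddress.ip_address(raw)
        if any(ip in n for n in guest):
            findings[raw] = "guest-claimable"
        elif any(ip in n for n in mgmt):
            findings[raw] = "ok"
        else:
            findings[raw] = "outside-mgmt"
    return findings

def overlapping_subnets(guest_subnets, mgmt_subnets):
    """Return (guest, mgmt) pairs that share address space."""
    return [
        (g, m)
        for g in guest_subnets
        for m in mgmt_subnets
        if ipaddress.ip_network(g).overlaps(ipaddress.ip_network(m))
    ]

# Constructed sample plan (RFC 1918 addresses, not taken from the thread).
GUEST_SUBNETS = ["192.168.1.0/24"]
MGMT_SUBNETS = ["10.10.99.0/28"]
ALLOWED_IPS = ["192.168.1.10", "10.10.99.5", "172.16.0.4"]

if __name__ == "__main__":
    for ip, finding in audit_mgmt_acl(ALLOWED_IPS, GUEST_SUBNETS, MGMT_SUBNETS).items():
        print(f"{ip:15} {finding}")
    for g, m in overlapping_subnets(GUEST_SUBNETS, MGMT_SUBNETS):
        print(f"overlap: guest {g} shares space with management {m}")
```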