2504 Controller disable Recover-Password

Scott Raley · ‎04-15-2016

I have had several co-workers help me with my problem having a local 2504 being hacked and changing the admin password and the AP passwords. We believe they are somehow using the Recover-Password option. Is there a way to disable this on the device?

Prabath Godevithanage · ‎04-18-2016

Hi Scott,

It has to be done through the console,means physical access to the device and I don't think you could disable this function.

If you don't have the WLC admin password,alternative possible ways would be through SNMP,Sniffing(telnet) and of course through a compromised admin pc

With routers and Switches, you could get almost full access quite easily if you have access to a RW snmp community,this is some what true with WLCs as well.

assuming you do not have WCS or Prime

I suggest you to,disable snmpv1,2 and implement snmpv3 with new credentials,enable ssh and disable telnet,disable http and enable https(well you'd need appropriate certificates).disable management over the wireless,if you have that enabled.

You can disable remote management of APs through WLC if you like

You also can carefully add a CPU access list to limit the management of wlc to a known subnet(perhaps ICT department).these are some of the things that you could implement to protect your WLC

Prabath

***Please rate all the useful posts***
-Prabath

Scott Raley · ‎04-18-2016

I have disabled snmp 2 and added v3. ssh is already enabled and telnet disabled. http is disabled and https is available. management over the wireless is not checked. I saw the box about remote management of AP's but did not disable that currently. Currently the device is on the same subnet as all other devices. I tried to set up its own Subnet on the wireless to route devices to the internet but was unsuccessful with that working. I need to read up on that.