Re: 2802 AP Hardening Questions

sn3 · ‎03-06-2019

Is there a way to display a login banner on the AP CLI? I've tested hoping that the login banner from the WLC would trickle down to the APs, but no dice.

Are all login attempts to the AP's CLI logged anywhere? I did not notice anything relevant from the output of "show logging"

Is there any documentation explicitly indicating the use of SSH version 2 and/or overall FIPS compliance of the system?

Do/Can the ACLs configured on the WLC (at Security > Access Control Lists > Access Control Lists) apply to the AP traffic as well? If not, is there somewhere else I could find this functionality?

CLI session timeout was tested to be 5 minutes. Is this configurable?

CLI session is killed after 10 failed attempts. Is this configurable?

Thank you!

patoberli · ‎03-07-2019

First of all, cisco recommends (when using Local Mode) to use a VLAN where no other devices have access to.

To your questions (find answer inline):

Is there a way to display a login banner on the AP CLI? I've tested hoping that the login banner from the WLC would trickle down to the APs, but no dice.

Not that I know of. I suggest to turn of SSH/Telnet access on the APs.

Are all login attempts to the AP's CLI logged anywhere? I did not notice anything relevant from the output of "show logging"

Not that I know of. I suggest to turn of SSH/Telnet access on the APs.

Is there any documentation explicitly indicating the use of SSH version 2 and/or overall FIPS compliance of the system?

Info about WLC (8.5) and FIPS:

https://www.cisco.com/c/en/us/td/docs/wireless/controller/8-5/config-guide/b_cg85/cisco_wlc_security.html

Do/Can the ACLs configured on the WLC (at Security > Access Control Lists > Access Control Lists) apply to the AP traffic as well? If not, is there somewhere else I could find this functionality?

That depends on the mode your APs are running. If you use LOCAL, then I think yes. If you use Flexconnect, then I think no. I suggest to do the ACLs upstream, meaning at the router/firewall for the ip subnet.

CLI session timeout was tested to be 5 minutes. Is this configurable?

Yes.

(Cisco Controller) >config sessions timeout ?

[0-160] Enter time in minutes.

CLI session is killed after 10 failed attempts. Is this configurable?

No idea. I anyway suggest to limit the IP access to the WLC on the upstream device.

sn3 · ‎03-07-2019

Thank you so much for your response!

To add a little bit of context, my organization and I both agree that SSH should be turned off on the AP, but at the same time, want to understand our options as best as possible should the need ever arise.

Below you have referenced some documentation and commands for the controller. Do these settings apply to the AP as well?

I tested the session timeout command on the controller, but this setting does not trickle down to the AP. This configuration doesn't exist on the AP itself.

Thanks again!

patoberli · ‎03-07-2019

No I don't think it will tickle down to the AP. They anyway have a very restricted interface when running in CAPWAP mode and don't allow much in the way of configuration (you can change the associated WLC for example). This is another reason to simply disable SSH/Telnet access completely on the AP. Do set an AP password though, there still is the console port.