10-26-2016 07:34 AM - edited 07-05-2021 06:02 AM
Hello,
I just found out that when connecting to a guest network I can ssh to 1.1.1.1. If I have the username and password, I can log in and wreak havoc in the network.
Of course, an attacker will find the 1.1.1.1 address (or whatever) and try to exploit it: it's in the web portal or shown as the dhcp server when doing an ipconfig.
My idea was to create a CPU ACL that blocks ssh and telnet to 1.1.1.1, but would this be enough? Will I break other stuff?
Any ideas are greatly appreciated.
Btw, is there a guide regarding hardening the guest network?
Regards,
Eugen
10-26-2016 01:06 PM
I just found out that when connecting to a guest network I can ssh to 1.1.1.1.
Were you able to log onto your WLC using this IP?
Rasika
10-26-2016 02:31 PM
Hello,
Yes, when connected to the guest network, I am able to ping 1.1.1.1 and ssh to it. As I have the credentials for the WLC, I was able to log in.
10-26-2016 01:15 PM
You should be using an RFC 5737 address for your virtual interface.
10-27-2016 12:54 AM
Do you have 'Management Via Wireless' enabled? We don't and we cannot access the controller via the virtual address.
10-27-2016 01:34 AM
On the anchor, we do, yes. On the remote sites we don't.
This is indeed a proper solution. Thanks!
10-27-2016 05:08 AM
I applied the change and now it's behaving like it should :)
Thanks again!
Eugen
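A way to verify the outcome the thread arrives at (disabling 'Management Via Wireless' and, per the other suggestion, moving the virtual interface to an RFC 5737 address). This is an added example, not code from the thread or from Cisco: it runs from a client on the guest SSID, reports whether the virtual address is in an RFC 5737 documentation block, and checks whether SSH, Telnet and HTTPS on that address still complete a TCP handshake from the guest VLAN. The default address 1.1.1.1 is the stock WLC virtual interface mentioned above; the port list and the two-second timeout are assumptions for this example.

```python
"""Guest-side check of a WLC virtual interface (added example, not from the thread).

Run on a laptop connected to the guest SSID:
    python3 wlc_virtual_check.py            # probes 1.1.1.1
    python3 wlc_virtual_check.py 192.0.2.1  # probes a relocated virtual address
"""
import ipaddress
import socket
import sys

# RFC 5737 documentation-only blocks. They are never routed on the Internet,
# so a virtual interface placed here cannot collide with a real host that the
# guests need to reach (1.1.1.1 is a real, publicly routed address).
RFC5737_BLOCKS = [
    ipaddress.ip_network("192.0.2.0/24"),
    ipaddress.ip_network("198.51.100.0/24"),
    ipaddress.ip_network("203.0.113.0/24"),
]

# Management services that a guest client should not be able to open on the
# virtual address. Assumed list for this example; extend as your WLC requires.
MGMT_PORTS = {22: "ssh", 23: "telnet", 443: "https"}


def is_rfc5737_address(ip: str) -> bool:
    """True if ip lies in one of the RFC 5737 documentation blocks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC5737_BLOCKS)


def probe_tcp(host: str, port: int, timeout: float = 2.0) -> bool:
    """True if a TCP connection to host:port completes within timeout.

    A completed handshake means the controller CPU accepted the connection from
    this client; a refused or timed-out connection both count as closed, which
    is what a CPU ACL drop or disabled wireless management looks like.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def audit_virtual_interface(ip: str, ports=MGMT_PORTS, timeout: float = 2.0) -> dict:
    """Return findings for the virtual address as seen from this client."""
    open_ports = sorted(p for p in ports if probe_tcp(ip, p, timeout))
    return {
        "address": ip,
        "rfc5737": is_rfc5737_address(ip),
        "open_ports": open_ports,
        "mgmt_reachable": bool(open_ports),
    }


def main(argv: list) -> int:
    ip = argv[1] if len(argv) > 1 else "1.1.1.1"  # stock WLC virtual address
    result = audit_virtual_interface(ip)
    print(f"virtual address {result['address']}: "
          f"{'RFC 5737' if result['rfc5737'] else 'NOT an RFC 5737 address'}")
    if result["mgmt_reachable"]:
        names = ", ".join(f"{p}/{MGMT_PORTS[p]}" for p in result["open_ports"])
        print(f"management still reachable from the guest VLAN on: {names}")
        return 1
    print("no management ports answered from the guest VLAN")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

A non-zero exit means a guest client can still reach a management service on the virtual address, so the fix (or the CPU ACL, if that route was taken instead) has not actually closed the path. Note that the check only sees what this one client can reach; test from each guest SSID and, as the thread points out, on the anchor controller as well as the remote sites.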