guest client can manage the guest anchor controller and internal controller?

raymond wang
Level 1

Hi all,

I found that with DHCP configured on the guest controller, the guest client can access the guest controller and the internal controller which has a tunnel to the guest controller.

I even disabled the option to manage the controller via wireless client, but it is still allowed. I found the 2 issues below and got some answers from Cisco. Do you guys find the same issue? It is a high security issue!

1. Issue 1: if the AP is in FlexConnect mode, the wireless client can manage the controller (is it expected?)

// Yes, it is expected; use an ACL to prevent the same.

2. Issue 2: the DHCP server is configured on the guest controller, and the guest clients can manage both the guest controller and the internal controller. Both tested with code 7.0.98 and 7.6.110.

// Have filed bug CSCum93894; check CCO after 24 hrs to track the bug.


George Stefanick
VIP Alumni

Hi Raymond,

Interesting, Ray, thanks for posting. In my design I don't use the internal DHCP server on the WLC, but I don't think that matters much. I have 40+ controllers anchored to 2 guest controllers in the DMZ and ACLs are applied to the WLC interface. I am unable to access the controllers via HTTP, HTTPS, TELNET or SSH. I'm running 7.0.240.

Keep in mind 7.0.98 is no longer supported by Cisco and was pulled.

Also do you have this enabled on your dynamic interface ?

config network mgmt-via-dynamic-interface {enable | disable}

I have an ACL applied to the management interface and it's working.

I will follow the bug .. Post any updates ..

"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
___________________________________________________________
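The controls George describes above (the two management toggles and an ACL on the guest dynamic interface plus the management interface), written out as an added example in Cisco WLC (AireOS) CLI syntax. This is not the poster's or George's configuration; the thread shows no config beyond the single command above. Assumed values: guest clients receive addresses from 10.20.0.0/16 via the anchor's DHCP scope, internal space is the RFC 1918 ranges, the guest dynamic interface is named "guest", and the ACL names are made up. The GUI checkbox "Enable Controller Management to be accessible from Wireless Clients" is the same setting as `config network mgmt-via-wireless`.

```text
! Constructed example (AireOS CLI), not config from the thread.
! Assumes guest subnet 10.20.0.0/16, guest dynamic interface "guest".

! 1. Both management-plane toggles stay disabled (the default).
config network mgmt-via-wireless disable
config network mgmt-via-dynamic-interface disable

! 2. Guest interface ACL: guests may reach the internet, nothing private.
!    AireOS ACLs end with an implicit deny, so rule 4 permits the rest.
config acl create GUEST-NO-PRIVATE
config acl rule add GUEST-NO-PRIVATE 1
config acl rule source address GUEST-NO-PRIVATE 1 10.20.0.0 255.255.0.0
config acl rule destination address GUEST-NO-PRIVATE 1 10.0.0.0 255.0.0.0
config acl rule action GUEST-NO-PRIVATE 1 deny
config acl rule add GUEST-NO-PRIVATE 2
config acl rule source address GUEST-NO-PRIVATE 2 10.20.0.0 255.255.0.0
config acl rule destination address GUEST-NO-PRIVATE 2 172.16.0.0 255.240.0.0
config acl rule action GUEST-NO-PRIVATE 2 deny
config acl rule add GUEST-NO-PRIVATE 3
config acl rule source address GUEST-NO-PRIVATE 3 10.20.0.0 255.255.0.0
config acl rule destination address GUEST-NO-PRIVATE 3 192.168.0.0 255.255.0.0
config acl rule action GUEST-NO-PRIVATE 3 deny
config acl rule add GUEST-NO-PRIVATE 4
config acl rule action GUEST-NO-PRIVATE 4 permit
config acl apply GUEST-NO-PRIVATE
config interface acl guest GUEST-NO-PRIVATE

! 3. Management interface ACL on the anchor AND on each internal (foreign)
!    controller: drop anything sourced from the guest subnet, keep the rest
!    (AP joins and mobility tunnels also terminate here, so no deny-all).
config acl create MGMT-DENY-GUEST
config acl rule add MGMT-DENY-GUEST 1
config acl rule source address MGMT-DENY-GUEST 1 10.20.0.0 255.255.0.0
config acl rule action MGMT-DENY-GUEST 1 deny
config acl rule add MGMT-DENY-GUEST 2
config acl rule action MGMT-DENY-GUEST 2 permit
config acl apply MGMT-DENY-GUEST
config interface acl management MGMT-DENY-GUEST

! 4. Verify what is actually applied.
show network summary
show acl detailed GUEST-NO-PRIVATE
show acl detailed MGMT-DENY-GUEST
```

Two caveats when adapting this. If the anchor's own DHCP scope hands out leases from an address inside one of the denied ranges, guests may stop getting leases once rule 1 is in place; a rule ahead of the denies permitting UDP 67/68 to that interface address fixes it, and it is left out here because the thread does not give that address. And for the FlexConnect case, locally switched client traffic never enters the controller, so these interface ACLs never see it; that filtering has to live on the switch or router in front of the controllers' management network, which is what Steve means below by the client reaching the WLC "via the wire".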

HI George,

I also tested with 7.6.110 and got the same result. Can you tell me how to configure it from the GUI, as you mentioned, for the dynamic interface?

From the GUI I did not check this option under the management tab:

Enable Controller Management to be accessible from Wireless Clients

My concern is, since the controller assigns the IP to the guest client, if I did not check that option, the guest client should not be able to access the controller at all.

The ACL is a workaround which I have tested.

I don't know that to be true, if you mean the "management via wireless" check box. That's only to manage the WLC. Not needed for access. Are you saying, if you don't check the box, that clients do not work? Specific to number 2, not FlexConnect.

BTW - DHCP on the WLC has been problematic in the past.

BTW here is what my guest dynamic interface WLC ACL looks like.

[image: mgtacl.png]


"if you don't check the box, that clients do not work"

I do not check that box, which means the wireless client can not access the controller. That is my understanding,

but with a FlexConnect client or guest client, both still can access the controller.

I don't think this command can be enabled by the GUI. My question was more towards, did you enable this command on the dynamic interface? I think it's disabled by default. If you enabled it, your guest users can access the controller's interfaces.

So "management via wireless" is unchecked. That's good.

I looked at the bug; it lacks detail.

Have you applied an ACL to the management interface?


I did not configure it which means it is disabled.

I did not apply the ACL currently. I have tested with the ACL; it works fine. I only allow the guest to access the internet and not any private IP address. By this way, the guest can not access the controller then. I just want to know why, even when I uncheck that, it still can access the controller.

Another issue is that the internal user which is connected to the FlexConnect AP still can access the controller even though mgmt via wireless is unchecked. With this scenario, it is hard to apply an ACL.

I would have to say the FlexConnect issue is a bug.


Maybe 'technically', but with Flex the client is accessing the WLC via the wire not the wireless.  And the other issue of being on one WLC and accessing another is well known.

This runs into best practices of configuring an ACL to only allow mgmt access to those subnets that need it, IMHO.

HTH,
Steve

------------------------------------------------------------------------------------------------
Please remember to rate useful posts, and mark questions as answered

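The check a practitioner would run after applying the ACLs Steve and George recommend: from a client on the guest subnet (and, for the FlexConnect case, from a client on a locally switched VLAN), confirm that none of the management services the poster tested (SSH, Telnet, HTTP, HTTPS) still answer on the anchor or on an internal controller. This is an added example, not code from the thread; the controller addresses are hypothetical TEST-NET values and the `listen_local` helper exists only so the prober can be exercised offline against a local socket.

```python
"""Constructed reachability audit for WLC management services.

Run it from a guest (or FlexConnect-served) client after the ACLs are in
place. Added example; not from the thread. Addresses below are made up.
"""
import socket
from concurrent.futures import ThreadPoolExecutor

# Hypothetical controller management addresses (TEST-NET-1); substitute yours.
TARGETS = {
    "guest-anchor-wlc": "192.0.2.10",   # anchor WLC in the DMZ
    "internal-wlc": "192.0.2.20",       # foreign WLC with a mobility tunnel to it
}
# The management-plane services the thread tested.
MGMT_PORTS = {22: "ssh", 23: "telnet", 80: "http", 443: "https"}


def probe(host, port, timeout=2.0):
    """True if a TCP handshake to host:port completes (service reachable).

    Refused, filtered (timeout) and unreachable all count as not reachable;
    for this audit only a completed handshake is a finding.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def exposed_services(host, ports=MGMT_PORTS, timeout=2.0):
    """Probe every port of one controller in parallel; returns {port: reachable}."""
    with ThreadPoolExecutor(max_workers=max(1, len(ports))) as pool:
        results = list(pool.map(lambda p: probe(host, p, timeout), ports))
    return dict(zip(ports, results))


def audit(targets=TARGETS, ports=MGMT_PORTS, timeout=2.0):
    """Returns {controller name: sorted list of reachable management ports}.

    Every list empty means the guest client cannot reach any controller's
    management plane, which is the outcome the thread is after.
    """
    return {
        name: sorted(p for p, ok in exposed_services(ip, ports, timeout).items() if ok)
        for name, ip in targets.items()
    }


def listen_local():
    """Self-test helper: open a throwaway listener on 127.0.0.1.

    Returns (socket, port). Closing the socket turns the port into a
    'connection refused' target, i.e. a service that is not exposed.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    return srv, srv.getsockname()[1]


if __name__ == "__main__":
    for name, open_ports in audit().items():
        if open_ports:
            names = ", ".join(MGMT_PORTS.get(p, str(p)) for p in open_ports)
            print(f"FAIL {name}: management reachable on {names}")
        else:
            print(f"OK   {name}: no management service reachable")
```

Run it once before the ACL is applied to confirm the prober sees the exposure the poster describes, and again afterwards; a reachable port on the internal controller from the guest subnet is exactly the cross-controller case Steve calls "well known", and from a FlexConnect client it indicates the wired-side filtering, not the WLC ACL, is what needs fixing.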

Hi Stephen,

I think that is the only option I have right now...
