| 30122 |
RLDP: RLDP is enabled for all AP types. This may have severe impact on voice applications, and lower performance for general data. It is advisable to use the option of monitor mode Aps if this is a security requirement, or disable it
Action: RLDP should be configured to use only Monnitor mode APs, please check your WPS configuration. This may have severe impact on performance
|
| 30012 |
AP Manager: AP manager interfaces count less than number of active ports, and no LAG, not supported configuration
Action: For non LAG scenarios, all active physical ports should have a AP manager interface associated, otherwise there can be traffic issues, or CAPWAP errors. Check active port assignment on the interfaces
|
| 120003 |
Security: It is recommended to monitor all channels for rogue detection. Band(s): 2.4GHz,5GHz
Action: None
|
| 30071 |
Fast SSID: Fast SSID enabled is recommended for networks that may have Apple IOS client devices
Action: Fast SSID allows easier client jump between WLANS, and it is highly recommended for networks with Apple devices. It should not be used in combination with NAC policies. Command: config network fast-ssid-change enable
|
| 30076 |
NTP: Controller without time source, please configure a valid NTP server
Action: No time source detected for this controller. It could be incomplete configuration, check that NTP servers are configured. Command: config time ntp server
|
| 30077 |
Security: Controller with telnet enabled, this is not advisable from security point of view
Action: For security reasons, it is not recommended to use Telnet for CLI access to the controller, use SSH instead
|
| 30112 |
Multicast: The IPv6 Multicast/Broadcast mode is on Unicast.
Action: For performance optimizations, it is recommended to use multicast transport mode. Please enable in general multicast settings
|
| 30119 |
NTP: NTP Polling Interval is set, but no NTP Server is configured. Controller should have time source
Action: Please check the NTP time sync status, as having a proper time source is critical for several features
|
| 120001 |
Security: It is recommended to disable Management over wireless, if the feature is needed, ensure you have a proper CPU ACL
Action: In Config/network, you can enable/disable this feature. Use only when needed
|
| 120004 |
Security: No WLAN with WPA2/802.1x was detected, it is recommended to use proper authentication for security reasons. This may not be applicable on some deployment models
Action: It is expected to see at least one network with L2 security policies enable. This is just a general check to confirm if this is a status done intentionally
|
| 120009 |
Security: No CPU ACL detected, it is recommended it, to restrict management access to the controller
Action: In some scenarios, a CPU ACL can be set to improve security. This may need testing, so use with care
|
| 120014 |
Security: The following Management Password policies are not enabled: Position Check,Case Digit Check
Action: This is optional security best practice
|
| 120015 |
Security: HTTP access to management is enabled, it is recommended to only allow https for security reasons
Action: This is optional security best practice
|
| 60020 |
RF: WLC has 12.5% of APs with failed Interference Profile for 2.4GHz Band
Action: None
|
| 30097 |
RRM: TPC is not set to Auto. For general deployments it is recommended to use RRM. Band(s): 2.4 GHz,5 GHz
Action: None
|
| 30057 |
RF: Legacy rate in Global in use. Disabling low data rates/11b can help to optimise the channel utilisation on the 2.4 band. Depending on RF coverage, or if using legacy clients, this may cause problems. Please validate before enforcing the changes, as this may have important RF dependencies.
Action: In most scenarios, it is good idea to disable 11b data rates (1,2,5.5,11), as they would use more RF time, and be more sensible to interference, it is advisable to only enable 11g rates, unless you need to support legacy devices. Command:config 802.11b rate disabled X
|
| 30064 |
Authentication: EAPoL request timeout larger than 400 ms. EAP key requests may benefit for faster recovery, and better behavior on bad RF, by using higher counts, lower retry timeout. Please validate on your specific client types before enforcing the changes
Action: EAPoL request timer found to be higher than 400ms. In most scenarios, 400 would allow faster recovery in case of problems. Some devices may need longer timers, so always check. Use command: config advanced eap eapol-key-timeout, to adjust
|
| 30067 |
Rogue Detection: Minimum Rogue RSSI detection threshold should be set to -80 or higher, unless mandated by your security policies
Action: Min RSSI feature allows to filter out unwanted rogues from the network (out of building). It is advisable to use -70 to -80 depending on your physical location and security policies. Command: config rogue detection min-rssi
|
| 30083 |
High Availability: High Availability is a recommended redundancy solution for supported platforms
Action: This is general recommendation to use HA feature when possible, to improve network reliability
|
| 30084 |
Webauth: Virtual Gateway IP is not on 192.0.2.0/24 , 198.51.100.0/24 , 203.0.113.0/24 networks, change to recommended to avoid overlapping with Internet Allocated addresses. RFC5737
Action: Virtual GW address must not match any Internet Routable address, as it could lead to controller absorving traffic for it. Use one of the recommended addresses
|
| 30111 |
DHCP: It is recommended to have the DHCP proxy enabled.
Action: This is purely a general recommendation, please validate if applicable in your environment
|
| 30081 |
Load Balancing: Enterprise: Aggressive Load Balancing is a recommended best practice for enterprise environments with proper AP density, for local mode APs. Do not use for WLANs with interactive applications (voice/video)
Action: Load Balancing could help on load distribution on some scenarios, it must be avoided for networks with interactive traffic like voice or video. Command: config wlan load-balance allow enable ID
|
| 30082 |
Client Profiling: Local Profiling is a recommended best practice for better client visibility
Action: Local profiling is recommended in general, unless using NAC profiling. To enable: config wlan profiling local all enable ID
|
| 30130 |
Security: WLC is not vulnerable to CVE-2017-13082 802.11r/FT
Action: Informational message about vulnerability exposure
|
| 30125 |
WLAN: Disabled WLAN, no checks run. WLAN(s): Senior Officer
Action: None
|
