cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
8242
Views
1
Helpful
5
Replies

restrict HTTPS access to 5508 WLC

ryan.rouleau
Level 1
Level 1

I would like to restrict HTTPS access to the management interface(the GUI management) on a 5508.  I created an ACL and applied it to the management interface.  Nothing happens.  Still able to access from any IP.  Maybe im goign about this the wrong way.

The ACL is attached as a picture to this discussion.

Any help is appreciated.

Thanks,

Ryan

1 Accepted Solution

Accepted Solutions

You have to use CPU Acl because this traffic is directed to the wlc itself.

Interface acl is for traffic from to wireless clients

http://www.cisco.com/en/US/docs/wireless/controller/7.4/configuration/guides/security_solution/config_security_chapter_01110.html#ID2789

View solution in original post

5 Replies 5

Abhishek Abhishek
Cisco Employee
Cisco Employee

Hello Ryan,

As per your query i can suggest you the following solution-

Please use the commands to verify the acl on management interface-

  • •1.       config interface acl management access-control-list-name

  • •2.       config interface acl ap-manager access-control-list-name

Hope this will help you.

Through the CLI there was no ACL applied.  Now doing the command above, the ACL is now applied, but its still allowing HTTPS access from any IP.

You have to use CPU Acl because this traffic is directed to the wlc itself.

Interface acl is for traffic from to wireless clients

http://www.cisco.com/en/US/docs/wireless/controller/7.4/configuration/guides/security_solution/config_security_chapter_01110.html#ID2789

Thanks everyone.  The CPU ACL works.  Just make sure you add a permit any any to the end of your ACL or you might lose access to other mangement services as well.

Ryan

So this announcement came out and now I'm looking at cpu acl stuff.  I found this thread but have a question about your statement "Just make sure you add a permit any any to the end of your ACL or you might lose access to other mangement services as well."

Im confused if you add this wouldn't this allow access for all anyway?  I can see you blocked https.  Does anyone know what other management services are needed? 

 

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20151016-wlc

Review Cisco Networking for a $25 gift card