Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
591
Views
1
Helpful
6
Replies

Security Concern – Local WebAuth Pages Accessible via HTTP on C9800-L-

rwilkinson
Level 1
Level 1

‎11-06-2025 10:33 AM

Hi,

One of our customers has a C9800-L-F-K9 HA pair running Cisco IOS XE Software, Version 17.09.05. They operate a BYOD SSID, which uses local WebAuth with custom webauth pages stored locally on the controllers:

bootflash:/custom_webauth/login.html

bootflash:/custom_webauth/failed.html

bootflash:/custom_webauth/logout.html

This configuration has been in place and functioning successfully for several years. Recently, during a penetration test, a security consultant identified a vulnerability related to the WebAuth redirection process.

When a client is redirected to the login page, the redirection occurs over HTTPS as expected, for example: https://boyd.espo.org/login.html?redirect=http://msftconnecttest.com/redirect

However, the tester was able to manipulate the URL to use HTTP instead of HTTPS (this can be done by simply removing the 's' from https://) and successfully perform an insecure login, thereby capturing the username and password with a WIFI sniffer.

We understand that HTTP must be enabled on the C9800 for WebAuth redirection to function properly, since browsers initiate the redirection using an HTTP probe. This has been tested with both of the following configurations:

- Global command: ip http server

- Parameter map command: webauth-http-enable

Both configurations expose the same vulnerability. If "no ip http server" is configured and "webauth-http-enable" is not present in the parameter map, the redirection fails entirely.

Question: Is there a way to prevent the locally hosted WebAuth pages from being directly accessed over HTTP (port 80) through URL manipulation, while still maintaining functional redirection?

We did some in house testing with WebAuth on IOS-XE17.15.03 and found that we could replicate the issue. Once the client is redirected to the login page we were able to manipulate the URL to use HTTP and login successfully. We also captured the CAPWAP traffic (unencrypted by default) and we were able to extract the username and password from the HTTP.

This is very surprising that the security can so easily be circumvented.

Any thoughts here. I've attached a snippet of the packet capture.

Cheers,

Richard.

Labels:
Preview file
189 KB
0 Helpful
6 Replies 6

Mark Elsen
Hall of Fame
Hall of Fame

‎11-06-2025 12:06 PM

 

  - @rwilkinson   You can (also) report  your findings to : psirt@cisco.com

  That is the Product Securkty Incident Respons Team.

 M.



-- Let everything happen to you  
       Beauty and terror
      Just keep going    
       No feeling is final
Reiner Maria Rilke (1899)
0 Helpful

rwilkinson
Level 1
Level 1
In response to Mark Elsen

‎11-07-2025 01:41 AM

@Mark Elsen I'll look into doing that.. Thanks.

srimal99
Level 1
Level 1

‎11-07-2025 12:39 AM

I would raise a tac case as well.

0 Helpful

rwilkinson
Level 1
Level 1
In response to srimal99

‎11-07-2025 01:44 AM

@srimal99 Thanks for the response - first thing I did was raise a case with TAC. Thought it would be worth getting community advice also.

0 Helpful

srimal99
Level 1
Level 1
In response to rwilkinson

‎11-09-2025 01:45 PM

@rwilkinson Any suggestion from Tac ? 

0 Helpful

rwilkinson
Level 1
Level 1
In response to srimal99

‎11-10-2025 09:04 AM

@srimal99 Not yet... I provided them with "show tech wireless", and they have gone very quiet over the last few days.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card