02-12-2019 01:40 AM - edited 07-05-2021 09:50 AM
Dear All,
We just performed a PenTest from our Guest wireless network. The result showed that from this Guest network, the virtual IP (1.1.1.1) and the IP of the Guest network dynamic interface were reachable from a Guest wireless client.
The client can reach the HTTPS webAuth page.
In our setup, we do not use webAuth; we use the Cisco ISE self-registration guest portal, which means that our WLC setup for the Guest WLAN is like this:
- Layer 3 Security is set to none and we configured the AAA servers part only, with an ACL that allows traffic to our Cisco ISE servers.
As we do not use WLC webAuth, is there a way to disable the webAuth feature or block access to the webAuth page with an ACL?
I thought maybe I could assign an ACL that denies traffic to the IPs mentioned before to the Guest WLAN dynamic interface.
Any help is welcome.
Thank you
Best regards
Marc
02-12-2019 02:02 AM
I take it you're using central web auth, not local web auth, with ISE doing the splash page.
This deployment guide shows the Pre-auth ACL you need:
Noticed that you are using the virtual interface of 1.1.1.1. The IP of 1.1.1.1 is now a registered public IP address, as 1.0.0.0/8 has been assigned to the public space.
That being said, the virtual interface is also used for other things, so blocking access to it could cause issues; if you were going to block it via an ACL, then only do it for HTTP/HTTPS.
Are the users accessing the virtual interface before they have entered the RUN state or whilst still in WEBAUTH_REQD or POSTURE_REQD? And have you confirmed that the virtual IP is not routable?
10-15-2020 07:17 AM
Hi there. I have the same issue as you where a pen test highlighted this vulnerability.
Did the CPU ACL work for you as expected?
Thanks,
Jim.
02-13-2019 12:13 AM
Hi,
Thanks for your feedback. Yes, we do Central Web Auth; I had a look at the deployment guide URL and it's exactly what we have done.
To this question: Are the users accessing the virtual interface before they have entered the RUN state or whilst still in WEBAUTH_REQD or POSTURE_REQD? And have you confirmed that the virtual IP is not routable?
The pen test has been done after the user was authenticated/authorized in ISE.
1.1.1.1 is not routable on our network.
So I think I will try to limit access to HTTP/HTTPS with a CPU ACL.
Thanks a lot
Marc
02-13-2019 05:22 PM
1.1.1.1 is not routable on our network.
So I think I will try to limit access to HTTP/HTTPS with a CPU ACL.
Don't forget telnet and SSH access as well; the recommended virtual IP address to use is 192.0.2.x (a reload of the WLC will be required).
<<< Please help the community by marking useful posts helpful, or accept as a solution if it resolved your issue >>>
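As an added example (not posted by anyone in this thread), here is an AireOS CPU ACL of the kind Marc and the last reply describe: it denies HTTP/HTTPS and telnet/SSH towards the virtual IP 1.1.1.1 and the guest dynamic interface IP, and permits all other traffic to the controller CPU so that management access and the implicit deny at the end of the ACL do not lock you out. The ACL name GuestCPU and the guest dynamic interface address 10.10.20.1 are constructed values; check the exact command syntax against your WLC release before applying.

```text
# Lines starting with '#' are annotations, not WLC commands.
# Constructed values: ACL name GuestCPU, guest dynamic interface IP 10.10.20.1.
config acl create GuestCPU

# Rules 1-3: deny TCP 80, 443 and 22-23 destined to the virtual interface 1.1.1.1
config acl rule add GuestCPU 1
config acl rule protocol GuestCPU 1 6
config acl rule destination address GuestCPU 1 1.1.1.1 255.255.255.255
config acl rule destination port range GuestCPU 1 80 80
config acl rule action GuestCPU 1 deny
config acl rule add GuestCPU 2
config acl rule protocol GuestCPU 2 6
config acl rule destination address GuestCPU 2 1.1.1.1 255.255.255.255
config acl rule destination port range GuestCPU 2 443 443
config acl rule action GuestCPU 2 deny
config acl rule add GuestCPU 3
config acl rule protocol GuestCPU 3 6
config acl rule destination address GuestCPU 3 1.1.1.1 255.255.255.255
config acl rule destination port range GuestCPU 3 22 23
config acl rule action GuestCPU 3 deny

# Rules 4-6: same ports, destined to the guest dynamic interface (constructed IP)
config acl rule add GuestCPU 4
config acl rule protocol GuestCPU 4 6
config acl rule destination address GuestCPU 4 10.10.20.1 255.255.255.255
config acl rule destination port range GuestCPU 4 80 80
config acl rule action GuestCPU 4 deny
config acl rule add GuestCPU 5
config acl rule protocol GuestCPU 5 6
config acl rule destination address GuestCPU 5 10.10.20.1 255.255.255.255
config acl rule destination port range GuestCPU 5 443 443
config acl rule action GuestCPU 5 deny
config acl rule add GuestCPU 6
config acl rule protocol GuestCPU 6 6
config acl rule destination address GuestCPU 6 10.10.20.1 255.255.255.255
config acl rule destination port range GuestCPU 6 22 23
config acl rule action GuestCPU 6 deny

# Rule 7: permit everything else to the CPU (AireOS ACLs end with an implicit deny)
config acl rule add GuestCPU 7
config acl rule action GuestCPU 7 permit

config acl apply GuestCPU
config acl cpu GuestCPU

# Verify the rules and that the ACL is bound to the CPU
show acl detailed GuestCPU
show acl cpu
```

Because a CPU ACL is controller-wide, keep a console or out-of-band session open while testing; `config acl cpu none` unbinds it if management access is affected.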