Cisco has released free software updates that address the vulnerability described in this advisory. Customers may only install and expect support for software versions and feature sets for which they have purchased a license.
Additionally, customers may only download software for which they have a valid license, procured from Cisco directly, or through a Cisco authorized reseller or partner. In most cases this will be a maintenance upgrade to software that was previously purchased.
Free security software updates do not entitle customers to a new software license, additional software feature sets, or major revision upgrades. When considering software upgrades, customers are advised to regularly consult the advisories for Cisco products, which are available from the Cisco Security Advisories and Alerts page, to determine exposure and a complete upgrade solution. In all cases, customers should ensure that the devices to upgrade contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release.
If the information is not clear, customers are advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers. Customers should have the product serial number available and be prepared to provide the URL of this advisory as evidence of entitlement to a free upgrade.
Customers should upgrade to an appropriate release as indicated in the table in this section. The center column indicates whether a major release is affected by the vulnerability described in this advisory and the first minor release that includes the fix for this vulnerability. The right column indicates whether a major release is affected by all the vulnerabilities described in this collection of advisories and the current recommended release for those vulnerabilities.
To learn about Cisco security vulnerability disclosure policies and publications, see the Security Vulnerability Policy. This document also contains instructions for obtaining fixed software and receiving security vulnerability information from Cisco. A standalone copy or paraphrase of the text of this document that omits the distribution URL is an uncontrolled copy and may lack important information or contain factual errors.
The information in this document is intended for end users of Cisco products.

The vulnerability is due to a missing internal handler for the specific request. An attacker could exploit this vulnerability by accessing a specific hidden URL on the web management interface. A successful exploit could allow the attacker to cause a reload of the device, resulting in a DoS condition.
Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

It is important that engineers working with WLCs understand the purpose of each interface and how it should be used. This will help maximize the stability and scalability of any WLC deployment by correctly configuring all necessary interfaces and attached devices.
We will now take a look at the different ports that can be found on WLCs and explain their purpose. Depending on the WLC model, some ports might or might not be present.
Figure 1.

The redundancy port is used for configuration, operational data synchronization and role negotiation between the primary and secondary controllers. The service port is used for out-of-band management of the controller and for system recovery and maintenance in the event of a network failure.

It is important to note that the service port does not support VLAN trunking or VLAN tagging and must therefore be connected to an access port on the switch. It is also recommended not to connect the service port to the same VLAN as the wired clients' network, because by doing so administrators will not be able to access the management interface (analysed later) of the controller.

The distribution system ports are the most important ports on the WLC, as they connect the internal logical interfaces (analysed below) and wireless client traffic to the rest of our network.

Figure 2.

For example, the WLC provides up to 4 Gigabit Ethernet ports and can support up to 75 access points, while the WLC provides up to 8 FastEthernet ports and supports up to 25 access points.

Figure 3.

In this section, we will examine the logical interfaces that can be found on all WLCs. Understanding the functionality of each logical interface is crucial for the correct setup and deployment of any Cisco WLC-based wireless network. The diagram below provides a visual layout of the logical interfaces and how they connect to the physical ports of a WLC:

Figure 4.

In this case, the Distribution port is configured as an

The management interface is the default interface used to access and manage the WLC.
The management interface is also used by the access points to communicate with the WLC. A controller can have one or more AP-Manager interfaces, which are used for all Layer 3 communications between the controller and lightweight access points after they have joined the controller.
For these models, under the Management interface settings, there is an option labeled Enable Dynamic AP Management, that allows the Management interface to work as an AP-Manager interface at the same time:

Figure 5.

If more access points are installed, then multiple AP-Manager interfaces are required to be configured. The virtual interface is used to manage and support wireless clients by providing DHCP relay functionality, guest web authentication, VPN termination and other services.
The virtual interface plays the following two primary roles:

The virtual interface IP address is only used for communications between the controller and wireless clients. It never appears as the source or destination address of a packet that goes out through the distribution ports and on to the local network. Finally, the IP address of the virtual interface must be unique on the network. For this reason, a common IP address used for the virtual interface is 1.
All controllers within a mobility group must be configured with the same virtual interface IP address to ensure inter-controller roaming works correctly without connectivity loss.
The service-port interface is used for out-of-band management of the controller. If the management workstation is in a remote subnet, it may be necessary to add an IPv4 route on the controller in order to manage the controller from the remote workstation. As mentioned earlier, dynamic interfaces can be assigned to separate physical distribution ports, so that traffic from specific WLANs passes to the wired network via specific distribution ports. In this scenario, each distribution port is a single access link carrying one VLAN only.
This is a common setup method for smaller networks. All WLCs support the aggregation of multiple distribution ports into a single port using the
This allows an administrator to create one large link between the WLC and the local switch.
For example, the WLC provides 4 Gigabit Ethernet ports, allowing us to aggregate all 4 ports with the neighbouring switch and create a 4 Gigabit Ethernet link with the wired network. EtherChannel will have to be configured on the local switch for the link aggregation to work.

This chapter describes how to initially configure and log into the controller. It contains these sections:
Note Before you configure your controller for basic operation, refer to the quick start guide or installation guide for your controller to complete any necessary hardware procedures.
The configuration wizard enables you to configure basic settings on the controller. You can run the wizard after you receive the controller from the factory or after the controller has been reset to factory defaults. Before you can configure the controller for basic operations, you need to connect it to a PC that uses a VT terminal emulation program such as HyperTerminal, ProComm, Minicom, or Tip.
Follow the installation prompts to install the driver. Step 3 Configure the terminal emulation program for these parameters:

Step 5 Turn on the power supply. The bootup script displays operating system software initialization (code download and power-on self test verification) and basic configuration. If the controller passes the power-on self test, the bootup script runs the configuration wizard, which prompts you for basic configuration input.
Follow these steps to configure the controller using the GUI configuration wizard. Step 1 Connect your PC to the service port and configure it to use the same subnet as the controller for example, Step 2 Start Internet Explorer 6.
The configuration wizard appears see Figure 1. Step 3 In the System Name field, enter the name that you want to assign to this controller. Step 4 In the User Name field, enter the administrative username to be assigned to this controller. The default username is admin. Step 5 In the Password and Confirm Password fields, enter the administrative password to be assigned to this controller.
The default password is admin. Step 6 Click Next. Otherwise, leave this parameter set to Disable. Step 11 When the following message appears, click OK:

The Service Interface Configuration page appears (see Figure 3). If you do not want to use the service port or if you want to assign a static IP address to the service port, leave the check box unchecked.

See the WLC Software Release Notes for an accurate upgrade path, download information, and upgrade procedure information for each specific release.
For example, if you migrate to Release 8. In addition to basic networking knowledge and familiarity with the basic configuration and installation of Cisco Wireless LAN Controllers, ensure that you read the Guidelines and Recommendations present in the release notes. For example, for version 8. Do not power down the controller or any access point during this process; otherwise, you might corrupt the software image.
Upgrading a controller with a large number of access points can take as long as 30 minutes, depending on the size of your network. However, with the increased number of concurrent access point upgrades supported in the controller software release, the upgrade time should be significantly reduced. The access points must remain powered, and the controller must not be reset during this time.
You can predownload the AP image. This feature allows you to download the upgrade image to the controller, and then download the image to the access points while the network is still up. A new CLI allows you to specify the boot image for both devices and to reset the access points when the controller resets. Note: Verify that your APs are compatible with the software you are planning to upgrade to, to avoid losing APs during the upgrade. Note: It is highly recommended to back up the configuration on the Wireless LAN controller before you perform the upgrade.
For this reason, it is recommended that you use a console port connection in order to check the state of the controller during the upgrade process and expedite any recovery procedures, if necessary. Make sure that the FTP server is reachable from the controller, and make sure the upgrade file resides in a directory of the FTP server.
It is best to complete this procedure via the console port, but you can also SSH or Telnet if enabled to the controller's management IP address in order to complete the procedure. The use of SSH or Telnet results in the loss of connectivity with the controller during the reboot process following the image download. Therefore, console access should be available in order to expedite troubleshooting and recovery of the controller if the upgrade fails. This is sample output of the show sysinfo command, which shows that the controller runs 8.
Issue the transfer download mode ftp command in order to define the mode of file transfer. Issue the transfer download filename filename command in order to specify the name of the image. Issue the transfer download start command in order to initiate the upgrade process.
Reboot the controller after the upgrade process is complete in order for the new code to take effect. Issue the reset system command, and enter y or yes in response to the question "Would you like to save them now?" The configuration is not kept when you downgrade versions of controller code. Controllers can be upgraded from one release to another. Should you require a downgrade from one release to another, you possibly cannot use the higher release configuration. The workaround is to reload the previous controller configuration files that were saved on the backup server or to reconfigure the controller.

The attacker would need to have valid administrator credentials on the device.
These vulnerabilities are due to incomplete input validation for unexpected configuration options that the attacker could submit while accessing the GUI configuration menus. An attacker could exploit these vulnerabilities by authenticating to the device and submitting crafted user input when using the administrative GUI configuration feature.
A successful exploit could allow the attacker to cause the device to reload, resulting in a DoS condition. In that case, an unauthenticated attacker who first exploits the cross-site request forgery vulnerability could perform arbitrary commands with the privileges of the administrator user by exploiting the vulnerabilities described in this advisory.
Cisco has released software updates that address these vulnerabilities. There are no workarounds that address these vulnerabilities. To use the CLI, log in to the controller by using Telnet, issue the show sysinfo command, and then refer to the value in the Product Version field of the command output.
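The version check described above, and the show sysinfo sample mentioned earlier in the upgrade section, as an added example that is not part of the advisory or of Cisco's own tooling: it parses the Product Version field out of constructed show sysinfo output and compares it against a per-train table of first fixed releases. The fixed-release values are placeholders, because the page does not carry the real ones; take them from the advisory's table.

```python
import re

# Constructed sample of `show sysinfo` output. The dotted-leader layout
# mirrors the WLC CLI; the version value is a placeholder, not from the advisory.
SAMPLE_SYSINFO = """\
Manufacturer's Name.............................. Cisco Systems Inc.
Product Name..................................... Cisco Controller
Product Version.................................. 8.3.102.0
Bootloader Version............................... 8.3.1.1
System Name...................................... WLC-LAB-01
"""

# First fixed release per major train. PLACEHOLDER values: substitute the
# releases listed in the advisory's fixed-software table before use.
FIXED_RELEASES = {
    "8.2": "8.2.160.0",
    "8.3": "8.3.130.0",
}


def parse_product_version(sysinfo_text):
    """Return the Product Version string from show sysinfo output, or None."""
    match = re.search(r"^Product Version\.*\s*(\S+)\s*$", sysinfo_text, re.MULTILINE)
    return match.group(1) if match else None


def version_tuple(version):
    """Turn '8.3.102.0' into (8, 3, 102, 0) so releases compare numerically."""
    return tuple(int(part) for part in version.split("."))


def assess(version, fixed_releases=FIXED_RELEASES):
    """Classify a running release as 'fixed', 'vulnerable' or 'unknown-train'.

    A train absent from the table is reported as unknown rather than assumed
    safe, so that a controller on an unlisted release still gets a manual look.
    """
    major = ".".join(version.split(".")[:2])
    fixed = fixed_releases.get(major)
    if fixed is None:
        return "unknown-train"
    return "fixed" if version_tuple(version) >= version_tuple(fixed) else "vulnerable"


def assess_sysinfo(sysinfo_text, fixed_releases=FIXED_RELEASES):
    """Convenience wrapper: parse the version and classify it in one call."""
    version = parse_product_version(sysinfo_text)
    if version is None:
        return ("unparsed", None)
    return (assess(version, fixed_releases), version)


if __name__ == "__main__":
    state, running = assess_sysinfo(SAMPLE_SYSINFO)
    print(f"running {running}: {state}")
```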
Only products listed in the Vulnerable Products section of this advisory are known to be affected by these vulnerabilities. As a mitigation, customers may choose to implement access control lists (ACLs) to filter or restrict management access to a configured device.
Cisco has released free software updates that address the vulnerabilities described in this advisory. Customers may only install and expect support for software versions and feature sets for which they have purchased a license.
Additionally, customers may only download software for which they have a valid license, procured from Cisco directly, or through a Cisco authorized reseller or partner.
In most cases this will be a maintenance upgrade to software that was previously purchased. Free security software updates do not entitle customers to a new software license, additional software feature sets, or major revision upgrades. When considering software upgrades, customers are advised to regularly consult the advisories for Cisco products, which are available from the Cisco Security Advisories and Alerts page, to determine exposure and a complete upgrade solution.
In all cases, customers should ensure that the devices to be upgraded contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, customers are advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers. Customers should have the product serial number available and be prepared to provide the URL of this advisory as evidence of entitlement to a free upgrade.
Customers should upgrade to an appropriate release as indicated in the table in this section. To help ensure a complete upgrade solution, consider that this advisory is part of a collection that includes the following advisories:

In the following table, the left column lists major Cisco software releases. The center column indicates whether a major release is affected by the vulnerabilities described in this advisory and the minor release that fixes the vulnerabilities described in this advisory and the vulnerability described in Cisco Wireless LAN Controller Cross-Site Request Forgery Vulnerability.
The right column indicates whether a major release is affected by all the vulnerabilities described in this collection of advisories and which release includes fixes for those vulnerabilities. To learn about Cisco security vulnerability disclosure policies and publications, see the Security Vulnerability Policy.
This document also contains instructions for obtaining fixed software and receiving security vulnerability information from Cisco.
A standalone copy or paraphrase of the text of this document that omits the distribution URL is an uncontrolled copy and may lack important information or contain factual errors. The information in this document is intended for end users of Cisco products.

To use the web interface, do the following: By using a browser, log in to the controller web interface.
Click the Monitor tab. Click Summary in the left pane. Under Controller Summary, the Software Version field shows the release number of the software that is currently running on the device.
The browser asks for authentication, but it doesn't take inside the GUI after entering the credentials. A reboot of WLC may resolve the issue but is there any workaround without going for a reboot or downtime?
Have you had a look at the release notes for the release you're running? There may already be a bug for this.
Dears, WLC is running with code 8.
Web mode - Disabled
Secure web - Enabled
Advance secure web mode - Disabled
A reboot of WLC may resolve the issue but is there any workaround without going for a reboot or downtime?
Regards, Thasleem.

I've not experienced this issue but have you tried disabling and enabling secure web?

Thanks for your reply.
Disabling or enabling network secureweb needs a reboot to effect the change. There are no CPU ACLs configured. Thanks, Thasleem.

Have you had a look at the. There is a bug affecting 8.

The Cisco Wireless Controller (WLC) series devices provide a single solution to configure, manage and support corporate wireless networks, regardless of their size and locations.
Cisco WLCs have become very popular during the last decade as companies move from standalone Access Point (AP) deployment designs to a centralized controller-based design, reaping the enhanced functionality and redundancy benefits that come with controller-based designs.
Cisco Graphical User Interface (GUI) Basics
Cisco currently offers a number of different WLC models, each targeted at different sized networks.

Figure 1.

The CLI is mandatory only during the initial configuration, where the engineer is required to assign an IP address to the WLC device, along with a few other important parameters. Working with any WLC model gives the engineer a great advantage, as the interface is identical across all WLC models, making it easy to manage and configure, regardless of the WLC model:

Figure 2.

Figure 3. Cisco WLC — Click to enlarge.

The great part is that the homepage provides all necessary information an administrator would want to see during a routine check, and that includes:

Obtaining more information on any section can be easily done by clicking on the Detail link next to it.
Figure 4. Browsing through All APs currently registered — Click to enlarge. Figure 5. Viewing currently connected clients — Click to enlarge.
We would however like to have the option to also show the IP address of the wireless client on this page — for this information you currently need to click on its MAC address, after which a page loads the IP address of the client alongside with other information.
When necessary, the administrator can dive further and obtain more information on almost any aspect of the wireless network: SSIDs, clients connected, client speeds etc — the list is endless! We explained the basic concepts behind the product, and talked about the different models available and their main features. We took a look at the intuitive GUI interface used to set up and monitor the controller and the whole wireless infrastructure.