Cisco Bug: CSCvi59011 - Customer gets a challenge prompt when they SSH to a dynamic interface

Last Modified

Jul 26, 2018

Products (1)

  • Cisco 5500 Series Wireless Controllers

Known Affected Releases

8.2(160.0)

Description (partial)

Symptoms:
The customer has put jump boxes in place for enhanced security and has configured CPU
ACLs so that each jump box can access the controller. They have tested this, and they
are working as designed.

They ran Qualys scans on the dynamic interfaces. When they SSH to the GW address of a
dynamic interface, the connection triggers a challenge but then shuts down. Telnet to the
GW address returns the message "telnet not allowed on this port".

This triggers the following QID: 86476
https://community.qualys.com/thread/1205
https://community.qualys.com/docs/DOC-1171

Verified that the "Enable Dynamic AP Management" switch is OFF.

This is normal behavior according to Cisco Document ID 109669 (2/2009):
https://www.cisco.com/c/en/us/support/docs/wireless/4400-series-wireless-lan-controllers/109669-secure-wlc.html

"Remember that by design, even if management over wireless or dynamic interface is
disabled, a device can still make an SSH connection to the controller."

This bug is to investigate if the SSH protocol should be bound to the interface.

Conditions:
"Enable Dynamic AP Management" is disabled.