Security https://wlc.mmki.co.id/bp/helpfiles/r-security.html
Security
802.1x on AP
Description—Provides greater network security by enabling 802.1X on the AP for high security networks.
Status:
Compliant—802.1x authentication for APs is enabled
Non-Compliant—802.1x authentication for APs is disabled
CLI Option—Enable 802.1x on AP by entering this command:
(Cisco Controller) >config ap 802.1Xuser add username ap-user password password all
CPU ACLs
Description—Controls overall access to the WLC.
Status:
Compliant—Configured
Non-Compliant—Not configured
Client Exclusion
Description—Enables the Cisco WLC to exclude clients from joining under specific conditions. Clicking Fix it Now enables client exclusion for all events.
Status:
Compliant—Client exclusion is enabled for all events
Non-Compliant—Client exclusion is disabled for all events
CLI Option—Enable client exclusion for all events by entering this command:
(Cisco Controller) >config wps client-exclusion all enable
Legacy IDS
Description—Enables the wireless IDS feature and its 17 built-in signatures to detect intrusion attacks. Clicking Fix it Now enables the signature check.
For this best practice to work, ensure that at least one WLAN is enabled and that client exclusion-listing is enabled for that WLAN. To enable client exclusion-listing for a WLAN, use the conf wlan exclusionlist wlan-id enabled command.
Status:
Compliant—All standard signature check is enabled
Non-Compliant—All standard signature check is disabled
CLI Option—Enable signature check by entering this command:
(Cisco Controller) >config wps signature enable
Local Management Password Policies
Description—Strong password policies should be enforced. Clicking Fix it Now enables the following strong password policies:
case-check—Checks for the same character occurring three times consecutively
consecutive-check—Checks whether the default values or their variants are being used
default-check—Checks whether the username or its reverse is being used
all-checks—Enables/disables all the strong password checks
position-check—Checks a four-character range against the old password
case-digit-check—Checks that all four character classes are present: lower case, upper case, digits, and special characters
Status:
Compliant—All strong password policies are enabled
Non-Compliant—Some or no password policies are enabled
CLI Option—Enable all strong password policies by entering this command:
(Cisco Controller) >config switchconfig strong-pwd all-checks enable
Min Rogue RSSI Threshold
Description—Specifies the minimum RSSI value that rogues should have for APs to detect them and for the rogue entries to be created in the Cisco WLC. The recommended value is –80 dBm. Clicking Fix it Now changes the minimum RSSI value that rogues should have to –80 dBm.
Status:
Compliant—Set to –80 dBm
Non-Compliant—Set to less than –80 dBm
CLI Option—Set the minimum RSSI value that rogues should have by entering this command:
(Cisco Controller) >config rogue detection min-rssi rssi-in-dBm
Peer to Peer
Description—The peer to peer blocking function disables bridging of traffic on the same subnet between clients. This is only recommended on high security networks where client to client communication is undesirable. Not recommended on enterprise and voice deployments.
Status:
Compliant—Peer to peer blocking enabled on one or more WLANs
Non-Compliant—Peer to peer blocking is disabled on all WLANs
CLI Option—Enable peer to peer blocking by entering this command:
(Cisco Controller) >config wlan peer-blocking drop wlan-id
Rogue Policies
Description—Policy should be at least High. Clicking Fix it Now sets the rogue detection security level to High.
Status:
Compliant—Policy is set to High or above
Non-Compliant—Policy is set to Custom.
CLI Option—Set the rogue detection security level to High by entering this command:
(Cisco Controller) >config rogue detection security-level high
SSH/Telnet Access
Description—SSH to the WLC should be enabled by default. Clicking Fix it Now enables SSH and disables Telnet to the WLC.
Status:
Compliant—SSH enabled; Telnet disabled
Non-Compliant—SSH enabled and Telnet enabled OR SSH disabled and Telnet enabled
CLI Option:
Enable SSH by entering this command:
(Cisco Controller) >config network ssh enable
Disable Telnet by entering this command:
(Cisco Controller) >config network telnet disable
User Login Policies
Description—The user login policies limit the number of concurrent logins of the local netusers of the controller. You can limit the number of concurrent logins, and the recommended value is greater than the default of 0 (unlimited).
Status:
Compliant—Configured
Non-Compliant—No user login policies are present
CLI Option:
Verify the limit of the netusers by entering this command:
(Cisco Controller) >show netuser summary
Configure user login policies by entering this command:
(Cisco Controller) >config netuser maxUserLogin count
WLAN with WPA2 or 802.1X
Description—WLANs should use 802.1X or WPA security. There is no Fix it Now button; a link to the WLAN page is provided instead. The Day 0 default does not mandate 802.1X.
Status:
Compliant—Enabled if at least one WLAN is using 802.1X or WPA
Non-Compliant—Disabled
WLAN with WPA2 and AES Policy
Description—We recommend that you use WPA2+AES instead of WPA+AES and TKIP because WPA2+AES provides greater security. WPA+AES is deprecated and therefore not recommended.
Status:
Compliant—All WLANs configured with WPA+WPA2 have WPA2+AES security policy
Non-Compliant—All WLANs configured with WPA+WPA2 have the following security policies:
WPA+AES, WPA2+AES
WPA+AES
CLI Option—Use the following CLI to enable WPA2+AES on the WLAN:
(Cisco Controller) >config wlan security wpa enable wlan-id
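The Compliant/Non-Compliant rules above can be turned into an offline audit. The following is an added example, not part of this help page or of the Cisco WLC software: it evaluates a constructed controller state snapshot (the dict layout is an assumption, not a WLC export format) against each check on this page and lists the page's own remediation commands for the checks that fail.

```python
# Added example: audit a controller state snapshot against the checks on this
# page. The state dict layout is assumed for illustration; it is not a WLC export.
# Each rule: (check name, compliance predicate over the state, CLI from the page)
RULES = [
    ("802.1x on AP", lambda s: s["ap_dot1x"],
     "config ap 802.1Xuser add username ap-user password <password> all"),
    ("Client Exclusion", lambda s: s["client_exclusion_all"],
     "config wps client-exclusion all enable"),
    ("Legacy IDS", lambda s: s["signature_check"], "config wps signature enable"),
    ("Local Management Password Policies", lambda s: s["strong_pwd_all_checks"],
     "config switchconfig strong-pwd all-checks enable"),
    # The page treats exactly -80 dBm as the compliant value
    ("Min Rogue RSSI Threshold", lambda s: s["rogue_min_rssi"] == -80,
     "config rogue detection min-rssi -80"),
    # Compliant as soon as blocking is enabled on at least one WLAN
    ("Peer to Peer", lambda s: any(w["peer_blocking"] for w in s["wlans"]),
     "config wlan peer-blocking drop <wlan-id>"),
    # "High or above": the WLC level above high is critical; custom is non-compliant
    ("Rogue Policies", lambda s: s["rogue_security_level"] in ("high", "critical"),
     "config rogue detection security-level high"),
    # Only SSH on AND Telnet off is compliant; every other combination fails
    ("SSH/Telnet Access", lambda s: s["ssh"] and not s["telnet"],
     "config network ssh enable; config network telnet disable"),
    ("User Login Policies", lambda s: s["netuser_max_login"] > 0,
     "config netuser maxUserLogin <count>"),
    ("WLAN with WPA2 or 802.1X",  # the page offers no fix-it command here
     lambda s: any(w["dot1x"] or w["wpa"] for w in s["wlans"]), ""),
    # Every WPA+WPA2 WLAN must carry only the WPA2+AES policy
    ("WLAN with WPA2 and AES Policy",
     lambda s: all(w["policies"] == {"WPA2+AES"}
                   for w in s["wlans"] if w["security"] == "wpa+wpa2"),
     "config wlan security wpa enable <wlan-id>"),
]

def audit(state):
    """Map each check name to True (Compliant) or False (Non-Compliant)."""
    return {name: bool(pred(state)) for name, pred, _ in RULES}

def remediation(state):
    """Page CLI commands for the non-compliant checks, in page order."""
    return [cmd for name, pred, cmd in RULES if not pred(state) and cmd]

# Constructed snapshot: Telnet still on, custom rogue policy, one WLAN on WPA+AES
SAMPLE_STATE = {
    "ap_dot1x": True, "client_exclusion_all": True, "signature_check": True,
    "strong_pwd_all_checks": False, "rogue_min_rssi": -85, "ssh": True,
    "telnet": True, "rogue_security_level": "custom", "netuser_max_login": 0,
    "wlans": [{"id": 1, "security": "wpa+wpa2", "policies": {"WPA+AES", "WPA2+AES"},
               "peer_blocking": False, "dot1x": True, "wpa": True},
              {"id": 2, "security": "wpa+wpa2", "policies": {"WPA2+AES"},
               "peer_blocking": True, "dot1x": False, "wpa": True}]}
```

Running audit(SAMPLE_STATE) flags six of the eleven checks; remediation(SAMPLE_STATE) returns the matching commands, with placeholders such as <wlan-id> to be filled per controller.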