This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
RUCKUS Self Help |   ASK the Pack
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

The WLAN device can access the zone director ftp service in the pre-authentication phase under the web / captive portal

fung_kwong
New Contributor

‎03-30-2021 02:48 AM

We have a problem about the The WLAN device can access the zone director ftp service in the pre-authentication phase under the web / captive portal. Even I disable ftp anonymous but it is a concern about the port is still open and it seem no any alert or event log trigger if anyone access the ftp service.

I submit a case to the Ruckus support and the reply as the following:

The guest device are able to reach the controller before entering the guest pass / web / captive portal . Once the user gets an IP after the DHCP DORA process, the user will be able to ping the controller or FTP into the controller provided he knows the credentials before the authentication. The ACLs are applied post-authentication. Controller can create the policy, but it cannot apply the policy pre-authentication of the user.

Would you have any idea about this case? Because it is a security issue in my view.

0 Kudos
5 REPLIES 5

eizens_putnins
Valued Contributor II

‎03-30-2021 04:48 AM

WEB authentication isn't secure anyway, so design of network must be secured. One way to do it is to have 2 VLANs, one for AP management and ZD, one for clients, and create ACL on the switch or router, that only port 80 and 443 are allowed from client VLAN to ZD IP (to provide access to Guest portal). That should fix all issues. Even better -- never to use web authentication, as it is entirely insecure.

Hope it helps.

fung_kwong
New Contributor
In response to eizens_putnins

‎04-07-2021 01:15 AM

@eizens_putnins 

Thanks you eizens putnins. The guest WLAN network id is 192.168.34.0 and VLAN Tag is 34; The Controller management network is 192.168.28.0 and VLAN Tag is 36. We apply the "router on a stack" under a firewall but the issue is still existing in the pre-authentication phase. After the authentication completed, the guest device can't connect the access the management network. We review the Ruckus ICX 7150 that is layer 2 mode and not support layer 3, 4 ACL. Actually, would you know the zone director how to monitor self ftp service such as log or related control? Thanks you!

0 Kudos

syamantakomer
Community Admin
Community Admin

‎03-30-2021 11:31 AM

Hi Fung,

Are you saying that even when anonymous access is disabled, user are able to access FTP server when connected to captive portal SSID?

What is the case number?


Syamantak Omer
Sr.Staff TSE | CWNA | CCNA | RCWA | RASZA | RICXI
RUCKUS Networks, CommScope!
Follow me on LinkedIn
0 Kudos

fung_kwong
New Contributor
In response to syamantakomer

‎04-07-2021 01:22 AM

@syamantak_omer 

Thanks you for your reply. If the anonymous id disabled, we can access the login prompt stage of zone director ftp service. I try to type the default and new admin / super login and password but still fail to login it.

The case id is: 01184688

0 Kudos
Copyright © 2024 Khoros, LLC