NAT Mode - Disable access to Local Status Page?

NolanHerring
Kind of a big deal

Not sure why I've never noticed this before, but on say a guest SSID running NAT mode, you can access the 10.128.128.128 (gateway) local status page on the AP you're connected to. I would prefer a guest not be able to do that because I'm a stickler.

I can't seem to find a way to disable that, while still leaving it enabled for the other corp SSIDs. The only option is on or off under General settings.

Anyone know how to lock it down so while on guest you won't be able to access?

Nolan Herring | nolanwifi.com
11 Replies
AjitKumar
Head in the Cloud

Hi Nolan,

Not sure... Not checked too as I am traveling.

Just a thought though..

Do you think L3 Firewall Rule can help us on this?

Regards,
Ajit
AjitsNW@gmail.com
www.ajit.network
MarcP
Kind of a big deal


@AjitKumar wrote:

Hi Nolan,

Not sure... Not checked too as I am traveling.

Just a thought though..

Do you think L3 Firewall Rule can help us on this?


Tried it now, and was able to connect to local status page... Even after a L3 deny rule to 10.128.128.128

PhilipDAth
Kind of a big deal

I've never tried it - but you could try specifying a management VLAN and see if that restricts it.

https://documentation.meraki.com/MR/Monitoring_and_Reporting/Understanding_and_Configuring_Managemen...

PS. The local status page does provide some useful information about the client's actual connection that could provide some benefit for resolving an issue (such as channel, signal strength, connection protocol, connection rate, etc).

dalmiroy2k
Getting noticed

Go to "Network-wide" - "General"

MarcP
Kind of a big deal

Yeah correct, just saw it now too... If necessary... But tbh is it necessary to disable it? Who would know that IP? And what to do with this information, if you are "a normal" person.

dalmiroy2k
Getting noticed

It's a security risk to leave local pages open on corporate or public networks. You should only enable them when and if you need to troubleshoot something or if you have a home network.
BrechtSchamp
Kind of a big deal


@MarcP wrote:

Yeah correct, just saw it now too... If necessary... But tbh is it necessary to disable it? Who would know that IP? And what to do with this information, if you are "a normal" person.


It's the default gateway, so everyone would know that IP :P.

@NolanHerring have you tried @PhilipDAth's suggestion? Did that do anything?

NolanHerring
Kind of a big deal

@BrechtSchamp

I always have a dedicated VLAN for my access points so I'm assuming that his possible solution is on by default in my situation. My ports are trunked, with the SSID VLANs allowed, and the management VLAN as well. The management VLAN is the native VLAN on my trunk ports so access points reside on that VLAN. Makes no difference either way when I tested it.

Nolan Herring | nolanwifi.com
timeshimanshu
Getting noticed

Hi, why don't you change the local status page username and password, which is not possible for anyone to guess? Only a dashboard administrator can view it.

Also try to put an L3 rule in the NAT mode SSID (in my case GlobalWIFI) to block access to 10.128.128.128 and check.

NolanHerring
Kind of a big deal

@timeshimanshu

Tried that, plus I also have Deny all local LAN set. I can still reach the 10.128.128.128 (since it's the gateway).

I do have a password set so nobody can really do anything, I just prefer that on a specific SSID (like a guest one), that they can't have access to this at all. Gives them information I would prefer they don't have access to, like AP name etc.

At this point I think the only solution is to turn the feature off, and only on if I ever need to access. Oh well >.<

Nolan Herring | nolanwifi.com
timeshimanshu
Getting noticed

Yes Nolan, you can disable the local status page too. Unless a user logs in to the 10.128.128.128 page, he won't be able to guess whether it's an AP or something else, or its name. So you don't need to worry whether 10.128.128.128 is accessible or not.
