03-04-2010 04:21 AM
I'd like to be able to restrict ssh and https access to manage the controller to specific lan subnets (not wifi clients), but cannot find an option to do this. Is this possible?
03-04-2010 04:57 AM
***It is important to note that this policy will correspond to ALL traffic coming in on that physical port, so after you create rules to block traffic from where you don't want it to go, you would need to do a "any any any permit" as the last line in the policy to ensure that the controller can still accept normal traffic like from APs, return user traffic, etc; otherwise, you might have to get out the console cable to remove that policy....
Aruba Customer Engineering
Validated Reference Design Guides : http://community.arubanetworks.com/t5/Validated-Reference-Design/tkb-p/Aruba-VRDs
03-04-2010 09:45 AM
The ACL would follow the standard formats and can allow https/ssh from 'specific stations' if that is the desired outcome.
03-09-2010 08:56 AM
#define the controllers
#define the session-acl
ip access-list session no-admin-access-policy
any alias aruba-controllers svc-http deny
any alias aruba-controllers svc-aruba-http deny
any alias aruba-controllers svc-aruba-https deny
any alias aruba-controllers svc-ssh deny
#add the acl to the user-role
This should stop anyone with the role of authenticated-user from accessing the defined controllers. Then you have to go in via LAN on the network or from a different user-role.
03-11-2010 05:25 AM
However, wireless users on that controller will not hit that policy, as their traffic will be in the APs' GRE tunnel. Thus, you'll need to also protect ssh/http(s) access to the controller in each of the user-roles.
Ryan Holland, ACDX #1 ACMX #1
The Ohio State University
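As an added example (not configuration posted in this thread or supplied by Aruba), the following ArubaOS config pulls the pieces above together: the controller alias, the session ACL with the trailing "any any any permit" that the first reply warns about, the port-level application for the wired LAN side, and the per-user-role application that the last reply notes is needed because wireless traffic arrives through the AP GRE tunnels and never hits the port ACL. The controller address, the port number, the role names and the "user-role" keyword form are assumptions; older releases use "session-acl <name>" under user-role while newer ones use "access-list session <name>".

```arubaos
# Constructed controller address (placeholder, replace with your own)
netdestination aruba-controllers
  host 192.0.2.10
!
# Management subnet from which ssh/https to the controller is allowed (placeholder)
netdestination mgmt-lan
  network 192.0.2.128 255.255.255.192
!
# Session ACL: permit management from mgmt-lan, deny it from everywhere else,
# then permit everything else so APs, return traffic, etc. still pass.
ip access-list session no-admin-access-policy
  alias mgmt-lan alias aruba-controllers svc-ssh permit
  alias mgmt-lan alias aruba-controllers svc-https permit
  any alias aruba-controllers svc-ssh deny
  any alias aruba-controllers svc-http deny
  any alias aruba-controllers svc-https deny
  any alias aruba-controllers svc-aruba-http deny
  any alias aruba-controllers svc-aruba-https deny
  # Last line: without this, all other traffic on the port is dropped
  any any any permit
!
# Wired side: apply on the uplink/LAN port (port number assumed)
interface gigabitethernet 1/0
  ip access-group no-admin-access-policy session
!
# Wireless side: tunnelled user traffic is policed by the role, not the port,
# so the same ACL goes into every role that should not manage the controller.
# On older releases the line is "session-acl no-admin-access-policy".
user-role authenticated
  access-list session no-admin-access-policy
  access-list session allowall
!
user-role guest
  access-list session no-admin-access-policy
  access-list session guest
!
```

Verify with "show rights <role>" that the restrictive ACL is listed before the permissive one, since session ACLs are evaluated first match, and keep a console session open when applying the port ACL.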