AirWave and Network Management

Occasional Contributor I
Posts: 8
Registered: 10-01-2009

Restrict SSH HTTPS access to controller

Hi,

I'd like to be able to restrict ssh and https access to manage the controller to specific lan subnets (not wifi clients), but cannot find an option to do this. Is this possible?
thanks
Guru Elite
Posts: 19,974
Registered: 03-29-2007

Port ACL

You would create an IPv4 ACL (Configuration > Security > Access Control Policies). You would then apply that ACL to a physical port (Configuration > Network > Ports, select the port and apply the policy as the "Firewall Policy" in the section called "Session").

***It is important to note that this policy will correspond to ALL traffic coming in on that physical port, so after you create rules to block traffic from where you don't want it to go, you would need to do a "any any any permit" as the last line in the policy to ensure that the controller can still accept normal traffic like from APs, return user traffic, etc; otherwise, you might have to get out the console cable to remove that policy....
Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Validated Reference Design Guides : http://community.arubanetworks.com/t5/Validated-Reference-Design/tkb-p/Aruba-VRDs
Aruba
Posts: 760
Registered: 05-31-2007

Restrict SSH HTTPS access to controller

You can build an ACL and place upon the port(s) you are interested in
protecting.

The ACL would follow the standard formats and can allow https/ssh from
'specific stations' if that is the desired outcome.

Rds,

JF
Occasional Contributor II
Posts: 41
Registered: 04-03-2007

Re: Restrict SSH HTTPS access to controller

What if you created a netdestination that included all aruba controllers and then added a policy to your authenticated role. For example, I connect to the wifi, log in, and get assigned the role "user". Then user would have "no-admin-access-policy" policy on top of that.

#define the controllers
netdestination aruba-controllers
  host 192.168.200.10
  host 192.168.200.11

#define the session-acl
ip access-list session no-admin-access-policy
  any alias aruba-controllers svc-http deny
  any alias aruba-controllers svc-aruba-http deny
  any alias aruba-controllers svc-aruba-https deny
  any alias aruba-controllers svc-ssh deny

#add the acl to the user-role
user-role authenticated-user
  session-acl no-admin-access-policy
  session-acl cplogout
  session-acl allow-all

This should stop anyone with the role of authenticated-user from accessing the defined controllers. Then you have to go in via LAN on the network or from a different user-role.
MVP
Posts: 485
Registered: 04-03-2007

Do both

You need to do both aforementioned methods. You must apply a session policy on the uplink port to protect the controller. Remember to make the destination ALL ip addresses on the controller, otherwise, a hole will remain.

However, wireless users on that controller will not hit that policy, as their traffic will be in the APs' GRE tunnel. Thus, you'll need to also protect ssh/http(s) access to the controller in each of the user-roles.
==========
Ryan Holland, ACDX #1 ACMX #1
The Ohio State University
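As an added illustration of the "do both" advice above (example configuration, not posted by anyone in this thread), the two layers written out together in ArubaOS 6.x CLI syntax. Assumed values: the wired management subnet is 10.1.10.0/24, the uplink is gigabitethernet 1/0, and the controller addresses are the two hosts from JF's post; lines starting with "!" are annotations, not commands.

```text
! Destinations: every address on the controller, plus the subnet allowed to manage it
netdestination aruba-controllers
  host 192.168.200.10
  host 192.168.200.11
netdestination mgmt-subnets
  network 10.1.10.0 255.255.255.0

! Layer 1: port ACL on the wired uplink (LAN hosts only; WLAN users never hit it)
! The final "any any any permit" is what keeps APs, return traffic and
! everything else working; without it the port is effectively cut off.
ip access-list session restrict-mgmt
  alias mgmt-subnets alias aruba-controllers svc-ssh permit
  alias mgmt-subnets alias aruba-controllers svc-aruba-https permit
  any alias aruba-controllers svc-ssh deny
  any alias aruba-controllers svc-http deny
  any alias aruba-controllers svc-aruba-http deny
  any alias aruba-controllers svc-aruba-https deny
  any any any permit
interface gigabitethernet 1/0
  ip access-group restrict-mgmt session

! Layer 2: role ACL for WLAN users, whose traffic arrives inside the AP GRE tunnel
! The deny ACL must sit ahead of allow-all in the role, since session ACLs
! are evaluated in order and the first match wins.
ip access-list session no-admin-access-policy
  any alias aruba-controllers svc-ssh deny
  any alias aruba-controllers svc-http deny
  any alias aruba-controllers svc-aruba-http deny
  any alias aruba-controllers svc-aruba-https deny
user-role authenticated-user
  session-acl no-admin-access-policy
  session-acl allow-all
```

Before applying the port ACL, confirm the management subnet entry is correct from a console session, since a typo there locks the wired path out as well.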
Occasional Contributor II
Posts: 41
Registered: 04-03-2007

Re: Restrict SSH HTTPS access to controller

@ryan is right. The port acl won't affect the traffic in the GRE tunnel that includes everyone being blocked from having access ^^