11-01-2016 12:56 AM
I am having difficulties figuring out how I can modify management access for directly connected wireless clients.
VC and IAPs are in vlan5 and SSID setup is following:
SSID1. Client IP assignment -> Network Assigned and Client VLAN assignment -> Default. //IAP and client will get IP addresses from the same DHCP scope (vlan5); IAP SSID ACL is any-any allow
SSID2. Client IP assignment -> Network Assigned and Client VLAN assignment -> VLAN40 //IAP (vlan5) and client (vlan40) will get IP addresses from different IP scopes; IAP SSID ACL and the router (terminates the subnets) ACL have any-any allow rules.
I have management access to the VCs when connected to SSID1, but not when connected to SSID2. I did a packet capture and saw that when connected to SSID2, the ssh/https packets are correctly sent to the router via vlan40 and the router is correctly routing these packets to vlan5 and the IAP, but the IAP is not responding to them. If I do an icmp ping, then the IAP is responding...
Did not find any option to allow this access. Is this by design, or do I have an option to allow this traffic?
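The symptom above is "ping answers, ssh/https do not", so the useful thing to establish from the wireless client is whether the management ports are being silently dropped (no reply at all) or actively refused (TCP RST). The probe below does that from the client side; it is an added example, not code from the thread or from Aruba, and it assumes the management ports are 22 and 443 as mentioned in the post. The VC address is a placeholder. ICMP is left to the ordinary `ping` tool because raw sockets need root. The two local helpers at the end exist only so the probe can be demonstrated offline against a listener on 127.0.0.1.

```python
import errno
import socket

# Management ports the thread is about: ssh and https on the Virtual Controller.
MANAGEMENT_PORTS = (22, 443)


def probe_tcp(host, port, timeout=2.0):
    """Classify one TCP port from the client's point of view.

    Returns:
      'open'        three-way handshake completed
      'refused'     the host answered with RST (port closed, host reachable)
      'filtered'    no answer within `timeout` (dropped on the path or by the host)
      'unreachable' the local stack has no route / ICMP unreachable came back
      'error'       any other socket error
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"
    except socket.timeout:
        return "filtered"
    except ConnectionRefusedError:
        return "refused"
    except OSError as e:
        if e.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
            return "unreachable"
        return "error"
    finally:
        s.close()


def probe_management(host, ports=MANAGEMENT_PORTS, timeout=2.0):
    """Probe every management port and return {port: verdict}."""
    return {p: probe_tcp(host, p, timeout) for p in ports}


def verdict_summary(results):
    """One-line interpretation of probe_management() output.

    'filtered' everywhere matches the thread's capture: SYNs arrive at the
    IAP but nothing comes back, which points at a host-side policy rather
    than an ACL that would normally send a RST or ICMP unreachable.
    """
    states = set(results.values())
    if states == {"open"}:
        return "management reachable"
    if states == {"filtered"}:
        return "all management ports silently dropped"
    if "refused" in states:
        return "host reachable but port closed (RST seen)"
    return "mixed: " + ", ".join(f"{p}={v}" for p, v in sorted(results.items()))


# --- offline fixtures (not part of the diagnostic itself) -------------------

def open_local_listener():
    """Return (socket, port) for a listening socket on an ephemeral loopback port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv, srv.getsockname()[1]


def free_local_port():
    """Pick an ephemeral loopback port and release it, so a probe gets RST."""
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind(("127.0.0.1", 0))
    port = tmp.getsockname()[1]
    tmp.close()
    return port


if __name__ == "__main__":
    # Replace with the VC's address when running from the wireless client.
    vc = "192.0.2.10"  # placeholder, TEST-NET-1
    results = probe_management(vc)
    print(results, "->", verdict_summary(results))
```

Run it once from SSID1 and once from SSID2 (and once from the wired VLAN 40 port the poster used as a control); the interesting comparison is the verdict, not the individual ports. A `filtered` result from SSID2 alongside `open` from the wired VLAN 40 client confirms the drop is specific to the wireless path, which is what the capture in the post already suggests.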
11-01-2016 01:53 AM
Do you have the native vlan configured on the switch ports for the IAP?
Might also be worth seeing if you have any Management Subnet restrictions on the IAP (Security -> Inbound Firewall -> Management and Corporate access configuration).
11-01-2016 02:01 AM
I have the native vlan configured:
- in the same direction, ping is working
- if I connect directly by cable to the router on vlan 40 (SSID2), then I also have access to the IAP
No management subnet restrictions have been configured; they are as they come in the default setup (allow all).
11-01-2016 02:12 AM
Thanks, it is odd that https isn't working yet ping is. I would've suggested it could be due to the cert being revoked based on the latest round of security issues. Do you see anything in the datapath session when you attempt to connect? Would you mind sharing the configuration as well?
11-01-2016 06:26 AM - edited 11-01-2016 06:27 AM
Thank you for answers.
If I connect a laptop with a cable to the same VLAN, then I can get access to the IAP. So I do not think it is related to the certificate; it is rather related to the client being wirelessly connected to the IAP.
Added cleaned configuration.