
Can I enable and restrict Telnet access to a campus or remote AP?

Aruba Employee

Product and Software: This article applies to all Aruba controllers and ArubaOS versions. 

Telnet is disabled on APs by default and there is usually no need to enable it. Enable it only when instructed to by engineering or for advanced troubleshooting, and disable it again once the troubleshooting is complete.

Enabling Telnet to the AP

Enable Telnet in the AP system profile that is applied to the ap-group:

ap system-profile <profile>
telnet

This enables Telnet access to both campus APs and RAPs.

Restricting Telnet Access to a Certain Subnet

To restrict Telnet access to a certain subnet, there must be a firewall between the AP and the controller. The controller itself provides this firewall in two cases:

•     Campus AP connected to an untrusted port on the controller
•     Remote AP (RAP)

In both cases, when the AP communicates with the controller it is assigned the system role “ap-role”. The default rights of ap-role are shown below; none of its rules permits svc-telnet, so Telnet to the AP is denied:

#show rights ap-role

Derived Role = 'ap-role'
Up BW:No Limit   Down BW:No Limit  
L2TP Pool = default-l2tp-pool
PPTP Pool = default-pptp-pool
Periodic reauthentication: Disabled
ACL Number = 4/0
Max Sessions = 65535


access-list List
----------------
Position  Name     Location
--------  ----     --------
1         control  
2         ap-acl   

control
-------
Priority  Source  Destination  Service       Action  TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan
--------  ------  -----------  -------       ------  ---------  ---  -------  -----  ---  -----  ---------  ------  -------
1         user    any          udp 68        deny                             Low                                    
2         any     any          svc-icmp      permit                           Low                                    
3         any     any          svc-dns       permit                           Low                                    
4         any     any          svc-papi      permit                           Low                                    
5         any     any          svc-cfgm-tcp  permit                           Low                                    
6         any     any          svc-adp       permit                           Low                                    
7         any     any          svc-tftp      permit                           Low                                    
8         any     any          svc-dhcp      permit                           Low                                    

ap-acl
------
Priority  Source  Destination  Service        Action  TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan
--------  ------  -----------  -------        ------  ---------  ---  -------  -----  ---  -----  ---------  ------  -------
1         any     any          svc-gre        permit                           Low                                    
2         any     any          svc-syslog     permit                           Low                                    
3         any     user         svc-snmp       permit                           Low                                    
4         user    any          svc-snmp-trap  permit                           Low                                    
5         user    any          svc-ntp        permit                           Low                                    

To permit Telnet from a specific subnet, add a new firewall policy (modifying the existing policies is possible but not recommended) and place it before the “control” policy in the role:

!
ip access-list session permit-telnet
network <network> <mask> any svc-telnet permit
!
user-role ap-role
session-acl permit-telnet position 1
!
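To verify the result of this change (or to audit the default state shown above), the following script is an added example; it is not part of this article or of ArubaOS. It parses the ACL tables that `show rights ap-role` prints, walks the policies in evaluation order and reports whether Telnet to the AP is denied, limited to one subnet, or open to any source. The sample dumps are constructed: the first is an excerpt of the default output above, the second adds a hypothetical permit-telnet policy for a 10.1.1.0/24 management subnet as <network> <mask>, and the third is the same policy written with a source of any, which the check flags.

```python
"""Audit ArubaOS `show rights <role>` output for Telnet exposure. Added example, not part
of the KB article or of ArubaOS: parses the ACL tables the controller prints and reports
whether Telnet to the AP is denied, limited to a subnet, or open to any source."""
import ipaddress
import re

TELNET_SERVICES = {"svc-telnet", "tcp 23"}   # a Service of "any" also carries Telnet

# Excerpt of the default ap-role dump from the article (trailing columns trimmed).
DEFAULT_RIGHTS = """\
access-list List
----------------
Position  Name     Location
--------  ----     --------
1         control
2         ap-acl

control
-------
Priority  Source  Destination  Service   Action  Queue
--------  ------  -----------  -------   ------  -----
1         user    any          udp 68    deny    Low
2         any     any          svc-papi  permit  Low

ap-acl
------
Priority  Source  Destination  Service   Action  Queue
--------  ------  -----------  -------   ------  -----
1         any     user         svc-snmp  permit  Low
"""

# Constructed: the same role after permit-telnet is added at position 1, using a
# hypothetical 10.1.1.0/24 management subnet as <network> <mask>.
RESTRICTED_RIGHTS = """\
access-list List
----------------
Position  Name           Location
--------  ----           --------
1         permit-telnet
2         control
3         ap-acl

permit-telnet
-------------
Priority  Source                  Destination  Service     Action  Queue
--------  ------                  -----------  -------     ------  -----
1         10.1.1.0 255.255.255.0  any          svc-telnet  permit  Low

""" + DEFAULT_RIGHTS[DEFAULT_RIGHTS.index("control\n-------"):]

# Constructed weak variant: the same policy written with a source of "any".
OPEN_RIGHTS = RESTRICTED_RIGHTS.replace("10.1.1.0 255.255.255.0", "any" + " " * 19)


def parse_rights(text):
    """Return (acl_order, {acl_name: [rule, ...]}) from `show rights` output."""
    lines, acl_order, acls, title, i = text.splitlines(), [], {}, None, 0
    while i < len(lines):
        s = lines[i].strip()
        if i == 0 or not s or set(s) - {"-", " "}:   # not a dashed underline
            i += 1
            continue
        if len(s.split()) == 1:                        # one dash group: table title above
            title, i = lines[i - 1].strip(), i + 1
            continue
        # Several dash groups: column header above. Only the first five columns
        # (Priority, Source, Destination, Service, Action) are always populated and
        # recoverable by splitting on 2+ spaces; sparse trailing columns are dropped.
        columns = re.split(r"\s{2,}", lines[i - 1].strip())[:5]
        rows, i = [], i + 1
        while i < len(lines) and lines[i].strip():     # rows run until a blank line
            rows.append(dict(zip(columns, re.split(r"\s{2,}", lines[i].strip()))))
            i += 1
        if title == "access-list List":
            acl_order = [r["Name"] for r in rows]      # policies in evaluation order
        elif title:
            acls[title] = rows
        title = None
    return acl_order, acls


def source_network(source):
    """'A.B.C.D M.M.M.M' -> IPv4Network; None for any, user or a netdestination alias."""
    m = re.fullmatch(r"(\d+\.\d+\.\d+\.\d+) (\d+\.\d+\.\d+\.\d+)", source)
    return ipaddress.IPv4Network(f"{m.group(1)}/{m.group(2)}", strict=False) if m else None


def telnet_rule(text):
    """First rule, in policy then priority order, that decides Telnet to the AP."""
    acl_order, acls = parse_rights(text)
    for name in acl_order:
        for rule in acls.get(name, []):
            service_hit = rule["Service"] in TELNET_SERVICES or rule["Service"] == "any"
            to_ap = rule["Destination"] in ("any", "user")   # the AP is "user" in ap-role
            if service_hit and to_ap:
                return name, rule
    return None, None                                  # no match: implicit deny applies


def summarize(text):
    """One-line verdict suitable for a compliance report."""
    name, rule = telnet_rule(text)
    if rule is None or rule["Action"] != "permit":
        return "Telnet denied"
    net = source_network(rule["Source"])
    where = f"only from {net}" if net else f"from source '{rule['Source']}'"
    return f"Telnet permitted {where} (ACL {name})"
```

Paste the real `show rights ap-role` output into `summarize()` after applying the policy: anything other than "Telnet permitted only from <your subnet>" means the new policy is not ahead of "control" or its source is not the intended network. The AP itself appears as "user" in this role, which is why the destination check accepts both "any" and "user".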

RFE1172 has been filed to cover Telnet restriction on a regular AP: on such an AP, Telnet can only be turned on or off completely, and there is no way to restrict it with a firewall policy.

Version history
Revision #: 1 of 1
Last update: 07-09-2014 03:05 PM