Product and Software: This article applies to all Aruba controllers and ArubaOS versions.
Telnet is disabled for APs by default and usually there is no need to enable it. Enable Telnet only if instructed to do so by engineering or to do advanced troubleshooting. Make sure to disable Telnet after the required troubleshooting is complete.
Enabling Telnet to the AP
Enable Telnet in the ap-system-profile of the ap-group.
ap system-profile <profile>
telnet
This command enables Telnet access on both normal (campus) APs and RAPs.
Restricting Telnet Access to a Certain Subnet
To restrict Telnet access to a certain subnet, you need a firewall between the AP and the controller. The controller provides this in two ways:
• A campus AP connected to an untrusted port on the controller.
• A Remote AP (RAP).
In both cases, when the AP communicates with the controller, it is assigned the system role called “ap-role”. The privileges of the default ap-role are shown here; note that Telnet is denied in the default ap-role:
#show rights ap-role
Derived Role = 'ap-role'
Up BW:No Limit Down BW:No Limit
L2TP Pool = default-l2tp-pool
PPTP Pool = default-pptp-pool
Periodic reauthentication: Disabled
ACL Number = 4/0
Max Sessions = 65535
access-list List
----------------
Position Name Location
-------- ---- --------
1 control
2 ap-acl
control
-------
Priority Source Destination Service Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan
-------- ------ ----------- ------- ------ --------- --- ------- ----- --- ----- --------- ------ -------
1 user any udp 68 deny Low
2 any any svc-icmp permit Low
3 any any svc-dns permit Low
4 any any svc-papi permit Low
5 any any svc-cfgm-tcp permit Low
6 any any svc-adp permit Low
7 any any svc-tftp permit Low
8 any any svc-dhcp permit Low
ap-acl
------
Priority Source Destination Service Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan
-------- ------ ----------- ------- ------ --------- --- ------- ----- --- ----- --------- ------ -------
1 any any svc-gre permit Low
2 any any svc-syslog permit Low
3 any user svc-snmp permit Low
4 user any svc-snmp-trap permit Low
5 user any svc-ntp permit Low
To enable Telnet from a certain subnet, add a firewall policy (or modify an existing policy, although this is not recommended) and place it before the “control” firewall policy:
!
ip access-list session permit-telnet
network <network> <mask> any svc-telnet permit
!
user-role ap-role
session-acl permit-telnet position 1
!
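To check what the resulting ap-role actually allows, the following added example (not Aruba code) models the role as an ordered list of session ACLs evaluated first-match with an implicit deny at the end, and compares the default ap-role against one with permit-telnet at position 1. The AP address, the management subnet and the Telnet client addresses are constructed, and the real ArubaOS matching logic (destination matching, stateful sessions) is simplified to source and service only.

```python
# Added example, not Aruba's code: simplified first-match evaluation of an
# ArubaOS-style user-role built from ordered session ACLs.
# Assumptions: first matching rule wins; no match means deny (implicit deny).
import ipaddress

AP_IP = ipaddress.ip_address("10.1.1.5")  # constructed: the AP holding the role

def match_src(src, pkt_src):
    """src is 'any', 'user' (the AP itself) or an ipaddress network object."""
    if src == "any":
        return True
    if src == "user":
        return pkt_src == AP_IP
    return pkt_src in src

def evaluate(role_acls, src_ip, service):
    """Walk the role's ACLs in position order; return (action, acl, rule_no)."""
    pkt_src = ipaddress.ip_address(src_ip)
    for acl_name, rules in role_acls:
        for n, (src, svc, action) in enumerate(rules, 1):
            if match_src(src, pkt_src) and svc in ("any", service):
                return action, acl_name, n
    return "deny", "<implicit>", 0

# Default ap-role from the article, reduced to (source, service, action);
# the destination column is dropped because the Telnet rule uses 'any'.
CONTROL = [("user", "udp 68", "deny"), ("any", "svc-icmp", "permit"),
           ("any", "svc-dns", "permit"), ("any", "svc-papi", "permit"),
           ("any", "svc-cfgm-tcp", "permit"), ("any", "svc-adp", "permit"),
           ("any", "svc-tftp", "permit"), ("any", "svc-dhcp", "permit")]
AP_ACL = [("any", "svc-gre", "permit"), ("any", "svc-syslog", "permit"),
          ("any", "svc-snmp", "permit"), ("user", "svc-snmp-trap", "permit"),
          ("user", "svc-ntp", "permit")]
DEFAULT_AP_ROLE = [("control", CONTROL), ("ap-acl", AP_ACL)]

def ap_role_with_telnet(network):
    """ap-role after 'session-acl permit-telnet position 1' for one subnet."""
    permit_telnet = [(ipaddress.ip_network(network), "svc-telnet", "permit")]
    return [("permit-telnet", permit_telnet)] + DEFAULT_AP_ROLE

def telnet_allowed(role_acls, client_ip):
    """True if a Telnet client at client_ip is permitted by the role."""
    return evaluate(role_acls, client_ip, "svc-telnet")[0] == "permit"

if __name__ == "__main__":
    role = ap_role_with_telnet("10.1.1.0/24")  # constructed management subnet
    for ip in ("10.1.1.20", "172.16.0.9"):      # constructed Telnet clients
        print(ip, "default:", telnet_allowed(DEFAULT_AP_ROLE, ip),
              "restricted:", telnet_allowed(role, ip))
```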
RFE1172 has been filed for Telnet restriction on a regular AP: on a regular AP, Telnet can only be turned on or off completely, and there is no way to restrict it with the firewall policy.