
How do I restrict access to the controller management interface? 

Jul 03, 2014 04:23 PM

Question:  How do I restrict access to the controller management interface?

 

Product and Software: This article applies to all Aruba controllers and ArubaOS 3.1 and later.

 

Aruba provides multiple methods to manage the controller:

  • Web management interface using an HTTPS connection on TCP port 4343.
  • Command line interface using SSH connection on TCP port 22.
  • Command line interface using Telnet connection on TCP port 23. This method is disabled by default.

 

To restrict access to the management interface, create an access control list that denies access to the ports listed above.

 

The following example illustrates the steps to deny users on "student-net" access to the controller's web-based management interface.

 

Step 1: Create the service definition for TCP port 4343. SSH and Telnet services are defined in the configuration by default.

 

Example:

netservice c-svc-mgmt-https tcp 4343

 

Step 2: Create the source subnets.

 

Example:

netdestination student-net
network 10.168.120.0 255.255.248.0
network 10.168.109.64 255.255.255.192

 

Step 3: Create the list of controller IP addresses.

 

Example:

netdestination controller-ips
host 30.30.30.1
host 10.168.109.70

 

Step 4: Create the session-based IP access list.

 

Example:

ip access-list session mgmt-access-control
alias student-net alias controller-ips c-svc-mgmt-https deny log

 

Step 5: Assign the session-based IP access list at the top of the user role, ahead of allowall.

 

Example:

user-role m-role
session-acl mgmt-access-control
session-acl allowall
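
The following is an added example, not part of the original article or Aruba's code: a small Python model that replays the objects from Steps 1 to 5 and reports which management services a student-net client is still permitted to reach. It assumes a simplified evaluation model (ACLs checked in role order, first matching rule wins, deny if nothing matches); the client address 10.168.121.5 and the names `evaluate`, `exposed_mgmt`, `M_ROLE` and `MGMT_PORTS` are constructed for illustration.

```python
import ipaddress

# Objects copied from Steps 1-5 of the article.
NETSERVICE = {"c-svc-mgmt-https": ("tcp", 4343)}
NETDEST = {
    "student-net": ["10.168.120.0/255.255.248.0", "10.168.109.64/255.255.255.192"],
    "controller-ips": ["30.30.30.1/32", "10.168.109.70/32"],
}
# Each rule: (source alias, destination alias, service, action).
ACLS = {
    "mgmt-access-control": [("student-net", "controller-ips", "c-svc-mgmt-https", "deny")],
    "allowall": [("any", "any", "any", "permit")],
}
M_ROLE = ["mgmt-access-control", "allowall"]  # session-acl order in user-role m-role
MGMT_PORTS = {"https": 4343, "ssh": 22, "telnet": 23}  # ports listed in the article


def in_alias(ip, alias):
    """True if ip falls inside any network/host entry of the netdestination."""
    if alias == "any":
        return True
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n) for n in NETDEST[alias])


def evaluate(role_acls, src, dst, proto, port):
    """Assumed model: ACLs in role order, first matching rule wins, else deny."""
    for name in role_acls:
        for s_alias, d_alias, svc, action in ACLS[name]:
            svc_ok = svc == "any" or NETSERVICE[svc] == (proto, port)
            if svc_ok and in_alias(src, s_alias) and in_alias(dst, d_alias):
                return action, name
    return "deny", "implicit"


def exposed_mgmt(role_acls, src):
    """Management services on any controller IP that src is still permitted to reach."""
    found = set()
    for entry in NETDEST["controller-ips"]:
        dst = entry.split("/")[0]
        for svc, port in MGMT_PORTS.items():
            if evaluate(role_acls, src, dst, "tcp", port)[0] == "permit":
                found.add(svc)
    return sorted(found)


if __name__ == "__main__":
    client = "10.168.121.5"  # constructed sample address inside student-net
    print(evaluate(M_ROLE, client, "30.30.30.1", "tcp", 4343))
    print("still permitted by policy:", exposed_mgmt(M_ROLE, client))
```

In this model the ACL as written denies only TCP 4343, so SSH and Telnet from student-net still fall through to allowall; covering them requires equivalent deny rules for those services in mgmt-access-control.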

 
