
How do I restrict access to the controller management interface?

by on ‎07-03-2014 01:23 PM

Question:  How do I restrict access to the controller management interface?

 

Product and Software: This article applies to all Aruba controllers and ArubaOS 3.1 and later.

 

Aruba provides multiple methods to manage the controller:

  • Web management interface using an HTTPS connection on TCP port 4343.
  • Command line interface using SSH connection on TCP port 22.
  • Command line interface using Telnet connection on TCP port 23. This method is disabled by default.

 

To restrict access to the management interface, create an access control list that denies access on the ports listed above.

 

The following example illustrates the steps to deny user access from "student-net" to the controller's web-based interface.

 

Step 1: Create the service definition for TCP port 4343. SSH and Telnet services are defined in the configuration by default.

 

Example:

netservice c-svc-mgmt-https tcp 4343

 

Step 2: Create the source subnets.

 

Example:

netdestination student-net
network 10.168.120.0 255.255.248.0
network 10.168.109.64 255.255.255.192

 

Step 3: Create the list of controller IP addresses.

 

Example:

netdestination controller-ips
host 30.30.30.1
host 10.168.109.70

 

Step 4: Create the session-based IP access list.

 

Example:

ip access-list session mgmt-access-control
alias student-net alias controller-ips c-svc-mgmt-https deny log

 

Step 5: Assign the session-based IP access list to the top of the user role.

 

Example:

user-role m-role
session-acl mgmt-access-control
session-acl allowall
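
The following check is an added example, not part of the original article and not Aruba code. It models the role from Steps 1 to 5 as a simplified first-match rule list to show why the ACL must sit above allowall and which management ports the single rule leaves permitted. The function names, the implicit-deny fallback and the sample client addresses are assumptions made for the illustration.

```python
import ipaddress

# Subnets, hosts and the port from the article's Steps 1-3.
STUDENT_NET = [ipaddress.ip_network(n) for n in
               ("10.168.120.0/255.255.248.0", "10.168.109.64/255.255.255.192")]
CONTROLLER_IPS = [ipaddress.ip_network(h) for h in ("30.30.30.1/32", "10.168.109.70/32")]
ANY = [ipaddress.ip_network("0.0.0.0/0")]
MGMT_PORTS = {"https-4343": 4343, "ssh": 22, "telnet": 23}

# Rule = (sources, destinations, TCP port or None for any, action).
MGMT_ACCESS_CONTROL = [(STUDENT_NET, CONTROLLER_IPS, 4343, "deny")]
ALLOWALL = [(ANY, ANY, None, "permit")]
PAGE_ROLE = [MGMT_ACCESS_CONTROL, ALLOWALL]      # order from Step 5
REVERSED_ROLE = [ALLOWALL, MGMT_ACCESS_CONTROL]  # misordered, for comparison


def evaluate(role_acls, src, dst, port):
    """Return the action of the first matching rule, walking ACLs in role order."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for acl in role_acls:
        for sources, dests, rule_port, action in acl:
            if (any(src in n for n in sources)
                    and any(dst in n for n in dests)
                    and rule_port in (None, port)):
                return action
    return "deny"  # assumption: nothing matched, so traffic is dropped


def permitted_mgmt_ports(role_acls, src, dst):
    """Names of management services the role still permits from src to dst."""
    return sorted(name for name, port in MGMT_PORTS.items()
                  if evaluate(role_acls, src, dst, port) == "permit")


if __name__ == "__main__":
    # Constructed sample clients: two inside student-net, one outside it.
    for client in ("10.168.121.15", "10.168.109.100", "192.0.2.10"):
        for ctrl in ("30.30.30.1", "10.168.109.70"):
            print(client, "->", ctrl,
                  "page order:", permitted_mgmt_ports(PAGE_ROLE, client, ctrl),
                  "| reversed:", permitted_mgmt_ports(REVERSED_ROLE, client, ctrl))
```

With the rule from Step 4 alone, SSH and Telnet from student-net are still permitted by the role. Covering them means adding matching deny rules for the default SSH and Telnet service definitions mentioned in Step 1.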

 
