Controllerless Networks


Instant Mode - the controllerless Wi-Fi solution that's easy to set up, is loaded with security and smarts, and won't break your budget

Management access over wireless- Instant

  • 1.  Management access over wireless- Instant

    Posted Nov 01, 2016 03:57 AM

    Hello

     

    I am having difficulties figuring out how I can modify management access for directly connected wireless clients.

     

    VC and IAPs are in vlan5 and SSID setup is following:
    SSID1. Client IP assignment -> Network Assigned and Client VLAN assignment -> Default.  //IAP and client will get IP address from same DHCP scope(vlan5), IAP SSID ACL is any-any allow


    SSID2. Client IP assignment -> Network Assigned and Client VLAN assignment -> VLAN40 //IAP(vlan5) and client(vlan40) will get IP addresses from different IP scopes, IAP SSID ACL and router(terminates the subnets) ACL has any-any allow rules.

     

    I have management access to VC-s when connected to SSID1, but not when connected to SSID2. I did a packet capture and saw that when connected to SSID2, ssh/https packets are correctly sent to router via vlan40 and router is correctly routing these packets to vlan5 and IAP, but IAP is not responding to them. If I do icmp ping, then IAP is responding...

     

    Did not find any option to allow this access, is this by feature or do I have option to allow this traffic?

     

    Thank you!



  • 2.  RE: Management access over wireless- Instant

    MVP EXPERT
    Posted Nov 01, 2016 04:54 AM

    Do you have the native vlan configured on the switch ports for the IAP?

    Might also be worth seeing if you have any Management Subnet restrictions on the IAP (Security -> Inbound Firewall -> Management and Corporate access configuration)



  • 3.  RE: Management access over wireless- Instant

    Posted Nov 01, 2016 05:02 AM

    I have native vlan configured:

    - in same direction ping is working

    - If I connect myself directly with cable to router and vlan 40(SSID2), then I also have access to IAP

     

    No management subnet restrictions have been configured, they are as it comes in default setup(allow all).



  • 4.  RE: Management access over wireless- Instant

    MVP EXPERT
    Posted Nov 01, 2016 05:12 AM

    Thanks, it is odd that https isn't working yet ping is. I would've suggested it could be due to the cert being revoked based on the latest round of security issues. Do you see anything in the datapath session when you attempt to connect? Would you mind sharing the configuration as well?

     

     



  • 5.  RE: Management access over wireless- Instant

    Posted Nov 01, 2016 09:26 AM

    Thank you for answers.

    If I connect laptop with cable to the same VLAN, then I can get access to IAP. So I do not think it is related to certificate, it is rather related to client being wirelessly connected to IAP.

    Added cleaned configuration.

     
