
What are AMP Whitelists on AirWave?

Environment: This feature was introduced in the 7.7.3 release of AirWave.

 

AirWave 7.7.3 introduced support for AMP whitelists. On the AMP Setup > Authentication page, you can now include
a list of subnets that are able to log in to AMP. If this option is enabled, then by default, the current client network will
appear as the first entry in the list of subnets. Additional entries can be added, one per line, in the text entry box.

 


 

 

This feature provides additional security for the AirWave server. When we provision IAPs on AirWave over the internet, we have to allow HTTPS access to AirWave's IP address, so anyone can reach the AirWave login page on port 443 over the internet.

Once this feature is enabled, only the IPs/subnets listed in the whitelist will be able to access the AirWave GUI.

NOTE: Just enabling this option auto-populates the list with your machine's IP address (x.x.x.x/32). If we do not change it before saving, GUI access will be blocked from all IPs except that one.
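
A pre-save check for the lockout described in the note above, as an added example (not AirWave code): it parses a whitelist in the one-subnet-per-line CIDR form shown here and reports which required admin source addresses would lose GUI access. The function name, the sample addresses and the list of admin IPs are assumptions made for illustration.

```python
import ipaddress


def check_whitelist(text, must_reach):
    """Validate a one-subnet-per-line whitelist before saving it.

    text       -- contents of the whitelist box (one CIDR entry per line)
    must_reach -- source IPs that must keep GUI access (assumed input)
    """
    networks, invalid = [], []
    for raw in text.splitlines():
        entry = raw.strip()
        if not entry:
            continue
        try:
            # strict=False tolerates host bits, e.g. 10.20.25.41/24
            networks.append(ipaddress.ip_network(entry, strict=False))
        except ValueError:
            invalid.append(entry)

    # An address is locked out when no parsed subnet contains it
    locked_out = [
        ip for ip in must_reach
        if not any(ipaddress.ip_address(ip) in net for net in networks)
    ]

    return {
        "networks": [str(n) for n in networks],
        "invalid": invalid,
        "locked_out": locked_out,
        # True when the list is still just the auto-populated single host
        "single_host_only": len(networks) == 1 and networks[0].num_addresses == 1,
        # A /0 entry allows every address and defeats the whitelist
        "allow_all": [str(n) for n in networks if n.prefixlen == 0],
    }


if __name__ == "__main__":
    # Constructed sample: the auto-populated /32 saved unchanged
    default_only = "10.20.25.41/32\n"
    # Constructed sample: admin subnets added, plus one mistyped prefix
    edited = "10.20.25.41/32\n10.20.0.0/16\n192.168.50.0/24\n10.30.1.0/33\n"
    admins = ["10.20.25.41", "10.20.40.7", "192.168.50.12"]
    for name, text in (("default", default_only), ("edited", edited)):
        print(name, check_whitelist(text, admins))
```

Any address reported under `locked_out`, or a `single_host_only` result, means the list should be corrected before it is saved.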

Version History
Revision #: 1 of 1
Last update: 06-27-2014 03:15 PM
Comments
jerlev

It would prevent support calls to show how to reset this via SSH.  I have locked myself out twice now and I cannot find resolution online.  :(   Not sure how I copied the configuration from one AMP device and pasted into another and locked myself out.  lol

Enabling "Whitelist" adds a flag in the database which blocks other IP sources from accessing Airwave. We can run the below command from the CLI of Airwave to verify the same.

 

 

[root@localhost mercury]# dbc " select ip_address_whitelist ,ip_address_whitelist_enable from seas_config;"


ip_address_whitelist | ip_address_whitelist_enable
----------------------+-----------------------------
10.20.25.41/32 | 1
(1 row)

 

where "ip_address_whitelist" is the IP from which access is allowed and "ip_address_whitelist_enable" is the flag. "1" means it's enabled while "0" means it's disabled.

 

If we have accidentally enabled Whitelist, we would need to do the below.

 

SSH to AMP and run the below commands.

 

1: Disable Whitelist flag from DB.

 

[root@localhost mercury]# dbc "update seas_config set ip_address_whitelist_enable = 0;"

 

2: Recompile the code.

 

[root@localhost mercury]# screen

[root@localhost mercury]# root

[root@localhost mercury]# make

 

The last command will bring down the AMP services for a couple of minutes; once it completes execution, it would again take a bit for the service to come online before one could log in to the WebUI.

 

NOTE: As you stated in your response above that the issue was seen after restoring the backup on a new server, it might be a different issue, and we recommend involving the Aruba support team to assist.

 

Regards,

Quamruz Subhani

Aruba Networks.

 

 

 
