Wireless Access

last person joined: yesterday 

Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.
Back to discussions
Expand all | Collapse all

620: Accessing WebUI or ssh from WLAN

This thread has been viewed 4 times

  • 1.  620: Accessing WebUI or ssh from WLAN

    Posted Feb 08, 2014 01:23 PM

    Hey all, you guys have been great so far - really appreciate it! My next issue is that I can't access 172.16.0.254 from WLAN that's on the same VLAN as some wired ports.

     

    For example, if I plug in directly to the 620 with ethernet and get 10.1.100.3, I can ssh and access the WebUI.

     

    But if I connect to the WLAN, which is on the same VLAN as the ethernet\, and I get 10.1.100.101, I can't get to ssh or WebUI.

     

    Any ideas? I'm thinking it is a setting in my WLAN:

     

    ap-group.jpg

     

    Thanks all!



  • 2.  RE: 620: Accessing WebUI or ssh from WLAN

    EMPLOYEE
    Posted Feb 08, 2014 01:27 PM

    First find out what role your wireless device is getting:

         show user-table | include <mac-addr>

     

    Then run the following to see if you are blocking access in that user role:

         show rights <user-role-name>



  • 3.  RE: 620: Accessing WebUI or ssh from WLAN

    Posted Feb 08, 2014 01:44 PM
    @cappalli wrote:

    First find out what role your wireless device is getting:

         show user-table | include <mac-addr>

     

    Then run the following to see if you are blocking access in that user role:

         show rights <user-role-name>


    Good idea Tim!

     

    Here is what I got:

     

    (Cocoa-620) #show user-table

    Users
    -----
        IP            MAC            Name     Role      Age(d:h:m)  Auth  VPN link  AP name         Roaming   Essid/Bssid/Phy                     Profile               Forward mode  Type
    ----------   ------------       ------    ----      ----------  ----  --------  -------         -------   ---------------                     -------               ------------  ----
    10.1.100.29  00:25:00:48:6a:df            logon     00:00:00                    cocoa-internal  Wireless  Cocoa-Admin/d8:c7:c8:16:f9:88/a-HT  Cocoa-Admin-aaa_prof  tunnel        

    User Entries: 1/1

    (Cocoa-620) #show rights logon

    Derived Role = 'logon'
     Up BW:No Limit   Down BW:No Limit  
     L2TP Pool = default-l2tp-pool
     PPTP Pool = default-pptp-pool
     Periodic reauthentication: Disabled
     ACL Number = 1/0
     Max Sessions = 65535


    access-list List
    ----------------
    Position  Name              Location
    --------  ----              --------
    1         ra-guard          
    2         logon-control     
    3         captiveportal     
    4         vpnlogon          
    5         v6-logon-control  
    6         captiveportal6    

    ra-guard
    --------
    Priority  Source  Destination  Service           Action  TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6
    --------  ------  -----------  -------           ------  ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------
    1         user    any          icmpv6 rtr-adv    deny                             Low                                                           6
    logon-control
    -------------
    Priority  Source  Destination              Service   Action  TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6
    --------  ------  -----------              -------   ------  ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------
    1         user    any                      udp 68    deny                             Low                                                           4
    2         any     any                      svc-icmp  permit                           Low                                                           4
    3         any     any                      svc-dns   permit                           Low                                                           4
    4         any     any                      svc-dhcp  permit                           Low                                                           4
    5         any     any                      svc-natt  permit                           Low                                                           4
    6         any     169.254.0.0 255.255.0.0  any       deny                             Low                                                           4
    captiveportal
    -------------
    Priority  Source  Destination  Service          Action        TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6
    --------  ------  -----------  -------          ------        ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------
    1         user    controller   svc-https        dst-nat 8081                           Low                                                           4
    2         user    any          svc-http         dst-nat 8080                           Low                                                           4
    3         user    any          svc-https        dst-nat 8081                           Low                                                           4
    4         user    any          svc-http-proxy1  dst-nat 8088                           Low                                                           4
    5         user    any          svc-http-proxy2  dst-nat 8088                           Low                                                           4
    6         user    any          svc-http-proxy3  dst-nat 8088                           Low                                                           4
    vpnlogon
    --------
    Priority  Source  Destination  Service   Action  TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6
    --------  ------  -----------  -------   ------  ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------
    1         user    any          svc-ike   permit                           Low                                                           4
    2         user    any          svc-esp   permit                           Low                                                           4
    3         any     any          svc-l2tp  permit                           Low                                                           4
    4         any     any          svc-pptp  permit                           Low                                                           4
    5         any     any          svc-gre   permit                           Low                                                           4
    v6-logon-control
    ----------------
    Priority  Source  Destination          Service      Action  TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6
    --------  ------  -----------          -------      ------  ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------
    1         user    any                  udp 68       deny                             Low                                                           6
    2         any     any                  svc-v6-icmp  permit                           Low                                                           6
    3         any     any                  svc-v6-dhcp  permit                           Low                                                           6
    4         any     any                  svc-dns      permit                           Low                                                           6
    5         any     fc00::/7             any          permit                           Low                                                           6
    6         any     fe80::/64            any          permit                           Low                                                           6
    7         any     ipv6-reserved-range  any          deny                             Low                                                           6
    captiveportal6
    --------------
    Priority  Source  Destination  Service          Action   TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6
    --------  ------  -----------  -------          ------   ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------
    1         user    controller6  svc-https        captive                           Low                                                           6
    2         user    any          svc-http         captive                           Low                                                           6
    3         user    any          svc-https        captive                           Low                                                           6
    4         user    any          svc-http-proxy1  captive                           Low                                                           6
    5         user    any          svc-http-proxy2  captive                           Low                                                           6
    6         user    any          svc-http-proxy3  captive                           Low                                                           6

    Expired Policies (due to time constraints) = 0

    (Cocoa-620) #



  • 4.  RE: 620: Accessing WebUI or ssh from WLAN

    Posted Feb 08, 2014 02:31 PM

    Your device has the "logon" role which is not enough access for a device that should have internal access.  How are you authenticating your devices?  Do you have a RADIUS server configured in your AAA profile?



  • 5.  RE: 620: Accessing WebUI or ssh from WLAN

    Posted Feb 08, 2014 02:40 PM
    @thecompnerd wrote:

    Your device has the "logon" role which is not enough access for a device that should have internal access.  How are you authenticating your devices?  Do you have a RADIUS server configured in your AAA profile?

    No RADIUS server - is that required?

     

    I assume the "logon" role is the default role assigned when anyone sets up an "internal" WLANs (not a guest network) in the WLAN Wizard in the GUI. I'm fine with opening this role up (if required) since this VLAN is only used by those that have the WPA-2 pass for the WLAN or directly connect to the 620. Guests will connect to the Guest WLAN, on a guest VLAN, on the captive portal (which I haven't tested yet, since I don't have uplink working yet).

     

    Thanks!!!

     

     



  • 6.  RE: 620: Accessing WebUI or ssh from WLAN
    Best Answer

    EMPLOYEE
    Posted Feb 08, 2014 03:45 PM

    In the AAA profile "Cocoa admin..." change the initial role to authenticated.  Delete your user from the user table and see if it works.



  • 7.  RE: 620: Accessing WebUI or ssh from WLAN

    Posted Feb 08, 2014 04:41 PM
    @cjoseph wrote:

    In the AAA profile "Cocoa admin..." change the initial role to authenticated.  Delete your user from the user table and see if it works.

    Woo hoo! This did it! Thank you very much. For completeness I'll include a screenshot and a summary from the User Guide.

     

     

    Assigning User Roles in AAA Profiles

    An AAA profile defines the user role for unauthenticated clients (initial role) as well as the default user role for MAC and 802.1x authentication. To configure user roles in the AAA profile:

    In the WebUI

    1. Navigate to the Configuration > Security > Authentication > AAA Profiles page.

    2. Select the default profile or a user-defined AAA profile.

    3. Click the Initial Role drop-down list, and select the desired user role for unauthenticated users.

    4. Click the 802.1x Authentication Default Role drop-down list and select the desired user role for users who have completed 802.1x authentication.

    5. Click the MAC Authentication Default Role drop-down list and select the desired user role for clients who have completed MAC authentication.

    6. Click Apply.

    In the CLI

    (host)(config) #aaa profile <profile>

         initial-role <role>

         d>ot1x-default-role <role>

         mac-default-role <role>

     

     

    auth-1.jpg



  • 8.  RE: 620: Accessing WebUI or ssh from WLAN

    EMPLOYEE
    Posted Feb 08, 2014 01:28 PM

    Answer:

     

    Don't connect to the controller on 172.16.0.254:  It is non-routable.



  • 9.  RE: 620: Accessing WebUI or ssh from WLAN

    Posted Feb 08, 2014 01:34 PM
    @cjoseph wrote:

    Answer:

     

    Don't connect to the controller on 172.16.0.254:  It is non-routable.

    This makes sense! But when I go to 10.1.100.254 (the VLAN IP, which should be routable) via WebUI I get:

     

    https://securelogin.arubanetworks.com/auth/cp_disabled.html

     

    and

     

    Web authentication is disabled.
    Please contact the administrator for assistance.


  • 10.  RE: 620: Accessing WebUI or ssh from WLAN

    EMPLOYEE
    Posted Feb 08, 2014 01:35 PM

    Go to the interface that the controller is connected to on your infrastructure, and make it trusted.

     

    Type "show port status" to see what interface is up.  Then make it trusted:

     

    config t

    interface gigabitethernet (x,y)

    trusted

     

     



  • 11.  RE: 620: Accessing WebUI or ssh from WLAN

    Posted Feb 08, 2014 01:52 PM
    @cjoseph wrote:

    Go to the interface that the controller is connected to on your infrastructure, and make it trusted.

     

    Type "show port status" to see what interface is up.  Then make it trusted:

     

    config t

    interface gigabitethernet (x,y)

    trusted

     

     

    All ports are trusted by default by believe, but what I see is:

     

    (Cocoa-620) #show port status

    Port Status
    -----------
    Slot-Port  PortType  adminstate  operstate  poe      Trusted  SpanningTree  PortMode
    ---------  --------  ----------  ---------  ---      -------  ------------  --------
    1/0        FE        Enabled     Up         Enabled  Yes      Forwarding    Access
    1/1        FE        Enabled     Up         Enabled  Yes      Forwarding    Access
    1/2        FE        Enabled     Up         Enabled  Yes      Forwarding    Access
    1/3        FE        Enabled     Down       Enabled  Yes      Disabled      Access
    1/4        FE        Enabled     Up         N/A      Yes      Forwarding    Access
    1/5        FE        Enabled     Down       N/A      Yes      Disabled      Access
    1/6        FE        Enabled     Down       N/A      Yes      Disabled      Access
    1/7        FE        Enabled     Down       N/A      Yes      Disabled      Access
    1/8        GE        Enabled     Down       N/A      Yes      Disabled      Trunk

     

    1/0 = AP125 assigned to Guest-AP WLAN group, VLAN 200

    1/1 = AP125 assigned to Guest-AP WLAN group, VLAN 200

    1/2 = AP105 assigned to Employee-AP WLAN group, VLAN 100 (10.1.100.x) that I'm trying to get connected.

    1/4 = ethernet on VLAN 100 I'm connecting to

     

    Ignore 1/8 - this is my uplink port I've been trying to get working on a cable modem that I'll leave for another topic, which is hopefully the last item before going into production! :-)

     

    Thanks all very much!!