Wireless Access

Contributor II

620: Accessing WebUI or ssh from WLAN

Hey all, you guys have been great so far - really appreciate it! My next issue is that I can't access 172.16.0.254 from WLAN that's on the same VLAN as some wired ports.

For example, if I plug in directly to the 620 with ethernet and get 10.1.100.3, I can ssh and access the WebUI.

But if I connect to the WLAN, which is on the same VLAN as the ethernet, and I get 10.1.100.101, I can't get to ssh or WebUI.

Any ideas? I'm thinking it is a setting in my WLAN:

[screenshot: ap-group.jpg]

Thanks all!

Guru Elite

Re: 620: Accessing WebUI or ssh from WLAN

First find out what role your wireless device is getting:

     show user-table | include <mac-addr>


Then run the following to see if you are blocking access in that user role:

     show rights <user-role-name>


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Guru Elite

Re: 620: Accessing WebUI or ssh from WLAN

Answer:


Don't connect to the controller on 172.16.0.254:  It is non-routable.



Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Contributor II

Re: 620: Accessing WebUI or ssh from WLAN


cjoseph wrote:

Answer:


Don't connect to the controller on 172.16.0.254:  It is non-routable.


This makes sense! But when I go to 10.1.100.254 (the VLAN IP, which should be routable) via WebUI I get:

https://securelogin.arubanetworks.com/auth/cp_disabled.html

and

Web authentication is disabled.
Please contact the administrator for assistance.

Guru Elite

Re: 620: Accessing WebUI or ssh from WLAN

Go to the interface that the controller is connected to on your infrastructure, and make it trusted.

Type "show port status" to see what interface is up.  Then make it trusted:

config t
interface gigabitethernet (x,y)
trusted



Colin Joseph
Aruba Customer Engineering


Contributor II

Re: 620: Accessing WebUI or ssh from WLAN


cappalli wrote:

First find out what role your wireless device is getting:

     show user-table | include <mac-addr>

Then run the following to see if you are blocking access in that user role:

     show rights <user-role-name>


Good idea Tim!

Here is what I got:

(Cocoa-620) #show user-table

Users
-----
    IP            MAC            Name     Role      Age(d:h:m)  Auth  VPN link  AP name         Roaming   Essid/Bssid/Phy                     Profile               Forward mode  Type
----------   ------------       ------    ----      ----------  ----  --------  -------         -------   ---------------                     -------               ------------  ----
10.1.100.29  00:25:00:48:6a:df            logon     00:00:00                    cocoa-internal  Wireless  Cocoa-Admin/d8:c7:c8:16:f9:88/a-HT  Cocoa-Admin-aaa_prof  tunnel        

User Entries: 1/1

(Cocoa-620) #show rights logon

Derived Role = 'logon'
 Up BW:No Limit   Down BW:No Limit  
 L2TP Pool = default-l2tp-pool
 PPTP Pool = default-pptp-pool
 Periodic reauthentication: Disabled
 ACL Number = 1/0
 Max Sessions = 65535


access-list List
----------------
Position  Name              Location
--------  ----              --------
1         ra-guard          
2         logon-control     
3         captiveportal     
4         vpnlogon          
5         v6-logon-control  
6         captiveportal6    

ra-guard
--------
Priority  Source  Destination  Service           Action  TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6
--------  ------  -----------  -------           ------  ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------
1         user    any          icmpv6 rtr-adv    deny                             Low                                                           6
logon-control
-------------
Priority  Source  Destination              Service   Action  TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6
--------  ------  -----------              -------   ------  ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------
1         user    any                      udp 68    deny                             Low                                                           4
2         any     any                      svc-icmp  permit                           Low                                                           4
3         any     any                      svc-dns   permit                           Low                                                           4
4         any     any                      svc-dhcp  permit                           Low                                                           4
5         any     any                      svc-natt  permit                           Low                                                           4
6         any     169.254.0.0 255.255.0.0  any       deny                             Low                                                           4
captiveportal
-------------
Priority  Source  Destination  Service          Action        TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6
--------  ------  -----------  -------          ------        ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------
1         user    controller   svc-https        dst-nat 8081                           Low                                                           4
2         user    any          svc-http         dst-nat 8080                           Low                                                           4
3         user    any          svc-https        dst-nat 8081                           Low                                                           4
4         user    any          svc-http-proxy1  dst-nat 8088                           Low                                                           4
5         user    any          svc-http-proxy2  dst-nat 8088                           Low                                                           4
6         user    any          svc-http-proxy3  dst-nat 8088                           Low                                                           4
vpnlogon
--------
Priority  Source  Destination  Service   Action  TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6
--------  ------  -----------  -------   ------  ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------
1         user    any          svc-ike   permit                           Low                                                           4
2         user    any          svc-esp   permit                           Low                                                           4
3         any     any          svc-l2tp  permit                           Low                                                           4
4         any     any          svc-pptp  permit                           Low                                                           4
5         any     any          svc-gre   permit                           Low                                                           4
v6-logon-control
----------------
Priority  Source  Destination          Service      Action  TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6
--------  ------  -----------          -------      ------  ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------
1         user    any                  udp 68       deny                             Low                                                           6
2         any     any                  svc-v6-icmp  permit                           Low                                                           6
3         any     any                  svc-v6-dhcp  permit                           Low                                                           6
4         any     any                  svc-dns      permit                           Low                                                           6
5         any     fc00::/7             any          permit                           Low                                                           6
6         any     fe80::/64            any          permit                           Low                                                           6
7         any     ipv6-reserved-range  any          deny                             Low                                                           6
captiveportal6
--------------
Priority  Source  Destination  Service          Action   TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6
--------  ------  -----------  -------          ------   ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------
1         user    controller6  svc-https        captive                           Low                                                           6
2         user    any          svc-http         captive                           Low                                                           6
3         user    any          svc-https        captive                           Low                                                           6
4         user    any          svc-http-proxy1  captive                           Low                                                           6
5         user    any          svc-http-proxy2  captive                           Low                                                           6
6         user    any          svc-http-proxy3  captive                           Low                                                           6

Expired Policies (due to time constraints) = 0

(Cocoa-620) #

Contributor II

Re: 620: Accessing WebUI or ssh from WLAN


cjoseph wrote:

Go to the interface that the controller is connected to on your infrastructure, and make it trusted.

Type "show port status" to see what interface is up.  Then make it trusted:

config t
interface gigabitethernet (x,y)
trusted


All ports are trusted by default, I believe, but what I see is:


(Cocoa-620) #show port status

Port Status
-----------
Slot-Port  PortType  adminstate  operstate  poe      Trusted  SpanningTree  PortMode
---------  --------  ----------  ---------  ---      -------  ------------  --------
1/0        FE        Enabled     Up         Enabled  Yes      Forwarding    Access
1/1        FE        Enabled     Up         Enabled  Yes      Forwarding    Access
1/2        FE        Enabled     Up         Enabled  Yes      Forwarding    Access
1/3        FE        Enabled     Down       Enabled  Yes      Disabled      Access
1/4        FE        Enabled     Up         N/A      Yes      Forwarding    Access
1/5        FE        Enabled     Down       N/A      Yes      Disabled      Access
1/6        FE        Enabled     Down       N/A      Yes      Disabled      Access
1/7        FE        Enabled     Down       N/A      Yes      Disabled      Access
1/8        GE        Enabled     Down       N/A      Yes      Disabled      Trunk


1/0 = AP125 assigned to Guest-AP WLAN group, VLAN 200
1/1 = AP125 assigned to Guest-AP WLAN group, VLAN 200
1/2 = AP105 assigned to Employee-AP WLAN group, VLAN 100 (10.1.100.x) that I'm trying to get connected.
1/4 = ethernet on VLAN 100 I'm connecting to

Ignore 1/8 - this is my uplink port I've been trying to get working on a cable modem that I'll leave for another topic, which is hopefully the last item before going into production! :-)

Thanks all very much!!

Re: 620: Accessing WebUI or ssh from WLAN

Your device has the "logon" role which is not enough access for a device that should have internal access.  How are you authenticating your devices?  Do you have a RADIUS server configured in your AAA profile?

=======================================
If a reply adequately addresses your issue, please click on the "Accept as Solution" and "Give Kudos" button so this information can benefit other users.
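The `show rights logon` output earlier in the thread and the diagnosis that the logon role is not enough can be checked mechanically. The following is an added example of my own, not code from the thread or from Aruba: it parses the access-list tables that `show rights <role>` prints into an ordered rule list and walks them first-match, with the implicit deny at the end, the way the controller's session ACLs are evaluated. From the logon role, an HTTPS request to 10.1.100.254 is caught by the captiveportal ACL's `dst-nat 8081` action (the controller's captive-portal listener, which is consistent with the cp_disabled.html redirect the poster saw), and ssh matches no rule at all. The sample text is constructed from the thread's output, trimmed to the first five columns; the set of controller IPs and the single allow-all rule used for the "authenticated" role are assumptions.

```python
"""Walk an ArubaOS user role's ACLs first-match, with implicit deny at the end.

Added example; not from the thread or from Aruba. Parses the access-list
tables of `show rights <role>` by fixed column offsets, then evaluates a flow.
"""
import ipaddress
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    acl: str
    priority: int
    source: str
    destination: str
    service: str
    action: str


def _column_starts(underline: str) -> list[int]:
    """Start offset of each column, read from the '--------  ------' row."""
    return [m.start() for m in re.finditer(r"-+", underline)]


def _split_row(row: str, starts: list[int]) -> list[str]:
    """Slice one fixed-width row at the column starts and strip padding.

    Splitting on whitespace would break multi-token cells such as
    'udp 68', 'dst-nat 8081' or '169.254.0.0 255.255.0.0'.
    """
    ends = starts[1:] + [len(row)]
    return [row[a:b].strip() for a, b in zip(starts, ends)]


def parse_rights(text: str) -> list[Rule]:
    """Return the rules of every ACL in `show rights` output, in evaluation order."""
    lines = text.splitlines()
    rules: list[Rule] = []
    i = 0
    while i + 3 < len(lines):
        name, underline = lines[i], lines[i + 1]
        # An ACL section is its name underlined with exactly as many dashes,
        # followed by a 'Priority ...' header row and that row's own underline.
        if (re.fullmatch(r"-+", underline) and len(underline) == len(name)
                and lines[i + 2].startswith("Priority")):
            starts = _column_starts(lines[i + 3])
            header = _split_row(lines[i + 2], starts)
            i += 4
            while i < len(lines):
                cells = dict(zip(header, _split_row(lines[i], starts)))
                if not cells.get("Priority", "").isdigit():
                    break  # blank line or the next section's name
                rules.append(Rule(name, int(cells["Priority"]), cells["Source"],
                                  cells["Destination"], cells["Service"], cells["Action"]))
                i += 1
            continue
        i += 1
    return rules


def _dst_matches(field: str, dst_ip: str, controller_ips: set[str]) -> bool:
    """'any', the 'controller' alias, a host, or 'network netmask' / CIDR."""
    if field == "any":
        return True
    if field == "controller":
        return dst_ip in controller_ips
    try:
        net = ipaddress.ip_network("/".join(field.split()), strict=False)
    except ValueError:
        return False  # an alias this example does not model (controller6, ...)
    return ipaddress.ip_address(dst_ip) in net  # False across IPv4/IPv6


def first_match(rules, source, dst_ip, service, controller_ips):
    for rule in rules:
        if ((rule.source == "any" or rule.source == source)
                and _dst_matches(rule.destination, dst_ip, controller_ips)
                and (rule.service == "any" or rule.service == service)):
            return rule
    return None


def explain(rules, source, dst_ip, service, controller_ips):
    """(action, where it was decided); no match means the role's implicit deny."""
    rule = first_match(rules, source, dst_ip, service, controller_ips)
    if rule is None:
        return ("deny", "implicit deny: no rule matched")
    return (rule.action, f"{rule.acl} rule {rule.priority}")


# Constructed from the thread's `show rights logon` output (first five columns).
LOGON_RIGHTS = """\
logon-control
-------------
Priority  Source  Destination              Service   Action
--------  ------  -----------              -------   ------
1         user    any                      udp 68    deny
2         any     any                      svc-icmp  permit
3         any     any                      svc-dns   permit
4         any     any                      svc-dhcp  permit
5         any     any                      svc-natt  permit
6         any     169.254.0.0 255.255.0.0  any       deny
captiveportal
-------------
Priority  Source  Destination  Service          Action
--------  ------  -----------  -------          ------
1         user    controller   svc-https        dst-nat 8081
2         user    any          svc-http         dst-nat 8080
3         user    any          svc-https        dst-nat 8081
"""
# Assumed shape of the 'authenticated' role: one allow-all ACL (constructed).
AUTH_RIGHTS = """\
allowall
--------
Priority  Source  Destination  Service  Action
--------  ------  -----------  -------  ------
1         any     any          any      permit
"""
CONTROLLER_IPS = {"10.1.100.254", "172.16.0.254"}  # assumed controller addresses
LOGON_RULES = parse_rights(LOGON_RIGHTS)
AUTH_RULES = parse_rights(AUTH_RIGHTS)

if __name__ == "__main__":
    for svc in ("svc-https", "svc-ssh", "svc-dns"):
        print("logon        ", svc, explain(LOGON_RULES, "user", "10.1.100.254", svc, CONTROLLER_IPS))
        print("authenticated", svc, explain(AUTH_RULES, "user", "10.1.100.254", svc, CONTROLLER_IPS))
```

Run it as-is to see the logon role's verdict for HTTPS, ssh and DNS to the VLAN IP side by side with the assumed authenticated role; paste a controller's real `show rights` output into `LOGON_RIGHTS` to evaluate the role you actually have. Column offsets are taken from the dash underline, so the parser copes with the wider tables the controller prints, and the `explain` result names the ACL and priority that decided the flow, which is what you want to quote when a role is denying more than intended.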
Contributor II

Re: 620: Accessing WebUI or ssh from WLAN


thecompnerd wrote:

Your device has the "logon" role which is not enough access for a device that should have internal access.  How are you authenticating your devices?  Do you have a RADIUS server configured in your AAA profile?


No RADIUS server - is that required?

I assume the "logon" role is the default role assigned when anyone sets up an "internal" WLAN (not a guest network) in the WLAN Wizard in the GUI. I'm fine with opening this role up (if required) since this VLAN is only used by those that have the WPA-2 pass for the WLAN or directly connect to the 620. Guests will connect to the Guest WLAN, on a guest VLAN, on the captive portal (which I haven't tested yet, since I don't have uplink working yet).

Thanks!!!


Guru Elite

Re: 620: Accessing WebUI or ssh from WLAN

In the AAA profile "Cocoa admin..." change the initial role to authenticated.  Delete your user from the user table and see if it works.



Colin Joseph
Aruba Customer Engineering
