Wireless Access

Occasional Contributor II
Posts: 37
Registered: ‎01-03-2012

Disable wireless management

Hi all!

 

Please, does anybody know how to disable wireless management on the Aruba 650 Controller? I want to manage the controller only across the wired ports. I think Aruba should have an option to deny access to the controller for wireless clients, but I don't see this option in the controller.

 

Thanks!

Guru Elite
Posts: 20,820
Registered: ‎03-29-2007

Re: Disable wireless management

You can disable the Virtual APs of access points that connect to the controller:

Configuration > Wireless > AP Configuration. Edit the Default AP group. Expand Wireless LAN. Click on Virtual AP. Uncheck the Virtual AP Enable checkbox. Click on Apply in the lower right-hand corner.

 



Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Occasional Contributor II
Posts: 37
Registered: ‎01-03-2012

Re: Disable wireless management

 

I don't use the default AP group. I have 2 AP groups with 4 VAP profiles; if I uncheck the Virtual AP Enable, I'm not sure what will happen. Is Virtual AP Enable only for management purposes?

Guru Elite
Posts: 20,820
Registered: ‎03-29-2007

Re: Disable wireless management


I apologize.  I did not answer your question.

 

You want to ONLY be able to manage the controller from particular subnets, right?

 

We do not have a specific feature that does that (service acls), for now, but you can accomplish it by doing the following:

 

1.  Create an "alias" or netdestination that defines what subnets you want management traffic from

2.  Write rules allowing TCP 4343 traffic and SSH traffic from that subnet to the controller's IP address

3.  Write rules dropping TCP 4343 traffic and SSH traffic to the controller ip address from anywhere else.

4.  Allow all traffic at the end of the rule

5.  Apply it to a controller interface

 

In the example below, I allow management traffic from 192.168.1.0 255.255.255.0 to the controller at 192.168.1.3 and drop it from everywhere else. If I want to expand where I want management traffic from, I can just edit the Alias/Netdestination "management-subnet":

HINT: Please have a console cable handy just in case you lock yourself out of the controller!

 

config t
netdestination management-subnet
  network 192.168.1.0 255.255.255.0
!
ip access-list session "Controller-Access"
  alias "management-subnet" host 192.168.1.3 tcp 4343 4343 permit queue low
  any host 192.168.1.3 tcp 4343 4343 deny queue low
  alias "management-subnet" host 192.168.1.3 "svc-ssh" permit queue low
  any host 192.168.1.3 "svc-ssh" deny queue low
  any any any permit queue low
!
interface gigabitethernet 1/0
  ip access-group "Controller-Access" session



Colin Joseph
Aruba Customer Engineering
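
Added example, not part of the original post and not Aruba code: a small Python model of the "Controller-Access" ACL above that evaluates it first-match-wins, so you can confirm which sources still reach the controller's management ports before applying the ACL to an interface. It assumes "svc-ssh" is TCP 22 and that traffic matching no rule is denied; the client addresses used with it are constructed.

```python
import ipaddress

# Constructed model of the post's config. Assumption: "svc-ssh" means TCP 22.
ALIASES = {"management-subnet": ["192.168.1.0/24"]}
SERVICES = {"svc-ssh": ("tcp", 22, 22)}
ACL = '''
alias "management-subnet" host 192.168.1.3 tcp 4343 4343 permit queue low
any host 192.168.1.3 tcp 4343 4343 deny queue low
alias "management-subnet" host 192.168.1.3 "svc-ssh" permit queue low
any host 192.168.1.3 "svc-ssh" deny queue low
any any any permit queue low
'''

def addr_spec(tokens):
    # Consume one source/destination spec; None means "any".
    kind = tokens.pop(0)
    if kind == "any":
        return None
    value = tokens.pop(0)
    if kind == "alias":
        return [ipaddress.ip_network(n) for n in ALIASES[value]]
    if kind == "host":
        return [ipaddress.ip_network(value + "/32")]
    raise ValueError(f"unsupported address spec: {kind}")

def parse_rule(line):
    tokens = line.replace('"', "").split()
    src, dst = addr_spec(tokens), addr_spec(tokens)
    svc = tokens.pop(0)
    if svc == "any":
        service = None
    elif svc in SERVICES:
        service = SERVICES[svc]
    else:  # "tcp <low> <high>" or "udp <low> <high>"
        service = (svc, int(tokens.pop(0)), int(tokens.pop(0)))
    return src, dst, service, tokens.pop(0)  # action: permit or deny

def evaluate(acl_text, src_ip, dst_ip, proto, port):
    # Return the action of the first rule that matches the packet.
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for line in filter(None, map(str.strip, acl_text.splitlines())):
        src, dst, service, action = parse_rule(line)
        if src is not None and not any(s in n for n in src):
            continue
        if dst is not None and not any(d in n for n in dst):
            continue
        if service and (proto != service[0] or not service[1] <= port <= service[2]):
            continue
        return action
    return "deny"  # assumption: no matching rule means implicit deny
```

Call `evaluate(ACL, "<your admin workstation IP>", "192.168.1.3", "tcp", 4343)` with your own values; anything other than "permit" means the ACL would lock that workstation out of the WebUI.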


Occasional Contributor II
Posts: 37
Registered: ‎01-03-2012

Re: Disable wireless management

 

Thanks for your reply!

I thought Aruba has a feature for this.

You are right, I'm afraid I will have to use an ACL to deny or permit traffic for different subnets.

 

 

Occasional Contributor II
Posts: 37
Registered: ‎01-03-2012

Re: Disable wireless management

 

I did the following:

In the role authenticated, create an ACL, only permit 1 subnet to access port 4343; other subnets are denied.

Role guest doesn't need this policy because this role is not permitted to access HTTPS by default.

I have 4 SSIDs; 3 SSIDs use role authenticated and 1 uses role-guest (captive portal), so I think with this config, only the users in the subnet permitted in the ACL could reach the WebUI in the controller. Is it OK?

 

Thanks!

Guru Elite
Posts: 20,820
Registered: ‎03-29-2007

Re: Disable wireless management

That's great!

 



Colin Joseph
Aruba Customer Engineering


Occasional Contributor I
Posts: 6
Registered: ‎12-27-2011

Re: Disable wireless management

Are there any plans to implement this feature? I think this is pretty important. I shouldn't have to kludge an ACL together that could potentially lock me out of the controller. Thanks!
Guru Elite
Posts: 20,820
Registered: ‎03-29-2007

Re: Disable wireless management

True.  Please post in the IDEAS forum...

 



Colin Joseph
Aruba Customer Engineering
