Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

Disabling HTTP from the administration

  • 1.  Disabling HTTP from the administration

    Posted Oct 04, 2013 07:18 PM

    Is there a way to disable HTTP access to the administration interface of the wireless controller?

     

    I mean, if you put in the IP of the wireless controller, yes, it will auto-redirect to HTTPS.

    But I would like it so that when you type in http://wcip it just doesn't work, and forces you to manually go to https://wcip:4343

     

    Cheers

    Carlos



  • 2.  RE: Disabling HTTP from the administration

    EMPLOYEE
    Posted Oct 04, 2013 08:26 PM

    Put a session ACL on the physical management interface denying port 80 traffic to the management IP address.

     



  • 3.  RE: Disabling HTTP from the administration

    Posted Oct 04, 2013 09:52 PM

    Ah, so I have to use the firewall? I thought it was something like with the switches, where you do something like aaa authentication https or something like that...

     

    Anyway, I tried that, and when I try applying the policy to the interface I get this error

    GigabitEthernet 1/8:Invalid Access List Usage

     

    My rule looks like this

     

    ip access-list session Nohttp
      any   alias controller svc-http  deny 
      any any any  permit 

    I went to the interface to apply this rule with the "in" option

    What am I doing wrong?

     

    Cheers

    Carlos



  • 4.  RE: Disabling HTTP from the administration
    Best Answer

    EMPLOYEE
    Posted Oct 05, 2013 04:57 AM

    I apologize.  Make the ACL block HTTP traffic to the controller's management port and allow everything else:

    ip access-list session block-http
      any host 192.168.1.3 svc-http  deny 
      any any any  permit 

     Then, apply it as a session ACL to the controller's uplink port:

     

    config t
    interface gigabitethernet "1/0"
      ip access-group "block-http" session
    

     Try to access the controller's management interface over HTTP via that uplink port.  You should not be able to.  After that you can monitor the "hits" to that ACL:

     

    (192.168.1.3) #       show acl hits
    
    
    Port Based Session ACL
    ----------------------
    Policy      Src  Dst          Service   Action  Dest/Opcode  New Hits  Total Hits  Index  Ipv4/Ipv6
    ------      ---  ---          -------   ------  -----------  --------  ----------  -----  ---------
    validuser   any  any          any       permit               0         488         7727   ipv4
    block-http  any  192.168.1.3  svc-http  deny                 3         8           8449   ipv4
    block-http  any  any          any       permit               59        200         8450   ipv4
    

     

    This of course will only work for traffic that is traversing that uplink.  If you have wireless users whose traffic terminates on that controller, it does not traverse that link, so you would have to block their traffic via user role.

     



  • 5.  RE: Disabling HTTP from the administration

    Posted Oct 05, 2013 11:23 PM

    Thanks Collin, that worked....

     

    Another thing....

    If I have another VLAN interface, like for the guest access... well, I do have to block that one too for HTTP access...

    Would this bother the captive portal?

    I believe it won't, because it will redirect to https://controllerip:8080, right?

    Where I am I cannot test that :(

    But I can remotely configure and test the HTTPS access... what I cannot test is the captive portal.... but I would like to know that

     

    Cheers

    Carlos



  • 6.  RE: Disabling HTTP from the administration

    EMPLOYEE
    Posted Oct 06, 2013 12:04 AM
    The Captive Portal ACL already forwards all port 80 traffic to the 8081 captive portal. This is active in "logon" roles. You do not need to do anything in that role.

    When the user has already authenticated, you need an ACL in that role that blocks traffic from the ip address of the controller via http.


  • 7.  RE: Disabling HTTP from the administration

    Posted Oct 06, 2013 03:20 AM

    So what I need to do is add that firewall policy you gave me to all the authenticated roles I'm using, right?

    The one I just put on would only work for non-wireless users, as far as I understand

     

    Cheers

    Carlos



  • 8.  RE: Disabling HTTP from the administration

    EMPLOYEE
    Posted Oct 06, 2013 07:11 AM

    You are correct.


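    Putting the thread's advice together as one ArubaOS configuration (an added example, not something posted in the thread): a port-based session ACL for the uplink, and a deny-only policy for the post-login user roles. The management IP 192.168.1.3 and port 1/0 come from Collin's answer; the role name "authenticated" is an assumption, so substitute the roles actually in use.

```text
! Added example, not from the thread. 192.168.1.3 and port 1/0 are taken
! from Collin's answer; the role name "authenticated" is assumed.

! 1. Wired side: session ACL on the uplink. Drops HTTP to the management
!    IP and lets everything else through (the accepted answer as posted).
ip access-list session block-http
  any host 192.168.1.3 svc-http deny
  any any any permit
!
interface gigabitethernet "1/0"
  ip access-group "block-http" session
!
! 2. Wireless side: users whose traffic terminates on the controller never
!    cross the uplink, so the same deny has to live in their user roles.
!    Deny only, with no trailing permit-all: a role's policies are matched
!    top-down and the first hit wins, so placing block-http (with its
!    "any any any permit") first in a role would permit everything the
!    role's later policies were meant to restrict.
ip access-list session deny-http-to-controller
  any host 192.168.1.3 svc-http deny
!
! Put it in front of the existing policies of every post-login role, and
! repeat for each such role. Leave the logon role alone: its captive portal
! policy already redirects port 80, as noted in the thread.
user-role authenticated
  access-list session deny-http-to-controller position 1
!
! 3. Check: browse to http://192.168.1.3 from a wired and from a wireless
!    client, then confirm the deny entries are accumulating hits.
show acl hits
show rights authenticated
```

    If the controller also answers on other VLAN interface addresses (the guest VLAN asked about above), add one deny line per address, or group the addresses in a netdestination and reference it with alias in the rule. The svc-http alias only matches TCP 80, so HTTPS management on 4343 is unaffected.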

  • 9.  RE: Disabling HTTP from the administration

    Posted Oct 06, 2013 01:47 PM

    Thank you very much Collin!