Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

Heartbleed problem I have been asked to just use the CLI and disable the webgui

  • 1.  Heartbleed problem I have been asked to just use the CLI and disable the webgui

    Posted Apr 13, 2014 05:59 PM

    I'm using the Aruba7210-US controller running 6.3.0.1 and I'm looking for how to disable the web GUI on the controller without blocking the CLI. I do not see an easy way to disable the webgui on the controller; maybe I'm missing something. I would think this should be simple, but my searches are coming up empty. Thinking service httpd stop would work, but not sure if it would restart.



  • 2.  RE: Heartbleed problem I have been asked to just use the CLI and disable the webgui
    Best Answer

    EMPLOYEE
    Posted Apr 13, 2014 06:28 PM

    You need to create a session-ACL that blocks port TCP 443 (Captive Portal) and TCP 4343 (admin gui), permits everything else, and apply that to the controller's physical uplink port to your network as a session ACL.  In the example below, the name of my acl is "no-webui".   My controller's management ip address is 192.168.1.3.  My controller's uplink to the network is gigabitethernet 0/0/0.

     

    ip access-list session "no-webui"
      any host 192.168.1.3 tcp 4343 4343 deny position 1 queue low
      any host 192.168.1.3 tcp 443 443 deny position 2 queue low
      any any any permit position 3 queue low
    !
    interface gigabitethernet "0/0/0"
      ip access-group "no-webui" session

     NOTE:  If your controller has more than one ip address, you need to add an ACL for those IP addresses as well to block 443 and 4343 for it to be truly effective.  You should run these commands when you have console access to the controller so that if you lock yourself out, you can remove the acl from the gigabitethernet port.  You also need an any any any permit at the end of your ACL to allow all other traffic to the controller.

     

    If you have an upgrade window, upgrading to 6.3.1.5 has the fix and it will get you off of 6.3.0.1, which is NOT GA code.
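
A reachability check to run from an admin workstation once the ACL in the reply above is applied, covering every controller IP as the NOTE requires. This is an added example, not part of the original reply or any Aruba tooling; the function names and SSH on TCP 22 are assumptions, while 192.168.1.3, 443 and 4343 come from the post.

```python
import socket

# Ports named in the reply: 443 (captive portal) and 4343 (admin GUI) must be blocked.
BLOCKED_PORTS = (443, 4343)
# Assumption: the CLI is reached over SSH on the default TCP port 22.
CLI_PORT = 22


def tcp_reachable(host, port, timeout=2.0):
    """Return True only if a TCP handshake to host:port completes.

    A session-ACL deny normally shows up as a timeout, a closed port as a
    refusal; both raise OSError subclasses and count as unreachable.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def audit_controller(addresses, blocked=BLOCKED_PORTS, cli_port=CLI_PORT, timeout=2.0):
    """Check every controller IP and return a list of (host, port, issue).

    An empty list means the web ports are blocked on all listed addresses
    and the CLI port still answers on each of them.
    """
    findings = []
    for host in addresses:
        for port in blocked:
            if tcp_reachable(host, port, timeout):
                findings.append((host, port, "web port still reachable"))
        if not tcp_reachable(host, cli_port, timeout):
            findings.append((host, cli_port, "CLI port unreachable (possible lockout)"))
    return findings


if __name__ == "__main__":
    # 192.168.1.3 is the management IP from the post; list every other
    # controller IP (VLAN interfaces, loopback) here as well.
    controller_ips = ["192.168.1.3"]
    for host, port, issue in audit_controller(controller_ips):
        print(f"{host}:{port} {issue}")
```

Run it from a host whose traffic enters the controller through the uplink port the ACL is bound to, otherwise the result says nothing about the ACL.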



  • 3.  RE: Heartbleed problem I have been asked to just use the CLI and disable the webgui

    Posted Apr 13, 2014 06:36 PM

    Thank you for the help. This is what I feared, that it would not be as simple as service stop. Thank you for the help.



  • 4.  RE: Heartbleed problem I have been asked to just use the CLI and disable the webgui

    MVP
    Posted Apr 14, 2014 07:42 AM

    I hope you realize that if you are on an ArubaOS version with the heartbleed issue, the ssh is likely affected too since it also uses the same OpenSSL library.



  • 5.  RE: Heartbleed problem I have been asked to just use the CLI and disable the webgui

    Posted Apr 14, 2014 08:14 AM

    I had not. Thank you for the heads-up on that.



  • 6.  RE: Heartbleed problem I have been asked to just use the CLI and disable the webgui

    Posted Apr 14, 2014 08:22 AM
    The heartbleed vulnerability is not known to affect SSH AFAIK. However, you still should do the upgrade to the patched ArubaOS version AND replace your certificates. Even though you are now using SSH, any compromised keys are still out there.