04-13-2014 02:59 PM - edited 04-13-2014 03:23 PM
Im useing the Aruba7210-US controler running 126.96.36.199 and Im looking on how to disable the web gui on the controler without blocking CLI. I do not see an easy way to disable the webgui on the controler maybe Im missing something I ould think the should be simple but my searches are coming up empty . Thinking service httpd stop would work but not sure if it would restart
Solved! Go to Solution.
04-13-2014 03:28 PM - edited 04-13-2014 03:36 PM
You need to create a session-ACL that blocks port TCP 443 (Captive Portal) and TCP 4343 (admin gui), permits everything else, and apply that to the controller's physical uplink port to your network as a session ACL. In the example below, the name of my acl is "no-webui". My controller's management ip address is 192.168.1.3. My controller's uplink to the network is gigabitethernet 0/0/0.
ip access-list session "no-webui" ip access-list session "no-webui" any host 192.168.1.3 tcp 4343 4343 deny position 1 queue low ip access-list session "no-webui" any host 192.168.1.3 tcp 443 443 deny position 3 queue low ip access-list session "no-webui" any any any permit position 3 queue low ! interface gigabitethernet "0/0/0" ip access-group "no-webui" session
NOTE: If your controller has more than one ip address, you need to add an ACL for those IP addresses as well to block 443 and 4343 for it to be truly effective. You should run these commands when you have console access to the controller so that if you lock yourself out, you can remove the acl from the gigabitethernet port. You also need an any any any permit at the end of your ACL to allow all other traffic to the controller.
If you have an upgrade window, upgrading to 188.8.131.52 has the fix and it will get you off of 184.108.40.206, which is NOT GA code.
Aruba Customer Engineering
Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base
04-14-2014 04:42 AM
I hope you realize that if you are on an ArubaOS version with the heartbleed issue, the ssh is likely affected too since it also uses the same OpenSSL library.
04-14-2014 05:21 AM