Wireless Access

New Contributor
Posts: 3
Registered: ‎04-13-2014

Heartbleed problem: I have been asked to just use the CLI and disable the webgui

I'm using the Aruba7210-US controller running 6.3.0.1 and I'm looking for how to disable the web GUI on the controller without blocking the CLI. I do not see an easy way to disable the webgui on the controller; maybe I'm missing something. I would think this should be simple, but my searches are coming up empty. I was thinking service httpd stop would work, but I'm not sure if it would restart.

Guru Elite
Posts: 21,280
Registered: ‎03-29-2007

Re: Heartbleed problem: I have been asked to just use the CLI and disable the webgui

You need to create a session-ACL that blocks port TCP 443 (Captive Portal) and TCP 4343 (admin gui), permits everything else, and apply that to the controller's physical uplink port to your network as a session ACL.  In the example below, the name of my acl is "no-webui".   My controller's management ip address is 192.168.1.3.  My controller's uplink to the network is gigabitethernet 0/0/0.

 

ip access-list session "no-webui"
ip access-list session "no-webui" any host 192.168.1.3 tcp 4343 4343 deny position 1 queue low
ip access-list session "no-webui" any host 192.168.1.3 tcp 443 443 deny position 2 queue low
ip access-list session "no-webui" any any any permit position 3 queue low
!
interface gigabitethernet "0/0/0"
   ip access-group "no-webui" session

NOTE: If your controller has more than one ip address, you need to add an ACL for those IP addresses as well to block 443 and 4343 for it to be truly effective. You should run these commands when you have console access to the controller so that if you lock yourself out, you can remove the acl from the gigabitethernet port. You also need an any any any permit at the end of your ACL to allow all other traffic to the controller.

 

If you have an upgrade window, upgrading to 6.3.1.5 has the fix and it will get you off of 6.3.0.1, which is NOT GA code.



Colin Joseph
Aruba Customer Engineering
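
The NOTE in the post above, about additional controller IP addresses and the final permit, can be checked offline before the ACL is applied. The following Python audit is an added example, not part of the original post and not Aruba tooling: it parses rule lines in the single-line form the post uses and lists every controller address where TCP 443 or 4343 is still permitted. The function names, the sample config and the second address 10.0.0.3 are constructed for illustration, and first-match evaluation in listed order is an assumption.

```python
import re

# One rule per line, in the single-line form used in the post above.
RULE = re.compile(
    r'^ip access-list session "(?P<acl>[^"]+)" (?P<src>\S+) '
    r'(?P<dst>any|host \S+) (?P<svc>any|tcp \d+ \d+) (?P<action>permit|deny)\b')

WEB_PORTS = (443, 4343)  # Captive Portal and admin GUI, per the post

# Constructed sample modeled on the post's ACL; it covers 192.168.1.3 only.
SAMPLE = '''\
ip access-list session "no-webui" any host 192.168.1.3 tcp 4343 4343 deny position 1 queue low
ip access-list session "no-webui" any host 192.168.1.3 tcp 443 443 deny position 2 queue low
ip access-list session "no-webui" any any any permit position 3 queue low
'''


def parse_rules(config, acl):
    """Return the named ACL's rules as dicts, in listed order."""
    found = (RULE.match(line.strip()) for line in config.splitlines())
    return [m.groupdict() for m in found if m and m["acl"] == acl]


def matches(rule, ip, port):
    """True if the rule covers TCP traffic from any source to ip:port."""
    if rule["src"] != "any" or rule["dst"] not in ("any", "host " + ip):
        return False  # source-specific rules are ignored in this sketch
    if rule["svc"] == "any":
        return True
    _, low, high = rule["svc"].split()
    return int(low) <= port <= int(high)


def audit(config, acl, controller_ips):
    """List every controller ip:port that the ACL explicitly permits."""
    rules = parse_rules(config, acl)
    exposed = []
    for ip in controller_ips:
        for port in WEB_PORTS:
            # Assumption: the first matching rule in listed order decides.
            # No match at all is left to the platform default, not reported.
            first = next((r for r in rules if matches(r, ip, port)), None)
            if first and first["action"] == "permit":
                exposed.append(f"{ip}:{port}")
    return exposed


if __name__ == "__main__":
    # 10.0.0.3 is a made-up second controller address with no deny rules.
    print(audit(SAMPLE, "no-webui", ["192.168.1.3", "10.0.0.3"]))
```

Run against the sample, the audit reports nothing for 192.168.1.3 and flags both web ports on the second address, which is the gap the NOTE warns about.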


New Contributor
Posts: 3
Registered: ‎04-13-2014

Re: Heartbleed problem: I have been asked to just use the CLI and disable the webgui

Thank you for the help. This is what I feared, that it would not be as simple as service stop. Thank you for the help.

Contributor II
Posts: 146
Registered: ‎05-12-2010

Re: Heartbleed problem: I have been asked to just use the CLI and disable the webgui

I hope you realize that if you are on an ArubaOS version with the heartbleed issue, the ssh is likely affected too since it also uses the same OpenSSL library.

Bruce Osborne - Wireless Engineer
ACCP, ACMP

New Contributor
Posts: 3
Registered: ‎04-13-2014

Re: Heartbleed problem: I have been asked to just use the CLI and disable the webgui

I had not. Thank you for the heads-up on that.

Aruba Employee
Posts: 664
Registered: ‎04-15-2009

Re: Heartbleed problem: I have been asked to just use the CLI and disable the webgui

The heartbleed vulnerability is not known to affect SSH AFAIK. However, you still should do the upgrade to the patched ArubaOS version AND replace your certificates. Even though you are now using SSH, any compromised keys are still out there.