Occasional Contributor I
Posts: 8
Registered: ‎03-15-2017

How to enable the controller management via wireless

Hi all,

 

I am deploying a new Aruba wireless setup with a 7205 controller (HA with ArubaOS 6.5.1.3) and AP305. However, when the PC client connected to the broadcast SSID, the PC client was not able to manage the controller either via Web GUI or SSH. But it is manageable via wired connection through the switch. The PC client can reach the controller IP with ICMP ping either via wireless or wired connection. Is there any way to enable the controller management via wireless?

 

thanks

KL 

MVP
Posts: 332
Registered: ‎07-26-2011

Re: How to enable the controller management via wireless

Hey, do you have any more information in regards to your deployment? There could be a number of reasons why the controller isn't available for management.

 

- Is there a User Role with an ACL preventing you from accessing the controller?

- Are there any routing issues between the client and the controller?

- Are there any ACLs applied to the VLAN or port from which you access the controller?

- Do you see any traffic being denied or not reaching the controller with the below command (where xxxx is the controller's IP)?

 

#show datapath session | include xxx

- Do you have any inter-VLAN routing enabled?

ACMA, ACMP
If my post addresses your query, give kudos:)
MVP
Posts: 4,227
Registered: ‎07-20-2011

Re: How to enable the controller management via wireless

[ Edited ]

Do you have any ACL rules under the user-role that might be blocking this type of access?
Do you have an access-group defined under the controller physical interface blocking this type of access?
Any ACL rules on the uplink switch?
You can run the following commands from the controller CLI:
Show datapath session table <wireless client IP> | include <Controller Mgmt IP> - and look for any denied traffic flagged with "D"

Show rights - and take a look at the ACLs

Show ip access-group - and see if there are any ACLs applied under the interface

Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
Occasional Contributor I
Posts: 8
Registered: ‎03-15-2017

Re: How to enable the controller management via wireless

Hi Zalion,

My replies are below in bold. I have attached my controller 1 configuration for your reference. It is just a very basic wireless setup. The controller acts in L2 mode and all L3 inter-VLAN routing is at the core switch.

 

- Is there a User Role with an ACL preventing you from accessing the controller? No.

- Is there any routing issues between the client and the controller?

   No. The client is able to ping the controller via wireless. The client is able to manage the controller via wired.

- Is there any ACL's applied to the VLAN or port in which you access the controller from? No.

- Do you see any traffic being denied or not reaching the controller with the below command (where xxxx is the controllers IP). Will try later.

 

#show datapath session | include xxx

- Do you have any inter-vlan routing enable?

  Inter-VLAN routing is enabled at the core switch. The controller is in L2 mode.

Occasional Contributor I
Posts: 8
Registered: ‎03-15-2017

Re: How to enable the controller management via wireless

Hi Victor,

My replies are below in bold. I have attached my controller 1 configuration for your reference. It is a very basic wireless setup.

 

Do you have any acl rules under the user-role that might be blocking this type of access? No.
Do you have an access-group defined under the controller physical interface blocking this type of access? No.
Any ACL rules on the uplink switch? No.
You can run the following commands from the controller CLI:

Will try later.

 

thanks!

MVP
Posts: 332
Registered: ‎07-26-2011

Re: How to enable the controller management via wireless

Hey, did you attach the configuration? I believe it might have been forgotten :)

ACMA, ACMP
If my post addresses your query, give kudos:)
Occasional Contributor I
Posts: 8
Registered: ‎03-15-2017

Re: How to enable the controller management via wireless

Hi Zalion,

Re-attached. :)

 

thanks!

 

MVP
Posts: 332
Registered: ‎07-26-2011

Re: How to enable the controller management via wireless

[ Edited ]

Hey, just taking a look now, can you confirm the output of the below for me please as well?

 

#show controller-ip

The only reason I ask is that VLAN 1 is the default management VLAN and this may not have been changed to VLAN 3, so the below IPv6 address may not be valid.

 

interface vlan 1
	ipv6 address 2001::1/64
!
ACMA, ACMP
If my post addresses your query, give kudos:)
Occasional Contributor I
Posts: 8
Registered: ‎03-15-2017

Re: How to enable the controller management via wireless

Hi Zalion,

 

I have removed the VLAN 1 IPv6 address. Below is the output of show controller-ip and show datapath session table. IP 172.16.80.4 is the PC client which was not able to manage the controller via wireless.


(LWEH_ARUBA_WLC1) #show controller-ip

Switch IP Address: 192.168.189.3

Switch IP is from Loopback interface

Switch IPv6 address is not configured.

 

 

(LWEH_ARUBA_WLC1) #show datapath session table 172.16.80.4 | include 192.168.189.3
192.168.189.3 172.16.80.4 6 8080 34671 0/0 0 0 1 tunnel 13 1e 0 0 SY
192.168.189.3 172.16.80.4 6 8080 33530 0/0 0 0 0 tunnel 13 e 0 0 SY
192.168.189.3 172.16.80.4 6 8080 45435 0/0 0 0 0 tunnel 13 e 0 0 SY
192.168.189.3 172.16.80.4 6 8080 46004 0/0 0 0 1 tunnel 13 17 0 0 SY
192.168.189.3 172.16.80.4 6 8081 45466 0/0 0 0 1 tunnel 13 18 0 0 SYI
172.16.80.4 192.168.189.3 6 41137 443 1/15787 0 0 0 tunnel 13 23 4 240 NYCI
172.16.80.4 192.168.189.3 6 41138 443 1/15787 0 0 0 tunnel 13 22 4 240 NYCI
192.168.189.3 172.16.80.4 6 8081 52818 0/0 0 0 0 tunnel 13 3 0 0 SYI
192.168.189.3 172.16.80.4 6 8081 45023 0/0 0 0 1 tunnel 13 11 0 0 SYI
192.168.189.3 172.16.80.4 6 8080 59036 0/0 0 0 1 tunnel 13 12 0 0 SY
192.168.189.3 172.16.80.4 6 8081 41138 0/0 0 0 0 tunnel 13 22 0 0 SYI
192.168.189.3 172.16.80.4 6 8081 50049 0/0 0 0 1 tunnel 13 29 0 0 SYI
192.168.189.3 172.16.80.4 6 8081 49166 0/0 0 0 1 tunnel 13 19 0 0 SYI
192.168.189.3 172.16.80.4 6 8081 54654 0/0 0 0 1 tunnel 13 9 0 0 SYI
192.168.189.3 172.16.80.4 6 8081 35011 0/0 0 0 1 tunnel 13 12 0 0 SYI
192.168.189.3 172.16.80.4 6 8081 43550 0/0 0 0 1 tunnel 13 21 0 0 SYI
192.168.189.3 172.16.80.4 6 8081 45691 0/0 0 0 0 tunnel 13 d 0 0 SYI
192.168.189.3 172.16.80.4 6 8081 56738 0/0 0 0 0 tunnel 13 8 0 0 SYI
192.168.189.3 172.16.80.4 6 8081 44495 0/0 0 0 1 tunnel 13 1e 0 0 SYI
192.168.189.3 172.16.80.4 6 8081 33234 0/0 0 0 1 tunnel 13 22 0 0 SYI
192.168.189.3 172.16.80.4 6 8081 43580 0/0 0 0 1 tunnel 13 18 0 0 SYI
192.168.189.3 172.16.80.4 6 8081 45653 0/0 0 0 0 tunnel 13 10 0 0 SYI
192.168.189.3 172.16.80.4 6 8081 43007 0/0 0 0 0 tunnel 13 0 0 0 SYI
192.168.189.3 172.16.80.4 6 8081 39105 0/0 0 0 1 tunnel 13 19 0 0 SYI
192.168.189.3 172.16.80.4 6 8080 40932 0/0 0 0 0 tunnel 13 d 0 0 SY
192.168.189.3 172.16.80.4 6 8081 41137 0/0 0 0 0 tunnel 13 23 0 0 SYI
192.168.189.3 172.16.80.4 6 8081 53442 0/0 0 0 0 tunnel 13 1 0 0 SYI

 

thanks!

MVP
Posts: 332
Registered: ‎07-26-2011

Re: How to enable the controller management via wireless

[ Edited ]

Hey, I've noticed a couple of things. Are you able to provide the full output of the CLI? The AAA profiles are missing, which doesn't allow us to determine the User Role assigned to the user and any firewall rules. The ports 8080, 8081, 443 shown in the datapath session are all used as part of the re-direct in the logon role, so I am wondering if you have this assigned to the user as opposed to any allowing ACL?

 

If you connect a client and run #show user-table you will be able to see the User Role assigned to the client. If you then run #show rights XXXX (where XXXX is the User Role name) you will be able to see the ACL assigned to the user.

 

Looking at the output you provided previously, I can see the NYCI flags.

 

172.16.80.4 192.168.189.3 6 41137 443 1/15787 0 0 0 tunnel 13 23 4 240 NYCI
172.16.80.4 192.168.189.3 6 41138 443 1/15787 0 0 0 tunnel 13 22 4 240 NYCI

 

1) Have you changed the management port from 4343 to 443?

2) The N flag shows that dest NAT is occurring. Is this configured in the User Role?

 

FYI the Y flag means the 3-way handshake is occurring, but we kind of know this already :D

ACMA, ACMP
If my post addresses your query, give kudos:)
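
The check walked through in this thread (filter the datapath session table for client-to-controller flows, then look for the "D" and "N" flags) can be scripted for longer outputs. This is an added example, not part of the original posts and not Aruba code; it assumes the first five columns are source IP, destination IP, protocol, source port and destination port, that the last column holds the flags, and it decodes only the two flags whose meaning is stated above.

```python
# Flag meanings limited to the two the thread states: D = denied, N = dest NAT.
FLAG_NOTES = {"D": "denied", "N": "destination NAT"}

# Constructed sample: four rows copied from the output posted in the thread,
# plus one made-up row (port 22, flag D) to show how a deny would surface.
SAMPLE = """\
(LWEH_ARUBA_WLC1) #show datapath session table 172.16.80.4 | include 192.168.189.3
192.168.189.3 172.16.80.4 6 8080 34671 0/0 0 0 1 tunnel 13 1e 0 0 SY
192.168.189.3 172.16.80.4 6 8081 45466 0/0 0 0 1 tunnel 13 18 0 0 SYI
172.16.80.4 192.168.189.3 6 41137 443 1/15787 0 0 0 tunnel 13 23 4 240 NYCI
172.16.80.4 192.168.189.3 6 41138 443 1/15787 0 0 0 tunnel 13 22 4 240 NYCI
172.16.80.4 192.168.189.3 6 41200 22 0/0 0 0 0 tunnel 13 5 0 0 D
"""


def parse_sessions(text):
    """Turn session-table rows into dicts; prompts and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        f = line.split()
        # A data row has numeric protocol and port columns (assumed layout).
        if len(f) < 6 or not all(x.isdigit() for x in f[2:5]):
            continue
        rows.append({"src": f[0], "dst": f[1], "proto": int(f[2]),
                     "sport": int(f[3]), "dport": int(f[4]), "flags": f[-1]})
    return rows


def management_findings(rows, client_ip, controller_ip):
    """Per destination port, count client->controller sessions and note D/N flags."""
    findings = {}
    for r in rows:
        if r["src"] != client_ip or r["dst"] != controller_ip:
            continue  # only flows the client opened towards the controller
        entry = findings.setdefault(r["dport"], {"sessions": 0, "notes": set()})
        entry["sessions"] += 1
        entry["notes"].update(FLAG_NOTES[c] for c in r["flags"] if c in FLAG_NOTES)
    return findings


if __name__ == "__main__":
    result = management_findings(parse_sessions(SAMPLE), "172.16.80.4", "192.168.189.3")
    for port, info in sorted(result.items()):
        notes = ", ".join(sorted(info["notes"])) or "no D/N flag"
        print(f"dport {port}: {info['sessions']} session(s), {notes}")
```

A destination-NAT note on the management port points back at the user role, which `show rights` for that role would confirm.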