Wireless Access

Contributor I
Posts: 30
Registered: ‎06-09-2013

how to prevent guest wireless clients from accessing and managing my controller

The controller is on the 192.168.0.248/24 VLAN, and it has two VLANs that extend to our LAN. The two VLANs are 10.3.150.0 and 10.3.151.0, for employee and guest. I configured the controller to have the IP addresses 10.3.150.2 and 10.3.151.2 on both VLANs.

I managed to prevent users from accessing the management portal through the 192.168.0.248 IP, but guest users can still access the management portal through the 10.3.151.2 IP address. How can I prevent that?

I thought about removing that IP address from the VLAN configuration, but I didn't know if that would disrupt the functionality of the DHCP.

Any ideas on how to do that?

Thanks in advance.

MVP
Posts: 4,236
Registered: ‎07-20-2011

Re: how to prevent guest wireless clients from accessing and managing my controller

Create an access list to deny https/ssh to the management IP address and place it right on top in the user roles employee and guest.

[Screenshot: Re_ Denying Controller Management Access from outer world - Airheads_2013-07-01_08-46-29.png]

user-role EMPLOYEE
  access-list session CONTROLLER-PROTECTION-ACL position 1

Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
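
A sketch of what the ACL described in the reply above could look like in ArubaOS CLI, added here as an example; it is not taken from the original post or its missing screenshot. The netdestination name CONTROLLER-IPS and the role name GUEST are assumptions, the addresses are the controller IPs given in the question, and the `!` lines are annotations for the reader.

```text
! Added example. CONTROLLER-IPS and GUEST are assumed names.
! Controller addresses as given in the original question.
netdestination CONTROLLER-IPS
  host 192.168.0.248
  host 10.3.150.2
  host 10.3.151.2
!
! Deny wireless users HTTPS and SSH to the controller's own addresses.
! Traffic matching neither rule is left to the ACLs that follow in the role.
ip access-list session CONTROLLER-PROTECTION-ACL
  user alias CONTROLLER-IPS svc-https deny
  user alias CONTROLLER-IPS svc-ssh deny
!
! Apply it first in each role, as in the reply above.
user-role EMPLOYEE
  access-list session CONTROLLER-PROTECTION-ACL position 1
!
user-role GUEST
  access-list session CONTROLLER-PROTECTION-ACL position 1
```

After applying it, confirm from a client in each role that the management login page and SSH no longer respond on any of the three addresses, while normal traffic still passes.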
Contributor I
Posts: 30
Registered: ‎06-09-2013

Re: how to prevent guest wireless clients from accessing and managing my controller

Session ACL configured with the ip access-list session command.
Note: This parameter requires the PEFNG license.

I don't have the PEFNG license, and buying the license is not an option. We limited the guest VLAN access to our internal network through an ACL on the switch port connected to the controller.

Is there any other way to do it?

Contributor I
Posts: 26
Registered: ‎08-12-2009

Re: how to prevent guest wireless clients from accessing and managing my controller

Hi

Depending on your configuration you may be able to configure the VLAN number that corresponds to that IP range as untrusted under the port configuration. This will stop the users from having the ability to connect to the controller on that interface. I have done that in the past when I have not had the PEF license.

Thanks

Ryan

Contributor I
Posts: 30
Registered: ‎06-09-2013

Re: how to prevent guest wireless clients from accessing and managing my controller

Configuring the VLAN as untrusted killed all connections to the internal network and to the internet.

I want employee to have access to the internal network; guest is already filtered on the switch. But both have access to the controller.

If you have done it before, then I must be doing something wrong. Any ideas?

Contributor I
Posts: 26
Registered: ‎08-12-2009

Re: how to prevent guest wireless clients from accessing and managing my controller

Hi

OK, for your VLANs, is the default gateway for those VLANs (10.3.150.0 and 10.3.151.0) the Aruba controller or is it the core switch? If the default gateway is the core switch and not the controller then you should not need to have IP addresses on the controller for those VLANs.

If the default gateway for those VLANs is the Aruba controller and you are routing all traffic through the controller then there is probably not a lot you can do without a PEF license.

If you could post your config that includes the VLAN, IP and port configuration that would help.

Thanks

Ryan

Contributor I
Posts: 30
Registered: ‎06-09-2013

Re: how to prevent guest wireless clients from accessing and managing my controller

But the controller is the DHCP server for VLANs 150 and 151. If I remove the IP address of the controller, will that affect it?

The gateway is the switch and not the controller, as you see in the attached configuration.

Thank you for your help, I really appreciate it.

Contributor I
Posts: 26
Registered: ‎08-12-2009

Re: how to prevent guest wireless clients from accessing and managing my controller

Hi

As the controller is the DHCP server then I think the only way you will be able to do it is via a PEF license unless you can move DHCP to a server on the network rather than the controller.

Thanks

Ryan

Contributor I
Posts: 30
Registered: ‎06-09-2013

Re: how to prevent guest wireless clients from accessing and managing my controller

Hi,

You are right. For now, due to how the network is designed, I can't move the DHCP server. Later in time we are going to do that, then I'll just disable the DHCP on the controller and point the users to a DHCP on the network.

Revans, thank you for your help, I really appreciate it.
