Wireless Access


Access network design for branch, remote, outdoor and campus locations with Aruba access points, and mobility controllers.

Controller Management Access

  • 1.  Controller Management Access

    Posted Oct 11, 2019 03:03 AM

    Hi all,

     

    I'm configuring a new Aruba controller, model 7024, with Aruba OS 6.5.4.13.

    I was configuring the management access so that only one interface can access the controller management via web or SSH. The WebUI access is through port 4343 and SSH access through port 22, so I made an ACL, configured it on the interface, and it works fine.

    I want to configure the same setting on other controllers, such as a 7205 with the same version of Aruba OS.

    On this controller I can access the WebUI through port 4343 or 443; if I attack 443 it doesn't redirect to port 4343, like the new 7024 controller does. Is it normal? Could I deny traffic to the controller through port 443 without affecting clients connected to the WLANs?

    Is there any option to configure the port access to webUI?

     

    Thanks in advance.



  • 2.  RE: Controller Management Access
    Best Answer

    Posted Oct 11, 2019 03:59 AM

    By default access to the web interface via 443 is disabled. This option would have to have been enabled for this to work.

     

    You can check using the following:

     

    (Aruba7030) #show web-server profile
    
    Web Server Configuration
    ------------------------
    Parameter                                          Value
    ---------                                          -----
    --------------- TRUNCATED ---------------
    Enable WebUI access on HTTPS port (443)            false
    --------------- TRUNCATED ---------------

     

     



  • 3.  RE: Controller Management Access

    Posted Oct 11, 2019 04:37 AM

    Thanks a lot.

    Now I've configured web-server with the command:

    no web-https-port-443

    And now the URL https://hostnameController redirects automatically to port 4343.

    I'm going to continue with the ACL configuration for the controller access, in order to deny 4343 and 22 connections to interfaces except the admin VLAN.



  • 4.  RE: Controller Management Access

    Posted Oct 11, 2019 07:59 AM

    The classic way of determining what is allowed to contact the controller on what ports is the "firewall-cp" command.  https://www.arubanetworks.com/techdocs/ArubaOS_85_Web_Help/Content/arubaos-solutions/1cli-commands/firewall-cp.htm?Highlight=firewall%20cp

     

    Type "show firewall-cp internal" to see what is allowed to contact the controller on what ports.  You can then carefully decide what source subnets are allowed to contact the controller on ports 4343 and 22 and configure it.  Please understand that the maximum number of rules is 64.



  • 5.  RE: Controller Management Access

    Posted Oct 13, 2019 01:24 PM

    Thanks, I'll check that way to control the access to the controller.

     

    The way I thought of was a session-type firewall policy linked to the port interface (this port is in trunk mode and allows all VLANs), which blocks any access on ports 4343 and 22 to the controller's IP on users' VLANs and permits these connections to the controller's IP on the admin VLAN.

    In the network's core I have an ACL which permits or denies access to the admin VLAN.

    I've tested it with a new 7024 controller and it worked, but I'm going to check what you said, thanks.



  • 6.  RE: Controller Management Access

    Posted Oct 13, 2019 07:36 PM

    The benefit of the cp-firewall is that no matter how your interfaces are configured, it will only allow connections to Port 4343 and 22 from the subnets you specify. This is typically called a "service ACL" by other manufacturers. You can certainly configure it your way, as well.
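    The following is an added illustration, not code from this thread or from Aruba: a small Python model of the "service ACL" behaviour that replies 4 and 6 describe (an ordered rule list for traffic addressed to the controller itself, first match wins, capped at 64 rules, independent of which interface the traffic arrived on), plus a parser for the `show web-server profile` line from reply 2. The subnets (10.0.10.0/24 as the admin VLAN, 10.0.30.0/24 as a hypothetical guest-ticket helpdesk subnet), the fall-through behaviour for unmatched traffic, and all function names are assumptions of this model; the real `firewall cp` syntax is in the linked ArubaOS documentation.

```python
"""Model of a controller control-plane ('service') ACL.  Added example: not
ArubaOS code; rule semantics and subnets are constructed assumptions."""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import List, Optional, Tuple

MAX_CP_RULES = 64                 # limit stated in reply 4
WEBUI_PORT = 4343                 # ArubaOS WebUI
SSH_PORT = 22
MGMT_PORTS = (WEBUI_PORT, SSH_PORT)
ANY = ip_network("0.0.0.0/0")     # 'any' source


@dataclass(frozen=True)
class CpRule:
    action: str          # "permit" or "deny"
    source: IPv4Network  # allowed / blocked source subnet
    port: int            # destination TCP port on the controller


class ControlPlaneAcl:
    """Ordered rule list evaluated against traffic destined to the controller."""

    def __init__(self, rules: List[CpRule]) -> None:
        if len(rules) > MAX_CP_RULES:
            raise ValueError(f"control-plane ACL limited to {MAX_CP_RULES} rules")
        for rule in rules:
            if rule.action not in ("permit", "deny"):
                raise ValueError(f"unknown action {rule.action!r}")
        self.rules = list(rules)

    def lookup(self, src_ip: str, port: int) -> Tuple[str, Optional[int]]:
        """Return (verdict, index of the first matching rule, or None)."""
        src = ip_address(src_ip)
        for idx, rule in enumerate(self.rules):
            if rule.port == port and src in rule.source:
                return rule.action, idx
        # Modelling assumption: traffic no user rule matches falls through to the
        # controller's built-in rules, which leave management ports reachable.
        # That is why an explicit 'deny any' rule is needed after the permits.
        return "permit", None

    def evaluate(self, src_ip: str, port: int) -> str:
        return self.lookup(src_ip, port)[0]


def admin_only_acl(admin_subnet: str) -> ControlPlaneAcl:
    """Permit WebUI and SSH only from the admin VLAN, deny them from anywhere else."""
    admin = ip_network(admin_subnet)
    rules = [CpRule("permit", admin, p) for p in MGMT_PORTS]
    rules += [CpRule("deny", ANY, p) for p in MGMT_PORTS]
    return ControlPlaneAcl(rules)


def admin_plus_guest_provisioning(admin_subnet: str, helpdesk_subnet: str) -> ControlPlaneAcl:
    """Same as above, but the helpdesk subnet that creates guest Wi-Fi tickets
    also gets the WebUI (4343) and nothing else; SSH stays admin-only.
    The permit must sit before the 'deny any' rule because first match wins."""
    admin = ip_network(admin_subnet)
    helpdesk = ip_network(helpdesk_subnet)
    rules = [CpRule("permit", admin, p) for p in MGMT_PORTS]
    rules.append(CpRule("permit", helpdesk, WEBUI_PORT))
    rules += [CpRule("deny", ANY, p) for p in MGMT_PORTS]
    return ControlPlaneAcl(rules)


# Constructed sample of the 'show web-server profile' output quoted in reply 2.
SAMPLE_WEB_SERVER_PROFILE = """\
Web Server Configuration
------------------------
Parameter                                          Value
---------                                          -----
Enable WebUI access on HTTPS port (443)            false
"""


def webui_on_443_enabled(show_output: str) -> bool:
    """True if the controller also serves the WebUI on 443 (default is false)."""
    for line in show_output.splitlines():
        if line.startswith("Enable WebUI access on HTTPS port (443)"):
            return line.split()[-1].lower() == "true"
    raise ValueError("parameter line not found in output")


if __name__ == "__main__":
    acl = admin_plus_guest_provisioning("10.0.10.0/24", "10.0.30.0/24")
    for src, port in (("10.0.10.5", 22), ("10.0.30.9", 4343), ("10.0.30.9", 22), ("10.0.20.7", 4343)):
        verdict, idx = acl.lookup(src, port)
        print(f"{src:>12} -> {port:<5} {verdict:<6} (rule {idx})")
    print("WebUI on 443 enabled:", webui_on_443_enabled(SAMPLE_WEB_SERVER_PROFILE))
```

    The `lookup` method returns the index of the matching rule so the result of each change to the list can be audited before it is applied; the `admin_plus_guest_provisioning` variant shows the adjustment the original poster's rollback in reply 7 points at, where the people creating guest tickets need the WebUI port from their own subnet but not SSH.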


  • 7.  RE: Controller Management Access

    Posted Oct 25, 2019 01:59 AM

    Finally it works, but I had to roll back the configuration.

    People who create guest Wi-Fi tickets aren't able to access the website to do this. They don't have access to the admin VLAN.