Wireless Access

Hi all,

 

I'm configuring a new aruba controller, model 7024, with Aruba OS 6.5.4.13.

I was configuring the management access, so only one interface can access to the controller management via web or ssh. The weUI access s through 4343 port and ssh access through 22 port, so I made an acl, configure it to the interface and it works fine.

 

I want to configure the same setting on other controllers, such a 7205 with the same version of Aruba OS.

In this controller I can access to webUI through 4343 port or 443, if I attack 443 it doesn´t redirection to 4343 port, like the new 7024 controller does. Is it normal? Could I deny traffic to the controller through 443 port without affect clients connected to the WLANs?

Is there any option to configure the port access to webUI?

 

Thanks in advance.

By default access to the web interface via 443 is disabled. This option would have to have been enabled for this to work.

 

You can check using the following:

 

(Aruba7030) #show web-server profile

Web Server Configuration
------------------------
Parameter                                          Value
---------                                          -----
--------------- TRUNCATED ---------------
Enable WebUI access on HTTPS port (443)            false
--------------- TRUNCATED ---------------

 

 

Thanks a lot.

Now I've configured web-server with the command:

no web-https-port-443

And now the url https://hostnameController redirect automatically to 4343 port.

I'm going to continue with the acl configuration for the controller access due to deny 4343 and 22 connection to interfaces except to admin vlan.

The classic way of determining what is allowed to contact the controller on what ports is the "firewall-cp" command.  https://www.arubanetworks.com/techdocs/ArubaOS_85_Web_Help/Content/arubaos-solutions/1cli-commands/firewall-cp.htm?Highlight=firewall%20cp

 

Type "show firewall-cp internal" to see what is allowed to contact the controller on what ports.  You can then carefully decide what source subnets are allowed to contact the controller on ports 4343 and 22 and configure it.  Please understand that the maximum number of rules is 64.

Thanks, I'll check that way to control the access to the controller.

 

The way I thought was a firewall policy type session linked to the port interface (this port is trunk mode and allowed all vlans), which blocks any access with 4343 and 22 port to the controller's ip on user's vlans and permits these connections to the controller's ip on admin vlan.

 

In the network's core I have an acl which permit or deny access to the admin vlan.

 

I've tested it with a new 7024 controller and it worked, but I'm going to check you said, thanks.

The benefit of the cp-firewall is that no matter how your interfaces are configured, it will only allow connections to Port 4343 and 22 from the subnets you specify. This is typically called a "service ACL" by other manufacturers. You can certainly configure it your way, as well.

Finally it works but I have to rolled back the configuration.

People which create guest wifi tickets aren't able to access to the website to do this. They haven't access to admin vlan.