Wireless Access


Access network design for branch, remote, outdoor and campus locations with Aruba access points, and mobility controllers.

how to prevent guest wireless clients from accessing and managing my controller

  • 1.  how to prevent guest wireless clients from accessing and managing my controller

    Posted Jul 01, 2013 04:23 AM

    The controller is on the 192.168.0.248/24 VLAN, and it has two VLANs that extend to our LAN. The two VLANs are 10.3.150.0 and 10.3.151.0, for employee and guest. I configured the controller to have an IP address, 10.3.150.2 and 10.3.151.2, on both VLANs.

    I managed to prevent users from accessing the management portal through the 192.168.0.248 IP, but guest users can still access the management portal through the 10.3.151.2 IP address. How do I prevent that?

    I thought about removing that IP address from the VLAN configuration, but I didn't know if that would disrupt the functionality of the DHCP.

    Any ideas on how to do that?

    Thanks in advance.



  • 2.  RE: how to prevent guest wireless clients from accessing and managing my controller

    Posted Jul 01, 2013 06:32 AM

    Create an access list to deny HTTPS/SSH to the management IP address and place it right on top in the user roles employee and guest.

     


     

    user-role EMPLOYEE 

    access-list session CONTROLLER-PROTECTION-ACL position 1
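
An added example, not part of the original reply and not Aruba tooling: a small audit that reads an exported configuration and reports every user role in which `CONTROLLER-PROTECTION-ACL` is missing or is not the first session ACL. It assumes roles appear as `user-role` stanzas with indented `access-list session` lines listed in evaluation order; the sample configuration, including the GUEST and CONTRACTOR roles and the other ACL names, is constructed.

```python
import re

REQUIRED_ACL = "CONTROLLER-PROTECTION-ACL"  # ACL name used in the reply above

# Constructed sample; GUEST, CONTRACTOR and the other ACL names are made up.
SAMPLE_CONFIG = """\
user-role EMPLOYEE
 access-list session CONTROLLER-PROTECTION-ACL
 access-list session allowall
!
user-role GUEST
 access-list session guest-internet
 access-list session CONTROLLER-PROTECTION-ACL
!
user-role CONTRACTOR
 access-list session allowall
!
"""

ROLE_RE = re.compile(r"^user-role\s+(\S+)\s*$")
ACL_RE = re.compile(r"^\s+access-list\s+session\s+(\S+)")

def session_acls_by_role(config_text):
    """Map each user-role to its session ACLs, in the order they are listed."""
    roles, current = {}, None
    for line in config_text.splitlines():
        role = ROLE_RE.match(line)
        if role:
            current = roles.setdefault(role.group(1), [])
        elif not line.startswith((" ", "\t")):
            current = None  # "!" or any unindented line ends the stanza
        elif current is not None:
            acl = ACL_RE.match(line)
            if acl:
                current.append(acl.group(1))
    return roles

def audit(config_text, required=REQUIRED_ACL):
    """Return {role: finding} for roles where `required` is not evaluated first."""
    findings = {}
    for role, acls in session_acls_by_role(config_text).items():
        if required not in acls:
            findings[role] = "missing"
        elif acls[0] != required:
            findings[role] = "listed at position %d" % (acls.index(required) + 1)
    return findings

if __name__ == "__main__":
    for role, problem in audit(SAMPLE_CONFIG).items():
        print(f"{role}: {REQUIRED_ACL} {problem}")
```

A role where a permissive ACL is listed ahead of the protection ACL is flagged as well as one that lacks it, because rules are matched top-down and the deny would never be reached.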



  • 3.  RE: how to prevent guest wireless clients from accessing and managing my controller

    Posted Jul 02, 2013 01:58 AM

    Session ACL configured with the ip access-list session command.
    Note: This parameter requires the PEFNG license.

     

    I don't have the PEFNG license, and buying the license is not an option. We limited the guest VLAN access to our internal network through an ACL on the switch port connected to the controller.

    Is there any other way to do it?



  • 4.  RE: how to prevent guest wireless clients from accessing and managing my controller

    Posted Jul 02, 2013 10:03 PM

    Hi

     

    Depending on your configuration you may be able to configure the vlan number that corresponds to that IP range as untrusted under the port configuration. This will stop the users from having the ability to connect to the controller on that interface. I have done that in the past when I have not had the PEF license.

     

    Thanks

     

    Ryan



  • 5.  RE: how to prevent guest wireless clients from accessing and managing my controller

    Posted Jul 03, 2013 05:11 AM

    Configuring the VLAN as untrusted killed all connections to the internal network and to the internet.

    I want employee to have access to the internal network; guest is already filtered on the switch. But both have access to the controller.

    If you have done it before, then I must be doing something wrong. Any ideas?



  • 6.  RE: how to prevent guest wireless clients from accessing and managing my controller

    Posted Jul 03, 2013 05:40 AM

    Hi

     

    OK, for your VLANs, is the default gateway for those VLANs (10.3.150.0 and 10.3.151.0) the Aruba controller or is it the core switch? If the default gateway is the core switch and not the controller then you should not need to have IP addresses on the controller for those VLANs.

    If the default gateway for those VLANs is the Aruba controller and you are routing all traffic through the controller then there is probably not a lot you can do without a PEF license.

     

    If you could post your config that includes the vlan, ip and port configuration that would help.

     

    Thanks

     

    Ryan

     

     



  • 7.  RE: how to prevent guest wireless clients from accessing and managing my controller

    Posted Jul 03, 2013 07:37 AM

    But the controller is the DHCP server for VLANs 150 and 151. If I remove the IP address of the controller, will that affect it?

    The gateway is the switch and not the controller, as you see in the attached configuration.

    Thank you for your help, I really appreciate it.




  • 8.  RE: how to prevent guest wireless clients from accessing and managing my controller
    Best Answer

    Posted Jul 03, 2013 07:12 PM

    Hi

     

    As the controller is the DHCP server then I think the only way you will be able to do it is via a PEF license unless you can move DHCP to a server on the network rather than the controller.

     

    Thanks

     

    Ryan



  • 9.  RE: how to prevent guest wireless clients from accessing and managing my controller

    Posted Jul 04, 2013 02:02 AM

    Hi, 

     

    You are right; for now, due to how the network is designed, I can't move the DHCP server. Later on we are going to do that, then I'll just disable DHCP on the controller and point the users to a DHCP server on the network.

    Revans, thank you for your help, I really appreciate it.