Please, does anybody know how to disable wireless management on the Aruba 650 Controller? I want to manage the controller only across the wired ports. I think Aruba should have an option to deny access to the controller for wireless clients, but I don't see this option in the controller.
You can disable the Virtual APs of access points that connect to the controller:
Configuration > Wireless > AP Configuration. Edit the Default AP group. Expand Wireless LAN. Click on Virtual AP. Uncheck the Virtual AP Enable checkbox. Click on Apply in the lower right hand corner.
I don't use the default AP group. I have 2 AP groups with 4 VAP profiles; if I uncheck Virtual AP Enable I'm not sure what will happen. Is Virtual AP Enable only for management purposes?
I apologize. I did not answer your question.
You want to ONLY be able to manage the controller from particular subnets, right?
We do not have a specific feature that does that (service ACLs) for now, but you can accomplish it by doing the following:
1. Create an "alias" or netdestination that defines which subnets you want management traffic from
2. Write rules allowing TCP 4343 traffic and SSH traffic from that subnet to the controller's IP address
3. Write rules dropping TCP 4343 traffic and SSH traffic to the controller IP address from anywhere else.
4. Allow all traffic at the end of the rule
5. Apply it to a controller interface
In the example below, I allow management traffic from 192.168.1.0 255.255.255.0 to the controller at 192.168.1.3 and drop it from everywhere else. If I want to expand where I want management traffic from, I can just edit the alias/netdestination "management-subnet":
HINT: Please have a console cable handy just in case you lock yourself out of the controller!
netdestination "management-subnet"
  network 192.168.1.0 255.255.255.0
!
ip access-list session "Controller-Access"
  alias "management-subnet" host 192.168.1.3 tcp 4343 4343 permit queue low
  any host 192.168.1.3 tcp 4343 4343 deny queue low
  alias "management-subnet" host 192.168.1.3 "svc-ssh" permit queue low
  any host 192.168.1.3 "svc-ssh" deny queue low
  any any any permit queue low
!
interface gigabitethernet 1/0
  ip access-group "Controller-Access" session
Thanks for your reply!
I thought Aruba had a feature for this.
You are right; I'm afraid I will have to use ACLs to deny or permit traffic for different subnets.
I did the following:
In the role authenticated, create an ACL that only permits 1 subnet to access port 4343; other subnets are denied.
Role guest doesn't need this policy because this role is not permitted to access HTTPS by default.
I have 4 SSIDs; 3 SSIDs use role authenticated and 1 uses role guest (captive portal), so I think with this config only the users in the subnet permitted in the ACL could reach the WebUI on the controller. Is that OK?
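The role-based variant described in the post above, as an added ArubaOS config example rather than configuration anyone posted in this thread: the ACL goes into the authenticated role at position 1 with no trailing permit-any, so the management ports are checked first and the role's remaining policies (e.g. allowall) still handle everything else. The 192.168.1.0/24 subnet and controller address 192.168.1.3 are reused from the earlier example; the alias and ACL names are assumed, and `log` on the deny lines is optional but makes blocked attempts visible in the controller log.

```text
netdestination "mgmt-subnet"
  network 192.168.1.0 255.255.255.0
!
ip access-list session "restrict-ctrl-mgmt"
  alias "mgmt-subnet" host 192.168.1.3 tcp 4343 4343 permit
  any host 192.168.1.3 tcp 4343 4343 deny log
  alias "mgmt-subnet" host 192.168.1.3 "svc-ssh" permit
  any host 192.168.1.3 "svc-ssh" deny log
!
user-role authenticated
  access-list session "restrict-ctrl-mgmt" position 1
```

Confirm the rule order in the role with `show rights authenticated` before relying on it.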
True. Please post in the IDEAS forum...
© Copyright 2021 Hewlett Packard Enterprise Development LP. All Rights Reserved.