Wireless Access


Access network design for branch, remote, outdoor and campus locations with Aruba access points, and mobility controllers.

Disable wireless management

  • 1.  Disable wireless management

    Posted Feb 23, 2012 04:49 AM

    Hi all!

     

    Please, does anybody know how to disable wireless management on the Aruba 650 Controller? I want to manage the controller only across the wired ports. I think Aruba should have an option to deny access to the controller for wireless clients, but I don't see this option in the controller.

     

    thanks!



  • 2.  RE: Disable wireless management

    Posted Feb 23, 2012 05:51 AM

    You can disable the Virtual APs of access points that connect to the controller:

     

    Configuration > Wireless > AP Configuration.  Edit the Default AP group.  Expand Wireless LAN.  Click on Virtual AP.  Uncheck the Virtual AP Enable checkbox.  Click on Apply in the lower right-hand corner.

     



  • 3.  RE: Disable wireless management

    Posted Feb 23, 2012 06:01 AM

     

    I don't use the default AP group. I have 2 AP groups with 4 VAP profiles; if I uncheck Virtual AP Enable, I'm not sure what will happen. Is Virtual AP Enable only for management purposes?



  • 4.  RE: Disable wireless management

    Posted Feb 23, 2012 06:20 AM

    I apologize.  I did not answer your question.

     

    You want to ONLY be able to manage the controller from particular subnets, right?

     

    We do not have a specific feature that does that (service acls), for now, but you can accomplish it by doing the following:

     

    1.  Create an "alias" or netdestination that defines what subnets you want management traffic from

    2.  Write rules allowing TCP 4343 traffic and SSH traffic from that subnet to the controller's IP address

    3.  Write rules dropping TCP 4343 traffic and SSH traffic to the controller ip address from anywhere else.

    4.  Allow all traffic at the end of the rule

    5.  Apply it to a controller interface

     

    In the example below, I allow management traffic from 192.168.1.0 255.255.255.0 to the controller at 192.168.1.3 and drop it from everywhere else.  If I want to expand where I want management traffic from, I can just edit the Alias/Netdestination "management-subnet":

     

    HINT:  Please have a console cable handy just in case you lock yourself out of the controller!

     

    config t
    netdestination management-subnet
      network 192.168.1.0 255.255.255.0
    !
    ip access-list session "Controller-Access"
      alias "management-subnet" host 192.168.1.3 tcp 4343 4343 permit queue low
      any host 192.168.1.3 tcp 4343 4343 deny queue low
      alias "management-subnet" host 192.168.1.3 "svc-ssh" permit queue low
      any host 192.168.1.3 "svc-ssh" deny queue low
      any any any permit queue low
    !
    interface gigabitethernet 1/0
      ip access-group "Controller-Access" session
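
Added example (not part of the original post and not Aruba code): a small Python model of first-match evaluation over the rules posted above, useful for checking which flows reach the controller before the ACL is applied. It assumes `svc-ssh` means TCP 22 and that a session ACL ends in an implicit deny; the function names and test addresses are constructed.

```python
import ipaddress

# Constructed model of the posted "Controller-Access" ACL; first match wins.
# Assumption: the named service svc-ssh is TCP port 22.
ALIASES = {"management-subnet": ["192.168.1.0/255.255.255.0"]}
SERVICES = {"svc-ssh": ("tcp", 22, 22)}
ACL = """\
alias "management-subnet" host 192.168.1.3 tcp 4343 4343 permit queue low
any host 192.168.1.3 tcp 4343 4343 deny queue low
alias "management-subnet" host 192.168.1.3 "svc-ssh" permit queue low
any host 192.168.1.3 "svc-ssh" deny queue low
any any any permit queue low
"""

def take_addr(tok):
    # Consume one source or destination spec and return its networks.
    kind = tok.pop(0)
    if kind == "any":
        return [ipaddress.ip_network("0.0.0.0/0")]
    if kind == "host":
        return [ipaddress.ip_network(tok.pop(0) + "/32")]
    return [ipaddress.ip_network(n) for n in ALIASES[tok.pop(0)]]  # alias

def parse(text):
    # Turn each rule line into (src, dst, proto, low port, high port, action).
    rules = []
    for line in text.splitlines():
        tok = line.replace('"', "").split()
        if not tok:
            continue
        src, dst = take_addr(tok), take_addr(tok)
        svc = tok.pop(0)
        if svc == "any":
            proto, lo, hi = None, 0, 65535
        elif svc in SERVICES:
            proto, lo, hi = SERVICES[svc]
        else:
            proto, lo, hi = svc, int(tok.pop(0)), int(tok.pop(0))
        rules.append((src, dst, proto, lo, hi, tok.pop(0)))
    return rules

def decide(rules, src, dst, proto, port):
    # Return the action of the first rule matching the flow.
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rsrc, rdst, rproto, lo, hi, action in rules:
        if (any(s in n for n in rsrc) and any(d in n for n in rdst)
                and rproto in (None, proto) and lo <= port <= hi):
            return action
    return "deny"  # assumption: implicit deny when no rule matches
```

In this model, swapping the first two rules denies the management subnet as well, which is the lockout the hint about the console cable refers to. Other TCP ports on 192.168.1.3, such as 443, fall through to the final permit rule.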

     

     

     

     



  • 5.  RE: Disable wireless management

    Posted Feb 23, 2012 06:50 AM

     

    Thanks for your reply!

     

    I thought Aruba has a feature for this.

     

    You are right, I'm afraid I will have to use an ACL to deny or permit traffic for different subnets.

     

     



  • 6.  RE: Disable wireless management

    Posted Feb 23, 2012 09:52 AM

     

    I did the following:

     

    In the role authenticated, create an ACL that only permits 1 subnet to access port 4343; other subnets are denied.

    Role guest doesn't need this policy because this role is not permitted to access HTTPS by default.

     

    I have 4 SSIDs; 3 SSIDs use role authenticated and 1 uses role-guest (captive portal), so I think with this config only the users in the subnet permitted in the ACL could reach the WebUI on the controller. Is that OK?

     

    Thanks!



  • 7.  RE: Disable wireless management
    Best Answer

    Posted Feb 23, 2012 08:05 PM

    That's great!

     



  • 8.  RE: Disable wireless management

    Posted Mar 23, 2012 07:00 PM
    Are there any plans to implement this feature? I think this is pretty important. I shouldn't have to kludge an ACL together that could potentially lock me out of the controller. Thanks!


  • 9.  RE: Disable wireless management

    Posted Mar 24, 2012 07:53 AM

    True.  Please post in the IDEAS forum...