Mobility Conductor / Master Webgui admin interface restriction

  • 1.  Mobility Conductor / Master Webgui admin interface restriction

    Posted 13 days ago

    Hi,

    I've recently found that I can only access the WebGUI of the Aruba MM from the same subnet as the server. Is this by design? I've been through the hardening guide and the config on the server and can't see any config that is locking it down, and wondered if there is a way to open it to an IP outside of its subnet?

    I thought there might be a Web lockdown ACL or setting like on ClearPass, but can't seem to find it. Maybe I'm missing something.

    Thanks,



    ------------------------------
    matt
    ------------------------------


  • 2.  RE: Mobility Conductor / Master Webgui admin interface restriction

    EMPLOYEE
    Posted 13 days ago

    Could be that something is configured on the internal firewall.

    Do a "show firewall-cp" to investigate
    Reference - https://www.arubanetworks.com/techdocs/CLI-Bank/Content/aos8/firewall-cp.htm




  • 3.  RE: Mobility Conductor / Master Webgui admin interface restriction

    Posted 13 days ago

    Nothing that I can see. Port 4343 appears to be set to any.

    ipv4        any                     6         4343        4343      Permit            1140205    cpbwc-ipv4-http



    ------------------------------
    matt
    ------------------------------



  • 4.  RE: Mobility Conductor / Master Webgui admin interface restriction

    Posted 11 days ago

    Just to check the basics, the issue is only with the GUI? That is, you can ping and ssh from other subnets, right?



    ------------------------------
    Steve Bohrer
    IT Infrastructure, Emerson College
    ------------------------------



  • 5.  RE: Mobility Conductor / Master Webgui admin interface restriction

    EMPLOYEE
    Posted 13 days ago

    If you can reach the WebUI from the same subnet but not from another subnet, it may be as simple as routing; either to the MM or back to your client.

    It's not by design IMHO. I connect to multiple MM WebUIs from a different subnet and never had issues (except for firewalls blocking or routing not in place).



    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------



  • 6.  RE: Mobility Conductor / Master Webgui admin interface restriction

    Posted 13 days ago

    It's strange. I can ping it and I can get as far as it showing me it's an untrusted cert (self-gen), and if I hit refresh a load of times quickly I get the logon box, but I can't log on.



    ------------------------------
    matt
    ------------------------------



  • 7.  RE: Mobility Conductor / Master Webgui admin interface restriction

    EMPLOYEE
    Posted 13 days ago

    Is your IP traffic passing through a firewall before reaching the MCr? Perhaps blocking 4343?




  • 8.  RE: Mobility Conductor / Master Webgui admin interface restriction

    Posted 13 days ago

    No, direct. Subnet to subnet, no ACL.



    ------------------------------
    matt
    ------------------------------



  • 9.  RE: Mobility Conductor / Master Webgui admin interface restriction

    EMPLOYEE
    Posted 13 days ago

    Can you SSH to the MM from the other subnet?

    What about accessing a different device on the same subnet as the MM from the other subnet?

    Have you tried different browsers?




  • 10.  RE: Mobility Conductor / Master Webgui admin interface restriction

    Posted 13 days ago

    Yes, SSH works fine and is stable. Can ping from both sides. Tried Chrome, Edge and Firefox. Just had a two-hour TAC session and they can't work it out either and have taken a diagnostic log.



    ------------------------------
    matt
    ------------------------------



  • 11.  RE: Mobility Conductor / Master Webgui admin interface restriction

    EMPLOYEE
    Posted 13 days ago

    What version is on the MCr?




  • 12.  RE: Mobility Conductor / Master Webgui admin interface restriction

    Posted 11 days ago

    8.10.0.11



    ------------------------------
    matt
    ------------------------------



  • 13.  RE: Mobility Conductor / Master Webgui admin interface restriction

    EMPLOYEE
    Posted 11 days ago

    Thanks. As far as I can tell, there are no related patches added in 8.10.0.12 or 8.10.0.13 where an upgrade may help fix your problem. This sounds like a bug if not a routing / firewall issue between subnets.