AirWave and Network Management

Occasional Contributor I

Restrict SSH HTTPS access to controller


I'd like to be able to restrict ssh and https access to manage the controller to specific lan subnets (not wifi clients), but cannot find an option to do this. Is this possible?
Guru Elite

Port ACL

You would create an IPv4 acl (Configuration > Security > Access Control Policies). You would then apply that acl to a physical port (Configuration > Network > Ports, select the port and apply the policy to the "Firewall Policy" in the section called "session").

***It is important to note that this policy will correspond to ALL traffic coming in on that physical port, so after you create rules to block traffic from where you don't want it to go, you would need to do a "any any any permit" as the last line in the policy to ensure that the controller can still accept normal traffic like from APs, return user traffic, etc; otherwise, you might have to get out the console cable to remove that policy....

*Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba Networks or Hewlett Packard Enterprise.*

Restrict SSH HTTPS access to controller

You can build an ACL and place upon the port(s) you are interested in

The ACL would follow the standard formats and can allow https/ssh from
'specific stations' if that is the desired outcome.


Contributor II

Re: Restrict SSH HTTPS access to controller

What if you created a netdestination that included all aruba controllers and then added a policy to your authenticated role. For example, I connect to the wifi, log in, and get assigned the role "user". Then user would have "no-admin-access-policy" policy on top of that.

#define the controllers (the host lines are placeholders: list every IP address the controller owns)
netdestination aruba-controllers
  host <controller-ip-1>
  host <controller-ip-2>

#define the session-acl (source, destination, service, action)
ip access-list session no-admin-access-policy
  any alias aruba-controllers svc-http deny
  any alias aruba-controllers svc-aruba-http deny
  any alias aruba-controllers svc-aruba-https deny
  any alias aruba-controllers svc-ssh deny

#add the acl to the user-role, above allow-all so it is matched first
user-role authenticated-user
  session-acl no-admin-access-policy
  session-acl cplogout
  session-acl allow-all

This should stop anyone with the role of authenticated-user from accessing the defined controllers. Then you have to go in via LAN on the network or from a different user-role.
All-Decade MVP 2020

Do both

You need to do both aforementioned methods. You must apply a session policy on the uplink port to protect the controller. Remember to make the destination ALL ip addresses on the controller, otherwise, a hole will remain.

However, wireless users on that controller will not hit that policy, as their traffic will be in the APs' GRE tunnel. Thus, you'll need to also protect ssh/http(s) access to the controller in each of the user-roles.
Ryan Holland, ACDX #1 ACMX #1
The Ohio State University
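The two-layer setup described in this thread (port policy on the uplink plus a role policy for wireless users), written out as an added example that is not from any of the posters or from Aruba's documentation. The addresses are constructed placeholders, the interface name varies by platform, and the `access-list session` role keyword and `ip access-group ... session` port binding are assumed from the ArubaOS CLI; the `#` lines are annotations for the reader, not CLI input.

```text
# Constructed addresses for illustration only; replace with your own.
#   10.10.0.0/24        = management LAN allowed to reach SSH/HTTPS
#   10.0.0.1, 10.0.1.1  = every IP address configured on the controller

netdestination mgmt-lan
  network 10.10.0.0 255.255.255.0

netdestination aruba-controllers
  host 10.0.0.1
  host 10.0.1.1

# Port policy for the uplink. Rules are matched top-down, first match
# wins: the management LAN is permitted before the deny lines, and the
# closing "any any any permit" keeps AP, user and return traffic flowing
# (leave it out and you may need the console cable to recover).
ip access-list session restrict-mgmt-port
  alias mgmt-lan alias aruba-controllers svc-ssh permit
  alias mgmt-lan alias aruba-controllers svc-https permit
  any alias aruba-controllers svc-ssh deny
  any alias aruba-controllers svc-https deny
  any any any permit

interface gigabitethernet 0/0/0
  ip access-group restrict-mgmt-port session

# Role policy for wireless users. Their traffic arrives inside the AP
# GRE tunnel and never crosses the port policy above, so the same
# destinations are denied here. It must sit above allow-all in the
# role, otherwise allow-all matches first and the deny is never reached.
ip access-list session no-admin-access-policy
  any alias aruba-controllers svc-ssh deny
  any alias aruba-controllers svc-https deny
  any alias aruba-controllers svc-http deny

user-role authenticated-user
  access-list session no-admin-access-policy
  access-list session allow-all
```

Verify from both sides after applying it: an SSH attempt from a wireless client should be dropped, while one from the management LAN over the uplink still connects.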
Contributor II

Re: Restrict SSH HTTPS access to controller

@ryan is right. The port acl won't affect the traffic in the GRE tunnel that includes everyone being blocked from having access ^^