ArubaOS and Controllers

Occasional Contributor II

restricting controller management access

Hi All,

I'm trying to restrict GUI/CLI access to a controller. Assuming I need an ACL, can someone share an example ACL and where it should be applied?

Aruba Employee

Re: restricting controller management access

I don't have one handy at the moment, but you would apply it to the interfaces.

Frequent Contributor I

Re: restricting controller management access

I've set up ACLs like this:

ip access-list session allow-ip
network alias all-controller-ips any permit
any alias all-controller-ips svc-ssh deny
any alias all-controller-ips tcp 4343 deny
any any any permit

then apply it to a specific interface:

interface gigabitethernet 0/0
ip access-group allow-ip session

I'm not particularly happy with this, but it does block HTTPS and SSH connections from all but the whitelisted network. So I'd be interested in what others have done. Looking to see if I can use the mgmt eth port and then block mgmt access from all other ports. Looks like this needs to be done on the physical interface... you cannot put filters on the VLAN IP interfaces. So one needs to use care and make sure the rules specify the controller IPs, otherwise you'll be blocking SSH in general on that interface, including traffic to/from clients to other hosts... etc.

And I need to be careful with HTTPS: I don't want to block my captive portal users.

In general I want to block access to the controller - permit everything else so that I know any port blocking is wholly contained in the user's role.
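To make the first-match behaviour of the session ACL above concrete (and the caveat about accidentally blocking client SSH to other hosts), here is an added Python model of the rule evaluation. It is example code written for this thread, not ArubaOS code or output; the management subnet (10.10.0.0/24), the controller addresses behind the `all-controller-ips` alias, and the sample flows are all constructed placeholders. It also contrasts the posted ACL with a naive variant that denies SSH to `any` destination, which is the mistake the post warns about.

```python
import ipaddress

# Constructed placeholders (assumptions, not values from the thread).
MGMT_NET = ipaddress.ip_network("10.10.0.0/24")        # whitelisted admin network
CONTROLLER_IPS = {                                      # stands in for alias all-controller-ips
    ipaddress.ip_address("10.1.1.1"),
    ipaddress.ip_address("10.2.2.1"),
}

# Source / destination / service matchers, mirroring the ACL keywords.
def src_any(ip):          return True
def src_mgmt(ip):         return ip in MGMT_NET
def dst_any(ip):          return True
def dst_controllers(ip):  return ip in CONTROLLER_IPS
def svc_any(proto, port): return True
def svc_ssh(proto, port): return (proto, port) == ("tcp", 22)      # svc-ssh
def svc_4343(proto, port): return (proto, port) == ("tcp", 4343)    # tcp 4343 (WebUI)

# The posted "allow-ip" ACL, one tuple per line: (src, dst, service, action).
ALLOW_IP = [
    (src_mgmt, dst_controllers, svc_any,  "permit"),  # network <mgmt> alias all-controller-ips any permit
    (src_any,  dst_controllers, svc_ssh,  "deny"),    # any alias all-controller-ips svc-ssh deny
    (src_any,  dst_controllers, svc_4343, "deny"),    # any alias all-controller-ips tcp 4343 deny
    (src_any,  dst_any,         svc_any,  "permit"),  # any any any permit
]

# Naive variant that forgets the destination alias: denies SSH everywhere.
NAIVE = [
    (src_mgmt, dst_any, svc_any, "permit"),
    (src_any,  dst_any, svc_ssh, "deny"),
    (src_any,  dst_any, svc_any, "permit"),
]

def evaluate(acl, src, dst, proto, port):
    """Return (action, 1-based rule number) for the first matching rule.

    Session ACLs are evaluated top-down, first match wins; a flow that
    matches nothing is treated as denied here (modelled as an implicit deny).
    """
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for number, (s, d, svc, action) in enumerate(acl, start=1):
        if s(src_ip) and d(dst_ip) and svc(proto, port):
            return action, number
    return "deny", None

# Constructed sample flows: (description, src, dst, proto, port).
FLOWS = [
    ("admin ssh to controller",        "10.10.0.5",   "10.1.1.1",     "tcp", 22),
    ("client ssh to controller",       "192.168.5.7", "10.1.1.1",     "tcp", 22),
    ("client WebUI to controller",     "192.168.5.7", "10.1.1.1",     "tcp", 4343),
    ("client captive portal HTTPS",    "192.168.5.7", "10.1.1.1",     "tcp", 443),
    ("client ssh to external host",    "192.168.5.7", "203.0.113.10", "tcp", 22),
]

def audit(acl):
    """Evaluate every sample flow and return {description: action}."""
    return {desc: evaluate(acl, s, d, p, port)[0] for desc, s, d, p, port in FLOWS}

if __name__ == "__main__":
    for name, acl in (("allow-ip", ALLOW_IP), ("naive", NAIVE)):
        print(f"== {name} ==")
        for desc, action in audit(acl).items():
            print(f"{action:7} {desc}")
```

Running it shows the posted ACL permits admin SSH, denies client SSH and 4343 to the controller, and still permits captive-portal HTTPS and client SSH to other hosts, while the naive ACL denies the last of these on the whole interface.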

Re: restricting controller management access

FWIW, in situations where we don't have the 6000 controllers and don't use the out of band management network, this is essentially how we do it in DoD.

That said, ideally, in the perfect security world, you would have a non-routable management network and would use the management port on the 6000/SUP/M3. On the 3x00 you could configure a single access port into the OOB mgmt net and call it good. Then you can depend on your network routing policies for security restrictions without having to put wired ACLs on your ethernet ports.

In either case, though, you still need to block 4343 and SSH in the wireless user's fw policy.

Jerrod Howard
Distinguished Technologist, TME
Regular Contributor II

Re: restricting controller management access

I too would like to see a solution for limiting SSH connections from a specific subnet(s) to specific IP addresses on the controllers. This looks like a good start.

It seems that an ACL could be created on the router (switch?) interface that hosts the controllers. Our controllers are connected to a Cisco 6509 Gig-E line card.

Has anyone created an ACL that lives on the host interface?

Super Contributor I

Feature Request

This is a huge problem that Aruba really needs to fix. When you start adding additional L3 interfaces on the controller (to support captive portal, IGMP snooping, etc.), you are creating additional doors through which others could access the controller. Thus, you have to block those addresses from unauthorized SSH/HTTPS as well.

If Aruba simply created service-based ACLs, we could then just have an "allow ssh and https from these networks only" concept, which would require zero alteration when additional L3 interfaces are added.

Linux boxes have this by default via the hosts.allow hosts.deny files, and the fact that Aruba is based off Linux makes it even more silly that this is not possible.

If you feel this would be useful for you, please chime in, as maybe it'll be enough leverage to have this added to a code release.
Ryan Holland, ACDX #1 ACMX #1
The Ohio State University

Re: restricting controller management access

I guess I don't know why you couldn't just have a general access policy applied to all the physical interfaces on the controller, to limit access to SSH and 4343 except from specific subnets. No other protocols would need to be blocked, so IGMP, CP, etc. should be unaffected. I may be missing something unique to some users or applications, though.

Jerrod Howard
Distinguished Technologist, TME
Occasional Contributor II

Re: restricting controller management access

I think a general ACL applied to the physical interfaces would do the trick. However, a service ACL seems much simpler, as it is one ACL applied to one area. No need to worry about an ACL spread over multiple interfaces.