Question: How does an end user access the RAP Console on a RAP? How does an admin control access to the RAP Console on a RAP? How do I access the RAP Console behind a split-tunnel connection when the IP a.
Product and Software: This article applies to all RAP deployments that run ArubaOS 5.0 and later.
The RAP Console is a graphical user interface (WebUI) accessible to end users connected to a remote access point (RAP) for troubleshooting purposes. The RAP Console allows end users to view wired-port statistics, broadcast SSIDs, connected users (wired and wireless), and other system logs. This information is valuable for local administrators (who have no access to the controller GUI) or when the RAP is disconnected from the controller.
This article discusses how access can be granted or restricted by a network administrator to different types of users.
Granting User Access to the RAP Console
The RAP Console on a RAP can be accessed by end users who are connected to a RAP (wired or wireless) in split-tunnel or bridge mode by accessing this URL:
http://rapconsole.arubanetworks.com/
A user in split-tunnel mode can access the RAP Console if the user is assigned a role with an access policy similar to this one:
ip access-list session corp-user
user any udp 68 deny
any any svc-dhcp permit
user alias corp any permit
user any any route src-nat
where 'corp' is an alias for all the IP addresses (usually private) used at the corporate site. For example, it can be defined as:
netdestination corp
network 10.0.0.0 255.0.0.0
For a user in bridge mode, the ACL is even simpler. For bridge users where IP addresses are assigned by the RAP, the ACL is as follows:
ip access-list session bridge-user-nat
any any svc-dhcp permit
any any any route src-nat
For bridge users where IP addresses are assigned by an uplink router, the ACL is as follows:
ip access-list session bridge-user
any any any permit
Blocking User Access to the RAP Console
In ArubaOS 5.0, we introduced a special alias called "localip", which dynamically resolves to the uplink IP address of the RAP (the address of enet0 or the cellular uplink address). We can use this alias to restrict RAP Console access for end users. For example, to block access for split-tunnel users, we can use the following ACL:
ip access-list session corp-user-no-rap-console
user any udp 68 deny
any any svc-dhcp permit
user localip svc-http deny
user alias corp any permit
user any any route src-nat
To block access to bridge users, use the following ACL:
ip access-list session bridge-user-nat-no-rap-console
any any svc-dhcp permit
user localip svc-http deny
any any any route src-nat
Or
ip access-list session bridge-user-no-rap-console
user localip svc-http deny
any any any permit
Special Consideration If the IP Address Assigned to the RAP Clashes with the Corporate IP Address Space
If the IP address that is assigned to the uplink of the RAP clashes with the IP address space used at the corporate site, the RAP Console might not be accessible. This situation usually happens when the RAP is connected to a network that also uses private IP addresses (for example, 10.0.0.0/8 or 192.168.0.0/16). It might also happen when a cellular uplink is used, because the carrier might assign private addresses.
To work around this problem, use the following ACL:
ip access-list session corp-user
user any udp 68 deny
any any svc-dhcp permit
user localip svc-http route src-nat
user alias corp any permit
user any any route src-nat
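The three ACL sections above (granting access, blocking access with "localip", and the clash workaround) all rely on the same two facts: session ACL rules are evaluated top-down and the first match wins, and in split-tunnel mode "permit" sends traffic through the tunnel to the controller while "route src-nat" forwards it locally out of the RAP uplink. The following Python script is an added example, not Aruba code; it is a toy first-match evaluator that loads the article's ACLs verbatim and shows why the original corp-user ACL stops serving the console once the uplink address falls inside the 'corp' range, and why putting "user localip svc-http route src-nat" above the 'corp' rule fixes it. Assumptions: the 'corp' netdestination is 10.0.0.0/8 as defined in the article, svc-http is TCP/80 and svc-dhcp is UDP/67, the RAP Console is reached as HTTP to the uplink address (localip), and the uplink addresses 203.0.113.10 (no clash) and 10.5.5.5 (clash) are constructed for the demonstration.

```python
"""Toy first-match evaluator for the session ACLs in this article.

Added example, not Aruba code. It models only what the article states:
rules match top-down, first match wins, implicit deny at the end;
'permit' tunnels to the controller in split-tunnel mode but bridges
locally in bridge mode; 'route src-nat' always forwards locally via the
RAP uplink. The RAP's own DHCP server is not modelled.
"""
import ipaddress

# Assumed: the 'corp' netdestination exactly as the article defines it.
NETDESTINATIONS = {"corp": [ipaddress.ip_network("10.0.0.0/8")]}

# Assumed service keywords -> (protocol, destination port).
SERVICES = {"svc-http": ("tcp", 80), "svc-dhcp": ("udp", 67)}

# ACLs copied from the article (names of the ip access-list omitted).
CORP_USER = """
user any udp 68 deny
any any svc-dhcp permit
user alias corp any permit
user any any route src-nat
"""
CORP_USER_NO_CONSOLE = """
user any udp 68 deny
any any svc-dhcp permit
user localip svc-http deny
user alias corp any permit
user any any route src-nat
"""
CORP_USER_CLASH_FIX = """
user any udp 68 deny
any any svc-dhcp permit
user localip svc-http route src-nat
user alias corp any permit
user any any route src-nat
"""
BRIDGE_USER = "any any any permit\n"
BRIDGE_USER_NO_CONSOLE = "user localip svc-http deny\nany any any permit\n"


def parse_rule(line):
    """Split '<src> <dst> <service> <action>' into a dict (article syntax only)."""
    tok = line.split()
    src, i = tok[0], 1
    if tok[i] == "alias":                      # 'alias corp'
        dst, i = ("alias", tok[i + 1]), i + 2
    else:                                      # 'any' or 'localip'
        dst, i = tok[i], i + 1
    if tok[i] in ("tcp", "udp"):               # 'udp 68'
        svc, i = (tok[i], int(tok[i + 1])), i + 2
    else:                                      # 'any', 'svc-http', 'svc-dhcp'
        svc, i = tok[i], i + 1
    return {"src": src, "dst": dst, "svc": svc, "action": " ".join(tok[i:])}


def _dst_matches(dst, flow, localip):
    if dst == "any":
        return True
    if dst == "localip":
        return flow["dst"] == localip
    return any(flow["dst"] in net for net in NETDESTINATIONS[dst[1]])


def _svc_matches(svc, flow):
    if svc == "any":
        return True
    proto, port = SERVICES[svc] if isinstance(svc, str) else svc
    return flow["proto"] == proto and flow["dport"] == port


def evaluate(acl, flow, localip, mode):
    """Return 'drop', 'tunnel' or 'local' according to the first matching rule."""
    localip = ipaddress.ip_address(localip)
    for line in acl.strip().splitlines():
        rule = parse_rule(line)
        # every flow here originates from the client, so 'user' and 'any' both match
        if _dst_matches(rule["dst"], flow, localip) and _svc_matches(rule["svc"], flow):
            if rule["action"] == "deny":
                return "drop"
            if rule["action"] == "route src-nat":
                return "local"
            return "tunnel" if mode == "split-tunnel" else "local"
    return "drop"  # implicit deny at the end of every session ACL


def flow(ip, proto="tcp", dport=80):
    """Constructed client flow; defaults to HTTP, i.e. a RAP Console request."""
    return {"dst": ipaddress.ip_address(ip), "proto": proto, "dport": dport}


def console_reachable(acl, localip, mode):
    """The console is only served when HTTP to localip is handled locally by the RAP."""
    return evaluate(acl, flow(localip), localip, mode) == "local"


if __name__ == "__main__":
    print(console_reachable(CORP_USER, "203.0.113.10", "split-tunnel"))       # True
    print(console_reachable(CORP_USER, "10.5.5.5", "split-tunnel"))           # False: clash
    print(console_reachable(CORP_USER_CLASH_FIX, "10.5.5.5", "split-tunnel")) # True
```

With a non-clashing uplink, console HTTP falls through to "user any any route src-nat" and is served locally. When the uplink is 10.5.5.5, the same request matches "user alias corp any permit" first and is tunnelled to the controller, so the console never sees it; the workaround ACL intercepts it one rule earlier. The same evaluator shows the "localip" deny rules dropping the request in both split-tunnel and bridge mode.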