How do I block guest users from acessing virtual controller web interface?

Aruba Employee
Aruba Employee

This articles guides on blocking guest users from accessing virtual controller's web interface.


Guest clients get an IP address from virtual controller when they connect to a SSID  that is configured with virtual-controller assigned. The virtual controller acts a default gateway for these guests users. Thereby, when guests users mention the gateway IP address in the browser, it brings up the virtual controller web interface, which shouldn't be the case.

Any user or internal employee who is aware of the username and password of the virtual controller, can connect to the guest SSID and can login into the web interface, thereby gets access to change settings or bring down the network.

Therefore, it is highly recommended to block virtual controller's web interface access from the guest users by adding an ACL in the guest role and denying traffic to the port TCP 4343.


Environment : This article applies to all Aruba Instant Access Points running any version of Aruba InstantOS.



Following steps shows the access list entries that need to be added to the guest role:
1. Login into Virtual Controller using GUI
2. Select the Guest SSID and click "Edit"
3. Navigate to Acess section and select the guest role
4. Click on "New" button and add the below ACL to the role:
rtaImage (1).jpg
5. Move the configured ACL to the position one.
rtaImage (2).jpg
NOTE: Once the configuration is done, connect a wireless client to guest SSID and try accessing the virtual controller with the help of default gateway IP assigned to guest client.
Version history
Revision #:
1 of 1
Last update:
‎07-14-2014 09:42 AM
Updated by:
Labels (1)
Search Airheads
Showing results for 
Search instead for 
Did you mean: