Community Home > Discuss > Technology > Wireless Access > Re: Controller Management Access

Wireless Access

Reply
cpaniag
Occasional Contributor I
cpaniag

Controller Management Access

‎10-11-2019 12:02 AM

Hi all,

 

I'm configuring a new aruba controller, model 7024, with Aruba OS 6.5.4.13.

I was configuring the management access, so only one interface can access to the controller management via web or ssh. The weUI access s through 4343 port and ssh access through 22 port, so I made an acl, configure it to the interface and it works fine.

 

I want to configure the same setting on other controllers, such a 7205 with the same version of Aruba OS.

In this controller I can access to webUI through 4343 port or 443, if I attack 443 it doesn´t redirection to 4343 port, like the new 7024 controller does. Is it normal? Could I deny traffic to the controller through 443 port without affect clients connected to the WLANs?

Is there any option to configure the port access to webUI?

 

Thanks in advance.

Alert a Moderator
Message 1 of 7
440 Views
Reply
0 Kudos
Highlighted
MVP Guru
MVP Guru
Craig Syme

Re: Controller Management Access

‎10-11-2019 12:59 AM

By default access to the web interface via 443 is disabled. This option would have to have been enabled for this to work.

 

You can check using the following:

 

(Aruba7030) #show web-server profile

Web Server Configuration
------------------------
Parameter                                          Value
---------                                          -----
--------------- TRUNCATED ---------------
Enable WebUI access on HTTPS port (443)            false
--------------- TRUNCATED ---------------

 

 


ACMP, ACSA, ACDX #985
If my post addresses your query, give kudos:)
Alert a Moderator
Message 2 of 7
430 Views
Reply
0 Kudos
cpaniag
Occasional Contributor I
cpaniag

Re: Controller Management Access

‎10-11-2019 01:37 AM

Thanks a lot.

Now I've configured web-server with the command:

no web-https-port-443

And now the url https://hostnameController redirect automatically to 4343 port.

I'm going to continue with the acl configuration for the controller access due to deny 4343 and 22 connection to interfaces except to admin vlan.

Alert a Moderator
Message 3 of 7
420 Views
Reply
0 Kudos
Guru Elite Guru Elite
Guru Elite
cjoseph

Re: Controller Management Access

‎10-11-2019 04:58 AM

The classic way of determining what is allowed to contact the controller on what ports is the "firewall-cp" command.  https://www.arubanetworks.com/techdocs/ArubaOS_85_Web_Help/Content/arubaos-solutions/1cli-commands/firewall-cp.htm?Highlight=firewall%20cp

 

Type "show firewall-cp internal" to see what is allowed to contact the controller on what ports.  You can then carefully decide what source subnets are allowed to contact the controller on ports 4343 and 22 and configure it.  Please understand that the maximum number of rules is 64.


*Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba Networks or Hewlett Packard Enterprise.*
ArubaOS 8.4 User Guide
InstantOS 8.3 User Guide
Airheads Knowledgebase
Airheads Learning Videos
Aruba Central Documentation
Sign up for Security Alerts
Aruba Technical Webinars
Alert a Moderator
Message 4 of 7
388 Views
Reply
0 Kudos
cpaniag
Occasional Contributor I
cpaniag

Re: Controller Management Access

‎10-13-2019 10:24 AM

Thanks, I'll check that way to control the access to the controller.

 

The way I thought was a firewall policy type session linked to the port interface (this port is trunk mode and allowed all vlans), which blocks any access with 4343 and 22 port to the controller's ip on user's vlans and permits these connections to the controller's ip on admin vlan.

 

In the network's core I have an acl which permit or deny access to the admin vlan.

 

I've tested it with a new 7024 controller and it worked, but I'm going to check you said, thanks.

Alert a Moderator
Message 5 of 7
308 Views
Reply
0 Kudos
Guru Elite Guru Elite
Guru Elite
cjoseph

Re: Controller Management Access

‎10-13-2019 04:35 PM

The benefit of the cp-firewall is that no matter how your interfaces are configured, it will only allow connections to Port 4343 and 22 from the subnets you specify. This is typically called a "service ACL" by other manufacturers. You can certainly configure it your way, as well.

*Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba Networks or Hewlett Packard Enterprise.*
ArubaOS 8.4 User Guide
InstantOS 8.3 User Guide
Airheads Knowledgebase
Airheads Learning Videos
Aruba Central Documentation
Sign up for Security Alerts
Aruba Technical Webinars
Alert a Moderator
Message 6 of 7
291 Views
Reply
0 Kudos
cpaniag
Occasional Contributor I
cpaniag

Re: Controller Management Access

3 weeks ago

Finally it works but I have to rolled back the configuration.

People which create guest wifi tickets aren't able to access to the website to do this. They haven't access to admin vlan.

Alert a Moderator
Message 7 of 7
149 Views
Reply
0 Kudos
Search Airheads
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

© Copyright 2019 Hewlett Packard Enterprise Development LP
All Rights Reserved.
Powered by Lithium