Occasional Contributor I

Controller Management Access

Hi all,

I'm configuring a new Aruba controller, model 7024, with ArubaOS 6.5.4.13.

I was configuring the management access so that only one interface can reach the controller management via web or SSH. The WebUI access is through port 4343 and SSH access through port 22, so I made an ACL, configured it on the interface, and it works fine.

I want to configure the same setting on other controllers, such as a 7205 with the same version of ArubaOS.

On this controller I can access the WebUI through port 4343 or 443; if I go to 443 it doesn't redirect to port 4343 like the new 7024 controller does. Is that normal? Could I deny traffic to the controller on port 443 without affecting clients connected to the WLANs?

Is there any option to configure the port for WebUI access?

Thanks in advance.

MVP Guru

Re: Controller Management Access

By default access to the web interface via 443 is disabled. This option would have to have been enabled for this to work.

You can check using the following:

(Aruba7030) #show web-server profile

Web Server Configuration
------------------------
Parameter                                          Value
---------                                          -----
--------------- TRUNCATED ---------------
Enable WebUI access on HTTPS port (443)            false
--------------- TRUNCATED ---------------

ACMP, ACSA, ACDX #985
If my post addresses your query, give kudos:)
Occasional Contributor I

Re: Controller Management Access

Thanks a lot.

Now I've configured web-server with the command:

no web-https-port-443

And now the URL https://hostnameController redirects automatically to port 4343.

I'm going to continue with the ACL configuration for controller access, to deny connections on 4343 and 22 to the interfaces except from the admin VLAN.

Guru Elite

Re: Controller Management Access

The classic way of determining what is allowed to contact the controller on what ports is the "firewall-cp" command.  https://www.arubanetworks.com/techdocs/ArubaOS_85_Web_Help/Content/arubaos-solutions/1cli-commands/firewall-cp.htm?Highlight=firewall%20cp

Type "show firewall-cp internal" to see what is allowed to contact the controller on what ports.  You can then carefully decide what source subnets are allowed to contact the controller on ports 4343 and 22 and configure it.  Please understand that the maximum number of rules is 64.

*Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba Networks or Hewlett Packard Enterprise.*
ArubaOS 8.4 User Guide
InstantOS 8.3 User Guide
Airheads Knowledgebase
Airheads Learning Videos
Aruba Central Documentation
Sign up for Security Alerts
Aruba Technical Webinars
Occasional Contributor I

Re: Controller Management Access

Thanks, I'll check that way to control the access to the controller.

The way I thought of was a session-type firewall policy linked to the port interface (this port is in trunk mode and allows all VLANs), which blocks any access on ports 4343 and 22 to the controller's IP on the users' VLANs and permits these connections to the controller's IP on the admin VLAN.

In the network's core I have an ACL which permits or denies access to the admin VLAN.

I've tested it with a new 7024 controller and it worked, but I'm going to check what you said, thanks.

Guru Elite

Re: Controller Management Access

The benefit of the cp-firewall is that no matter how your interfaces are configured, it will only allow connections to Port 4343 and 22 from the subnets you specify. This is typically called a "service ACL" by other manufacturers. You can certainly configure it your way, as well.

Occasional Contributor I

Re: Controller Management Access

Finally it works, but I had to roll back the configuration.

People who create guest Wi-Fi tickets aren't able to access the website to do this. They don't have access to the admin VLAN.
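Putting the control-plane firewall suggestion and the final rollback together, here is an added example (not from the thread, nor from Aruba's documentation) of a `firewall cp` rule set for ArubaOS 6.x that permits 4343 and 22 from the admin subnet and from the subnet of the staff who create guest tickets, then denies the management ports to everyone else. The subnets 10.10.0.0/24 and 10.20.0.0/24 are constructed placeholders, lines starting with `!` are annotations, and the exact `firewall cp` syntax and whether user rules are evaluated before the built-in ones should be checked against the CLI reference for the release in use.

```text
! Constructed example: control-plane ACL ("service ACL") for management access.
! Rules are assumed to be evaluated top-down, so the permits must come before
! the catch-all deny, otherwise the admin session configuring this gets locked out.
(Aruba7205) (config) #firewall cp
! Admin VLAN (placeholder 10.10.0.0/24): WebUI (4343) and SSH (22)
(Aruba7205) (config-fw-cp) #ipv4 permit 10.10.0.0 255.255.255.0 proto 6 ports 4343 4343
(Aruba7205) (config-fw-cp) #ipv4 permit 10.10.0.0 255.255.255.0 proto 6 ports 22 22
! Guest-ticket staff VLAN (placeholder 10.20.0.0/24): the guest provisioning page
! is reached over the same HTTPS port, so this subnet needs 4343 as well, but not SSH
(Aruba7205) (config-fw-cp) #ipv4 permit 10.20.0.0 255.255.255.0 proto 6 ports 4343 4343
! Every other source (user and guest VLANs): deny the management ports
(Aruba7205) (config-fw-cp) #ipv4 deny any proto 6 ports 4343 4343
(Aruba7205) (config-fw-cp) #ipv4 deny any proto 6 ports 22 22
(Aruba7205) (config-fw-cp) #exit
! Verify the user rules (limit of 64) and the built-in rules they sit in front of
(Aruba7205) #show firewall-cp
(Aruba7205) #show firewall-cp internal
```

Test from a host on the guest-ticket subnet before closing the admin session, so that a mistake in the permit lines can still be corrected.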
