12-19-2013 01:36 AM - edited 12-19-2013 01:37 AM
Hello,
I have an MSM720 WLAN Controller. Goal is two SSIDs. One for employees (VLAN 7) and one for guests (with HTML Authentication) (VLAN 8).
I configured the Controller with the "Configure initial controller settings". The "Access network" was set to the IP 10.160.6.2/24 and is untagged in VLAN 6 on the Core Switch Port. The "Internet network" was configured with the IP 10.160.8.2/24 with Gateway 10.160.8.1 (Internet Router/Firewall). DNS was set to 8.8.8.8 and 8.8.4.4. The "Internet network"-Port (Port 5) was untagged in VLAN 8. All Access Points are untagged in VLAN 6 and tagged in VLAN 7 and get an IP per DHCP from my "Internet Router/Firewall".
After that, I created a new "Network profile" for VLAN 7 named "employees". Then I created with the wizard a new wireless network for employees. Setup SSID and ticked the "Network Profile" "employees" at the Point "Send traffic to:" to get this traffic into VLAN 7. Except wireless Security all Settings are default. This network works just fine. I get an IP per DHCP from my Internet Router/Firewall from VLAN 7 and can access the Internet.
After that, I created a second wireless network for guests with the known wizard. Named SSID "guests", configured "guest authentication" for local user Accounts on the controller and set up the controller to act as a DHCP Server with the Range (192.168.1.1 - 192.168.1.254 and Mask 255.255.255.0).
I tried the guest WLAN and all seems to work fine. I get a 192.168.1.x IP Address, get the Login Page and can access the Internet after successful login. On my firewall Port for VLAN 8 I see just the "Internet network" IP 10.160.8.2 as Source IP.
The Problem now is, that I am able to ping the following IPs:
- 10.160.6.2 (Controller Access network IP)
- 10.160.8.2 (Controller Internet network IP)
- 10.160.8.1 (Internet Router/Firewall IP)
Much more "unfortunately" is, that I can access the Controller Management Site from guest WLAN if I type the controller IP in my browser.
I'm not sure, if first my setup is ok and second where my mistake is hidden.
Please help.
Thank you for any tip or advice.
Best regards
Marco
12-19-2013 12:04 PM
Re: MSM720 - Accessable Controller Management through Guest WLAN
Just to verify, on the guest VSC, you have the "Always tunnel client traffic" enabled, correct?
By default, you WILL be able to ping the IP addresses of the network controller for both the Access Port and Internet Port, even from the guest network. This is NORMAL.
Even being able to ping the 10.160.8.1 is normal too. The bigger concern is, can you ping devices on the 10.160.6.x network or the 10.160.7.x network -- I'm guessing you can't -- when connected to the guest wireless.
Also remember, you CAN set up ACLs on the wireless controller too via the Public Access -> Attributes page. Here you can put in deny statements as necessary to prevent access to your internal network. However, since (from what I can tell by your description) the Internet port of your MSM is plugged Directly into your firewall (maybe on a DMZ interface?), you're probably more than good to go.
If you want to turn OFF the ability for guest users to get into the MSM controller's web interface, that would be done from Management -> Management Tool, where you can DESELECT the interfaces of your choice!
Hope that helps.
Source One Technology, Inc.
HP Partner
MSM 5.7.x deployment guide:
12-19-2013 01:06 PM
Re: MSM720 - Accessable Controller Management through Guest WLAN
Hi,
thank you for your reply.
Yes, "Always tunnel client traffic" is for the guest wireless network enabled. For the "employees" Network not enabled.
I cannot ping devices from the other VLANs. I just can ping the controller IP 10.160.6.2. The Gateway in the VLAN 6 for example (10.160.6.1) is not pingable.
I tried to work with ACLs like described in a HP Guide and tried to deny access to private Networks (10.x.x.x). Unfortunately the guest wireless clients were still able to ping the IPs.
Yes. I just want to turn off management for my guest users. The ability to ping the controller's IPs is not really a problem for me or my customer.
Unfortunately I am not able to set the setting you advise right now. The device is at the customer's site.
But do I understand right, that I can DISABLE management for specific interfaces? So I can DESELECT the "Access network port" and "Internet network port" and use a third custom port/network for management which I place in my productive Network?
Please give a short reply if I understand right.
Then I will try to change the setting.
Thanks!
Marco
12-19-2013 01:30 PM
Solution
Regards.
Source One Technology, Inc.
HP Partner
MSM 5.7.x deployment guide:
01-30-2014 03:35 AM
Re: MSM720 - Accessable Controller Management through Guest WLAN
Hello,
I tried your suggestion and it worked like a charm.
Thank you.
Best Regards
Marco
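A way to re-check the outcome discussed above from a client joined to the guest SSID, as an added example that is not part of the original thread and not HP code: it probes the two controller addresses from the thread over TCP and separates management ports from the guest login page port. The management ports 80/443 are an assumption (the thread does not name them), port 8080 comes from the login page URL quoted in the thread, and the function names are hypothetical.

```python
import socket

# Controller addresses quoted in the thread.
CONTROLLER_IPS = ["10.160.6.2", "10.160.8.2"]
# Assumption: the management tool answers on 80/443 (the thread does not say).
MGMT_PORTS = [80, 443]
# Port of the public access login page URL quoted in the thread; assumed to be
# served by the controller and therefore expected to stay reachable for guests.
LOGIN_PORTS = [8080]


def tcp_open(host, port, timeout=2.0):
    """Return True if a full TCP handshake to host:port succeeds."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, filtered (timeout) or unreachable
        return False


def audit_guest_exposure(hosts, mgmt_ports, login_ports, probe=tcp_open):
    """Probe every host/port pair and sort open ports into two buckets.

    'exposed'  : management ports reachable from the guest side (a finding)
    'expected' : login-page ports reachable (needed for guest authentication)
    ICMP is deliberately not tested; the thread treats ping replies as normal.
    """
    report = {"exposed": [], "expected": []}
    for host in hosts:
        for port in sorted(set(mgmt_ports) | set(login_ports)):
            if not probe(host, port):
                continue
            bucket = "exposed" if port in mgmt_ports else "expected"
            report[bucket].append((host, port))
    return report


if __name__ == "__main__":
    result = audit_guest_exposure(CONTROLLER_IPS, MGMT_PORTS, LOGIN_PORTS)
    for host, port in result["exposed"]:
        print(f"FINDING: management port reachable from guest WLAN: {host}:{port}")
    for host, port in result["expected"]:
        print(f"ok: login page port reachable: {host}:{port}")
    raise SystemExit(1 if result["exposed"] else 0)
```

Run it once before and once after deselecting the interfaces under Management -> Management Tool; an empty "exposed" list with the login port still listed under "expected" is the state the thread is aiming for.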
08-07-2014 10:34 PM
Re: MSM720 - Accessable Controller Management through Guest WLAN
Thank you all. This is of great help.
Can I ask one question please? Your help is greatly appreciated.
How do I change the local hostname of the HTML login page for public access? The default is: http://wireless.hp.internal:8080.
Thank you in advance for your help.