<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: MSM720 - Accessable Controller Management through Guest WLAN in M and MSM Series</title>
    <link>https://community.hpe.com/t5/m-and-msm-series/msm720-accessable-controller-management-through-guest-wlan/m-p/6310145#M3637</link>
    <description>When you go to Management -&amp;gt; Management Tool, there is an option for Active Interfaces, and a checkbox for each of the following: LAN Port, Internet Port, and VPN. You'd de-select the Internet Port if you don't want the management web interface to be available from the guest wireless network.&lt;BR /&gt;&lt;BR /&gt;Regards.&lt;BR /&gt;&lt;BR /&gt;</description>
    <pubDate>Thu, 19 Dec 2013 21:30:33 GMT</pubDate>
    <dc:creator>JesseR</dc:creator>
    <dc:date>2013-12-19T21:30:33Z</dc:date>
    <item>
      <title>MSM720 - Accessable Controller Management through Guest WLAN</title>
      <link>https://community.hpe.com/t5/m-and-msm-series/msm720-accessable-controller-management-through-guest-wlan/m-p/6309519#M3629</link>
      <description>&lt;P&gt;Hello,&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;I have an MSM720 WLAN Controller. Goal is two SSIDs. One for employees (VLAN 7) and one for guests (with HTML Authentication) (VLAN 8).&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;I configured the Controller with the "Configure initial controller settings".&amp;nbsp; The "Access network" was set to the IP 10.160.6.2/24 and is untagged in VLAN 6 on the Core Switch Port. The "Internet network" was configured with the IP 10.160.8.2/24 with Gateway 10.160.8.1 (Internet Router/Firewall). DNS was set to 8.8.8.8 and 8.8.4.4. The "Internet network"-Port (Port 5) was untagged in VLAN 8. All Access Points are untagged in VLAN 6 and tagged in VLAN 7 and get an IP per DHCP from my "Internet Router/Firewall".&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;After that, I created a new "Network profile" for VLAN 7 named "employees". Then I created with the wizard a new wireless network for employees. Setup SSID and ticked the "Network Profile" "employees" at the Point "Send traffic to:" to get this traffic into VLAN 7. Except wireless Security all Settings are default. This network works just fine. I get an IP per DHCP from my Internet Router/Firewall from VLAN 7 and can access the Internet.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;After that, I created a second wireless network for guests with the known wizard. Named SSID "guests", configured "guest authentication" for local user Accounts on the controller and set up the controller to act as a DHCP Server with the Range (192.168.1.1 - 192.168.1.254 and Mask 255.255.255.0).&lt;/P&gt;&lt;P&gt;I tried the guest WLAN and all seems to work fine. I get a 192.168.1.x IP Address, get the Login Page and can access the Internet after successful login.
On my firewall Port for VLAN 8 I see just the "Internet network" IP 10.160.8.2 as Source IP.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;The Problem now is, that I am able to ping the following IPs:&lt;/P&gt;&lt;P&gt;- 10.160.6.2 (Controller Access network IP)&lt;/P&gt;&lt;P&gt;- 10.160.8.2 (Controller Internet network IP)&lt;/P&gt;&lt;P&gt;- 10.160.8.1 (Internet Router/Firewall IP)&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Much more "unfortunately" is, that I can access the Controller Management Site from guest WLAN if I type the controller IP in my browser.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;I'm not sure, if first my setup is ok and second where my mistake is hidden.&lt;/P&gt;&lt;P&gt;Please help.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Thank you for any tip or advice.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Best regards&lt;/P&gt;&lt;P&gt;Marco&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Thu, 19 Dec 2013 09:37:19 GMT</pubDate>
      <guid>https://community.hpe.com/t5/m-and-msm-series/msm720-accessable-controller-management-through-guest-wlan/m-p/6309519#M3629</guid>
      <dc:creator>Nameeert</dc:creator>
      <dc:date>2013-12-19T09:37:19Z</dc:date>
    </item>
    <item>
      <title>Re: MSM720 - Accessable Controller Management through Guest WLAN</title>
      <link>https://community.hpe.com/t5/m-and-msm-series/msm720-accessable-controller-management-through-guest-wlan/m-p/6310079#M3635</link>
      <description>Hey Marco. Good job on the setup, I read through each step you discussed and all looks good.&lt;BR /&gt;&lt;BR /&gt;Just to verify, on the guest VSC, you have the "Always tunnel client traffic" enabled, correct?&lt;BR /&gt;&lt;BR /&gt;By default, you WILL be able to ping the IP addresses of the network controller for both the Access Port and Internet Port, even from the guest network. This is NORMAL.&lt;BR /&gt;&lt;BR /&gt;Even being able to ping the 10.160.8.1 is normal too. The bigger concern is, can you ping devices on the 10.160.6.x network or the 10.160.7.x network -- I'm guessing you can't -- when connected to the guest wireless.&lt;BR /&gt;&lt;BR /&gt;Also remember, you CAN set up ACLs on the wireless controller too via the Public Access -&amp;gt; Attributes page. Here you can put in deny statements as necessary to prevent access to your internal network. However, since (from what I can tell by your description) the Internet port of your MSM is plugged directly into your firewall (maybe on a DMZ interface?), you're probably more than good to go.&lt;BR /&gt;&lt;BR /&gt;If you want to turn OFF the ability for guest users to get into the MSM controller's web interface, that would be done from Management -&amp;gt; Management Tool, where you can DESELECT the interfaces of your choice!&lt;BR /&gt;&lt;BR /&gt;Hope that helps.</description>
      <pubDate>Thu, 19 Dec 2013 20:04:19 GMT</pubDate>
      <guid>https://community.hpe.com/t5/m-and-msm-series/msm720-accessable-controller-management-through-guest-wlan/m-p/6310079#M3635</guid>
      <dc:creator>JesseR</dc:creator>
      <dc:date>2013-12-19T20:04:19Z</dc:date>
    </item>
    <item>
      <title>Re: MSM720 - Accessable Controller Management through Guest WLAN</title>
      <link>https://community.hpe.com/t5/m-and-msm-series/msm720-accessable-controller-management-through-guest-wlan/m-p/6310133#M3636</link>
      <description>&lt;P&gt;Hi,&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Thank you for your reply.&lt;/P&gt;&lt;P&gt;Yes, "Always tunnel client traffic" is enabled for the guest wireless network. For the "employees" Network it is not enabled.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;I cannot ping devices from the other VLANs. I just can ping the controller IP 10.160.6.2. The Gateway in the VLAN 6 for example (10.160.6.1) is not pingable.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;I tried to work with ACLs as described in an HP Guide and tried to deny access to private Networks (10.x.x.x). Unfortunately the guest wireless clients were still able to ping the IPs.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Yes. I just want to turn off management for my guest users. The ability to ping the controller's IPs is not really a problem for me or my customer.&lt;/P&gt;&lt;P&gt;Unfortunately I am not able to set the setting you advise right now. The device is at the customer's site.&lt;/P&gt;&lt;P&gt;But do I understand right, that I can DISABLE management for specific interfaces? So I can DESELECT the "Access network port" and "Internet network port" and use a third custom port/network for management which I place in my productive Network?&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Please give a short reply if I understand right.&lt;/P&gt;&lt;P&gt;Then I will try to change the setting.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Thanks!&lt;/P&gt;&lt;P&gt;Marco&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Thu, 19 Dec 2013 21:06:43 GMT</pubDate>
      <guid>https://community.hpe.com/t5/m-and-msm-series/msm720-accessable-controller-management-through-guest-wlan/m-p/6310133#M3636</guid>
      <dc:creator>Nameeert</dc:creator>
      <dc:date>2013-12-19T21:06:43Z</dc:date>
    </item>
    <item>
      <title>Re: MSM720 - Accessable Controller Management through Guest WLAN</title>
      <link>https://community.hpe.com/t5/m-and-msm-series/msm720-accessable-controller-management-through-guest-wlan/m-p/6310145#M3637</link>
      <description>When you go to Management -&amp;gt; Management Tool, there is an option for Active Interfaces, and a checkbox for each of the following: LAN Port, Internet Port, and VPN. You'd de-select the Internet Port if you don't want the management web interface to be available from the guest wireless network.&lt;BR /&gt;&lt;BR /&gt;Regards.&lt;BR /&gt;&lt;BR /&gt;</description>
      <pubDate>Thu, 19 Dec 2013 21:30:33 GMT</pubDate>
      <guid>https://community.hpe.com/t5/m-and-msm-series/msm720-accessable-controller-management-through-guest-wlan/m-p/6310145#M3637</guid>
      <dc:creator>JesseR</dc:creator>
      <dc:date>2013-12-19T21:30:33Z</dc:date>
    </item>
    <item>
      <title>Re: MSM720 - Accessable Controller Management through Guest WLAN</title>
      <link>https://community.hpe.com/t5/m-and-msm-series/msm720-accessable-controller-management-through-guest-wlan/m-p/6357153#M3675</link>
      <description>&lt;P&gt;Hello,&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;I tried your suggestion and it worked like a charm.&lt;/P&gt;&lt;P&gt;Thank you.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Best Regards&lt;/P&gt;&lt;P&gt;Marco&lt;/P&gt;</description>
      <pubDate>Thu, 30 Jan 2014 11:35:17 GMT</pubDate>
      <guid>https://community.hpe.com/t5/m-and-msm-series/msm720-accessable-controller-management-through-guest-wlan/m-p/6357153#M3675</guid>
      <dc:creator>Treeeman</dc:creator>
      <dc:date>2014-01-30T11:35:17Z</dc:date>
    </item>
    <item>
      <title>Re: MSM720 - Accessable Controller Management through Guest WLAN</title>
      <link>https://community.hpe.com/t5/m-and-msm-series/msm720-accessable-controller-management-through-guest-wlan/m-p/6567506#M3950</link>
      <description>&lt;P&gt;Thank you all. This is of great help.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Can I ask one question please? Your help is greatly appreciated.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;How do I change the local hostname of the HTML login page for public access? The default is: &lt;A target="_blank" href="http://wireless.hp.internal:8080."&gt;http://wireless.hp.internal:8080.&lt;/A&gt;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Thank you in advance for your help.&lt;/P&gt;</description>
      <pubDate>Fri, 08 Aug 2014 05:34:51 GMT</pubDate>
      <guid>https://community.hpe.com/t5/m-and-msm-series/msm720-accessable-controller-management-through-guest-wlan/m-p/6567506#M3950</guid>
      <dc:creator>JunB</dc:creator>
      <dc:date>2014-08-08T05:34:51Z</dc:date>
    </item>
  </channel>
</rss>

