Introduction
How do I disable HTTP at the AP level with a 5508 running 7.4.100.0?
Scenario
The user is running a 5508 controller with 7.4.100.0, with 76 3602I APs connected. Each AP responds to an HTTP request, asking for a username and password at the AP. How can this be disabled without disabling https:// at the WLC?
This is the IP of the AP, not the controller. The user only wants to allow SSH to the APs, for diagnostic support when necessary. The user has other 5508s running 7.0.98.0, 7.0.240.0, and 7.3.116.0, and they do not do this.
NOTE:
Only an AP that is in OEAP mode should respond to an HTTP/S request.
Solution
CSCuf66202 HTTP port 80 open on Access Points when controller is 7.4.100.0
To be fixed in the 7.4 MR1 release, due out this summer. In general, lightweight APs are not supposed to have TCP port 80 open, unless they are operating in OEAP mode.
As for manually configuring "no ip http server" on the AP: this does not survive a reboot. TAC has asked for a general-purpose way to configure lightweight APs:
CSCsy17873 support general purpose method of configuring AP's
This has not been committed ... if people in the field think this would be useful, please communicate that to your friendly neighborhood Cisco sales team.
CSCuf66202 is not fixed in 7.4.100.60. It will be fixed in the next CCO release of 7.4 ("7.4 MR1"), as well as in the 7.5 release. If you require a fix sooner, you should ask your TAC engineer to open a BU escalation ticket and request an escalation build with the fix.
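An added example, not part of the original discussion: a Python check that reports which lightweight APs accept connections on TCP port 80 while CSCuf66202 is unfixed, skipping APs in OEAP mode, which are expected to answer. The inventory names, addresses and mode labels are constructed placeholders; replace them with the AP list from your own WLC.

```python
import socket
from concurrent.futures import ThreadPoolExecutor


def tcp_open(ip, port, timeout=1.0):
    """Return True if a TCP connection to ip:port is accepted."""
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return True
    except OSError:  # refused, timed out, unreachable
        return False


def audit_aps(inventory, port=80, probe=tcp_open, workers=16):
    """Return (name, ip, mode) for each AP that answers on `port`
    although it is not in OEAP mode. `inventory` holds (name, ip, mode)."""
    inventory = list(inventory)
    with ThreadPoolExecutor(max_workers=workers) as pool:
        answers = list(pool.map(lambda ap: probe(ap[1], port), inventory))
    return sorted(
        ap for ap, is_open in zip(inventory, answers)
        if is_open and ap[2].strip().lower() != "oeap"
    )


# Constructed sample inventory (documentation address range, made-up names;
# the "local"/"OEAP" mode labels are an assumed export format).
SAMPLE_INVENTORY = [
    ("AP-3602-01", "192.0.2.11", "local"),
    ("AP-3602-02", "192.0.2.12", "local"),
    ("AP-3602-03", "192.0.2.13", "OEAP"),
]

if __name__ == "__main__":
    for name, ip, mode in audit_aps(SAMPLE_INVENTORY):
        print(f"{name} {ip} mode={mode}: TCP/80 open, see CSCuf66202")
```

Rerun it after each AP reboot and again after the upgrade to the fixed release, since the manual "no ip http server" workaround is lost on reboot.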
Additional Information
You can enable or disable the individual modes (SSH and Telnet) at the AP itself.
Wireless --> All APs --> "Access Point" --> Advanced --> activate the mode you need.
For the WLC itself, you can enable or disable it as follows:
Open a telnet session to your WLC and follow the steps below:
1. Go to the Management section
2. Click on HTTP-HTTPS
3. Choose the appropriate option to enable or disable the HTTP feature.
As a temporary solution, the command mentioned below can be run on an individual AP, but it is not saved on the AP, and once the AP reboots it has to be repeated on all APs. This behavior is only noticed in 7.4.100.0. Enable SSH to the AP via WLC:
In the case of an Autonomous AP: how to enable or disable the web interface
The web interface commands in the CLI are:
"ip http server" for port 80 HTTP
"ip http secure-server" for port 443 HTTPS
ENABLE
ap(config)#ip http server
ap(config)#ip http secure-server
DISABLE - You negate the command with "no"
ap(config)#no ip http server
ap(config)#no ip http secure-server
Reference
This document was generated from the following discussion: How do I disable http at the AP level with 5508 running 7.4.100.0