Is it possible to block access to the Mobility Express web interface for people connected to the AP?

Elrick Landon
Level 1

Hi to all,

 

I use a C3702e (autonomous mode) and a C1852e (Mobility Express) to have Wi-Fi in my house.

I noticed that the C1852e uses Mobility Express; it seems that all setup can be done through the web interface.

But for security reasons, I don't want to allow someone to be able to reach it over Wi-Fi through the AP.

Is it possible to block 1852e web interface access for people connected to this AP?

 

Best Regards.

 

 

15 Replies

patoberli
VIP Alumni
Yes, this is possible. But even better, if you use 8.5.151.0 (or many other, newer versions, but I recommend that specific one), you can convert the 3702 to lightweight and join it to the 1852. That way you can manage both from the 1851 ME interface, and roaming will also start to work correctly.

To your management question: you can disable management over wireless either under the SSID configuration or via CLI:
config network mgmt-via-wireless disable

Please note that some older versions had bugs in that regard, which is another reason you might want to upgrade to either 8.5.151.0 or maybe 8.8.125.0.

I use a 3702e and a 1852e to have Wi-Fi "everywhere" in my house.

Each AP has the same name; the goal is to not lose the connection when I move from one AP to another, from the first floor to the second.

If I change my 3702e from autonomous mode to lightweight, I think that I will lose this possibility?

If I remember correctly, in lightweight mode two APs can have this possibility?

 

What does managing the 3702 from the 1852 bring?

 

I use the command line (I didn't find the option in the WebUI).

It blocks anyone who is connected to the AP over Wi-Fi or from the LAN used by the AP.

I was thinking that it would just limit people connected through Wi-Fi, but it's the same for wired people on the same LAN.

It can be useful when the setup is finished.

 

Many thanks in advance for your advice.

I just checked the manuals again. To connect the 3700 with the 1850 series, you need to be running 8.8.125.0 on both (or any older 8.8 release):

https://www.cisco.com/c/en/us/td/docs/wireless/controller/technotes/8-8/b_cisco_mobility_express_8_8/b_cisco_mobility_express_8_8_chapter_00.html

 

Currently you actually lose the connection, because you can't seamlessly roam between the two APs (they don't know the crypto keys that are exchanged as part of WPA2 encryption), unless you don't use any encryption.

Hi,

 

I purchased a new AP, a C9120AXE converted to EWC.

This command no longer works to block access to the management UI via wireless: config network mgmt-via-wireless disable

 

Do you know the new command to use, please?

 

Many thanks in advance.

If you are new to the IOS-XE wireless, I suggest you take a look at the command reference guide. There is also a guide that helps translate what was in AireOS to IOS-XE.
Your command is in config mode:
wireless mgmt-via-wireless
-Scott
*** Please rate helpful posts ***

I retrieved the command from this page: https://www.cisco.com/c/en/us/td/docs/wireless/controller/5700/software/release/3se/command_mapping/b_migr_3se_5700_mg/b_migr_32se_5700_mg_chapter_010.html

 

Previous command = config network mgmt-via-wireless disable

New command (IOS XE) = no wireless mgmt-via-wireless

 

I ran:

> conf t

> no wireless mgmt-via-wireless

> exit

> wr mem

> copy run start

 

No effect, and I don't see the command in show conf....

Is there a subtlety? A particular way to use it?
I don't get an error when I enter it after a "conf t".

 

Please advise.

The command is specified here: https://www.cisco.com/c/en/us/td/docs/wireless/controller/9800/16-12/config-guide/b_wl_16_12_cg/best-practices.html

If it doesn't work, then open a TAC case.
-Scott
*** Please rate helpful posts ***

I already saw this web link.

How can I open a TAC case?

Do I need to have a licence to open a TAC case?

I reply to myself :)

I need a contract to open a TAC case, so it's a dead end to go any further.

So this bug will never be solved unless someone tells them about it or discovers it.
It's huge that something like that would go unnoticed.

 

Look under the support section. You need a support contract, but it doesn't hurt to try to open one.

https://www.cisco.com/en/US/docs/voice_ip_comm/cucm/trouble/5_0_1/tb501a.pdf
-Scott
*** Please rate helpful posts ***

I have tried it on my 9800 and 9130 EWC:
9130-EWC-01#show run | in wireless mgmt-via-wireless
wireless mgmt-via-wireless
-Scott
*** Please rate helpful posts ***
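As an added example for this thread (not Cisco's code and not posted by anyone above): a small Python audit script that reads an IOS-XE (9800 / EWC) running-config, reports the effective state of wireless mgmt-via-wireless the way the show run check in the previous reply does, emits the disable commands quoted in the thread for either platform, and offers a TCP probe you can run from a wireless client afterwards to confirm the management port really stopped answering over Wi-Fi. The sample configs are constructed. It assumes that the line appears in show running-config only when the feature is enabled (as in the output above), so a config with no such line is reported as disabled; that assumption is marked in the code.

```python
"""Audit a Catalyst 9800 / EWC (IOS-XE) running-config for the
'wireless mgmt-via-wireless' setting, print the commands to disable it, and
optionally probe whether the controller's HTTPS port answers from this host.

Added example for this thread; not Cisco's code. ASSUMPTIONS: IOS-XE shows
'wireless mgmt-via-wireless' in 'show running-config' only when management
over wireless is enabled (as in the show run output quoted in the thread), so
a config with no such line is reported as disabled; 'no wireless
mgmt-via-wireless' is the explicit disable form from the AireOS-to-IOS-XE
command mapping cited in the thread.
"""
import re
import socket
import sys
from dataclasses import dataclass
from typing import List, Optional

# Enable form and explicit 'no' form, anchored so that other 'wireless ...'
# lines (e.g. 'wireless management interface Vlan1') do not match.
_MGMT_RE = re.compile(r"^\s*(?P<no>no\s+)?wireless\s+mgmt-via-wireless\s*$")

# Constructed sample configs (not taken from a real device).
SAMPLE_ENABLED = """hostname 9130-EWC-01
!
wireless mgmt-via-wireless
wireless management interface Vlan1
"""
SAMPLE_DISABLED = """hostname 9130-EWC-01
!
wireless mgmt-via-wireless
no wireless mgmt-via-wireless
"""
SAMPLE_DEFAULT = """hostname 9130-EWC-01
!
"""


@dataclass
class MgmtViaWireless:
    enabled: bool            # effective state after reading the whole config
    explicit: bool           # True if any matching line was present
    line_no: Optional[int]   # 1-based line of the last matching line, else None


def audit_mgmt_via_wireless(running_config: str) -> MgmtViaWireless:
    """Return the effective state; the last matching line wins, as it would
    when the commands are entered in order. No line at all -> disabled
    (ASSUMPTION: that is the platform default)."""
    result = MgmtViaWireless(enabled=False, explicit=False, line_no=None)
    for idx, raw in enumerate(running_config.splitlines(), start=1):
        line = raw.split("!", 1)[0]   # '!' introduces a comment in IOS-style configs
        m = _MGMT_RE.match(line)
        if m is None:
            continue
        result = MgmtViaWireless(enabled=m.group("no") is None,
                                 explicit=True, line_no=idx)
    return result


def disable_commands(state: MgmtViaWireless, platform: str = "iosxe") -> List[str]:
    """Commands that turn management over wireless off, or [] if already off.
    Both command forms are the ones quoted in the thread."""
    if not state.enabled:
        return []
    if platform == "aireos":
        return ["config network mgmt-via-wireless disable"]
    return ["configure terminal", "no wireless mgmt-via-wireless", "end", "write memory"]


def management_reachable(host: str, port: int = 443, timeout: float = 3.0) -> bool:
    """TCP-connect probe. Run it from a wireless client after the change: True
    means the management port still answers over Wi-Fi, which is what the later
    replies in the thread report seeing on 17.3.1."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


if __name__ == "__main__":
    for name, cfg in (("enabled", SAMPLE_ENABLED), ("disabled", SAMPLE_DISABLED),
                      ("default", SAMPLE_DEFAULT)):
        st = audit_mgmt_via_wireless(cfg)
        print(f"{name:8s}: enabled={st.enabled} explicit={st.explicit} "
              f"line={st.line_no} fix={disable_commands(st)}")
    if len(sys.argv) > 1:   # optional: python audit.py <controller-ip>
        print("management port reachable:", management_reachable(sys.argv[1]))
```

Feed it the text of "show running-config" (for example saved from a terminal session) and run the probe from a laptop on the SSID, not from the wired side; the thread notes that the AireOS command also blocked wired hosts on the same LAN, so checking from both is the only way to see what a given release actually enforces.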

Not present at all if I do a show conf...

No reaction when I enter it like this: wireless mgmt-via-wireless OR no wireless mgmt-via-wireless

If I do a show run | in wireless mgmt-via-wireless, it doesn't return anything because it's not present.

I have two C9120AXE, same thing. I use the latest firmware/IOS.

Well, I'm on 17.3.1 on the 9130 EWC. Now, even with this enabled to allow, I'm not able to access the management. My EWC in my home lab is on the same subnet as the clients get placed on. I have to connect to an SSID on my 980” to be able to access the EWC. Try the latest 16.x version. If I recall, it was working back then. Or maybe try 17.2.x.
-Scott
*** Please rate helpful posts ***

I don't have the courage to downgrade the firmware to fix this bug.

I'm surprised that a security setting like this doesn't work.
I'll do without it and hope that future updates will fix this problem.

My IOS version was 17.3.1 too.
