IOS-XE 9800 SSH to APs

Johannes Luther
Level 4

Hello wireless experts,

I understand that the AP SSH access is configured on an "AP profile" level.

Typically (and best practice), the SSH access to the APs is not enabled:

AP Profile Name               : default-ap-profile
... Device Management : Telnet : DISABLED SSH : DISABLED

So what if I want to enable SSH access for a single AP for troubleshooting purposes?

Do I really need to create a new AP profile, assign it to a site tag and assign my AP in question to this site tag?!

First of all: This is disruptive as far as I know (AP rejoins WLC) ... secondly this is a little bit of a configuration overload, just to temporarily turn on SSH access.

So is there any way to enable SSH on a "per AP" basis for IOS-XE (C9800)?

1 Accepted Solution: Scott's reply below, beginning "I understand, but that is why I asked."

8 Replies

jayage
Level 1

Someone out there who can offer a more elegant solution to this issue?

JPavonM
VIP

No you cannot,

AP remote access is managed by the WLC, so basically if you're assigning an AP profile to the AP with SSH that is disabled, then you need to change it to enabled, or move the AP to a different profile; there is no other way.

HTH

Scott Fella
Hall of Fame

What specifically are you trying to accomplish with ssh?  What commands would you use..."show <command>". What I have always done is just enable ssh on the current site tag and then remove it when I'm done.  There is no disassociation when making this change.

If the plan is to just run some show commands, then use the following:

 

terminal monitor
ap name <ap-name> remote enable
ap name <ap-name> remote command "show whatever"
ap name <ap-name> remote disable
terminal no monitor

 

-Scott
*** Please rate helpful posts ***

Hey @Scott Fella ,

I'm aware of the remote debugging of access points using the commands above.

However, not all use-cases are covered. Examples:

- Enabling specific debugs (example: debug traffic wired ip capture or debug capwap client qos)

- AP client tracing (although this may be enabled via the WLC as well)

There may be some more examples.

I understand, but that is why I asked. I'm assuming you don't want to run debugs using the remote commands due to the format and other noise? I just don't see why you would not just enable SSH to the profile and then disable it when you are done. The other option is to have console connection to each of your APs if you want to run those commands without having to toggle SSH on and off or change the tags. I personally would just toggle SSH on and off, because it's quick and I don't have to have the AP reboot. I don't expect Cisco to change that feature as it's baked into a profile.

-Scott

Yeah, that's the consequence. Enable the SSH access for all APs during the debug time.

That is what I have done. I have tried to enable it and then SSH then disable it, but that ends my SSH session right away. I do have console to APs that I do testing on, so that is my other option. You can always request a feature and see if they implement it.

-Scott

jasonm002
Level 1

OP is right, this is a feature of AireOS that needs to come back for the 9800.
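
Since the workaround in this thread is to enable SSH on the whole AP profile and turn it off again afterwards, a check that no profile was left with SSH or Telnet enabled is useful. The following is an added example, not part of the original thread and not Cisco code: it parses AP profile detail output saved from the controller. The multi-line layout of the sample and the profile name `troubleshoot-profile` are assumptions modelled on the excerpt in the question; real output has more fields and may differ by release.

```python
import re

# Constructed sample, modelled on the AP profile excerpt quoted in the question.
# "troubleshoot-profile" is a hypothetical profile name.
SAMPLE = """\
AP Profile Name               : default-ap-profile
Device Management             :
  Telnet                      : DISABLED
  SSH                         : DISABLED
AP Profile Name               : troubleshoot-profile
Device Management             :
  Telnet                      : DISABLED
  SSH                         : ENABLED
"""

PROFILE_RE = re.compile(r"AP Profile Name\s*:\s*(\S+)")
ACCESS_RE = re.compile(r"\b(Telnet|SSH)\s*:\s*(ENABLED|DISABLED)\b", re.IGNORECASE)

def audit_ap_profiles(text):
    """Return {profile: {"telnet": bool, "ssh": bool}}, where True means enabled."""
    profiles, current = {}, None
    for line in text.splitlines():
        m = PROFILE_RE.search(line)
        if m:
            current = m.group(1)
            profiles[current] = {}
        if current is None:
            continue
        # findall also copes with the flattened one-line form quoted in the question
        for proto, state in ACCESS_RE.findall(line):
            profiles[current][proto.lower()] = state.upper() == "ENABLED"
    return profiles

def exposed_profiles(text):
    """Profiles needing attention: SSH/Telnet enabled, or their state not found."""
    findings = []
    for name, state in audit_ap_profiles(text).items():
        enabled = sorted(p for p, on in state.items() if on)
        missing = sorted({"ssh", "telnet"} - state.keys())
        if enabled or missing:
            findings.append((name, enabled, missing))
    return findings

if __name__ == "__main__":
    for name, enabled, missing in exposed_profiles(SAMPLE):
        print(f"{name}: enabled={enabled} state-not-found={missing}")
```

A profile whose SSH or Telnet state cannot be found is reported rather than assumed safe, so a change in output layout shows up as a finding instead of a silent pass.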

 
