04-06-2021 06:04 AM - edited 07-05-2021 01:06 PM
Hello wireless experts,
I understand that the AP SSH access is configured on an "AP profile" level.
Typically (and best practice), the SSH access to the APs is not enabled:
AP Profile Name : default-ap-profile
...
Device Management :
  Telnet : DISABLED
  SSH : DISABLED
So what if I want to enable SSH access for a single AP for troubleshooting purposes?
Do I really need to create a new AP profile, assign it to a site tag and assign my AP in question to this site tag?!
First of all: This is disruptive as far as I know (AP rejoins WLC) ... secondly this is a little bit of a configuration overload, just to temporarily turn on SSH access.
So is there any way to enable SSH on a "per AP" basis for IOS-XE (C9800)?
02-08-2022 03:02 AM
Someone out there who can offer a more elegant solution to this issue?
02-08-2022 07:14 AM
No you cannot,
AP remote access is managed by the WLC, so basically if you're assigning an AP profile to the AP with SSH that is disabled, then you need to change it to enable, or move the AP to a different profile; there is no other way.
HTH
02-08-2022 08:57 AM
What specifically are you trying to accomplish with ssh? What commands would you use..."show <command>". What I have always done is just enable ssh on the current site tag and then remove it when I'm done. There is no disassociation when making this change.
If the plan is to just run some show commands, then use the following:
terminal monitor
ap name <ap-name> remote enable
ap name <ap-name> remote command "show whatever"
ap name <ap-name> remote disable
terminal no monitor
02-08-2022 10:43 PM
Hey @Scott Fella,
I'm aware of the remote debugging of access points using the commands above.
However, not all use-cases are covered. Examples:
- Enabling specific debugs (example: debug traffic wired ip capture or debug capwap client qos)
- AP client tracing (although this may be enabled via the WLC as well)
There may be some more examples.
02-09-2022 06:51 AM
I understand, but that is why I asked. I'm assuming you don't want to run debugs using the remote commands due to the format and other noise? I just don't see why you would not just enable ssh to the profile and then disable it when you are done. The other option is to have a console connection to each of your APs if you want to run those commands without having to toggle SSH on and off or change the tags. I personally would just toggle SSH on and off, because it's quick and I don't have to have the AP reboot. I don't expect Cisco to change that feature as it's baked into a profile.
02-09-2022 07:08 AM
Yeah, that's the consequence. Enable the SSH access for all APs during the debug time.
02-09-2022 07:16 AM
That is what I have done. I have tried to enable it and then SSH then disable it, but that ends my SSH session right away. I do have console to APs that I do testing on, so that is my other option. You can always request a feature and see if they implement it.
09-01-2022 12:08 PM
OP is right, this is a feature of AireOS that needs to come back for the 9800.
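Because the workaround the thread settles on turns SSH on for every AP in a profile for the duration of the debug, it is worth checking afterwards that no profile was left with SSH or Telnet enabled. The script below is an added example, not part of any post and not Cisco tooling; it parses output shaped like the AP profile excerpt quoted in the question, and the sample text, the debug-ap-profile name and the function names are constructed for illustration.

```python
import re

# Constructed sample modeled on the excerpt in the question; real
# controller output contains many more fields per profile.
SAMPLE = """\
AP Profile Name               : default-ap-profile
Device Management             :
  Telnet                      : DISABLED
  SSH                         : DISABLED
AP Profile Name               : debug-ap-profile
Device Management             :
  Telnet                      : DISABLED
  SSH                         : ENABLED
"""

PROFILE_RE = re.compile(r"AP Profile Name\s*:\s*(\S+)")
MGMT_RE = re.compile(r"\b(Telnet|SSH)\s*:\s*(ENABLED|DISABLED)\b")


def parse_mgmt_state(text):
    """Return {profile: {"Telnet": bool, "SSH": bool}} from CLI output."""
    profiles = {}
    current = None
    for line in text.splitlines():
        m = PROFILE_RE.search(line)
        if m:
            current = profiles.setdefault(m.group(1), {})
        if current is None:
            continue  # ignore anything printed before the first profile
        # findall also copes with both states flattened onto one line
        for proto, state in MGMT_RE.findall(line):
            current[proto] = (state == "ENABLED")
    return profiles


def audit(text, allowed=frozenset()):
    """List (profile, finding) pairs that need attention.

    A profile whose SSH/Telnet state cannot be found is reported rather
    than assumed safe. `allowed` holds (profile, protocol) pairs that are
    intentionally enabled, e.g. during an open troubleshooting window.
    """
    findings = []
    for name, state in parse_mgmt_state(text).items():
        for proto in ("Telnet", "SSH"):
            if proto not in state:
                findings.append((name, f"{proto} state not found"))
            elif state[proto] and (name, proto) not in allowed:
                findings.append((name, f"{proto} ENABLED"))
    return findings


if __name__ == "__main__":
    for profile, finding in audit(SAMPLE):
        print(f"{profile}: {finding}")
```

Run it against saved controller output after each troubleshooting session, or on a schedule, and treat any finding as a profile that still needs SSH turned back off.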