Re: Shut off wireless admin access on AP

MrTone123 · ‎04-22-2011

Hi:

Can anyone tell me how to shut of wireless admin access on a 1131 AP?

I only want to be able to administer the device via the wired LAN.

I need to shut of http, ssh, and telnet.

I haven't been able to find anything in the GUI.

Anyone know the CLI commands?

Thanks,

Tony

Surendra BG · ‎04-22-2011

Hi,

Configure the Login username and password as what ever you want for CONSOLE , TELNET , WEB GUI... so that only u know the password and others doesnot know..

BTW, if u want to disable TELNET, WEBGUI then the only option left for you to access the device is by CONSOLE cable.. just configure console clogin and this will do it for you!!

Here is the link which wil give you better Idea!!

http://www.cisco.com/en/US/docs/wireless/access_point/12.4_21a_JA1/configuration/guide/scg12421aJA1-chap5-admin.html

and there are more possibilitites that you may lock out the device if we disable telnet and WEB GUI just incase if you forget ur console credentials!!

Or another option is to use TACACS

Lemme know if this answered ur question and please dont forget to rate the post if this was helpful!!

Regards

Surendra

Regards
Surendra BG

MrTone123 · ‎04-22-2011

Hi Surendra:

Thanks for your response.

I'm still a bit unclear....

Is there a way to allow http/telnet/ssh from the wired LAN, but not from the wireless LAN?

I can do this on my cheap, home Linksys router, so is there a way to do this on this Cisco AP?

I have passwords set, and I'm using the local user database for authentication.

Thanks for your help,

Tony

Surendra BG · ‎04-22-2011

wat configuration do we do on the Linksys?

Regards

Surendra

Regards
Surendra BG

Surendra BG · ‎04-22-2011

the time you issue

NO IP HTTP server and no ip http secure-server , we will not be able to access the HTTP and HTTPS access!!

Regards

Surendra

Regards
Surendra BG

dmantill · ‎04-23-2011

LOL

ok, no there is no way as far as I remember on the aIOS units or autnomous units.

The most that you can do is setting up an ACL on the BVI interface allowing the HTTP, HTTPS, TELNET and SSH traffric from an specific IP range, or mac address, or set an ACL on the radio interface blocking that same traffic HTTP, HTTPS, TELNET, SSH to the BVI Ip or interface... other than than... I cant remember having that feature on the autonomous units.. However I think I have heard of something related :-s but cannot tell you if it is real or something buzzing me in my mind. LOL

Let me know if you have any idea.

(basically I think it is not possible to set only wired management since, if it is in the same vlan as the BVI you might want to use the FSP option and see if it works, that just block traffic between "clients" that are connected to the same vlan... that might work, but I havent test it... and it is hard to accomplish thsi because you might connect to another SSID that isnt in the same as the native vlan, and that traffic will hit the local wired router and will appear as a "wired" packet back again.. or it will fail if some other client connect to a different AP but attempts to connect to the AP thru HTTP... it will still look like a packet incomming from the wired network... ) Let me know if you have any other ideas ...

MrTone123 · ‎04-23-2011

dmantill:

Thank you for your reply!

Of course, access-lists to the rescue!

The wireless network is 192.168.x.x, while the wired network is 10.x.x.x, so an ACL on the http server and vty lines should do the trick. I wil give it a try on Monday.

Thanks for the help!

Tony