
Wism 4404 remote manage WLCs

Jacob Berger
Level 2

I am able to manage the WLCs by https://IP from one VLAN but not from another.

I don't see any rule on the FWSM blocking the attempt, so I guess it's being blocked at the WLC level.

Is there a setting which allows/denies management from a specific VLAN/IP?

Thanks

13 Replies

Are you able to ping the WLC management IP from the VLAN you cannot HTTPS from? Check your switch SVI where the WLC management subnet is defined to see if any ACL is applied.

Rasika

Stephen Rodriguez
Cisco Employee

Are you trying to access the WLC from a subnet that you have a dynamic interface configured for?

Steve


Yes

Abhishek Abhishek
Cisco Employee

Yes, there is a setting which allows/denies management from a specific VLAN/IP.

Abha Jha
Cisco Employee

If your PC is not on the same VLAN as the management interface, can you initiate the command:

> config network mgmt-via-dynamic-interface enable

I configured the command but still no access (was disabled and now enabled).

Scott Fella
Hall of Fame

Typically you should have your wireless separate from your wired devices. The question is, are you trying to access the WLC from a wireless or wired client? config network mgmt-via-wireless enable allows you to access the WLC management IP from a wireless client. So let us know if you are trying from a wireless or wired client also.

Here is a link that explains it better.

http://www.cisco.com/en/US/products/ps6366/products_tech_note09186a0080a7c988.shtml#t3


-Scott
*** Please rate helpful posts ***

I am using a wired client.

I can connect from a user VLAN that is not in the dynamic list,

but not from a user VLAN that is dynamic.

I tried the command that Jha Abha gave but still nothing.

Well, what code are you running? I know there was a bug on a certain version of code back then. You might want to look it up in the bug toolkit. The command that they posted was so you can use the IP address of the dynamic interface to access the WLC. So if you enabled that, try to access the WLC using the IP of the dynamic interface.


-Scott

OK

Tried again with the above command to the dynamic interface IP and it works.

My question now is:

What's blocking me from connecting to the management IP from the dynamic interface VLAN

but is allowing me to connect from a VLAN now configured on WLC?

And why is the above command set to disabled as default (what's the security risk?)

Do you have this enabled? 

config network mgmt-via-wireless

Again, if your wireless dynamic interfaces are on wired user subnets, you can run into the issue you're seeing. So either you enable management-via-wireless, make sure your wireless is separate from your wired subnets, or you just use the dynamic interface IP to access the WLC.

Thanks,

Scott


OK

Didn't think that I would need config network mgmt-via-wireless (thought it detects wired or wireless connections, not just subnets).

I think I will work with the dynamic IP.

What's the security risk with network mgmt-via-dynamic-interface enable?

The risk is, some don't want to allow access in general to the WLC on the wireless no matter what. Others want that ability in case they need to troubleshoot. So the risk is the same for either the management interface or the dynamic interface... users can http/https to the IP address (if they know it) and try to log in (which they most likely can't). I typically like to manage the WLCs on the wireless, but that's me :)

Thanks,

Scott
