topic Re: Limiting Management Access to AP in Aerohive Migrated Content

Limiting Management Access to AP

wies_hays — Mon, 28 Jan 2019 23:07:28 GMT

Hello,

I'm using 12.8.2.2-NGVASEP18.

I'd like to learn about management access to my AP and how to limit it.

https://thehivecommunity.aerohive.com/s/article/How-to-Connect-to-an-AP-using-SSH describes how to connect to an AP via SSH.

But there's also an HTTP/HTTPS web user interface.

I don't want to expose those to anyone but the management systems.

"Device SSH Availability" in the docs (http://docs.aerohive.com/330000/docs/help/english/ng/Content/gui/configuration/configuring-device-ssh-availability.htm) tells me that I have to eneable SSH before I can use it... well, on my device it is not enabled, nor did I enable the WUI. Still I can log in via both.

My questions are:

What is the idea behind the "Device SSH Availability" setting?
How can I limit management (SSH / WUI / whatever there might be) by an ACL?

Probably I can create a firewall policy, but I believe that management access should be handeled by an ACL at first.... how can this be done?

Thank you!

Best regards,

Armin

Re: Limiting Management Access to AP

michael_bernard — Tue, 29 Jan 2019 00:00:46 GMT

The setting for SSH availability in the Global Settings of the HiveManager is intended to enable to Proxy SSH connections through HiveManager to a target AP. Once this option is enabled in the HiveManager, Going into the device configuration of any Aerohive device will show "SSH" under "Additional Device Settings".

The physical Aerohive devices have SSH enabled by default. Regarding restricting SSH access, ideally, Aerohive devices would be placed in their our management VLAN. Client traffic would be segmented off in their own VLAN, with firewall rules preventing clients from access devices in the Aerohive management

Re: Limiting Management Access to AP

wies_hays — Tue, 29 Jan 2019 18:19:47 GMT

Hi Michael,

thank you for clarifying this.

Unfortunately we don't have a Management VLAN on which a gateway could filter out unwanted management access.

On all of our other devices we set up ACLs which limit management connection attempts.

So, on HiveOS devices this cannot be done?

Can you please confirm that the only way to limit management access is through the firewall on that HiveOS device?

Thank you!

Best regards,

Armin

Re: Limiting Management Access to AP

reinhardg — Mon, 24 Feb 2020 21:12:23 GMT

We have the same challenge: It's not possible to disable SSH-access to the APs. Our env is: Hivemanager 19.5.1.7-NGVA, AP550 with HiveOS 10.0r8. We unchecked "Enable SSH" in the corresponding Traffic Filter, we unchecked "Enable SSH" in the Optional Settings of the AP and we unchecked "Enable SSH" under SSH Availability in the Global Settings. The AP still accepts SSH-connections. What else has to be done?

Re: Limiting Management Access to AP

mlee — Mon, 22 Jun 2020 21:21:46 GMT

We’re looking to do something similar at the moment.
Our APs are accessible internally via HTTP/HTTPS, and want to turn that off, so they’re only accessible via SSH or through Aerohive.
Is this even possible?

Re: Limiting Management Access to AP

Ash_Finch — Fri, 26 Jun 2020 19:22:03 GMT

Yes, you can turn off the Web access by going into the policy > additional settings > management options > tick “Disable WebUI without disabling CWP”