We've configured all our WLC5500 devices with a service port interface, which we are using for management and monitoring. Since in our situation the management interface is reachable from office networks, this means that office clients have the ability to reach the logon screens of the WLC.
Is the only possibility to restrict access to the GUI/SSH ports to place an access list on the management interface, or am I missing a secret command / button that will let me disable or restrict device management through the management interface?
In case I'm having to use an ACL on the WLC management interface, are there any known issues with denying access to the http/https/telnet/ssh ports and LWAPs trying to connect?
You've hit it on the nose. You have to have an ACL that blocks the "non-admin" terminals from being able to http/https/telnet/ssh/snmp to the device. So long as you have the permit ip any any at the end of the ACL, you should have no issues, or explicitly allow udp 5246/5247.
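As an added illustration (not part of the answer above and not taken from Cisco documentation), here is the ACL the answer describes written out in AireOS CLI syntax. The ACL name MGMT-RESTRICT and the admin subnet 10.10.0.0/24 are assumed values; protocol numbers 6 and 17 are TCP and UDP. Lines beginning with "!" are annotations for the reader and are not CLI input, so strip them before pasting.

```cisco
! Assumed ACL name; admin subnet 10.10.0.0/24 is an assumption for this example
config acl create MGMT-RESTRICT

! Rule 1: admin subnet may reach anything on the controller (evaluated first)
config acl rule add MGMT-RESTRICT 1
config acl rule action MGMT-RESTRICT 1 permit
config acl rule source address MGMT-RESTRICT 1 10.10.0.0 255.255.255.0
config acl rule direction MGMT-RESTRICT 1 any

! Rule 2: explicitly permit CAPWAP control/data (UDP 5246/5247) so APs keep joining,
! regardless of what later rules do
config acl rule add MGMT-RESTRICT 2
config acl rule action MGMT-RESTRICT 2 permit
config acl rule protocol MGMT-RESTRICT 2 17
config acl rule destination port range MGMT-RESTRICT 2 5246 5247
config acl rule direction MGMT-RESTRICT 2 any

! Rules 3-5: deny SSH/Telnet (TCP 22-23), HTTP (TCP 80) and HTTPS (TCP 443)
! from everything that did not match rule 1
config acl rule add MGMT-RESTRICT 3
config acl rule action MGMT-RESTRICT 3 deny
config acl rule protocol MGMT-RESTRICT 3 6
config acl rule destination port range MGMT-RESTRICT 3 22 23
config acl rule direction MGMT-RESTRICT 3 any

config acl rule add MGMT-RESTRICT 4
config acl rule action MGMT-RESTRICT 4 deny
config acl rule protocol MGMT-RESTRICT 4 6
config acl rule destination port range MGMT-RESTRICT 4 80 80
config acl rule direction MGMT-RESTRICT 4 any

config acl rule add MGMT-RESTRICT 5
config acl rule action MGMT-RESTRICT 5 deny
config acl rule protocol MGMT-RESTRICT 5 6
config acl rule destination port range MGMT-RESTRICT 5 443 443
config acl rule direction MGMT-RESTRICT 5 any

! Rule 6: deny SNMP (UDP 161-162)
config acl rule add MGMT-RESTRICT 6
config acl rule action MGMT-RESTRICT 6 deny
config acl rule protocol MGMT-RESTRICT 6 17
config acl rule destination port range MGMT-RESTRICT 6 161 162
config acl rule direction MGMT-RESTRICT 6 any

! Rule 7: the "permit ip any any" from the answer. AireOS ACLs end with an implicit
! deny, so without this final permit everything else (DHCP, RADIUS, NTP, ...) breaks
config acl rule add MGMT-RESTRICT 7
config acl rule action MGMT-RESTRICT 7 permit
config acl rule protocol MGMT-RESTRICT 7 any
config acl rule direction MGMT-RESTRICT 7 any

! Apply it as the CPU ACL, which filters traffic addressed to the controller itself
config acl cpu MGMT-RESTRICT

! Verify the rule order and the active CPU ACL
show acl detailed MGMT-RESTRICT
show acl cpu
```

Rule order matters: the admin permit has to precede the deny rules, and the final permit has to be last, because the first matching rule wins and the implicit deny follows the last rule. After applying, confirm from a non-admin office host that TCP 22/80/443 to the management address no longer connects while an AP on that network still joins, and confirm from the admin subnet that the GUI and SSH still work. Note that this ACL only governs what the controller accepts; filtering the same ports on the upstream router or firewall in front of the management VLAN keeps the traffic off the controller altogether and is the more robust long-term fix.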