I am in the process of configuring a global username and password on our wireless controllers so I can enable SSH on all the access points for troubleshooting. I would also like to secure access by limiting what devices can SSH to the APs. As a test, I created a standard ACL on 1 access point and tied that ACL to the vty lines. This accomplishes what I am attempting to do, but it also means that I have to add this ACL to every single AP. Is there a way to push the ACL and apply it to the vty lines through the controller or Cisco Prime? I did not see anything in either (controller or Cisco Prime lightweight templates) that would allow an ACL that would be applied to the vty lines on the access points.
Quite often an AP will disassociate from a controller and have an issue re-joining the controller; however, it might still be accessible on the network. Since enabling SSH requires the AP to be joined to the controller, you have no chance of being able to troubleshoot without console access (need the AP to join the controller to enable SSH and need SSH to troubleshoot why the AP won't join the controller... it's a real chicken-and-egg situation). In our environment, having SSH access has eliminated the idea of just RMA'ing a device because it is failing to join a controller (especially helpful for remote locations and locations where the APs require a boom lift for console access). I agree that the number of times that it is necessary to SSH to an AP is limited, but it's still saved us some downtime by enabling remote support.
I don't want just anyone to be able to SSH to these devices, and that is why I wanted to limit access with an ACL on the vty lines. I was just hoping there was an easier way than having to do this on every AP.