Cisco Support Community

New Member

Enabling SSH on Access Points and Limiting Access

I am in the process of configuring a global username and password on our wireless controllers so I can enable SSH on all the access points for troubleshooting. I would also like to secure access by limiting which devices can SSH to the APs. As a test, I created a standard ACL on one access point and tied that ACL to the vty lines. This accomplishes what I am attempting to do, but it also means that I have to add this ACL to every single AP. Is there a way to push the ACL and apply it to the vty lines through the controller or Cisco Prime? I did not see anything in either (controller or Cisco Prime lightweight templates) that would allow an ACL to be applied to the vty lines on the access points.

3 REPLIES
Hall of Fame Super Gold


How often do you want to SSH into a controller-based AP? Not all the time, because all your regular troubleshooting is done on the WLC.

My recommendation is to leave SSH at its default value, DISABLED. Enable SSH when the need arises and disable it when you don't.

If you've got a FW, allow the management VLAN to remotely manage your equipment.

New Member


Here's the scenario:

Quite often an AP will disassociate from a controller and have an issue re-joining the controller; however, it might still be accessible on the network. Since enabling SSH requires the AP to be joined to the controller, you have no chance of being able to troubleshoot without console access (you need the AP to join the controller to enable SSH, and you need SSH to troubleshoot why the AP won't join the controller... it's a real chicken-and-egg situation). In our environment, having SSH access has eliminated the idea of just RMA'ing a device because it is failing to join a controller (especially helpful for remote locations and locations where the APs require a boom lift for console access). I agree that the number of times it is necessary to SSH to an AP is limited, but it's still saved us some downtime by enabling remote support.

I don't want just anyone to be able to SSH to these devices, and that is why I wanted to limit access with an ACL on the vty lines; I was just hoping there was an easier way than having to do this on every AP.
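The per-AP configuration the question describes (a standard ACL tied to the vty lines), written out as an added example for this thread rather than taken from any post or Cisco document. It assumes the AP exposes the IOS CLI, and the ACL name and the 10.10.10.0/24 management subnet are placeholders to replace with your own.

```cisco
! Standard ACL listing the only sources allowed to open a session to the AP.
! "deny any log" keeps every refused attempt visible in syslog and in the
! ACL match counters, so unexpected SSH sources show up during review.
ip access-list standard MGMT-SSH-IN
 permit 10.10.10.0 0.0.0.255
 deny   any log
!
! Accept SSH v2 only on the device.
ip ssh version 2
!
! Apply the ACL inbound on every vty line so a source outside the management
! subnet is refused before any login prompt; allow only SSH on those lines
! (no Telnet) and drop idle sessions after 10 minutes.
line vty 0 15
 access-class MGMT-SSH-IN in
 transport input ssh
 exec-timeout 10 0
!
! Verification after applying:
!   show access-lists MGMT-SSH-IN   -> per-entry match counts (denies = refused sources)
!   show running-config | section line vty
```

With the controller's global credentials providing the login and this ACL providing the source restriction, the only thing left to distribute per AP is the ACL and the access-class line.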

Hall of Fame Super Gold


If you have a firewall, you can enable a subnet to allow SSH access to the AP.
