FAQ---SSH/telnet login on the FAT AP is not possible from the wireless side

Publication Date:  2016-08-31 Views:  367 Downloads:  0
Issue Description



The administrator of the WLAN network described in Figure 1 requires management access from the wireless side.  The FAT AP has been configured to allow ssh/telnet access for the admin user and the ssh connection is successful when is initiated from the wired side of the network.

When the SSH connection is initiated from the STA connected to the Wi-Fi, the connection times out “port 22: Connection timed out”.

Figure 1 WLAN service configuration networking on a small-scale network 



(AP6010DN FAT V200R005C10SPCa00)



interface Vlanif101

 ip address

 dhcp select interface


interface Wlan-Bss1

 port hybrid pvid vlan 101

 port hybrid untagged vlan 101



 authentication-scheme default

 authorization-scheme default

 accounting-scheme default

 domain default

 domain default_admin

 local-user admin password irreversible-cipher %@%@e+'.%imJ9.j<g12!ETVRX;]nZONr/vTv-!YND!H1t`|3;]qX%@%@

 local-user admin privilege level 3

 local-user admin service-type telnet ssh


 ssh user admin authentication-type all

 ssh client first-time enable

 stelnet server enable


user-interface vty 0 4

 authentication-mode aaa

 user privilege level 3

 protocol inbound all



 wmm-profile name wmm id 1

 traffic-profile name traffic id 1

 security-profile name security id 1

 service-set name test id 1

  Wlan-Bss 1

  ssid test

  traffic-profile id 1

  security-profile id 1

 radio-profile name radio id 1

  wmm-profile id 1


interface Wlan-Radio0/0/0

 radio-profile id 1

 service-set id 1 wlan 1






By design, The AP does not allow ssh/telnet management connections from the wireless side due to security reasons.


The AP offers the alternative to configure a new VAP on the AP which will allow only management access as telnet/ssh. The configuration can be made by using the type ap-management command in the service-set view to change the type of the service set for management ( vap-profile in V2R6 version or later)

Note that in the case where a vap is configured for AP management, the STAs that will connect to the new VAP will only have access to the AP management but not to the network resources. 


# Create a new VAP for a SSID “management” which will allow only AP management


[AP]vlan 102

[AP] interface vlanif 102

[AP-Vlanif101] ip address 24

[AP-Vlanif101] dhcp select interface

[AP-Vlanif101] quit

[AP] interface wlan-bss 2

[AP-Wlan-Bss1] port hybrid pvid vlan 102

[AP-Wlan-Bss1] port hybrid untagged vlan 102

[AP-Wlan-Bss1] quit 

[AP] wlan

[AP-wlan-view] service-set name management id 2

[AP-wlan-service-set-test]ssid  management

[AP-wlan-service-set-test]type ap-management

AP-wlan-service-set-test] wlan-bss 2

[AP-wlan-service-set-test] security-profile name security

[AP-wlan-service-set-test] traffic-profile name traffic

[AP-wlan-service-set-test] quit

[AP] interface wlan-radio 0/0/0

[AP-Wlan-Radio0/0/0] radio-profile name radio

[AP-Wlan-Radio0/0/0] service-set name management

[AP-Wlan-Radio0/0/0] quit