FAQ---SSH/telnet login on the FAT AP is not possible from the wireless side

Publication Date: 2016-08-31
Issue Description


Scenario:

 

The administrator of the WLAN network described in Figure 1 requires management access from the wireless side. The FAT AP has been configured to allow SSH/telnet access for the admin user, and the SSH connection succeeds when it is initiated from the wired side of the network.


When the SSH connection is initiated from a STA connected to the Wi-Fi, the connection times out with the error “port 22: Connection timed out”.


Figure 1 WLAN service configuration networking on a small-scale network 

 


 Configuration:

(AP6010DN FAT V200R005C10SPCa00)

 

#

interface Vlanif101

 ip address 192.168.11.1 255.255.255.0

 dhcp select interface

#

interface Wlan-Bss1

 port hybrid pvid vlan 101

 port hybrid untagged vlan 101

 

aaa

 authentication-scheme default

 authorization-scheme default

 accounting-scheme default

 domain default

 domain default_admin

 local-user admin password irreversible-cipher %@%@e+'.%imJ9.j<g12!ETVRX;]nZONr/vTv-!YND!H1t`|3;]qX%@%@

 local-user admin privilege level 3

 local-user admin service-type telnet ssh

#

 ssh user admin authentication-type all

 ssh client first-time enable

 stelnet server enable

#

user-interface vty 0 4

 authentication-mode aaa

 user privilege level 3

 protocol inbound all

#

wlan

 wmm-profile name wmm id 1

 traffic-profile name traffic id 1

 security-profile name security id 1

 service-set name test id 1

  Wlan-Bss 1

  ssid test

  traffic-profile id 1

  security-profile id 1

 radio-profile name radio id 1

  wmm-profile id 1

#

interface Wlan-Radio0/0/0

 radio-profile id 1

 service-set id 1 wlan 1

#

return

 

 

Solution

By design, the AP does not allow SSH/telnet management connections from the wireless side, for security reasons.

 

As an alternative, a new VAP can be configured on the AP that allows only management access (telnet/SSH). To do this, use the type ap-management command in the service-set view to change the type of the service set to management (vap-profile in V2R6 or later versions).


Note that when a VAP is configured for AP management, the STAs that connect to the new VAP have access only to AP management, not to the network resources.

Example

# Create a new VAP for an SSID “management” that allows only AP management

 

[AP]vlan 102

[AP] interface vlanif 102

[AP-Vlanif102] ip address 192.168.12.1 24

[AP-Vlanif102] dhcp select interface

[AP-Vlanif102] quit

[AP] interface wlan-bss 2

[AP-Wlan-Bss2] port hybrid pvid vlan 102

[AP-Wlan-Bss2] port hybrid untagged vlan 102

[AP-Wlan-Bss2] quit

[AP] wlan

[AP-wlan-view] service-set name management id 2

[AP-wlan-service-set-management] ssid management

[AP-wlan-service-set-management] type ap-management

[AP-wlan-service-set-management] wlan-bss 2

[AP-wlan-service-set-management] security-profile name security

[AP-wlan-service-set-management] traffic-profile name traffic

[AP-wlan-service-set-management] quit

[AP] interface wlan-radio 0/0/0

[AP-Wlan-Radio0/0/0] radio-profile name radio

[AP-Wlan-Radio0/0/0] service-set name management

[AP-Wlan-Radio0/0/0] quit
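
To check a saved FAT AP configuration for which SSIDs are management VAPs (and therefore where SSH/telnet to the AP is expected to work from the wireless side), the following added example parses the service sets and their VLANs. It is not part of the original FAQ or vendor code; the function names are hypothetical and the sample configuration is constructed, assuming "type ap-management" is saved as typed.

```python
import re
# Constructed sample (not device output): the page's configuration after the
# "management" service set is added. Assumption: "type ap-management" is saved as typed.
SAMPLE_CONFIG = """\
interface Wlan-Bss1
 port hybrid pvid vlan 101
#
interface Wlan-Bss2
 port hybrid pvid vlan 102
#
wlan
 service-set name test id 1
  Wlan-Bss 1
  ssid test
 service-set name management id 2
  Wlan-Bss 2
  ssid management
  type ap-management
 radio-profile name radio id 1
"""

def parse_service_sets(config):
    """Map service-set name -> {'ssid', 'bss', 'vlan', 'mgmt'}."""
    pvid, sets, bss_if, cur = {}, {}, None, None
    for raw in filter(str.strip, config.splitlines()):   # skip blank lines
        line, indent = raw.strip(), len(raw) - len(raw.lstrip())
        if indent == 0:                      # new top-level section (or "#")
            m = re.fullmatch(r"interface Wlan-Bss(\d+)", line)
            bss_if, cur = (m.group(1) if m else None), None
        elif bss_if and (m := re.fullmatch(r"port hybrid pvid vlan (\d+)", line)):
            pvid[bss_if] = int(m.group(1))
        elif m := re.fullmatch(r"service-set name (\S+) id \d+", line):
            cur = sets[m.group(1)] = {"ssid": None, "bss": None, "vlan": None, "mgmt": False}
        elif indent == 1:                    # another block at this level ends the service set
            cur = None
        elif cur is not None:                # attribute lines of the current service set
            if m := re.fullmatch(r"Wlan-Bss (\d+)", line):
                cur["bss"] = m.group(1)
            elif m := re.fullmatch(r"ssid (.+)", line):
                cur["ssid"] = m.group(1)
            elif line == "type ap-management":
                cur["mgmt"] = True
    for s in sets.values():                  # resolve the VLAN via the bound Wlan-Bss
        s["vlan"] = pvid.get(s["bss"])
    return sets

def management_ssids(config):
    """SSIDs whose service set is of type ap-management."""
    return [s["ssid"] for s in parse_service_sets(config).values() if s["mgmt"]]
```

An empty result from management_ssids() on a device's configuration matches the symptom in this FAQ: no SSID is a management VAP, so SSH from any STA times out.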

END