E400 Management Access

Hello,

I have two E-400s working in a LAN using fast roaming via 802.11r. This works fine.

I manage them via GUI, not cnMaestro.

Both E-400s run with a fixed IP address. There is only VLAN 1 in use; I do not have a switch with VLAN capabilities.

I see a problem with the network option "Management Access": It is set to "Allow from Wired" on both devices.

But (of course) when my laptop is logged in to one of the E-400 access points, I can configure the other access point, because the routing goes from the WLAN through access point A via the wired LAN to access point B. So I can configure access point B even though I am in the wireless LAN.

So I guess the E-400 should consider this roaming setup in some way. Or is there a tricky possibility to prevent this behaviour via the "routing" configuration (second tab in the network setup)? If yes, this could work with my setup, but it wouldn't work if the E-400s used DHCP instead of a fixed IP address, would it?

Anyway - I think this security setting should be mentioned in the user guide?

Best regards

cad

You are right, the behaviour should be enhanced in future releases to also handle these other cases of management access. In the meantime ACLs could be used as a configuration workaround to achieve the same effect:


If your E400s will always use those two IP addresses (and they are not changed by a DHCP server), you can create ACL rules to block access: under WLAN configuration, add 3 rules:

- in the 'in' direction, 2 rules to block any access to those 2 IP addresses

- 1 rule to allow access to everything else


This ACL applies only to traffic from the wireless side; you can still connect to and manage the APs from the wired side. Since the ACL applies right at the radio-in interface, it will prevent the issue you are seeing where AP2 can be accessed from the wired side by a client connected on AP1.


Alternatively, if the IPs can change: permit access to the default gateway IP address, deny access to all other addresses on that subnet, and permit all other traffic (broadcasts, DHCP etc.). Note that this will also prevent a wireless client from connecting to another wireless client (since there is only one VLAN on that network).
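To make the two rule sets from the reply above concrete, here is an added simulation of both wireless-side ACL variants. It is example code written for this page, not the poster's configuration and not a Cambium tool; the addresses (192.168.1.0/24, gateway .1, APs .2 and .3, a second wireless client at .50) are assumed for illustration, and the first-match, top-to-bottom rule evaluation it models is an assumption about how such an ACL behaves, not something taken from the E400 documentation. It also includes a shadowing check, because the most common way to break either variant is to place the permit-everything rule before the deny rules.

```python
"""Model the two radio-in ACL variants discussed in the thread.

Constructed example. Rules are evaluated first-match, top to bottom
(assumed semantics); a packet that matches no rule gets the default.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    action: str                  # "permit" or "deny"
    dst: ipaddress.IPv4Network   # destination network the rule matches
    note: str = ""               # human-readable purpose of the rule


def evaluate(acl, dst_ip, default="permit"):
    """Return the action of the first rule whose destination matches."""
    ip = ipaddress.IPv4Address(dst_ip)
    for rule in acl:
        if ip in rule.dst:
            return rule.action
    return default


def shadowed(acl):
    """Indices of rules that can never match because an earlier rule's
    destination is a supernet (or equal) of theirs. A non-empty result
    almost always means the rule order is wrong."""
    hidden = []
    for i, rule in enumerate(acl):
        if any(rule.dst.subnet_of(earlier.dst) for earlier in acl[:i]):
            hidden.append(i)
    return hidden


# Assumed addressing for this example (not taken from the post).
LAN = ipaddress.IPv4Network("192.168.1.0/24")
GATEWAY = "192.168.1.1"
AP1 = "192.168.1.2"
AP2 = "192.168.1.3"
OTHER_CLIENT = "192.168.1.50"      # another wireless station on the same VLAN
DHCP_DISCOVER = "255.255.255.255"  # limited broadcast used by DHCP clients
INTERNET = "93.184.216.34"

ANY = ipaddress.IPv4Network("0.0.0.0/0")

# Variant 1: the APs keep fixed addresses. Two host-specific denies,
# then permit everything else. Client-to-client traffic still works.
ACL_FIXED = [
    Rule("deny", ipaddress.IPv4Network(AP1 + "/32"), "block AP1 management"),
    Rule("deny", ipaddress.IPv4Network(AP2 + "/32"), "block AP2 management"),
    Rule("permit", ANY, "everything else"),
]

# Variant 2: AP addresses may change (DHCP). Permit only the gateway on
# the local subnet, deny the rest of it, permit all other traffic.
# Side effect noted in the thread: other wireless clients are denied too.
ACL_DHCP = [
    Rule("permit", ipaddress.IPv4Network(GATEWAY + "/32"), "default gateway"),
    Rule("deny", LAN, "rest of the local subnet, whatever the APs' IPs are"),
    Rule("permit", ANY, "broadcast, DHCP, off-subnet traffic"),
]

# Misordered variant: permit-all first hides both denies.
ACL_BROKEN = [ACL_FIXED[2], ACL_FIXED[0], ACL_FIXED[1]]


def check(acl, destinations):
    """Map each destination to the action the ACL would take."""
    return {d: evaluate(acl, d) for d in destinations}


if __name__ == "__main__":
    targets = [GATEWAY, AP1, AP2, OTHER_CLIENT, DHCP_DISCOVER, INTERNET]
    for name, acl in (("fixed", ACL_FIXED), ("dhcp", ACL_DHCP), ("broken", ACL_BROKEN)):
        print(name, check(acl, targets), "shadowed:", shadowed(acl))
```

Running it shows the trade-off the reply describes: the fixed-address variant denies only the two AP addresses and leaves client-to-client traffic alone, while the DHCP-safe variant denies every local address except the gateway, so the other wireless client becomes unreachable while the broadcast used by DHCP and off-subnet traffic still pass. For the misordered list, `shadowed()` flags both deny rules, which is the check worth doing before applying any ACL through the GUI.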

Hi,

Please share your network topology (including IP address and default gateway details) and the AP1 and AP2 configuration; we shall be able to suggest appropriate ACLs to prevent AP2 access from wireless clients connected to AP1.

Our answer for a long-term solution will be a management ACL on the APs.

With regards,

Channareddy

Hi, sorry, I was away from my desk a few weeks.

The solution with ACLs seems a good way - thank you for the answers!

I'll test it in the next few days.

Again - thank you for your help!

cad