The management interface is the
default interface for in-band management of the controller and connectivity to
enterprise services such as AAA servers. It is also used for communications
between the controller and access points. The management interface has the only
consistently “pingable” in-band interface IP address on the controller. You can
access the GUI of the controller by entering the management interface IP
address of the controller in the address field of your browser.
For CAPWAP, the controller
requires one management interface to control all inter-controller
communications and one AP-manager interface to control all controller-to-access
point communications, regardless of the number of ports.
If the service port is
in use, the management interface must be on a different supernet from the
service-port interface.
Note: To prevent or block a wired or wireless client from accessing the management network on a controller (from the wireless client
dynamic interface or VLAN), the network administrator must ensure that only authorized clients gain access to the management
network through proper CPU ACLs, or use a firewall between the client dynamic interface and the management network.
Do not map a guest WLAN to
the management interface. If the EoIP tunnel breaks, the client could obtain an
IP and be placed on the management subnet.
Do not configure wired
clients in the same VLAN or subnet of the service port of the controller on the
network. If you configure wired clients on the same subnet or VLAN as the
service port, it is not possible to access the management interface of the
controller.
Authentication Type for Management Interfaces
For any type of management access to the controller, be it SSH, Telnet, or HTTP, we recommend that you use any one authentication type, which can be TACACS+, RADIUS, or Local, and not a mix of these authentication types. Ensure that you take care of the following:
- The authentication type (TACACS+, RADIUS, or Local) must be the same for all management access and for all AAA authentication and authorization parameters.
- The method list must be explicitly specified in the HTTP authentication.
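
The placement rules above (service port versus management interface, guest WLAN mapping, wired clients near the service port) and the single-authentication-type rule can be checked together against an exported inventory. The following is an added example, not Cisco code: the inventory layout, field names and finding labels are assumptions, the sample values are constructed, and "different supernet" is approximated as "the two networks do not overlap".

```python
import ipaddress

# Constructed inventory for illustration. The field names are assumptions,
# not a controller export format.
SAMPLE = {
    "management": "10.10.0.5/24",
    "service_port": "192.168.100.5/24",
    "wlans": [
        {"ssid": "corp", "guest": False, "interface": "vlan20"},
        {"ssid": "guest", "guest": True, "interface": "management"},
    ],
    "wired_clients": ["192.168.100.40", "10.30.0.7"],
    # Authentication type per management access method.
    "mgmt_auth": {"ssh": "tacacs+", "telnet": "tacacs+", "http": "local"},
    "http_method_list": None,  # None = not explicitly specified
}


def audit(inv):
    """Return a list of findings for the rules stated in this section."""
    findings = []
    mgmt = ipaddress.ip_interface(inv["management"]).network
    svc = ipaddress.ip_interface(inv["service_port"]).network

    # Assumption: "different supernet" is checked as "networks do not overlap".
    if mgmt.overlaps(svc):
        findings.append("service-port-overlaps-management")

    # A guest WLAN must not be mapped to the management interface.
    for wlan in inv["wlans"]:
        if wlan["guest"] and wlan["interface"] == "management":
            findings.append(f"guest-wlan-on-management:{wlan['ssid']}")

    # Wired clients must not share the service port's subnet.
    for client in inv["wired_clients"]:
        if ipaddress.ip_address(client) in svc:
            findings.append(f"wired-client-in-service-port-subnet:{client}")

    # One authentication type for all management access, not a mix.
    types = sorted(set(inv["mgmt_auth"].values()))
    if len(types) > 1:
        findings.append("mixed-auth-types:" + ",".join(types))
    if not inv.get("http_method_list"):
        findings.append("http-method-list-not-explicit")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```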