Wireless Access

What are the user role rules? The access to resources is allowed/deny by role configuration.

Best, Gorazd

------------------------------
Gorazd Kikelj
MVP Guru 2025
------------------------------

Thanks for the follow up!

Under Configuration -> Security -> Users, I did not have a single user configured.  I just created a test user, but I do not see any way in the Instant GUI to allow access to management for that test user.

A quick aside: I just bought an AP-515 and have that added to the virtual controller (10.27.7.102).  I just tried to access the management for that AP, and I can access the web GUI.  

User roles are not the same as users. User roles can be found under Configuration / Security / Roles. To see what role your client get assigned look into Dashboard / Clients.

Do you use local dhcp provided by AP or external DHCP?

Best, Gorazd

Thanks for the follow up!

Under Configuration -> Security -> Users, I did not have a single user configured.  I just created a test user, but I do not see any way in the Instant GUI to allow access to management for that test user.

A quick aside: I just bought an AP-515 and have that added to the virtual controller (10.27.7.102).  I just tried to access the management for that AP, and I can access the web GUI.  

Original Message:
Sent: Sep 11, 2025 03:51 AM
From: GorazdKikelj
Subject: Wired clients cannot access web GUI or SSH but wired clients on same network can

What are the user role rules? The access to resources is allowed/deny by role configuration.

Best, Gorazd

------------------------------
Gorazd Kikelj
MVP Guru 2025

Ahh gotcha, they all get "Role1", which has one access rule: "Allow any to all destinations".

DHCP is provided by a Palo Alto firewall.

User roles are not the same as users. User roles can be found under Configuration / Security / Roles. To see what role your client get assigned look into Dashboard / Clients.

Do you use local dhcp provided by AP or external DHCP?

Best, Gorazd

Thanks for the follow up!

Under Configuration -> Security -> Users, I did not have a single user configured.  I just created a test user, but I do not see any way in the Instant GUI to allow access to management for that test user.

A quick aside: I just bought an AP-515 and have that added to the virtual controller (10.27.7.102).  I just tried to access the management for that AP, and I can access the web GUI.  

Just a stupid question. Do client subnet 192.168.1.0/24 has access to AP management network 10.27.7.0?

Best, Gorazd

Ahh gotcha, they all get "Role1", which has one access rule: "Allow any to all destinations".

DHCP is provided by a Palo Alto firewall.

User roles are not the same as users. User roles can be found under Configuration / Security / Roles. To see what role your client get assigned look into Dashboard / Clients.

Do you use local dhcp provided by AP or external DHCP?

Best, Gorazd

Thanks for the follow up!

Under Configuration -> Security -> Users, I did not have a single user configured.  I just created a test user, but I do not see any way in the Instant GUI to allow access to management for that test user.

A quick aside: I just bought an AP-515 and have that added to the virtual controller (10.27.7.102).  I just tried to access the management for that AP, and I can access the web GUI.  

Original Message:
Sent: Sep 11, 2025 03:51 AM
From: GorazdKikelj
Subject: Wired clients cannot access web GUI or SSH but wired clients on same network can

What are the user role rules? The access to resources is allowed/deny by role configuration.

Best, Gorazd

------------------------------
Gorazd Kikelj
MVP Guru 2025

Just a stupid question. Do client subnet 192.168.1.0/24 has access to AP management network 10.27.7.0?

Best, Gorazd

Ahh gotcha, they all get "Role1", which has one access rule: "Allow any to all destinations".

DHCP is provided by a Palo Alto firewall.

User roles are not the same as users. User roles can be found under Configuration / Security / Roles. To see what role your client get assigned look into Dashboard / Clients.

Do you use local dhcp provided by AP or external DHCP?

Best, Gorazd

Thanks for the follow up!

Under Configuration -> Security -> Users, I did not have a single user configured.  I just created a test user, but I do not see any way in the Instant GUI to allow access to management for that test user.

A quick aside: I just bought an AP-515 and have that added to the virtual controller (10.27.7.102).  I just tried to access the management for that AP, and I can access the web GUI.  

Original Message:
Sent: Sep 11, 2025 03:51 AM
From: GorazdKikelj
Subject: Wired clients cannot access web GUI or SSH but wired clients on same network can

What are the user role rules? The access to resources is allowed/deny by role configuration.

Best, Gorazd

------------------------------
Gorazd Kikelj
MVP Guru 2025

No worries!  Yes, they do.  The client subnet has both wired and wireless clients, and the wired clients have no trouble accessing the management IP.

This post is obviously very old and for a 7205 controller instead of an Instant AP virtual controller, but at the bottom it implies that having a AAA/RADIUS server configured is what is necessary to get wireless clients to be able to access the web GUI.  I don't have a RADIUS server spun up, but I can try to get one going if that would fix the issue.

Just a stupid question. Do client subnet 192.168.1.0/24 has access to AP management network 10.27.7.0?

Best, Gorazd

Ahh gotcha, they all get "Role1", which has one access rule: "Allow any to all destinations".

DHCP is provided by a Palo Alto firewall.

User roles are not the same as users. User roles can be found under Configuration / Security / Roles. To see what role your client get assigned look into Dashboard / Clients.

Do you use local dhcp provided by AP or external DHCP?

Best, Gorazd

Thanks for the follow up!

Under Configuration -> Security -> Users, I did not have a single user configured.  I just created a test user, but I do not see any way in the Instant GUI to allow access to management for that test user.

A quick aside: I just bought an AP-515 and have that added to the virtual controller (10.27.7.102).  I just tried to access the management for that AP, and I can access the web GUI.  

Use internal server so it will use your locally defined users for authentication.

No worries!  Yes, they do.  The client subnet has both wired and wireless clients, and the wired clients have no trouble accessing the management IP.

This post is obviously very old and for a 7205 controller instead of an Instant AP virtual controller, but at the bottom it implies that having a AAA/RADIUS server configured is what is necessary to get wireless clients to be able to access the web GUI.  I don't have a RADIUS server spun up, but I can try to get one going if that would fix the issue.

Just a stupid question. Do client subnet 192.168.1.0/24 has access to AP management network 10.27.7.0?

Best, Gorazd

Ahh gotcha, they all get "Role1", which has one access rule: "Allow any to all destinations".

DHCP is provided by a Palo Alto firewall.

User roles are not the same as users. User roles can be found under Configuration / Security / Roles. To see what role your client get assigned look into Dashboard / Clients.

Do you use local dhcp provided by AP or external DHCP?

Best, Gorazd

Thanks for the follow up!

Under Configuration -> Security -> Users, I did not have a single user configured.  I just created a test user, but I do not see any way in the Instant GUI to allow access to management for that test user.

A quick aside: I just bought an AP-515 and have that added to the virtual controller (10.27.7.102).  I just tried to access the management for that AP, and I can access the web GUI.  

Original Message:
Sent: Sep 11, 2025 03:51 AM
From: GorazdKikelj
Subject: Wired clients cannot access web GUI or SSH but wired clients on same network can

What are the user role rules? The access to resources is allowed/deny by role configuration.

Best, Gorazd

------------------------------
Gorazd Kikelj
MVP Guru 2025

Yep!  That's how I have it configured currently.

Use internal server so it will use your locally defined users for authentication.

No worries!  Yes, they do.  The client subnet has both wired and wireless clients, and the wired clients have no trouble accessing the management IP.

This post is obviously very old and for a 7205 controller instead of an Instant AP virtual controller, but at the bottom it implies that having a AAA/RADIUS server configured is what is necessary to get wireless clients to be able to access the web GUI.  I don't have a RADIUS server spun up, but I can try to get one going if that would fix the issue.

Just a stupid question. Do client subnet 192.168.1.0/24 has access to AP management network 10.27.7.0?

Best, Gorazd

Ahh gotcha, they all get "Role1", which has one access rule: "Allow any to all destinations".

DHCP is provided by a Palo Alto firewall.

User roles are not the same as users. User roles can be found under Configuration / Security / Roles. To see what role your client get assigned look into Dashboard / Clients.

Do you use local dhcp provided by AP or external DHCP?

Best, Gorazd

Thanks for the follow up!

Under Configuration -> Security -> Users, I did not have a single user configured.  I just created a test user, but I do not see any way in the Instant GUI to allow access to management for that test user.

A quick aside: I just bought an AP-515 and have that added to the virtual controller (10.27.7.102).  I just tried to access the management for that AP, and I can access the web GUI.  

I really never need to configure radius server to access gui. What you are describing is like you have the rule to prevent access to the gui like this

or you can't access 10.x.x.x network from 192.168.x.x. Can you ping VC IP when you are connected to wifi.

Best, Gorazd

Yep!  That's how I have it configured currently.

Use internal server so it will use your locally defined users for authentication.

No worries!  Yes, they do.  The client subnet has both wired and wireless clients, and the wired clients have no trouble accessing the management IP.

This post is obviously very old and for a 7205 controller instead of an Instant AP virtual controller, but at the bottom it implies that having a AAA/RADIUS server configured is what is necessary to get wireless clients to be able to access the web GUI.  I don't have a RADIUS server spun up, but I can try to get one going if that would fix the issue.

Just a stupid question. Do client subnet 192.168.1.0/24 has access to AP management network 10.27.7.0?

Best, Gorazd

Ahh gotcha, they all get "Role1", which has one access rule: "Allow any to all destinations".

DHCP is provided by a Palo Alto firewall.

User roles are not the same as users. User roles can be found under Configuration / Security / Roles. To see what role your client get assigned look into Dashboard / Clients.

Do you use local dhcp provided by AP or external DHCP?

Best, Gorazd

Thanks for the follow up!

Under Configuration -> Security -> Users, I did not have a single user configured.  I just created a test user, but I do not see any way in the Instant GUI to allow access to management for that test user.

A quick aside: I just bought an AP-515 and have that added to the virtual controller (10.27.7.102).  I just tried to access the management for that AP, and I can access the web GUI.  

Original Message:
Sent: Sep 11, 2025 03:51 AM
From: GorazdKikelj
Subject: Wired clients cannot access web GUI or SSH but wired clients on same network can

What are the user role rules? The access to resources is allowed/deny by role configuration.

Best, Gorazd

------------------------------
Gorazd Kikelj
MVP Guru 2025

Here are my configured rules for Role1 and the network configuration.  The VC IP is pingable from wireless clients.

I really never need to configure radius server to access gui. What you are describing is like you have the rule to prevent access to the gui like this

or you can't access 10.x.x.x network from 192.168.x.x. Can you ping VC IP when you are connected to wifi.

Best, Gorazd

Yep!  That's how I have it configured currently.

Use internal server so it will use your locally defined users for authentication.

No worries!  Yes, they do.  The client subnet has both wired and wireless clients, and the wired clients have no trouble accessing the management IP.

This post is obviously very old and for a 7205 controller instead of an Instant AP virtual controller, but at the bottom it implies that having a AAA/RADIUS server configured is what is necessary to get wireless clients to be able to access the web GUI.  I don't have a RADIUS server spun up, but I can try to get one going if that would fix the issue.

Just a stupid question. Do client subnet 192.168.1.0/24 has access to AP management network 10.27.7.0?

Best, Gorazd

Ahh gotcha, they all get "Role1", which has one access rule: "Allow any to all destinations".

DHCP is provided by a Palo Alto firewall.

User roles are not the same as users. User roles can be found under Configuration / Security / Roles. To see what role your client get assigned look into Dashboard / Clients.

Do you use local dhcp provided by AP or external DHCP?

Best, Gorazd

Thanks for the follow up!

Under Configuration -> Security -> Users, I did not have a single user configured.  I just created a test user, but I do not see any way in the Instant GUI to allow access to management for that test user.

A quick aside: I just bought an AP-515 and have that added to the virtual controller (10.27.7.102).  I just tried to access the management for that AP, and I can access the web GUI.  

Any special reason to use Downloadable roles?

Best, Gorazd 

Here are my configured rules for Role1 and the network configuration.  The VC IP is pingable from wireless clients.

I really never need to configure radius server to access gui. What you are describing is like you have the rule to prevent access to the gui like this

or you can't access 10.x.x.x network from 192.168.x.x. Can you ping VC IP when you are connected to wifi.

Best, Gorazd

Yep!  That's how I have it configured currently.

Use internal server so it will use your locally defined users for authentication.

No worries!  Yes, they do.  The client subnet has both wired and wireless clients, and the wired clients have no trouble accessing the management IP.

This post is obviously very old and for a 7205 controller instead of an Instant AP virtual controller, but at the bottom it implies that having a AAA/RADIUS server configured is what is necessary to get wireless clients to be able to access the web GUI.  I don't have a RADIUS server spun up, but I can try to get one going if that would fix the issue.

Just a stupid question. Do client subnet 192.168.1.0/24 has access to AP management network 10.27.7.0?

Best, Gorazd

Ahh gotcha, they all get "Role1", which has one access rule: "Allow any to all destinations".

DHCP is provided by a Palo Alto firewall.

User roles are not the same as users. User roles can be found under Configuration / Security / Roles. To see what role your client get assigned look into Dashboard / Clients.

Do you use local dhcp provided by AP or external DHCP?

Best, Gorazd

Thanks for the follow up!

Under Configuration -> Security -> Users, I did not have a single user configured.  I just created a test user, but I do not see any way in the Instant GUI to allow access to management for that test user.

A quick aside: I just bought an AP-515 and have that added to the virtual controller (10.27.7.102).  I just tried to access the management for that AP, and I can access the web GUI.  

Original Message:
Sent: Sep 11, 2025 03:51 AM
From: GorazdKikelj
Subject: Wired clients cannot access web GUI or SSH but wired clients on same network can

What are the user role rules? The access to resources is allowed/deny by role configuration.

Best, Gorazd

------------------------------
Gorazd Kikelj
MVP Guru 2025

Nope, I tried having that setting turned on and off, doesn't affect anything for me

Any special reason to use Downloadable roles?

Best, Gorazd 

Here are my configured rules for Role1 and the network configuration.  The VC IP is pingable from wireless clients.

I really never need to configure radius server to access gui. What you are describing is like you have the rule to prevent access to the gui like this

or you can't access 10.x.x.x network from 192.168.x.x. Can you ping VC IP when you are connected to wifi.

Best, Gorazd

Yep!  That's how I have it configured currently.

Use internal server so it will use your locally defined users for authentication.

No worries!  Yes, they do.  The client subnet has both wired and wireless clients, and the wired clients have no trouble accessing the management IP.

This post is obviously very old and for a 7205 controller instead of an Instant AP virtual controller, but at the bottom it implies that having a AAA/RADIUS server configured is what is necessary to get wireless clients to be able to access the web GUI.  I don't have a RADIUS server spun up, but I can try to get one going if that would fix the issue.

Just a stupid question. Do client subnet 192.168.1.0/24 has access to AP management network 10.27.7.0?

Best, Gorazd

Ahh gotcha, they all get "Role1", which has one access rule: "Allow any to all destinations".

DHCP is provided by a Palo Alto firewall.

User roles are not the same as users. User roles can be found under Configuration / Security / Roles. To see what role your client get assigned look into Dashboard / Clients.

Do you use local dhcp provided by AP or external DHCP?

Best, Gorazd

Thanks for the follow up!

Under Configuration -> Security -> Users, I did not have a single user configured.  I just created a test user, but I do not see any way in the Instant GUI to allow access to management for that test user.

A quick aside: I just bought an AP-515 and have that added to the virtual controller (10.27.7.102).  I just tried to access the management for that AP, and I can access the web GUI.  

Thanks for the follow up!

Under Configuration -> Security -> Users, I did not have a single user configured.  I just created a test user, but I do not see any way in the Instant GUI to allow access to management for that test user.

A quick aside: I just bought an AP-515 and have that added to the virtual controller (10.27.7.102).  I just tried to access the management for that AP, and I can access the web GUI.  

I think this is expected behavior. What may happen is that if the client is in a different VLAN than your management, the traffic will go out, through your firewall, but returned directly as the client is connected to the AP (asymmetric routing). This configuration is 'local-routing' and a kind of optimization. You may try to set 'deny-local-routing' on the SSID, which may only be available through the CLI.

To enter a manual command via the CLI:

configure  wlan ssid-profile <ssid_profile>    deny-local-routing   exitcommit apply

This would explain why of you are on the other AP, you can reach the VC as in that case the VC and client are not on the same AP, and your traffic is similar to other wired traffic.

Thanks for the follow up!

Under Configuration -> Security -> Users, I did not have a single user configured.  I just created a test user, but I do not see any way in the Instant GUI to allow access to management for that test user.

A quick aside: I just bought an AP-515 and have that added to the virtual controller (10.27.7.102).  I just tried to access the management for that AP, and I can access the web GUI.  

Original Message:
Sent: Sep 11, 2025 03:51 AM
From: GorazdKikelj
Subject: Wired clients cannot access web GUI or SSH but wired clients on same network can

What are the user role rules? The access to resources is allowed/deny by role configuration.

Best, Gorazd

------------------------------
Gorazd Kikelj
MVP Guru 2025

I think this is expected behavior. What may happen is that if the client is in a different VLAN than your management, the traffic will go out, through your firewall, but returned directly as the client is connected to the AP (asymmetric routing). This configuration is 'local-routing' and a kind of optimization. You may try to set 'deny-local-routing' on the SSID, which may only be available through the CLI.

To enter a manual command via the CLI:

configure  wlan ssid-profile <ssid_profile>    deny-local-routing   exitcommit apply

This would explain why of you are on the other AP, you can reach the VC as in that case the VC and client are not on the same AP, and your traffic is similar to other wired traffic.

Thanks for the follow up!

Under Configuration -> Security -> Users, I did not have a single user configured.  I just created a test user, but I do not see any way in the Instant GUI to allow access to management for that test user.

A quick aside: I just bought an AP-515 and have that added to the virtual controller (10.27.7.102).  I just tried to access the management for that AP, and I can access the web GUI.  

Original Message:
Sent: Sep 11, 2025 03:51 AM
From: GorazdKikelj
Subject: Wired clients cannot access web GUI or SSH but wired clients on same network can

What are the user role rules? The access to resources is allowed/deny by role configuration.

Best, Gorazd

------------------------------
Gorazd Kikelj
MVP Guru 2025