Management Access Deployment Considerations

Before defining an access control configuration as part of a Management Access policy, refer to the following deployment guidelines to ensure the configuration is optimally effective:

  • Unused management protocols should be disabled to reduce a potential attack against managed resources. For example, if a device is only being managed by the Web UI and SNMP, there is no need to enable CLI interfaces.

  • Use management interfaces providing encryption and authentication. Management services like HTTPS, SSH and SNMPv3 should be used when possible, as they provide both data privacy and authentication (as opposed to HTTP which does not).

  • By default, SNMPv2 community strings on most devices are set to public for the read-only community string and private for the read-write community string. Legacy devices may use other community strings by default.

  • SNMPv3 should be used for device management, as it provides both encryption and authentication (both unavailable together in HTTP).

  • Enabling SNMP traps can provide alerts for isolated attacks at both small managed radio deployments or distributed attacks occurring across multiple managed sites.

  • Whenever possible, centralized RADIUS management be enabled. This provides better management and control of user names and passwords, and allows administrators to quickly change credentials in the event of a security breach.