Management Policy

This chapter summarizes management policy commands in the CLI command structure. A management policy contains configuration elements for managing a device, such as access control, SNMP, admin user credentials, and roles.

A controller (wireless controller, access point, or service platform) uses mechanisms to allow or deny device access to separate interfaces and protocols (HTTP, HTTPS, Telnet, SSH or SNMP). Management access can be enabled or disabled as required for unique policies. The management access functionality is not meant to function as an ACL (in routers or other firewalls), where administrators specify and customize specific IPs to access specific interfaces.

Controllers and service platforms can be managed using multiple interfaces (SNMP, CLI, and Web UI). By default, management access is unrestricted, allowing management access to any enabled IP interface from any host using any enabled management service.

To enhance security, administrators can apply various restrictions as needed to:

  • Restrict SNMP, CLI and Web UI access to specific hosts or subnets.
  • Disable un-used and insecure interfaces as required within managed access profiles. Disabling un-used management services can dramatically reduce an attack footprint and free resources on managed devices.
  • Provide authentication for management users.
  • Apply access restrictions and permissions to management users.

Management restrictions can be applied to meet specific policies or industry requirements requiring only certain devices or users be granted access to critical infrastructure devices. Management restrictions can also be applied to reduce the attack footprint of the device when guest services are deployed.

Access points utilize a single management access policy, so ensure all the intended administrative roles, permissions, authentication and SNMP settings are correctly set. If an access point is functioning as a virtual controller AP, these are the access settings used by adopted access points of the same model as the virtual controller AP.

It is recommended to disable un-used and insecure interfaces as required within managed access profiles. Disabling un-used management services can dramatically reduce an attack footprint and free resources on managed devices.

Use the (config) instance to configure a management policy. To navigate to the config management policy instance, use the following commands:

<DEVICE>(config)#management-policy <POLICY-NAME>

To commit a management-policy, at least one admin user account must always be present in the management-policy:

<DEVICE>(config-management-policy-<POLICY-NAME>)#user admin password 0 test role superuser access all
<DEVICE>(config-management-policy-<POLICY-NAME>)#
nx9500-6C8809(config-management-policy-test)#?
Management Mode commands:
  aaa-login                Set authentication for logins
  allowed-locations        Add allowed locations
  banner                   Define a login banner
  ftp                      Enable FTP server
  http                     Hyper Text Terminal Protocol (HTTP)
  https                    Secure HTTP
  idle-session-timeout     Configure idle timeout for a configuration session
                           (GUI or CLI)
  ipv6                     IPv6 Protocol
  no                       Negate a command or set its defaults
  passwd-retry             Lockout user if too many consecutive login failures
  privilege-mode-password  Set the password for entering CLI privilege mode
  rest-server              Enable rest server for device on-boarding
                           functionality
  restrict-access          Restrict management access to the device
  snmp-server              SNMP
  ssh                      Enable ssh
  t5                       T5 configuration
  telnet                   Enable telnet
  user                     Add a user account

  clrscr                   Clears the display screen
  commit                   Commit all changes made in this session
  do                       Run commands from Exec mode
  end                      End current mode and change to EXEC mode
  exit                     End current mode and down to previous mode
  help                     Description of the interactive help system
  revert                   Revert changes
  service                  Service Commands
  show                     Show running system information
  write                    Write running configuration to memory or terminal

nx9500-6C8809(config-management-policy-test)#