This chapter summarizes management policy commands in the CLI command structure. A management policy contains configuration elements for managing a device, such as access control, SNMP, admin user credentials, and roles.
A controller (wireless controller, access point, or service platform) uses mechanisms to allow or deny device access to separate interfaces and protocols (HTTP, HTTPS, Telnet, SSH or SNMP). Management access can be enabled or disabled as required for unique policies. The management access functionality is not meant to function as an ACL (in routers or other firewalls), where administrators specify and customize specific IPs to access specific interfaces.
Controllers and service platforms can be managed using multiple interfaces (SNMP, CLI, and Web UI). By default, management access is unrestricted, allowing management access to any enabled IP interface from any host using any enabled management service.
To enhance security, administrators can apply various restrictions as needed to:
Management restrictions can be applied to meet specific policies or industry requirements requiring only certain devices or users be granted access to critical infrastructure devices. Management restrictions can also be applied to reduce the attack footprint of the device when guest services are deployed.
Access points utilize a single management access policy, so ensure all the intended administrative roles, permissions, authentication and SNMP settings are correctly set. If an access point is functioning as a virtual controller AP, these are the access settings used by adopted access points of the same model as the virtual controller AP.
It is recommended to disable un-used and insecure interfaces as required within managed access profiles. Disabling un-used management services can dramatically reduce an attack footprint and free resources on managed devices.
Use the (config) instance to configure a management policy. To navigate to the config management policy instance, use the following commands:
<DEVICE>(config)#management-policy <POLICY-NAME>
To commit a management-policy, at least one admin user account must always be present in the management-policy:
<DEVICE>(config-management-policy-<POLICY-NAME>)#user admin password 0 test role superuser access all <DEVICE>(config-management-policy-<POLICY-NAME>)#
nx9500-6C8809(config-management-policy-test)#? Management Mode commands: aaa-login Set authentication for logins allowed-locations Add allowed locations banner Define a login banner ftp Enable FTP server http Hyper Text Terminal Protocol (HTTP) https Secure HTTP idle-session-timeout Configure idle timeout for a configuration session (GUI or CLI) ipv6 IPv6 Protocol no Negate a command or set its defaults passwd-retry Lockout user if too many consecutive login failures privilege-mode-password Set the password for entering CLI privilege mode rest-server Enable rest server for device on-boarding functionality restrict-access Restrict management access to the device snmp-server SNMP ssh Enable ssh t5 T5 configuration telnet Enable telnet user Add a user account clrscr Clears the display screen commit Commit all changes made in this session do Run commands from Exec mode end End current mode and change to EXEC mode exit End current mode and down to previous mode help Description of the interactive help system revert Revert changes service Service Commands show Show running system information write Write running configuration to memory or terminal nx9500-6C8809(config-management-policy-test)#