Restricting remote access to a controller or service platform ensures only trusted hosts can communicate with enabled management services. This ensures only trusted hosts can perform management tasks and provide protection from brute force attacks from hosts attempting to break into the controller or service platform managed network.
Administrators can permit management connections to be established on any IP interface on the controller or service platform (including IP interfaces used to provide captive portal guest access).
Administrators can restrict management access by limiting access to a specific host (IP address), subnet, or ACL on the controller or service platform.
Interface | Description | IP Address | Management |
---|---|---|---|
VLAN10 | Services | Yes | Yes |
VLAN70 | Guest | Yes | No |
By default, management services are accessible on both VLAN10 and VLAN70. By restricting access to VLAN10, the controller only accepts management sessions on VLAN10. Management access on VLAN70 is longer available.
Administrators can secure access to a controller or service platform by disabling less secure interfaces. By default, the CLI, SNMP and FTP disable interfaces that do not support encryption or authentication. However, Web management using HTTP is enabled. Insecure management interfaces such as Telnet, HTTP and SNMP should be disabled, and only secure management interfaces, like SSH and HTTPS should be used to access the controller or service platform managed network.
Access type | Encryption | Authentication | Default state |
---|---|---|---|
Telnet | No | Yes | Deactivated |
SNMPv2 | No | No | Activated |
SNMPv3 | Yes | Yes | Activated |
HTTP | No | Yes | Deactivated |
HTTPS | Yes | Yes | Deactivated |
FTP | No | Yes | Deactivated |
SSHv2 | Yes | Yes | Deactivated |
To set an access control configuration for the Management Access policy:
Setting | Description |
---|---|
Activate Telnet | Select the toggle button to activate Telnet device access. Telnet provides a command line interface to a remote host over TCP. Telnet provides no encryption, but it does provide a measure of authentication. Telnet access is not selected by default. Select telnet for a user to activate Remote CLI login |
Telnet port | Set the port on which Telnet connections are made (1 - 65,535). The default port is 23. Change this value using the spinner control next to this field or by entering the port number in the field |
Setting | Description |
---|---|
Enable SSH | Select the toggle button to activate SSH device access. The Weak MAC Algo (Algorithm) option is enabled by default. |
Activate SSHv2 | SSH (Secure Shell) version 2, like Telnet, provides a command line interface to a remote host. SSH transmissions are encrypted and authenticated, increasing the security of transmission. SSH access is not selected by default |
SSHv2 port | Set the port on which SSH connections are made. The default port is 22. Change this value using the spinner control next to this field or by entering the port number in the field |
Setting | Description |
---|---|
Enable HTTP | Select Enable HTTP to activate HTTP device access. HTTP provides limited authentication and no encryption |
Enable HTTPS | Select Enable HTTPS to activate HTTPS device access. HTTPS (Hypertext Transfer Protocol Secure) is more secure than plain HTTP. HTTPS provides both authentication and data encryption |
Note
If the a RADIUS server is not reachable, HTTPS or SSH management access to the controller or service platform may be deniedSetting | Description |
---|---|
Idle Session Timeout | Specify an inactivity timeout for management connects (in seconds) between 1 - 4,320. The default setting is 30 |
Message of the Day | Type a message no longer than 255 characters to be displayed at login for clients connecting via Telnet or SSH |
Setting | Description |
---|---|
Activate FTP | Select the toggle button to activate FTP (File Transfer Protocol) device access. FTP is the standard protocol for transferring files over a TCP or IP network. FTP requires administrators enter a valid username and password authenticated locally on the controller. FTP access is not activated by default |
Username | Specify a username required when logging in to the FTP server. The username cannot exceed 32 characters |
Password | Specify a password required when logging in to the FTP server. Reconfirm the password in the field provided to ensure it has been entered correctly. The password cannot exceed 63 characters |
Root Directory | Provide the complete path to the root directory in the root directory field. The default setting has the root directory set to flash:/ |
Setting | Description |
---|---|
Filter Type | Select a filter type for access restriction. Options include IP access list, Source Address, or None. To restrict management access to specific hosts, select Source Address as the filter type and provide the allowed addresses within the Source Hosts field |
IP Access List | If the selected filter type is IP access list, select an access list from the drop-down list box. IP based firewalls function like Access Control Lists (ACLs) to filter or mark packets based on the IP from which they arrive, as opposed to filtering packets on layer 2 ports. IP firewalls implement uniquely defined access control policies, so if you do not have an idea of what kind of access to allow or deny, a firewall is of little value, and could provide a false sense of network security |
Source Hosts | If the selected filter type is Source Address, type an IP Address or IP Addresses for the source hosts. To restrict management access to specific hosts, select Source Address as the filter type and provide the allowed addresses within the Source Hosts field |
Source Subnets | If the selected filter type is Source Address, type a source subnet or subnets for the source hosts. To restrict management access to specific subnets, select Source Address as the filter type and provide the allowed addresses within the Source Subnets field |
Logging Policy | If the selected filter is Source Address, select a logging policy for administrative access. Options includes None, Denied Only, or All |
Setting | Description |
---|---|
Role | Select a user role to set account lockout. The options
are:
Note: You can set account lockout for multiple roles.
After specifying the role, set the Lockout Time and
Number of Password Attempts.
User-account lockout is individually applied to each account within the specified role. For example, consider the ‘monitor‘ role having two users: ‘user1‘ and ‘user2‘. The Number of Password Attempts and Lockout Time is set at ‘5‘ attempts and ‘10‘ minutes respectively. In this scenario, user2 makes 5 consecutive, failed login attempts, and the user2 account is locked out for 10 minutes. However, during this lockout time the user1 account remains active |
Lockout Time | Specify the maximum time for which an account remains locked. Specify a value from 0 to 600 minutes. The value ‘0‘ indicates that the account is permanently locked |
Number of Password Attempts | Specify the maximum number of consecutive, failed attempts allowed before an account is locked. Specify a value from 1 to 100 |
Action | Use the action option to delete a user lockout setting |