This chapter summarizes management policy commands in the CLI command structure. A management policy contains configuration elements for managing a device, such as access control, SNMP, admin user credentials, and roles.
A controller (wireless controller, access point, or service platform) uses mechanisms to allow or deny device access to separate interfaces and protocols (HTTP, HTTPS, Telnet, SSH or SNMP). Management access can be enabled or disabled as required for unique policies. The management access functionality is not meant to function as an ACL (in routers or other firewalls), where administrators specify and customize specific IPs to access specific interfaces.
Controllers and service platforms can be managed using multiple interfaces (SNMP, CLI, and Web UI). By default, management access is unrestricted, allowing management access to any enabled IP interface from any host using any enabled management service.
To enhance security, administrators can apply various restrictions as needed to:
Management restrictions can be applied to meet specific policies or industry requirements requiring only certain devices or users be granted access to critical infrastructure devices. Management restrictions can also be applied to reduce the attack footprint of the device when guest services are deployed.
Access points utilize a single management access policy, so ensure all the intended administrative roles, permissions, authentication and SNMP settings are correctly set. If an access point is functioning as a virtual controller AP, these are the access settings used by adopted access points of the same model as the virtual controller AP.
It is recommended to disable un-used and insecure interfaces as required within managed access profiles. Disabling un-used management services can dramatically reduce an attack footprint and free resources on managed devices.
Use the (config) instance to configure a management policy. To navigate to the config management policy instance, use the following commands:
<DEVICE>(config)#management-policy <POLICY-NAME>
To commit a management-policy, at least one admin user account must always be present in the management-policy:
<DEVICE>(config-management-policy-<POLICY-NAME>)#user admin password 0 test role superuser access all <DEVICE>(config-management-policy-<POLICY-NAME>)#
vx9000-3C6F18(config)*#management-policy test-cw
vx9000-3C6F18(config-management-policy-test-cw)*#?
Management Mode commands:
aaa-login Set authentication for logins
allowed-locations Add allowed locations
banner Define a login banner
flash-ui Enable FLASH UI
ftp Enable FTP server
http Hyper Text Terminal Protocol (HTTP)
https Secure HTTP
idle-session-timeout Configure idle timeout for a configuration session
(GUI or CLI)
ipv6 IPv6 management access restriction
no Negate a command or set its defaults
nova Enable NOVA UI
passwd-retry Lockout user if too many consecutive login failures
privilege-mode-password Set the password for entering CLI privilege mode
rest-server Enable rest server for device on-boarding
functionality
restrict-access Restrict management access to the device
snmp-server SNMP
ssh Enable ssh
t5 T5 configuration
telnet Enable telnet
user Add a user account
clrscr Clears the display screen
commit Commit all changes made in this session
do Run commands from Exec mode
end End current mode and change to EXEC mode
exit End current mode and down to previous mode
help Description of the interactive help system
revert Revert changes
service Service Commands
show Show running system information
write Write running configuration to memory or terminal
vx9000-3C6F18(config-management-policy-test-cw)*#