© 2020 Cisco and/or its affiliates. All rights reserved.
Page 64 of 76
also be extended to provide RBAC for administrators through the use of AD groups. The use of an external
directory or data store can also provide a single point to grant or revoke credentials, not only for administrative
access control to multiple infrastructure devices, but for access to other resources within the organization.
Where possible, the selection of a strong password—consisting of a minimum length, and combination of letters,
numbers, and/or special characters—should be enforced. Where possible, a maximum number of unsuccessful
attempts to access the device, before the account is disabled for a period of time, should also be enforced.
Successful and unsuccessful attempts should be logged either locally or to a central logging server. This helps
mitigate brute-force attempts to gain access to infrastructure devices and allows the appropriate network
operations staff to be alerted to them. Where multiple levels of administrative access are supported, it is recommended you
enforce them, with administrators having the minimum access level required for performing their respective
tasks. It is also recommended that you limit the number of concurrent logins from a single username.
It may be advantageous to limit where access to the wireless infrastructure device is initiated from and what
protocols are allowed. You can accomplish this in multiple ways. For example, you can deploy the
management interface of WLAN controllers on a separate VLAN (and therefore a separate IP subnet) from
wireless client traffic. In such a deployment, an access-control list (ACL) deployed on the Layer 3 switch
adjacent to the WLAN controller can limit access to the management interface. This shifts the CPU burden of an
ACL off the WLAN controller to the Layer 3 switch. Alternatively, you can configure a CPU ACL on the WLAN
controller to filter management protocols. You can also disallow management of the WLAN controller via a
wireless device, a method that may also provide additional security if the intention is to manage the wireless
infrastructure from a central network operations center.
Access to wireless infrastructure devices should be via secure protocols such as HTTPS and SSHv2 where
possible. Access via non-encrypted protocols such as HTTP and Telnet should be disabled where possible.
This protects the confidentiality of the information within the management session. When using SNMP, it is
recommended that you enable SNMPv3 where possible. SNMPv2c relies on a shared community string that is
sent in clear text across the network. Exercise caution when using SNMPv2c, particularly when using SNMP for
read/write access. SNMPv3 uses unique credentials (userid/password) and can also provide encryption and
data authentication services to SNMP traffic.
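As an added example that is not part of the guide, the following Python script audits a running configuration for the management-plane settings this section recommends (clear-text HTTP and Telnet disabled, SNMPv2c read/write avoided, SNMPv3 present, login lockout, logging of attempts, and source restriction of management access). It assumes Cisco IOS-style syntax, such as that of the Layer 3 switch adjacent to the controller; the config fragments, addresses and group names are constructed.

```python
import re

# Constructed sample config fragments in Cisco IOS-style syntax (not taken from the guide).
WEAK_CONFIG = """\
ip http server
snmp-server community public RO
snmp-server community private RW
line vty 0 4
 transport input telnet ssh
"""

HARDENED_CONFIG = """\
no ip http server
ip http secure-server
ip ssh version 2
login block-for 120 attempts 3 within 60
login on-failure log
login on-success log
logging host 192.0.2.10
snmp-server group NETOPS v3 priv
access-list 10 permit 192.0.2.0 0.0.0.255
line vty 0 4
 access-class 10 in
 transport input ssh
"""

# Each check is (finding text, predicate over the stripped config lines).
# The predicate returns True when the weak condition holds, so [] means "all checks passed".
CHECKS = [
    ("clear-text HTTP management enabled (ip http server)",
     lambda ls: any(re.fullmatch(r"ip http server", l) for l in ls)),
    ("Telnet accepted on vty lines (transport input)",
     lambda ls: any(re.fullmatch(r"transport input (all|.*\btelnet\b.*)", l) for l in ls)),
    ("SNMPv2c read/write community configured",
     lambda ls: any(re.fullmatch(r"snmp-server community \S+ RW.*", l, re.I) for l in ls)),
    ("no SNMPv3 group configured",
     lambda ls: not any(re.match(r"snmp-server group \S+ v3 ", l) for l in ls)),
    ("no lockout after repeated failed logins (login block-for)",
     lambda ls: not any(l.startswith("login block-for ") for l in ls)),
    ("failed logins not logged (login on-failure log)",
     lambda ls: "login on-failure log" not in ls),
    ("no central syslog host (logging host)",
     lambda ls: not any(l.startswith("logging host ") for l in ls)),
    ("vty access not restricted by source (access-class)",
     lambda ls: not any(re.fullmatch(r"access-class \S+ in", l) for l in ls)),
]

def audit(config: str) -> list[str]:
    """Return the findings for one configuration; an empty list means every check passed."""
    lines = [l.strip() for l in config.splitlines() if l.strip()]
    return [text for text, weak in CHECKS if weak(lines)]

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{name}: {audit(cfg) or ['no findings']}")
```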