Information
In cases where configuring a dedicated Management VLAN is too restrictive, such as when management stations are on a different subnet from the switch management IP address, it is possible to identify up to 10 authorized IP addresses or address groups that are allowed management access to the switch through the network, with both access levels and methods configurable.
NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.
Solution
Here, two authorized endpoints (10.100.1.10 and 10.100.1.11) are configured as an authorized manager and operator, respectively, with different access methods permitted:
switch(config)# ip authorized-manager 10.100.1.10 255.255.255.255 access manager access-method all
switch(config)# ip authorized-manager 10.100.1.11 255.255.255.255 access operator access-method web
Access methods that can be configured include SSH, Telnet, Web, SNMP, and TFTP. Only one access method (or all at once) can be specified per instance of the command; to allow multiple access methods for a given authorized IP address/range, the command must be run multiple times:
switch(config)# ip authorized-manager 10.100.1.12 255.255.255.255 access manager access-method ssh
switch(config)# ip authorized-manager 10.100.1.12 255.255.255.255 access manager access-method web
Once configured, only those addresses identified will be granted access to the switch over the network, using the specified methods. Some addresses can be limited to operator access while others are granted full manager status.
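The following Python script is an added example, not part of the benchmark text or the switch vendor's tooling. It takes the rules stated above (at most 10 entries, manager/operator access levels, one access method per command) and does two things a reviewer would want before and after applying this solution: it expands a desired plan into the one-method-per-command lines the switch expects, and it parses `ip authorized-manager` lines out of a saved running-config to flag entries that exceed the 10-entry limit, address groups that receive manager access, methods that include cleartext protocols (telnet, tftp, or `all`), and management stations that would be locked out. The sample configuration, the `required_stations` input, and the assumption that each distinct address/mask consumes one of the 10 slots are all constructed for this example.

```python
import ipaddress
import re

# Values taken from the benchmark text: at most 10 entries, two access
# levels, and a single access-method (or "all") per command line.
MAX_ENTRIES = 10
ACCESS_LEVELS = ("manager", "operator")
ACCESS_METHODS = ("ssh", "telnet", "web", "snmp", "tftp", "all")

LINE_RE = re.compile(
    r"^\s*ip authorized-manager\s+(\S+)\s+(\S+)"
    r"\s+access\s+(manager|operator)\s+access-method\s+(\S+)\s*$"
)


def render_commands(plan):
    """Expand (address, mask, level, [methods]) tuples into one command per
    method, because the switch accepts only one access-method per command."""
    lines = []
    for addr, mask, level, methods in plan:
        if level not in ACCESS_LEVELS:
            raise ValueError(f"unknown access level {level!r}")
        for method in methods:
            if method not in ACCESS_METHODS:
                raise ValueError(f"unknown access method {method!r}")
            lines.append(
                f"ip authorized-manager {addr} {mask} access {level} access-method {method}"
            )
    return lines


def parse_authorized_managers(config_text):
    """Collect authorized-manager lines from a running-config into
    {ip_network: {"level": str, "methods": set}}; malformed lines go to errors."""
    entries, errors = {}, []
    for line in config_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        addr, mask, level, method = m.groups()
        try:
            net = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
        except ValueError:
            errors.append(f"bad address/mask: {line.strip()}")
            continue
        if method not in ACCESS_METHODS:
            errors.append(f"unknown access-method: {line.strip()}")
            continue
        entry = entries.setdefault(net, {"level": level, "methods": set()})
        if entry["level"] != level:
            errors.append(f"conflicting access level for {net}: {line.strip()}")
        entry["methods"].add(method)
    return entries, errors


def audit(entries, required_stations):
    """Return a list of finding strings. required_stations (assumed input) are
    the management hosts that must still reach the switch after the change."""
    findings = []
    # Assumption for this example: each distinct address/mask uses one slot.
    if len(entries) > MAX_ENTRIES:
        findings.append(f"{len(entries)} entries exceed the limit of {MAX_ENTRIES}")
    for net, entry in entries.items():
        if net.num_addresses > 1 and entry["level"] == "manager":
            findings.append(f"address group {net} granted manager access")
        if entry["methods"] & {"telnet", "tftp", "all"}:
            methods = ", ".join(sorted(entry["methods"]))
            findings.append(f"{net} permits cleartext management via method(s): {methods}")
    for station in required_stations:
        ip = ipaddress.ip_address(station)
        if not any(ip in net for net in entries):
            findings.append(f"management station {station} would be locked out")
    return findings


# Constructed sample running-config: the two hosts from the solution text, a
# host with two methods, two /24 groups, and one line with a malformed mask.
SAMPLE_CONFIG = """\
hostname "core-sw1"
ip authorized-manager 10.100.1.10 255.255.255.255 access manager access-method all
ip authorized-manager 10.100.1.11 255.255.255.255 access operator access-method web
ip authorized-manager 10.100.1.12 255.255.255.255 access manager access-method ssh
ip authorized-manager 10.100.1.12 255.255.255.255 access manager access-method web
ip authorized-manager 10.100.2.0 255.255.255.0 access operator access-method snmp
ip authorized-manager 10.100.3.0 255.255.255.0 access manager access-method ssh
ip authorized-manager 10.100.1.99 255.255.255.999 access manager access-method ssh
"""

if __name__ == "__main__":
    parsed, parse_errors = parse_authorized_managers(SAMPLE_CONFIG)
    for problem in parse_errors + audit(parsed, ["10.100.1.10", "10.100.5.5"]):
        print("FINDING:", problem)
```

Run against a real `show running-config` capture, the audit lists every entry the switch will honour, so a reviewer can confirm the addresses match the approved management stations before the change is committed; the lockout check in particular catches the common mistake of applying the list from a station that is not on it.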
It is important to keep in mind that this is not a foolproof access control method; IP spoofing will defeat this protection, as will an authorized workstation whose security has been compromised. It also does not protect against unauthorized access through the serial console. It is strongly recommended that this feature be used in conjunction with a role-based authentication scheme, such as RADIUS or TACACS+.