What is NFM-P NE security?

Access management
CAUTION 

Service Disruption

The NFM-P cannot obtain a secret value from an NE during resynchronization. It is recommended that you use only the NFM-P to configure a shared authentication secret.

Do not configure a shared authentication secret directly on a managed NE using another interface, for example, a CLI; otherwise, the NFM-P cannot synchronize the security policy with the NE.

You can use the NFM-P to configure security for managed-device access that includes the following:

  • device user accounts, profiles, and passwords

  • RADIUS, TACACS+, and LDAP authentication for NFM-P user accounts

  • MAFs

  • CPM filters

  • DoS protection

  • DDoS protection

  • X.509 authentication

  • TCP enhanced authentication

General rules

An NFM-P site user profile specifies which CLI commands or command groups are permitted or denied on a managed device. A profile can be associated with multiple NFM-P user accounts, and each user account can have up to eight associated profiles.

The following general rules apply to NFM-P security management for devices.

  • The authentication settings on a device override any settings distributed by the NFM-P. For example, if you use the NFM-P to configure a user account with SHA authentication, and then distribute the account to a device that uses MD5 authentication, the account authentication type changes to MD5.

  • MAFs and CPM filters must be manually distributed to a managed device.

  • An operator can limit the type of managed device access per user, for example, allowing FTP access, but denying console, Telnet, and SNMP access.

  • A user profile is independent of a user account, and is not in effect until associated with a user account.