CAUTION Service Disruption

The NFM-P cannot obtain a secret value from an NE during resynchronization. It is recommended that you use only the NFM-P to configure a shared authentication secret.

Do not configure a shared authentication secret directly on a managed NE using another interface, for example, a CLI, or the NFM-P cannot synchronize the security policy with the NE.

You can use the NFM-P to configure security for managed-device access that includes the following:

• device user accounts, profiles, and passwords

• RADIUS, TACACS+, and LDAP authentication for NFM-P user accounts

• MAFs

• CPM filters

• DoS protection

• DDoS protection

• X.509 authentication

• TCP enhanced authentication

An NFM-P site user profile specifies which CLI commands or command groups are permitted or denied on a managed device. A profile can be associated with multiple NFM-P user accounts, and each user account can have up to eight associated profiles.

The following general rules apply to NFM-P security management for devices.

• The authentication settings on a device override any settings distributed by the NFM-P. For example, if you use the NFM-P to configure a user account with SHA authentication, and then distribute the account to a device that uses MD5 authentication, the account authentication type changes to MD5.

• MAFs and CPM filters must be manually distributed to a managed device.

• An operator can limit the type of managed device access per user, for example, allowing FTP access, but denying console, Telnet, and SNMP access.

• A user profile is independent of a user account, and is not in effect until associated with a user account.