Risko
Beginner

Intersight IP Access Management useless?

Hi,

 

I configured IP Access Management in Intersight. I limited it to 1 IP address.

I was surprised when I tested logging in to Intersight from an IP address that is not allowed/trusted.

 

The window showed this message:

Your IP address 'x.x.x.x' is not in the list of trusted IP addresses that are allowed access to the selected account. As an Account Administrator or User Access Administrator you can add your IP address to the list of trusted IP ranges to unlock access to Intersight.

 

After checking the checkbox "I acknowledge adding my ip address to the Trusted ip address list" I was able to log in.

 

Does this make sense to anybody?

Can I really limit access to Intersight to only the Trusted IP address list?

 

Thank you

Richard

Accepted Solutions
jvanewyk
Cisco Employee

Intersight account administrators have the privilege to change the IP Access Management rules.

Imagine, in your scenario, that an account admin accidentally limits the IP Access to an incorrect or non-existent IP address range in their network. They need a way to be able to recover – assuming they have the appropriate privileges. If you were to try to log in with a role other than Account Administrator or User Access Administrator, it should fail as appropriate.

To summarize, you can limit the IP access range for all users other than Account Administrators and User Access Administrators.

I hope that this helps.

Jacob Van Ewyk
UCS Management Product Manager

2 REPLIES 2
Hi Jacob,

 

Thank you for your response.

I understand now that this behavior is by design and you had your reasons for this implementation.

 

I would still prefer if there was no way for an admin to add a trusted IP while trying to log in from anywhere.

Because with this implementation we are forced to use MFA for admin login (if we want to have some security for DC workloads). MFA does not suit everybody.

If this option for an admin to add a trusted IP from anywhere was not here then, in case of an IP lockout, the user should open a TAC case. This works for e.g. MFA lockout.

 

So I close my question, voting for disabling the option for an admin to add a trusted IP from anywhere.

 

Kind regards,

Richard
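
One way to audit for the override discussed in this thread, as an added example that is not part of the original posts and is not Cisco's code: it replays allowlist changes in order and reports any trusted-IP addition made from a source address that was not trusted at that moment. The event records and their field names are constructed and hypothetical, not Intersight's audit log schema.

```python
import ipaddress

ADMIN_ROLES = {"Account Administrator", "User Access Administrator"}

# Constructed sample records; field names are hypothetical, not Intersight's audit schema.
SAMPLE_EVENTS = [
    {"time": "2024-05-01T08:00:00Z", "user": "alice", "role": "Account Administrator",
     "action": "add_trusted_ip", "src_ip": "198.51.100.10", "added": "198.51.100.0/24"},
    {"time": "2024-05-02T23:14:00Z", "user": "bob", "role": "Account Administrator",
     "action": "add_trusted_ip", "src_ip": "203.0.113.77", "added": "203.0.113.77/32"},
    {"time": "2024-05-03T09:30:00Z", "user": "carol", "role": "User Access Administrator",
     "action": "add_trusted_ip", "src_ip": "203.0.113.77", "added": "192.0.2.0/28"},
]


def in_allowlist(ip, networks):
    """True if ip falls inside any network of the allowlist."""
    addr = ipaddress.ip_address(ip)
    return any(addr.version == net.version and addr in net for net in networks)


def find_self_unlocks(events, initial_allowlist):
    """Replay changes in order; report additions made from an untrusted source IP."""
    allowlist = [ipaddress.ip_network(n, strict=False) for n in initial_allowlist]
    findings = []
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["action"] != "add_trusted_ip":
            continue
        new_net = ipaddress.ip_network(ev["added"], strict=False)
        if not in_allowlist(ev["src_ip"], allowlist):
            findings.append({
                "time": ev["time"], "user": ev["user"], "src_ip": ev["src_ip"],
                "added": str(new_net),
                # The added range covers the requester: the self-unlock from the thread.
                "self_unlock": in_allowlist(ev["src_ip"], [new_net]),
                "unexpected_role": ev["role"] not in ADMIN_ROLES,
            })
        allowlist.append(new_net)  # later events are judged against the updated list
    return findings


if __name__ == "__main__":
    for f in find_self_unlocks(SAMPLE_EVENTS, ["198.51.100.10/32"]):
        print(f)
```

In the sample, only bob's change is reported; carol's later change from the same address is not, because by then that address is already in the list, which is why the first addition is the event worth alerting on.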