Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
39710
Views
5
Helpful
2
Replies

Intersight IP Access Management useless?

Go to solution
Risko
Level 1
Level 1

‎08-29-2021 08:43 AM

Hi,

 

I configured IP Access Management in Intersight. I limited it to 1 ip address.

I was surprised when I tested login to Intersight from not allowed/trusted ip address.

 

Window showed this message:

Your IP address 'x.x.x.x' is not in the list of trusted IP addresses that are allowed access to the selected account. As an Account Administrator or User Access Administrator you can add your IP address to the list of trusted IP ranges to unlock access to Intersight.

 

After checking checkbox "I acknowledge adding my ip address to the Trusted ip address list" I was able to login.

 

Makes this sense for anybody?

Can I really limit access to Intersight to only Trusted ip address list?

 

Thank you

Richard

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
jvanewyk
Cisco Employee
Cisco Employee

‎09-07-2021 11:07 AM

Intersight account administrators have the privilege to change the IP Access Management rules.

Imagine, in your scenario, that an account admin accidentally limits the IP Access to an incorrect or non-existent IP address range in their network. They need a way to be able to recover – assuming they have the appropriate privileges. If you were to try to log int with a role other than Account Administrator or User Access Administrator, it should fail as appropriate.

To summarize, you can limit the IP access range for all users other than Account Administrators and User Access Administrator.

I hope that this helps.

Jacob Van Ewyk
UCS Management Product Manager

View solution in original post

2 Replies 2

Go to solution
jvanewyk
Cisco Employee
Cisco Employee

‎09-07-2021 11:07 AM

Intersight account administrators have the privilege to change the IP Access Management rules.

Imagine, in your scenario, that an account admin accidentally limits the IP Access to an incorrect or non-existent IP address range in their network. They need a way to be able to recover – assuming they have the appropriate privileges. If you were to try to log int with a role other than Account Administrator or User Access Administrator, it should fail as appropriate.

To summarize, you can limit the IP access range for all users other than Account Administrators and User Access Administrator.

I hope that this helps.

Jacob Van Ewyk
UCS Management Product Manager

Go to solution
Risko
Level 1
Level 1
In response to jvanewyk

‎09-07-2021 11:48 AM

Hi Jacob,

 

thank you for your response.

I understand now that this behavior is by design and you had your reasons for this implementation.

 

I would still prefer if there was no way to add trusted ip by admin trying to log in from anywhere.

Because with this implementation we are forced to use MFA for admin login (if we want to have some security for DC workloads). MFA does not suit everybody.

If this option to add trusted ip by admin from anywhere was not here then, in case of ip lockout, user should open TAC case. This works for e.g. MFA lockout.

 

So I close my question voting for disabling option to add trusted ip by admin from anywhere,

 

Kind regards,

Richard

0 Helpful
Customers Also Viewed These Support Documents