As rseibert mentions, this is enabled on the interface itself.
But this may be a setting you want to revisit on the primary device instead of the seconday. As a best practice you should enable mgmt on interfaces only where is it required and restrict the mgmt access using manager ip (which this setup is doing).
this reduces the potential attack surface area to only that which is absolutely required on the device.