First the disclaimer: I am a software (Linux, OpenStack, etc.) person not a networking person. Perhaps that's causing me to miss something that's incredibly obvious to folks that are more immersed in this field.
Anyway, I have recently taken over responsibility for my team's small lab - 2 blade chassis with 16 blades, 2 pizza-box servers, and 3 switches. To date, we've used the classic lab "security" technique of a single, shared root/admin password. Changing this is my current project.
I've set up LDAP authentication for our servers, CMCs, and BMCs, and I've also got the switches authenticating SSH logins via FreeRADIUS. One of the switches is a Juniper EX4600, and I've been able to set the "class" of RADIUS-authenticated users by configuring FreeRADIUS to send an appropriate Juniper-Local-User-Name VSA.
The other two switches are stacked Dell S3048-ONs. According to Dell's documentation, I should be able to set the privilege level of a RADIUS-authenticated user by sending a Force10-avpair VSA. Note however, that the numeric ID of that VSA is not documented anywhere. I've tried using 1, which is used for both Cisco-avpair and DellEMC-avpair (the latter according to Wireshark); using ID 1, the VSA has no effect.
Dell support has thus far proven to be utterly clueless. They've tried to pawn me off by claiming that they don't support FreeRADIUS (what RADIUS server do they support?), and they've referred me to documentation for an ancient Powerconnect switch that uses a totally different NOS. (The Service-Type RADIUS attribute in that document didn't work either.)
This whole situation leads me back to my original question - Am I just crazy to expect this to work?
And some corollaries:
- Is centralized authentication not normally used in the networking world?
- Does anyone actually use Dell/Force 10 gear? (I know it's not the most common brand out there, but they keep making it, so someone must be buying it, right?)
- Is Dell/Force 10 gear really just hot garbage?
Thoughts, rants, shared pain, etc. all appreciated ...
No comments:
Post a Comment