So early this morning, I upgraded our cnMaestro from 1.4.0 > 1.6.0 > 1.6.1 > 1.6.2. That I can't go straight from 1.4.0 to 1.6.1 OVF, or that I have to re-deploy OVFs from scratch to begin with and can't simply "apt-get install cnmaestro" or the like (the OVF is freaking based on Ubuntu after all!) are both frustrating and time-consuming, but whatever. The deed is done.
Release notes indicate that not only do more recent versions of cnMaestro On-Premises add support for external AAA, but the most recent version even adds RADIUS support to the mix! Been waiting for this for a while! Rock on!
Unfortunately, the reality of the situation quickly set in as I wasted several hours before I got this to work. After configuring the Authentication Servers, I repeatedly failed to log in with my RADIUS credentials. I spent gobs of time doing packet captures on both sides only to prove to myself that cnMaestro wasn't even SENDING any RADIUS requests to the configured server, and I couldn't find any logs on the cnMaestro VM instance that could help me to diagnose the issue. Finally, in an act of pure desperation, I finally replaced the FQDN of our primary RADIUS server in the inaptly-named "IP Address/Hostname" field with the IP address instead, and voila: everything started working.
So apparently AAA RADIUS support in cnMaestro DOESN'T support specifying RADIUS server names as FQDN and REQUIRES it to be an IP address?!? Is this a bug, or is the documentation just completely silent on this issue (or did I miss something somewhere in my reading)? If this is a "feature", why wouldn't you support specifying RADIUS servers by FQDN instead of IP?? Boggles the mind.
I also still cannot figure out how to specify a failover AAA server. Regardless of what I try, it seems as though "Secondary Authentication" can ONLY be "Local". If this is the case, then what exactly is the point of allowing someone to define more than one AAA server?!?!?! It's pretty standard for most RADIUS clients (or clients of any AAA protocol, really) to allow one to configure at LEAST 2 servers: one primary and one secondary/failover. And then if both of those are unavailable, fall back to local accounts. But if cnMaestro even supports this, I can't figure out how to configure it.
Help me, Obi-Wan Kenobi. You're our only hope.
-- Nathan