Frustrating cnMaestro On-Premises AAA bugs

So early this morning, I upgraded our cnMaestro from 1.4.0 > 1.6.0 > 1.6.1 > 1.6.2.  That I can't go straight from 1.4.0 to 1.6.1 OVF, or that I have to re-deploy OVFs from scratch to begin with and can't simply "apt-get install cnmaestro" or the like (the OVF is freaking based on Ubuntu after all!) are both frustrating and time-consuming, but whatever.  The deed is done.

Release notes indicate that not only do more recent versions of cnMaestro On-Premises add support for external AAA, but the most recent version even adds RADIUS support to the mix!  Been waiting for this for a while!  Rock on!

Unfortunately, the reality of the situation quickly set in as I wasted several hours before I got this to work.  After configuring the Authentication Servers, I repeatedly failed to log in with my RADIUS credentials.  I spent gobs of time doing packet captures on both sides only to prove to myself that cnMaestro wasn't even SENDING any RADIUS requests to the configured server, and I couldn't find any logs on the cnMaestro VM instance that could help me to diagnose the issue.  Finally, in an act of pure desperation, I finally replaced the FQDN of our primary RADIUS server in the inaptly-named "IP Address/Hostname" field with the IP address instead, and voila: everything started working.

So apparently AAA RADIUS support in cnMaestro DOESN'T support specifying RADIUS server names as FQDN and REQUIRES it to be an IP address?!?  Is this a bug, or is the documentation just completely silent on this issue (or did I miss something somewhere in my reading)?  If this is a "feature", why wouldn't you support specifying RADIUS servers by FQDN instead of IP??  Boggles the mind.

I also still cannot figure out how to specify a failover AAA server.  Regardless of what I try, it seems as though "Secondary Authentication" can ONLY be "Local".  If this is the case, then what exactly is the point of allowing someone to define more than one AAA server?!?!?!  It's pretty standard for most RADIUS clients (or clients of any AAA protocol, really) to allow one to configure at LEAST 2 servers: one primary and one secondary/failover.  And then if both of those are unavailable, fall back to local accounts.  But if cnMaestro even supports this, I can't figure out how to configure it.

Help me, Obi-Wan Kenobi.  You're our only hope.

-- Nathan

Hi Nathan,

TACACS and RADIUS servers currently do not support a hostname. Since this field is common to all authentication server types, including LDAP/AD, which do support a hostname, it was shown for RADIUS/TACACS servers as well; we already have a bug filed for it.

On the fallback scenario, we currently do not support secondary and tertiary fallback servers; only fallback to local authentication is supported. We will support secondary and tertiary servers in an upcoming release; this is already tracked as a feature request.

2 Likes
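As an added example, not from this thread or from Cambium, a small Python pre-flight check that encodes the two constraints stated above: RADIUS/TACACS entries must be IP literals (an FQDN results in no requests being sent at all), and extra RADIUS/TACACS entries do not act as secondary servers because only fallback to local accounts is supported. The server type names, the sample addresses and the `resolve_for_entry` helper (the only part that touches the network) are my assumptions, not cnMaestro's own API.

```python
import ipaddress
import socket

# Per the vendor reply in this thread: RADIUS and TACACS entries need an IP
# literal; only LDAP/AD accept a hostname. Only fallback to local is supported.
# Type names are assumed labels, not cnMaestro identifiers.
HOSTNAME_OK = {"LDAP", "AD"}
IP_ONLY = {"RADIUS", "TACACS"}

def address_kind(value):
    """Classify a field value as 'ipv4', 'ipv6' or 'hostname'."""
    try:
        ip = ipaddress.ip_address(value.strip().strip("[]"))
    except ValueError:
        return "hostname"
    return "ipv4" if ip.version == 4 else "ipv6"

def check_server(server_type, address):
    """Findings for one Authentication Server entry (empty list = ok)."""
    stype = server_type.upper()
    if stype not in HOSTNAME_OK | IP_ONLY:
        return [f"unknown server type {server_type!r}"]
    if stype in IP_ONLY and address_kind(address) == "hostname":
        return [f"{stype} server {address!r} is an FQDN; cnMaestro will send no "
                "requests to it. Enter the resolved IP address instead."]
    return []

def check_config(servers):
    """Check (type, address) pairs and flag failover expectations that won't hold."""
    report = {"servers": {a: check_server(s, a) for s, a in servers}, "warnings": []}
    external = [a for s, a in servers if s.upper() in IP_ONLY]
    if len(external) > 1:
        report["warnings"].append(
            "Only fallback to local accounts is supported; extra RADIUS/TACACS "
            f"entries {external[1:]} will not be tried as secondary servers.")
    return report

def resolve_for_entry(hostname):
    """Resolve an FQDN to the IP literal(s) to paste into the field (needs DNS)."""
    infos = socket.getaddrinfo(hostname, None)
    return sorted({info[4][0] for info in infos})

if __name__ == "__main__":
    # Constructed sample config: an FQDN RADIUS entry, an IP one and an LDAP host.
    sample = [("RADIUS", "radius1.example.net"), ("RADIUS", "192.0.2.10"),
              ("LDAP", "ldap.example.net")]
    result = check_config(sample)
    for addr, notes in result["servers"].items():
        print(addr, "->", notes or ["ok"])
    print("warnings ->", result["warnings"])
```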

Thanks for the response.  Sorry if I came off strong... I wasted so much time banging my head on this problem with zero leads from the docs.  It's good to hear that these issues are being addressed, though it would have been nice if the misleading "Hostname" field had been called out in the release notes.

Thanks again,

-- Nathan

2 Likes

Hi Nathan,

We appreciate your effort and the issue you pointed out; we completely agree with you.

I have asked the team to document it clearly; we will update our release notes and help documents in the next release.

Thanks again for your time and for giving us valuable feedback to improve the product.

Regards,

Rupam

3 Likes