Opened 5 years ago

Closed 5 years ago

#198 closed (fixed)

No administrative/privileged access for ExoGENI rack switches

Reported by: lnevers@bbn.com Owned by: somebody
Priority: major Milestone:
Component: AM Version: SPIRAL6
Keywords: Cc:
Dependencies:

Description

This was missed in testing the GPO and RENCI racks administrative access.

Having administrative access to the head node allows a user to log in to the management and dataplane switches, but does not allow "enable" access (Turn on privileged commands):

[lnevers@uh-hn ~]$ id
uid=2107(lnevers) gid=2000(nonrenci) groups=2000(nonrenci),2501(uhadmins),9510(bbnadmins)

[lnevers@uh-hn ~]$ ssh lnevers@uh-8264.uh.xo
Enter radius password: 

IBM Networking Operating System RackSwitch G8264.

uh-8264.uh.xo>ena

Enable access using (oper) credentials restricted to admin accounts only.
uh-8264.uh.xo>exit

...

[lnevers@uh-hn ~]$ ssh lnevers@uh-8052.uh.xo
Enter radius password: 

IBM Networking Operating System RackSwitch G8052.

uh-8052.uh.xo>ena

Enable access using (oper) credentials restricted to admin accounts only.
uh-8052.uh.xo>

Change History (6)

comment:1 Changed 5 years ago by lnevers@bbn.com

  1. Should an administrative account have administrative access on switches?
  2. Found different behavior on UFL rack:
    • The management switch fails as with other racks:
         ufl-8052.ufl.xo>ena
      
         Enable access using (oper) credentials restricted to admin accounts only.
         ufl-8052.ufl.xo>
      
    • The OpenFlow switch rejects the connections:
         [lnevers@ufl-hn ~]$  ssh ufl-8264.ufl.xo
         Enter radius password: 
         Connection closed by 192.168.110.4
      

comment:2 Changed 5 years ago by lnevers@bbn.com

Still no "enable" access on all switches except on the switch ufl-8264, where it still rejects connections:

[lnevers@ufl-hn ~]$ ssh ufl-8264.ufl.xo
Enter radius password: 
Connection closed by 192.168.110.4
[lnevers@ufl-hn ~]$ 

(ufl-8264.ufl.xo login works)

comment:3 Changed 5 years ago by jonmills@renci.org

I've made some updates to the Radius config, which I am hopeful will clear up these issues.

comment:4 Changed 5 years ago by lnevers@bbn.com

Still not able to get administrative (enable) access on the Houston rack:

[lnevers@uh-hn ~]$ ssh lnevers@uh-8264.uh.xo
Enter radius password: 
IBM Networking Operating System RackSwitch G8264.
uh-8264.uh.xo>ena
Enable access using (oper) credentials restricted to admin accounts only.
uh-8264.uh.xo>

Also, same lack of enable access on UFL rack:

[lnevers@ufl-hn ~]$ ssh ufl-8264.ufl.xo
Enter radius password: 
IBM Networking Operating System RackSwitch G8264.
ufl-8264.ufl.xo>ena
Enable access using (oper) credentials restricted to admin accounts only.
ufl-8264.ufl.xo>

Additionally, I am no longer able to log in to head node fiu-hn.exogeni.net; it seems my account is no longer enabled at the site.

comment:5 Changed 5 years ago by lnevers@bbn.com

Verified enable access to Houston Rack switch:

[lnevers@uh-hn ~]$ ssh lnevers@uh-8264.uh.xo
Enter radius password: 
IBM Networking Operating System RackSwitch G8264.
uh-8264.uh.xo>ena
Enable privilege granted.
uh-8264.uh.xo#     

and UFL:

[lnevers@ufl-hn ~]$ ssh ufl-8264.ufl.xo
Enter radius password: 
IBM Networking Operating System RackSwitch G8264.
ufl-8264.ufl.xo>ena
Enable privilege granted.
ufl-8264.ufl.xo#

Waiting on login access at FIU head node.

comment:6 Changed 5 years ago by lnevers@bbn.com

Resolution: fixed
Status: new → closed

Was able to get enable access on FIU, UFL and UH rack switches to complete New Site Administrative tests. Issue is resolved; closing ticket.
