
Using serial remote console with access list restriction

vjockheck
Techie
Posts: 8

Hello infoblox community,

For security reasons we have to restrict the use of the SSH remote console to specific IP addresses. This of course is no problem. We simply added a set of ACEs within the group's properties. But if I do so I'm not able to log in to the appliance using the serial connection via a console server anymore. Login is denied. This is the log message:

2018-08-20T09:30:42+02:00 user ib01.labs.test.com serial_console[]: info Local authentication succeeded for user test-con
2018-08-20T09:30:42+02:00 user ib01.labs.test.com serial_console[]: info User group =  labs
2018-08-20T09:30:42+02:00 user ib01.labs.test.com serial_console[]: info Access from unknown IP for user group labs is denied, rejecting...

Is there a solution to grant access to the serial console while using an access list in parallel?

We are using NIOS 8.2.6

kind regards

Volker
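
The three serial_console lines quoted above are worth alerting on, because they show a superuser group being locked out of the local console by its own ACL. The following is an added example (not from this thread or from Infoblox) that parses lines in that exact format and reports which groups were refused on the serial console; the fourth and fifth sample lines are constructed in the same format to show the user/group correlation across more than one login.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Sample input: the three lines quoted in the question, followed by two
# constructed lines in the same format (user "ops-user", group "admin-group").
SAMPLE_LOG = """\
2018-08-20T09:30:42+02:00 user ib01.labs.test.com serial_console[]: info Local authentication succeeded for user test-con
2018-08-20T09:30:42+02:00 user ib01.labs.test.com serial_console[]: info User group =  labs
2018-08-20T09:30:42+02:00 user ib01.labs.test.com serial_console[]: info Access from unknown IP for user group labs is denied, rejecting...
2018-08-20T09:35:01+02:00 user ib01.labs.test.com serial_console[]: info Local authentication succeeded for user ops-user
2018-08-20T09:35:01+02:00 user ib01.labs.test.com serial_console[]: info Access from unknown IP for user group admin-group is denied, rejecting...
"""

# "<timestamp> <facility> <host> <process>[<pid>]: <level> <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<facility>\S+) (?P<host>\S+) (?P<proc>[^\[]+)\[[^\]]*\]: "
    r"(?P<level>\S+) (?P<msg>.*)$"
)
AUTH_RE = re.compile(r"Local authentication succeeded for user (?P<user>\S+)")
# The serial console has no source address, so NIOS logs "unknown IP".
DENY_RE = re.compile(r"Access from (?P<src>unknown IP|\S+) for user group (?P<group>\S+) is denied")


@dataclass
class ConsoleDenial:
    ts: str
    host: str
    user: Optional[str]   # taken from the preceding "authentication succeeded" line
    group: str
    source: str
    via_serial: bool      # True when the denial came through serial_console with no IP


def find_console_denials(log_text: str) -> list:
    """Return one ConsoleDenial per 'is denied' line, carrying the last authenticated user per host."""
    denials = []
    last_user = {}  # host -> most recent locally authenticated user
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # not a syslog line in the expected shape
        host, proc, msg = m["host"], m["proc"], m["msg"]
        a = AUTH_RE.search(msg)
        if a:
            last_user[host] = a["user"]
            continue
        d = DENY_RE.search(msg)
        if d:
            denials.append(ConsoleDenial(
                ts=m["ts"], host=host, user=last_user.get(host),
                group=d["group"], source=d["src"],
                via_serial=(proc == "serial_console" and d["src"] == "unknown IP"),
            ))
    return denials


def serial_lockout_groups(log_text: str) -> list:
    """Admin groups whose members were refused on the serial console because it has no source IP."""
    return sorted({d.group for d in find_console_denials(log_text) if d.via_serial})
```

Run `serial_lockout_groups(SAMPLE_LOG)` to list the affected groups; any non-empty result means an ACL on an admin group is also blocking out-of-band console access.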

Re: Using serial remote console with access list restriction

TTiscareno
Community Manager
Posts: 340

To verify this, I tested with the following:

  1. In the Grid Properties -> Security tab, set "Restrict GUI/API Access" to "Set of ACEs"
  2. Added a bogus IPv4 network which is not in use on my network at all.
  3. Enabled the option "Access Restrictions Apply to Remote Console".

After saving this change, I effectively locked myself out of the appliance via both the GUI and SSH, but was still able to access the appliance using the serial/VM console (as was expected). I used the "set security" command and entered "n" at the prompt to enable security, disabling that access restriction and restoring my access.

Can you confirm the steps that you followed to encounter this behavior?

To provide additional information: even though you are coming in via a remote connection, it uses the same subsystem as the local serial console, which is why you see "serial_console[]" in the logs. I suspect that your terminal/console server is still attempting to connect via SSH, which is why you are seeing this failure. Your log snippet here is cut off so we cannot say definitively what is occurring, but I would recommend adding your terminal/console servers' IP addresses as allowed interfaces and seeing if that corrects this issue for you.

Regards,

Tony

Re: Using serial remote console with access list restriction

vjockheck
Techie
Posts: 8

Hi TTiscareno,

thanks for your reply.

We do not set the access restriction within the grid properties. We need to set access restriction for admin groups. I did the following:

1.) Created a Named_ACL and added a couple of networks
2.) Administration -> Groups -> Edit group -> "Allow access from" -> Named ACL -> Add previously created ACL
3.) Grid Properties -> Security tab -> "Access Restrictions Apply to Remote Console" -> True
(This seems to have no impact. If I set it to false I'm still not able to log in via serial_console.)

Grid Properties -> Security tab: "Restrict GUI/API Access" is set to "Allow any".

I tried to add the IP of the console server to the ACL. Unfortunately this does not solve the problem. Due to the fact that the access is denied because of "unknown IP", I think that the console server is not using SSH.
I would welcome further solution suggestions.

kind regards
Volker

Re: Using serial remote console with access list restriction

TTiscareno
Community Manager
Posts: 340

Is the Superusers option enabled in the group in question? If you refer to the NIOS Administrators Guide, you will find the following:

Superuser – Superuser admin groups provide their members with unlimited access and control of all the operations that a NIOS appliance performs. There is a default superuser admin group, called admin-group, with one superuser administrator, admin. You can add users to this default admin group and create additional admin groups with superuser privileges. Superusers can access the appliance through its console, GUI, and API. In addition, only superusers can create admin groups.


Limited-Access – Limited-access admin groups provide their members with read-only or read/write access to specific resources. These admin groups can access the appliance through the GUI, API, or both. They cannot access the appliance through the console.

Re: Using serial remote console with access list restriction

vjockheck
Techie
Posts: 8

Yes. The superuser option is enabled. If I remove the ACL I'm able to connect to the appliance using the serial console. The question is how I can restrict superuser access with an ACL without losing the possibility to connect via the serial console.

kind regards

Volker

Re: Using serial remote console with access list restriction

TTiscareno
Community Manager
Posts: 340

I was able to reproduce the behavior that you reported here, and what is happening does make sense. When you restrict access to a specific network, that applies to all connections to NIOS; however, there is no separate setting to allow access to the serial console.

As a next step, I would recommend opening a case with Infoblox Support to open a feature request. This should ask for the ability to include access to the local (serial) console of an Infoblox appliance in named ACLs and in ACEs. An alternative to this would be to change the behavior to not apply these restrictions to the local (serial) console.

Regards,

Tony

Re: Using serial remote console with access list restriction

vjockheck
Techie
Posts: 8

Hello TTiscareno,

thank you for your efforts. I will open a case.

kind regards

Volker

Re: Using serial remote console with access list restriction

Guru
Posts: 179

Hi;

Does the admin have to be a member of a "super user" admin group to be able to back up? Can he do that being a member of a non "super user" group? If so, what is the read/write access needed?

Kindly

Wasfi
