08-20-2018 12:50 AM
Hello infoblox community,
for security reasons we have to restrict the use of the SSH remote console to specific IP addresses. This of course is no problem. We simply added a set of ACEs within the group's properties. But if I do so I'm not able to log in to the appliance using the serial connection via a console server anymore. Login is denied. This is the log message:
2018-08-20T09:30:42+02:00 user ib01.labs.test.com serial_console: info Local authentication succeeded for user test-con
2018-08-20T09:30:42+02:00 user ib01.labs.test.com serial_console: info User group = labs
2018-08-20T09:30:42+02:00 user ib01.labs.test.com serial_console: info Access from unknown IP for user group labs is denied, rejecting...
Is there a solution to grant access to the serial console while using an access list in parallel?
We are using NIOS 8.2.6
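The three serial_console lines quoted above are the only trace a defender gets that an admin-group access restriction has locked out console logins, so they are worth watching for in syslog. As an added example (not from the original post or from Infoblox), the Python below correlates the authentication, group and denial messages of one login attempt into a single lockout record; the sample log is constructed to match the quoted format.

```python
import re

# Constructed sample modelled on the serial_console messages quoted in the thread.
# The second login (admin-group) authenticates and is not rejected.
SAMPLE_LOG = """\
2018-08-20T09:30:42+02:00 user ib01.labs.test.com serial_console: info Local authentication succeeded for user test-con
2018-08-20T09:30:42+02:00 user ib01.labs.test.com serial_console: info User group = labs
2018-08-20T09:30:42+02:00 user ib01.labs.test.com serial_console: info Access from unknown IP for user group labs is denied, rejecting...
2018-08-20T09:31:10+02:00 user ib01.labs.test.com serial_console: info Local authentication succeeded for user admin
2018-08-20T09:31:10+02:00 user ib01.labs.test.com serial_console: info User group = admin-group
"""

# Outer syslog envelope: timestamp, facility word, host, program, severity, message.
LINE_RE = re.compile(r"^(?P<ts>\S+) user (?P<host>\S+) serial_console: info (?P<msg>.*)$")
AUTH_RE = re.compile(r"Local authentication succeeded for user (?P<user>\S+)")
GROUP_RE = re.compile(r"User group = (?P<group>\S+)")
DENY_RE = re.compile(r"Access from unknown IP for user group (?P<group>\S+) is denied")


def find_console_lockouts(log_text):
    """Return one record per serial-console login that passed local
    authentication but was then rejected by a group access restriction."""
    lockouts = []
    pending = {}  # host -> login currently being processed on that console
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a serial_console line
        host, msg = m.group("host"), m.group("msg")
        if a := AUTH_RE.match(msg):
            # A new login attempt; the serial console carries one session per host.
            pending[host] = {"ts": m.group("ts"), "host": host,
                             "user": a.group("user"), "group": None}
        elif (g := GROUP_RE.match(msg)) and host in pending:
            pending[host]["group"] = g.group("group")
        elif (d := DENY_RE.match(msg)) and host in pending:
            rec = pending.pop(host)
            rec["denied_group"] = d.group("group")
            lockouts.append(rec)
    return lockouts


if __name__ == "__main__":
    for rec in find_console_lockouts(SAMPLE_LOG):
        print(f"{rec['ts']} {rec['host']}: console login for {rec['user']} "
              f"denied by access restriction on group {rec['denied_group']}")
```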
08-20-2018 09:05 AM
To verify this, I tested with the following:
- In the Grid Properties -> Security tab, set "Restrict GUI/API Access" to "Set of ACEs"
- Added a bogus IPv4 network which is not in use on my network at all.
- Enabled the option "Access Restrictions Apply to Remote Console".
After saving this change, I effectively locked myself out of the appliance via both the GUI and SSH, but was still able to access the appliance using the serial/VM console (as was expected). I used the "set security" command and entered "n" at the prompt to enable security, disabling that access restriction and restoring my access.
Can you confirm the steps that you followed to encounter this behavior?
To provide additional information: even though you are coming in via a remote connection, it uses the same subsystem as the local serial console, which is why you see "serial_console" in the logs. I suspect that your terminal/console server is still attempting to connect via SSH, which is why you are seeing this failure. Your log snippet here is cut off so we cannot say definitively what is occurring, but I would recommend adding your terminal/console server's IP addresses as allowed interfaces and seeing if that corrects this issue for you.
08-21-2018 12:20 AM
Thanks for your reply.
We do not set the access restriction within the grid properties. We need to set access restriction for admin groups. I did the following:
1.) Created a Named_ACL and added a couple of networks
2.) Administration -> Groups -> Edit group -> "Allow access from" -> Named ACL -> Add previously created ACL
3.) Grid Properties -> Security tab -> "Access Restrictions Apply to Remote Console" -> True
(This seems to have no impact. If I set it to false I'm still not able to log in via serial_console.)
In Grid Properties -> Security tab, "Restrict GUI/API Access" is set to "Allow any".
I tried to add the IP of the console server to the ACL. Unfortunately this does not solve the problem. Due to the fact that the access is denied because of "unknown IP", I think that the console server is not using SSH.
I would be grateful for further solution suggestions.
08-21-2018 09:21 AM
Is the Superusers option enabled in the group in question? If you refer to the NIOS Administrators Guide, you will find the following:
Superuser – Superuser admin groups provide their members with unlimited access and control of all the operations that a NIOS appliance performs. There is a default superuser admin group, called admin-group, with one superuser administrator, admin. You can add users to this default admin group and create additional admin groups with superuser privileges. Superusers can access the appliance through its console, GUI, and API. In addition, only superusers can create admin groups.
Limited-Access – Limited-access admin groups provide their members with read-only or read/write access to specific resources. These admin groups can access the appliance through the GUI, API, or both. They cannot access the appliance through the console.
08-21-2018 10:43 PM
Yes. The superuser option is enabled. If I remove the ACL I'm able to connect to the appliance using the serial console. The question is how can I restrict superuser access with an ACL without losing the possibility to connect via the serial console.
08-23-2018 10:11 AM
I was able to reproduce the behavior that you reported here, and what is happening does make sense. When you restrict access to a specific network, that applies to all connections to NIOS; however, there is no separate setting to allow access to the serial console.
As a next step, I would recommend opening a case with Infoblox Support to open a feature request. This should ask for the ability to include access to the local (serial) console of an Infoblox appliance in named ACLs and in ACEs. An alternative to this would be to change the behavior to not apply these restrictions to the local (serial) console.
2 weeks ago
Does the admin have to be a member of a "super user" admin group to be able to back up? Can he do that as a member of a non-"super user" group? If so, what read/write access is needed?