Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Passwords in CX Template Groups

  • 1.  Passwords in CX Template Groups

    Posted Feb 14, 2024 10:57 AM

    We use template groups exclusively for our distribution layer switches, I have a few questions regarding what people do with passwords/keys:

    How do you manage multiple passwords in template variable files? 

    • I know if you name the variable field as password, it'll obfuscate the password in the central UI, but what if you would like to set more than one password in the template?
    • Is there a way to define multiple passwords and have them obfuscated in the UI?
    • Although, it's really not that secure when downloading the variable file the password is shown in plaintext.

    What about TACACS/RADIUS/OSPF keys, how are you passing them in via variables?  Do you avoid passing in plain text keys?

    How are people managing password changes for devices that are provisioned via Templates? 

    I haven't had a chance to try this yet, but can you change the local/admin password of a switch via the central API?  If so, does the variable file get updated with the changed password?

    Any comments or advice is appreciated.



  • 2.  RE: Passwords in CX Template Groups

    Posted Feb 15, 2024 03:08 AM

    Template variables are per serial number. Each serial number has its own variable set. You can have a separate password/secret for each switch. It's best practice to have passwords hashed so you won't use plain passwords in templates.

    Best, Gorazd



    ------------------------------
    Gorazd Kikelj
    MVP Expert 2023
    ------------------------------



  • 3.  RE: Passwords in CX Template Groups

    Posted Feb 15, 2024 02:11 PM

    Here is an example of variables for a switch. You can add your password variable into each switch section and it can have its own value per switch.

     {
       "SG0XXXXXXX": {
         "_sys_hostname": "sw-edge1",
         "_sys_lan_mac": "xx:xx:xx:xx:xx:xx",
         "_sys_serial": "SG0XXXXXXX",
         "mgmt_vlan": "3",
         "mgmt_ip": "10.1.3.x/24",
         "mgmt_gw": "10.1.3.1",
         "vlan_ap": "4",
         "port_ap": "1/1/2,1/1/10-1/1/12",
         "vlan_ap_trunk_list": "11-15"
       }
     }


    ------------------------------
    Gorazd Kikelj
    MVP Expert 2023
    ------------------------------



  • 4.  RE: Passwords in CX Template Groups

    Posted Feb 22, 2024 11:01 AM

    Thanks, I was aware of variables being per serial number, my question was surrounding multiple passwords/keys for the same serial number. But I suppose ensuring they are all encrypted is probably the best bet.

    Thanks




  • 5.  RE: Passwords in CX Template Groups

    Posted Feb 22, 2024 11:22 AM

    Hi Victor.

    Just use different variable names and use them in the template so you can have different passwords/secrets in the same serial number.

    For example if you have several RADIUS servers, you can create a separate variable for each radius server and have different secrets for different radius servers etc...

    But in any case encrypted passwords/secrets are preferred.

    Best, Gorazd



    ------------------------------
    Gorazd Kikelj
    MVP Guru 2024
    ------------------------------
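
An added example, not part of the thread and not HPE tooling: a check that can be run over a downloaded variable file to list secret-like variables that are empty or still hold plaintext, using the per-serial layout from post 3. The variable names (`admin_password`, `radius1_key`, `radius2_key`, `ospf_key`), the name pattern and the "looks like ciphertext" pattern are assumptions, and the sample values are constructed.

```python
import json
import re

# Constructed sample in the per-serial layout shown in post 3; the variable
# names admin_password, radius1_key, radius2_key and ospf_key are hypothetical.
SAMPLE = """
{
  "SG0XXXXXXX": {
    "_sys_hostname": "sw-edge1",
    "_sys_serial": "SG0XXXXXXX",
    "mgmt_vlan": "3",
    "admin_password": "Winter2024!",
    "radius1_key": "AQBapQx7m1Zk0c9vYt3nR8sLw2eHf6uJd4gKb5pXoTqVyNzCiAaBbCcDdEeFfGg==",
    "radius2_key": "sharedsecret",
    "ospf_key": ""
  }
}
"""

# Assumption: variables holding secrets can be recognised by name.
SECRET_NAME = re.compile(r"(pass|secret|key|psk)", re.I)
# Assumption: an already-encrypted value is one long base64-style token;
# adjust to the ciphertext form your switches actually export.
CIPHERTEXT = re.compile(r"^[A-Za-z0-9+/]{40,}={0,2}$")


def audit_variables(raw):
    """Return sorted (serial, variable, finding) tuples for secret-like variables."""
    findings = []
    for serial, variables in json.loads(raw).items():
        if not isinstance(variables, dict):
            continue
        for name, value in variables.items():
            if name.startswith("_sys_") or not SECRET_NAME.search(name):
                continue
            if not isinstance(value, str) or not value.strip():
                findings.append((serial, name, "empty"))
            elif not CIPHERTEXT.match(value):
                findings.append((serial, name, "plaintext"))
    return sorted(findings)


if __name__ == "__main__":
    # Print variable names only, never the secret values themselves.
    for serial, name, finding in audit_variables(SAMPLE):
        print(f"{serial}: {name}: {finding}")
```

The report deliberately omits the values, so its output can be shared or logged without exposing the secrets it flags.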