I'm not a fan of using LDAP from network devices, because it's harder to set up:
- you typically need an LDAP account (Bind-DN) on (each of) your switches that allows logging in to your LDAP server
- in many organizations the password for the Bind account has to be rotated (which makes sense if you put it in the configuration of each of your switches)
- authorization has to be configured on (each of) the switches, as the LDAP server doesn't do authorization
And with a centralized RADIUS (RadSec)/TACACS+ server you have centralized authorization and centralized logging/auditing, which for most LDAP servers (Windows AD) is much harder to do or manage.
For me, RADIUS should have retired years ago. If you have access to the RADIUS traffic, you can see most information exchanged 'in the clear', including usernames and enforcement attributes. I'm happy with the newly discovered vulnerability, but it distracts from the point that RADIUS should not be used without RadSec or on an isolated and secured network segment where users don't have access (or even both, to protect against DoS). With that in mind, fixing this vulnerability is not what people should be focused on; get rid of unencrypted RADIUS instead. But LDAP(S) is not the optimal technology in my view.
Before someone asks about TACACS+: it doesn't work for 802.1X and uses DES encryption internally. DES encryption is considered obsolete and should be phased out (and has been for the last 20+ years already).
If others have different views, I'd love to hear those as well.
------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
------------------------------
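To illustrate the "in the clear" point from the reply above, here is an added example (not from the poster or from Aruba) that builds a constructed RADIUS Access-Request as a switch would send for an administrative login and parses it the way an on-path observer would: every attribute except User-Password is readable without the shared secret, and User-Password is only obfuscated with MD5(secret + Request Authenticator) per RFC 2865, not encrypted. The shared secret, authenticator, username and password are constructed sample values.

```python
import hashlib
import struct

# Constructed sample values: not real credentials, not from the page.
SECRET = b"example-shared-secret"
AUTHENTICATOR = bytes(range(16))  # 16-byte Request Authenticator a NAS would generate

ATTR_NAMES = {1: "User-Name", 2: "User-Password", 4: "NAS-IP-Address",
              5: "NAS-Port", 6: "Service-Type", 80: "Message-Authenticator"}


def obfuscate_password(password, secret, authenticator):
    """RFC 2865 5.2: pad to a 16-byte multiple, XOR each block with MD5(secret + prev)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += block
        prev = block
    return out


def build_access_request(attrs, authenticator, ident=7):
    """Code 1 = Access-Request; header is code, id, length, then the authenticator."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    return struct.pack("!BBH", 1, ident, 20 + len(body)) + authenticator + body


def parse_attributes(packet):
    """Walk the type/length/value list after the 20-byte header, no secret needed."""
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    pos, found = 20, {}
    while pos + 2 <= length:
        t, l = packet[pos], packet[pos + 1]
        found[ATTR_NAMES.get(t, t)] = packet[pos + 2:pos + l]
        pos += l
    return found


# Constructed Access-Request for an SSH login: username, obfuscated password,
# the switch's NAS-IP-Address and Service-Type 6 (Administrative-User).
REQUEST = build_access_request([
    (1, b"alice"),
    (2, obfuscate_password(b"hunter2", SECRET, AUTHENTICATOR)),
    (4, bytes([10, 0, 0, 5])),
    (6, struct.pack("!I", 6)),
], AUTHENTICATOR)


def cleartext_fields(packet):
    """Everything an observer on the RADIUS path reads directly from the datagram."""
    attrs = parse_attributes(packet)
    return {k: v for k, v in attrs.items() if k != "User-Password"}
```

Sending the same exchange over RadSec (RADIUS/TLS) wraps the whole datagram in TLS, so none of these fields are visible on the wire.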
Original Message:
Sent: Jul 16, 2024 10:39 AM
From: Evan Z
Subject: Secure LDAP authentication on CX switches
With the latest RADIUS vulnerability out there and having to update for it, has there been any discussion about getting LDAP authentication for SSH/HTTPS access on CX switches?
I don't think it will ever be implemented on the ProCurve line, but with CX being Linux-based, I would think this would not be too difficult.