Wired Intelligent Edge

  • 1.  Secure LDAP authentication on CX switches

    Posted Jul 16, 2024 10:39 AM

    With the latest RADIUS vulnerability out there and having to update for it, has there been any discussion to getting LDAP authentication for SSH/HTTPS access on CX switches?

    I don't think it will ever be implemented on the ProCurve line but with CX being linux-based, I would think this would not be too difficult.



  • 2.  RE: Secure LDAP authentication on CX switches

    Posted Jul 17, 2024 02:29 AM

    This would be great. We considered using RADIUS for SSH / HTTPS, but with PAP or CHAP authentication we decided to use local users instead.

    An LDAPS implementation would be great. I think Cisco has it implemented, so why not Aruba CX? :)




  • 3.  RE: Secure LDAP authentication on CX switches

    Posted Jul 17, 2024 06:43 AM

    I'm not a fan of using LDAP from network devices, because it's harder to set up:
    - you typically need an LDAP account (Bind-DN) on (each of) your switches that allows logging in to your LDAP server
    - in many organizations the password for the Bind account has to be rotated (which makes sense if you put it in the configuration of each of your switches)
    - authorization has to be configured on (each of) the switches, as the LDAP server doesn't do authorization

    And with a centralized RADIUS(RadSec)/TACACS+ server you have centralized authorization, centralized logging/auditing, which for most LDAP servers (Windows AD) is much harder to do or manage.

    For me, RADIUS should have retired years ago. If you have access to the RADIUS traffic, you can see most information exchanged 'in the clear', including usernames and enforcement attributes. I'm happy with the newly discovered vulnerability, but it distracts from the point that RADIUS should not be used without RadSec or on an isolated and secured network segment where users don't have access (or even both, to protect against DoS). With that in mind, fixing this vulnerability is not what people should be focused on; get rid of unencrypted RADIUS instead. But LDAP(S) is not the optimal technology in my view.

    Before someone asks about TACACS+, that doesn't work for 802.1X and uses DES encryption internally. DES encryption is considered obsolete and should be phased out (for the last 20+ years already).

    If others have different views, I'd love to hear those as well.



    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------
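To illustrate the point above about plain RADIUS exposing attributes on the wire, here is an added example (not code from the thread or from Aruba): a minimal RFC 2865 packet parser run over a constructed Access-Request, listing every attribute that travels in cleartext. The packet bytes, identifier and attribute values are constructed for the example; only User-Password (type 2) is obscured by the protocol, and even that merely by XOR with MD5(shared secret | authenticator).

```python
import struct

# RFC 2865 attribute types used in the constructed sample packet.
ATTR_NAMES = {1: "User-Name", 2: "User-Password", 4: "NAS-IP-Address",
              6: "Service-Type", 31: "Calling-Station-Id"}

def build_access_request(ident, authenticator, attrs):
    """Serialize (type, value) pairs as TLVs behind a 20-byte RADIUS header."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    return struct.pack("!BBH", 1, ident, 20 + len(body)) + authenticator + body

def parse_radius(packet):
    """Return (code, identifier, authenticator, [(type, value), ...])."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length != len(packet):
        raise ValueError("bad RADIUS length field")
    authenticator = packet[4:20]
    attrs, pos = [], 20
    while pos < length:
        t, l = packet[pos], packet[pos + 1]
        if l < 2 or pos + l > length:
            raise ValueError("bad attribute length")
        attrs.append((t, packet[pos + 2:pos + l]))
        pos += l
    return code, ident, authenticator, attrs

def cleartext_fields(packet):
    """Attributes an on-path observer can read without the shared secret.
    Everything except User-Password is sent verbatim."""
    _, _, _, attrs = parse_radius(packet)
    return {ATTR_NAMES.get(t, f"Attr-{t}"): v for t, v in attrs if t != 2}

# Constructed sample: admin logging in from NAS 10.0.0.1 (authenticator and
# obscured password bytes are dummy values, not a real capture).
SAMPLE = build_access_request(7, b"\x00" * 16, [
    (1, b"admin"),
    (2, b"\x11" * 16),
    (4, bytes([10, 0, 0, 1])),
    (6, struct.pack("!I", 6)),  # Service-Type 6 = Administrative-User
])

if __name__ == "__main__":
    for name, value in cleartext_fields(SAMPLE).items():
        print(f"{name}: {value!r}")
```

Run against a RadSec (RADIUS over TLS) capture the same parser sees only TLS records, which is the mitigation the post argues for.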