Issues while performing product evaluation

General discussion of anything Unimus
DVT
Posts: 3
Joined: Mon Aug 19, 2024 12:39 pm

Wed Aug 21, 2024 1:30 pm

Hi @all

We're currently performing an evaluation of Unimus to manage 500+ network devices and encountered the following issues. As we're new to Unimus, it is possible that we are missing something, and we would like some feedback on whether it is possible another way or already on the roadmap.

Authorization:
We're required by the NIS2 directive from the EU (https://www.nis-2-directive.com/) to authenticate our admins via MFA. We're using Passkeys (WebAuthn) and PIV on YubiKeys (SSH and HTTPS client certificates) for administrative access, therefore we can't use user/password logins for Unimus. For applications such as Unimus this is done most often with a reverse proxy or a Privileged Access Management (PAM) system, which does the authentication and provides the information to the application, e.g. via authorization headers or, as a fallback, with basic auth (random password). We don't see a possibility to do this currently with Unimus - are we missing something?

We're also required to have an Identity and Access Management (IAM) system which defines which users have access to a given application. For this we normally use the API to create/delete users in the system and groups for permissions. We were not able to find that functionality - should we write directly to the DB for this?


Backups:

We're using Extreme Networks switches, which allow having policy files (e.g. for ACLs, UPM scripts, ...) on the switch file system, which need to be backed up as well. We didn't find a way to accomplish that.

Also, on the Extreme Networks switches a "show configuration" is not enough to get all the information which is required for a restore in all cases (e.g. physical destruction). We've configured the following flow:

```
show configuration
show switch
show management
show version
show slot
show ports transceiver information detail | include "Port|Media|Vendor|Part|Serial|transceiver"
```
This puts all output into one file. As we need to parse the config for compliance, we would need a separator between the different commands or multiple files. If multiple files is not possible, maybe a user-definable separator line at the beginning of each command output in the backup would be possible?
The way commands are separated right now (using three # lines) is very hard to parse reliably. For one, Extreme switches include this exact style in the config export between each section, and because it's on three lines, each with not very many distinct characters, using a regex is cumbersome and failure-prone.

Device Tags:
We were not able to find a way to add tags to devices via the API (or vice versa), e.g. a tag for all access switches in a given site/location; we need this to group targets for config push. Did we miss something?

Config Push:
Multiple tags on a device are OR-combined; how can we set them to be combined with AND? For example: we need devices tagged with roles AND sites AND device type AND something else.

Why is there no filter for vendor or platform? For example: we run access switches from different vendors. If the targets are selected by a tag "access switch", the command syntax will not work. As a workaround, we wanted to tag them while adding them via the API, but then we are at the problem described in "Device Tags". What are we missing? How do others use this?

Discovery:

Most of our devices are supported, but we have some Linux-based systems (e.g. for monitoring of multicast screens in a site or to generate test traffic) for which the network team is also responsible. It seems that it is not possible to manage unsupported devices. We tried to add a Raspbian device and build a backup flow or config push. This doesn't work, because the discovery fails.
It would be great to be able to manage Linux-based systems, e.g. zip a remote directory and back it up, or send some commands ("apt upgrade" for example) via config push, and to be able to run this with sudo (like the "enable" config).


Payment Methods:

We are a governmental organization within the EU, and we can't pay via PayPal nor Credit Card. We would need the possibility to pay the invoice by bank transfer?
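As an added example (not Unimus's own code and not a feature the product currently offers): a small Python parser that splits a concatenated multi-command backup like the one described above into per-command sections, on the assumption that each command's output is preceded by a distinctive separator line. The separator format `#=== unimus-cmd: <command> ===#`, the sample backup text, and the compliance check are all assumptions constructed for this example. The `#`-only lines in the sample imitate the ExtremeXOS section-header style mentioned in the post and show why a separator made of `#` lines alone cannot be distinguished from the device's own config.

```python
"""
Splitting a multi-command backup into per-command sections.

Added example for this thread, not Unimus code. It assumes a hypothetical
separator line of the form

    #=== unimus-cmd: <command> ===#

emitted before each command's output; Unimus does not produce this today
(the thread says it uses three '#' lines). The sample backup below is
constructed; the ExtremeXOS-style '#' header lines in it show why a
separator consisting only of '#' lines is ambiguous.
"""
import re
from typing import Dict, List

# Assumed separator: it carries the command name plus a token ("unimus-cmd")
# that no device output contains, so one anchored regex is enough to split on.
SEPARATOR_RE = re.compile(r"^#=== unimus-cmd: (?P<cmd>.+?) ===#$", re.MULTILINE)

# Constructed sample backup; all values are placeholders, not from a real switch.
SAMPLE_BACKUP = """\
#=== unimus-cmd: show configuration ===#
#
# Module devmgr configuration.
#
configure snmp sysName "sw-site1-acc01"
#
# Module vlan configuration.
#
create vlan "Mgmt"
#=== unimus-cmd: show switch ===#
SysName:          sw-site1-acc01
System Type:      EXAMPLE-MODEL
#=== unimus-cmd: show version ===#
Image   : ExampleOS version 0.0.0 (placeholder)
"""


def split_backup(text: str) -> Dict[str, str]:
    """Return {command: output} in backup order, failing loudly on a malformed file."""
    marks = list(SEPARATOR_RE.finditer(text))
    if not marks:
        raise ValueError("no separator lines found; is this a single-command backup?")
    if marks[0].start() != 0:
        raise ValueError("backup does not start with a separator line")
    sections: Dict[str, str] = {}
    for i, mark in enumerate(marks):
        cmd = mark.group("cmd").strip()
        if cmd in sections:
            raise ValueError(f"command {cmd!r} appears twice in the backup")
        end = marks[i + 1].start() if i + 1 < len(marks) else len(text)
        sections[cmd] = text[mark.end():end].strip("\n")
    return sections


def hash_only_lines(text: str) -> int:
    """Count lines that are exactly '#': the noise a '#'-only separator must compete with."""
    return sum(1 for line in text.splitlines() if line.strip() == "#")


def missing_required(section: str, required: List[str]) -> List[str]:
    """Compliance check: which required config statements are absent from a section."""
    present = [line.strip() for line in section.splitlines()]
    return [req for req in required if not any(line.startswith(req) for line in present)]


if __name__ == "__main__":
    parts = split_backup(SAMPLE_BACKUP)
    for cmd, body in parts.items():
        print(f"== {cmd} ({len(body.splitlines())} lines)")
    conf = parts["show configuration"]
    print("'#'-only lines inside 'show configuration':", hash_only_lines(conf))
    print("missing:", missing_required(conf, ["configure snmp sysName", "enable ssh2"]))
```

The design point is the token: a separator the device can never emit makes the split a single regex and lets `split_backup` refuse files that are malformed (no separator, or a repeated command) instead of silently merging sections, which is what a compliance parser running over hundreds of backups needs.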
Tomas
Posts: 1274
Joined: Sat Jun 25, 2016 12:33 pm

Mon Aug 26, 2024 11:51 pm

Hi, and apologies for the longer wait on the answer here. I wanted to discuss with the team before replying here. We will be investing a sizable development effort on NIS2-related features and functions in the upcoming releases, so this is a well-timed post :)
DVT wrote:
Wed Aug 21, 2024 1:30 pm
Authorization:
We're required by the NIS2 directive from the EU (https://www.nis-2-directive.com/) to authenticate our admins via MFA. We're using Passkeys (WebAuthn) and PIV on YubiKeys (SSH and HTTPS client certificates) for administrative access, therefore we can't use user/password logins for Unimus. For applications such as Unimus this is done most often with a reverse proxy or a Privileged Access Management (PAM) system, which does the authentication and provides the information to the application, e.g. via authorization headers or, as a fallback, with basic auth (random password). We don't see a possibility to do this currently with Unimus - are we missing something?

We're also required to have an Identity and Access Management (IAM) system which defines which users have access to a given application. For this we normally use the API to create/delete users in the system and groups for permissions. We were not able to find that functionality - should we write directly to the DB for this?
We would like to understand your auth model more in depth, to see how to accommodate it in Unimus. We would love to reach out directly (if that's OK with you) to discuss this more in depth, as it's a topic better discussed directly rather than through public forum posts.
DVT wrote:
Wed Aug 21, 2024 1:30 pm
Backups:

We're using Extreme Networks switches, which allow having policy files (e.g. for ACLs, UPM scripts, ...) on the switch file system, which need to be backed up as well. We didn't find a way to accomplish that.

Also, on the Extreme Networks switches a "show configuration" is not enough to get all the information which is required for a restore in all cases (e.g. physical destruction). We've configured the following flow:

...

This puts all output into one file. As we need to parse the config for compliance, we would need a separator between the different commands or multiple files. If multiple files is not possible, maybe a user-definable separator line at the beginning of each command output in the backup would be possible?
The way commands are separated right now (using three # lines) is very hard to parse reliably. For one, Extreme switches include this exact style in the config export between each section, and because it's on three lines, each with not very many distinct characters, using a regex is cumbersome and failure-prone.
We do plan to introduce the concept of multiple "files" for backup into Unimus, but it's a rather complex topic. The way the current config timeline is constructed gets messy quickly with multiple files. For example, currently you see config revisions, but with multiple files, each file may have different revisions at different times. This basically requires 2 views, a "per-device view", where you see changes across all config files, and a "per-config-file view", where you can see each individual config changing over time.

We want to build this, but it will take a lot of UI and dev work to make this good and user-friendly.
DVT wrote:
Wed Aug 21, 2024 1:30 pm
Device Tags:
We were not able to find a way to add tags to devices via the API (or vice versa), e.g. a tag for all access switches in a given site/location; we need this to group targets for config push. Did we miss something?
Tags themselves are already in the API, but handling of tags on devices is indeed missing. We are working on APIv3 (each release has something for the API), but sadly the "Devices" endpoint in v3 is the biggest one (where tag management will be located). This is planned, but will take a bit more time to make it into a release.
DVT wrote:
Wed Aug 21, 2024 1:30 pm
Config Push:
Multiple tags on a device are OR-combined; how can we set them to be combined with AND? For example: we need devices tagged with roles AND sites AND device type AND something else.

Why is there no filter for vendor or platform? For example: we run access switches from different vendors. If the targets are selected by a tag "access switch", the command syntax will not work. As a workaround, we wanted to tag them while adding them via the API, but then we are at the problem described in "Device Tags". What are we missing? How do others use this?
These are very good points. We are planning to rework how Config Push targeting works (the UX is a bit convoluted at the moment). I will talk with our Product Owner to see if we can prioritize this and include options like AND/OR and other types of targeting in the rework.
DVT wrote:
Wed Aug 21, 2024 1:30 pm
Discovery:

Most of our devices are supported, but we have some Linux-based systems (e.g. for monitoring of multicast screens in a site or to generate test traffic) for which the network team is also responsible. It seems that it is not possible to manage unsupported devices. We tried to add a Raspbian device and build a backup flow or config push. This doesn't work, because the discovery fails.
It would be great to be able to manage Linux-based systems, e.g. zip a remote directory and back it up, or send some commands ("apt upgrade" for example) via config push, and to be able to run this with sudo (like the "enable" config).
We plan to add a generic Linux driver. Together with Custom Backup Flows, managing any Linux distro / machine will become supported.
DVT wrote:
Wed Aug 21, 2024 1:30 pm
Payment Methods:

We are a governmental organization within the EU, and we can't pay via PayPal nor Credit Card. We would need the possibility to pay the invoice by bank transfer?
This is indeed possible, quite a few of our gov and enterprise customers with requirements like these deal with our sales directly. If you contact our sales, my colleagues will be happy to work with you on a formal purchase process.
DVT
Posts: 3
Joined: Mon Aug 19, 2024 12:39 pm

Tue Aug 27, 2024 6:49 am

We would like to understand your auth model more in depth, to see how to accommodate it in Unimus. We would love to reach out directly (if that's OK with you) to discuss this more in depth, as it's a topic better discussed directly rather than through public forum posts.
Sure, no problem - I'll send you a PM with my contact info.
We do plan to introduce the concept of multiple "files" for backup into Unimus, but it's a rather complex topic. The way the current config timeline is constructed gets messy quickly with multiple files. For example, currently you see config revisions, but with multiple files, each file may have different revisions at different times. This basically requires 2 views, a "per-device view", where you see changes across all config files, and a "per-config-file view", where you can see each individual config changing over time.
One problem we face is that we have two kinds of files: the ones on the file system and the ones that are the result of a command. For the second we can work around this with separators; for the first, the function to perform an SCP or SFTP transfer is missing in Unimus.