We're currently performing an evaluation of Unimus to manage 500+ network devices and encountered the following issues. As we're new to Unimus, it is possible that we are missing something, and we would like some feedback on whether it is possible in another way or already on the roadmap.
Authorization:
We're required by the NIS2 directive from the EU (https://www.nis-2-directive.com/) to authenticate our admins via MFA. We're using Passkeys (WebAuthn) and PIV on YubiKeys (SSH and HTTPS client cert) for administrative access, therefore we can't use user/password logins for Unimus. For applications like Unimus this is done most often with a reverse proxy or a Privileged Access Management (PAM) solution which does the authentication and provides the information to the application, e.g. via authorization headers or, as a fallback, with basic auth (random password). We don't see a possibility to do this currently with Unimus - are we missing something?
We're also required to have an Identity and Access Management (IAM) which defines which users have access to a given application - for this we normally use the API to create/delete the users in the system and the groups for permissions. We were not able to find that functionality - should we write directly to the DB for this?
Backups:
We're using Extreme Networks switches, which allow having policy files (e.g. for ACLs, UPM scripts, ...) on the switch file system which need to be backed up as well. We didn't find a way to accomplish that.
Also, on the Extreme Networks switches a "show configuration" is not enough to get all information which is required for a restore in all cases (e.g. physical destruction). We've configured the following flow:
show configuration
show switch
show management
show version
show slot
show ports transceiver information detail | include "Port|Media|Vendor|Part|Serial|transceiver"
The way commands are separated right now (using three # lines) is very hard to parse reliably. For one, Extreme switches include this exact style in the config export between each section, and because it's on three lines, each with not very many distinct characters, using a regex is cumbersome and failure-prone.
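As an illustration of the parsing problem, here is a small Python splitter (added here; this is not code from the original post or from Unimus, and the separator format it assumes, three consecutive lines consisting only of '#' characters, is constructed for the example). It treats only such runs as command boundaries, keeps EXOS's own "#" / "# Module ... configuration." / "#" headers inside the configuration section, and refuses a backup whose section count doesn't match the configured command list, so a truncated or mis-split backup is noticed before anyone relies on it for a restore:

```python
import re

# Constructed assumption for this example (not Unimus' documented format):
# the output of each backup command is introduced by a separator of three
# consecutive lines that contain nothing but '#' characters. EXOS's own
# section headers inside "show configuration" look like
#     #
#     # Module vlan configuration.
#     #
# so a naive "three lines starting with #" split would cut the config apart.
SEPARATOR_LINE = re.compile(r"^#{3,}\s*$")

# The command flow from the post, in the order the backup runs them.
COMMANDS = [
    "show configuration",
    "show switch",
    "show management",
]

# Constructed sample of what such a backup could look like; the device
# output is shortened and invented for the example.
SAMPLE_BACKUP = """\
########################################
########################################
########################################
#
# Module vlan configuration.
#
configure vlan default delete ports all
create vlan "Mgmt"
#
# Module snmp configuration.
#
enable snmp access snmpv3
########################################
########################################
########################################
SysName:          sw-access-01
System Type:      X440G2-24t-10G4
########################################
########################################
########################################
CLI idle timeout : Enabled (20 minutes)
"""


def is_separator(lines: list[str], i: int) -> bool:
    """True if lines[i], lines[i+1] and lines[i+2] are all pure-'#' lines."""
    return i + 2 < len(lines) and all(
        SEPARATOR_LINE.match(lines[i + k]) for k in range(3)
    )


def split_sections(backup_text: str, commands: list[str]) -> dict[str, str]:
    """Map each configured command to the text that followed its separator.

    Raises ValueError when the number of sections found does not match the
    number of commands, so a truncated or mis-split backup is reported
    instead of silently assigning output to the wrong command.
    """
    lines = backup_text.splitlines()
    sections: list[list[str]] = []
    current: list[str] = []
    i = 0
    while i < len(lines):
        if is_separator(lines, i):
            # Text before the very first separator is ignored (there should be
            # none); afterwards every separator closes the previous section.
            if sections or current:
                sections.append(current)
            current = []
            i += 3
            continue
        current.append(lines[i])
        i += 1
    sections.append(current)

    if len(sections) != len(commands):
        raise ValueError(
            f"expected {len(commands)} sections, found {len(sections)}"
        )
    return {
        cmd: "\n".join(body).strip() for cmd, body in zip(commands, sections)
    }


if __name__ == "__main__":
    for cmd, body in split_sections(SAMPLE_BACKUP, COMMANDS).items():
        print(f"== {cmd}: {len(body.splitlines())} line(s)")
```

The regex has to be adapted to whatever separator Unimus really emits; the part worth keeping regardless is the section-count check against the configured command list, which turns an ambiguous split into a hard error rather than a backup that looks complete but maps output to the wrong command.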
Device Tags:
We were not able to find a way to add tags to devices via the API (or vice versa), e.g. a tag for all access switches in a given site/location; we need this to group targets for config push. Did we miss something?
Config Push:
Multiple tags on a device are OR-combined; how can we set them to be combined as an AND? For example: we need devices tagged with roles AND sites AND device type AND something else.
Why is there no filter for vendor or platform? For example: we run access switches from different vendors. If the targets are selected by a tag "access switch", the command syntax will not work. As a workaround, we wanted to tag them while adding them via the API, but then we are at the problem described in "Device Tags". What are we missing? How do others use this?
Discovery:
Most of our devices are supported, but we have some Linux-based systems (like for monitoring of multicast screens in a site or to generate test traffic) for which the network team is also responsible. It seems that it is not possible to manage unsupported devices. We tried to add a Raspbian device and build a backup flow or config push. This doesn't work, because the discovery has failed.
It would be great to be able to manage Linux-based systems, e.g. zip a remote directory and back it up, or send some commands ("apt upgrade" for example) via config push, and to be able to run this with sudo (like the "enable" config).
Payment Methods:
We are a governmental organization within the EU, and we can't pay via PayPal nor credit card. Would it be possible to pay the invoice by bank transfer?