Unleashed connection to ICX

  • Question
  • Updated 4 months ago
  • Answered
Just updated my AP in my local test system here to 200.8.10.3.243, attached to an ICX 7150-C08P (also updated to 8.0.92). In the Unleashed interface, we can now get status from the ICX switch, which is a nice feature. When I tried to set this up today, it won't let me log in; it tells me my username and password are incorrect. SSH is enabled (should be by default on 8.0.90), and I assigned it credentials. When I log in to the switch via SSH through PuTTY it connects just fine. Any ideas on why it should fail via the Unleashed interface?

KC Luchsinger

  • 11 Posts
  • 1 Reply Like

Posted 5 months ago


Russ B

  • 2 Posts
  • 2 Reply Likes
Glad I searched first and found someone else banging their head against the keyboard re: this feature.

First, any Ruckus employees reading this: this feature is poorly implemented, buggy as hell and to the wider community, broken. 

The good news is, assuming you've got a decent head on your shoulders, you can get the feature working irrespective of Ruckus's dodgy code.

After reading the manual and immediately recognising this feature was never properly QA-ed, I jumped onto `Debug Info` under `Administration --> Diagnostics --> Debug Info` and checked a new tick box that appears in this release, `Network Management (ICX)`.

After a few minutes I reviewed the output from the `Logs` tab, specifically `To show current system logs, click here`. You could also elect to download the tarball via `Save System Log`.

Here's what Unleashed is trying to do and why it'll never succeed by itself (but you can fix it until Ruckus do). 

In the manual for Unleashed 200.8 it states the easiest way to get this feature to work is to ensure that you factory reset the switch (or the switch is in out of the box brand new). 

Knowing the only way to access a factory reset device is via serial, that was enough info to know that this feature was never going to work.

The Unleashed master will attempt the following:

1. Discover the switch and its management IP address via LLDP.
2. Login via SSH with the username / password of **super** and **sp-admin**.
3. If this combo fails, it tries **unleashed** as the password. 
4. If the user **super** does not exist, the Unleashed GUI will never ask you to "Approve" the switch(es) it's trying to log into. This is a misnomer, since by default "Auto Approve" is enabled in the Unleashed GUI and it's actually prompting you to enter a set of credentials that will work.
5. Assuming it gets this far, it removes the **super** user since it's default and shouldn't exist in the first place. It then creates a user/password identical to the primary Unleashed admin. If the username already exists, Fastiron will just change that user's password to match the Unleashed admin.
6. Unleashed checks to see if you've enabled snmp server in Fastiron via a grep of the running config.
7. Unleashed attempts the command `show running-config | include snmp-server enable vlan`, then at some point runs the command `snmp-server community <Unleashed ID> ro`, where `<Unleashed ID>` is a string comprising `un` followed by 25 numbers (generated when you first configure Unleashed; it can be regenerated if necessary, under what circumstances I have no idea).
8. Assuming all the above works, the Unleashed master can now access the read-only SNMPv2 community string and grab a bunch of run-of-the-mill SNMP read-only data and display a pretty graphical representation of your Fastiron ICX. 

I assume that because you can also backup the config and do some other things like "Reset Port" which I haven't tested, the Unleashed master will attempt to access your ICX(es) via the privileged user it created in the above process.

Now here's why this will never, ever, work for anyone automatically. 

1. SSH is disabled out of the box.
2. Accessing the switch in its factory default state immediately forces you to change the password of the **super** user. The moment you do that, you cannot change it back to **sp-admin**. Fastiron will throw a console error with `Error: Cannot create local user with default password`.
3. Yes, you *can* change it to **unleashed** but how would you know to do that other than debugging? Unleashed also assumes you have `aaa authentication login privilege-mode` enabled so whatever user it logs in as will immediately be in priv exec mode. 
4. Enabling SSH requires generating the public/private key pair via `crypto key generate rsa`. 
5. Once enabled, you need a management IP address configured that's on the same subnet as your Unleashed master.
6. LLDP is disabled out of the box, so you need to enable that. If the switch is on a different subnet to your Unleashed master you also need to configure LLDP to advertise its management IP address via `lldp advertise management-address ipv4 <some IP address> ports <all ports that are directly/indirectly connected to your Unleashed master, or potential masters>`.
7. SNMP is disabled out of the box, so you need to enable that. Because Unleashed gets a <NULL> response from its grep of "snmp-server" it never actually commits any config to enable it and even if it did, grepping for `snmp-server` does **not** tell you if the SNMP server is enabled. 

It is counter-intuitive, but Fastiron has always required you to run `snmp-server` without anything following it to actually start the process. This isn't included in `show run`, and you can only see the SNMP server status via `#show snmp ser | inc Status`, which returns `Status: Enabled`, or `Status: Disabled` if factory default.

To enable SNMPv2, at a minimum, you need to have committed:

```
snmp-server community public ro
snmp-server
```

---

So what this all amounts to is a feature implemented by someone who poorly understands Fastiron and, further, sucks at writing error handling routines, as Unleashed will, assuming LLDP is enabled on your ICX, fail forever trying to connect.

To get this feature to work is pretty simple when it comes down to it, ignoring the debacle above. Simply ensure the following:

1. Create a user (or change the password, if the user you'd create matches the one you use for Unleashed) with the same password as you use to log in to Unleashed (via the GUI or CLI).
2. Enable LLDP and advertise the management IP address if it's on a different subnet, ensuring Unleashed has SSH/SNMP access to your ICX. 
3. Enable the SNMP server on ICX (do not create the public ro community I listed above; that is an example only and often the default for most devices. It's bad practice at best and a security risk at worst). Exact config snippet:

```
snmp-server enable
snmp-server community <your unleashed ID> ro
snmp-server
```
4. Assuming you don't have SSH enabled, enable it by generating a RSA public/private key pair for the ICX (`crypto key generate rsa modulus 2048`). 
5. If you've disabled password authentication and use public key authentication only, too bad, enable it again via `(config)#ip ssh password-authentication yes`.
6. If the **super** user exists for whatever reason, nuke it via `(config)#no user super`.
7. Set up AAA so it automatically puts any user that has the privileges enabled (in this case, the Unleashed user) into priv exec mode via `aaa authentication login privilege-mode`.
8. Finally, save your config `write memory`.

If it all goes well you'll get something like this in the Unleashed GUI after a little while:



Russ B

  • 2 Posts
  • 2 Reply Likes
Well, I didn't realise the forum didn't support markdown, so all my code blocks, emphasis and other punctuation are broken. Apologies.

KC Luchsinger

  • 11 Posts
  • 1 Reply Like
Thanks for the info, I'll try and get mine to work this way when I get a minute

tam ch

  • 1 Post
  • 0 Reply Likes
Can Ruckus fix the issue in the next Unleashed firmware?