HPE Community
BladeSystem - General
1753428 Members
4832 Online
108793 Solutions
New Discussion

2 Factor Authentication on C3000 and C7000 enclosures.

 
spursfan
New Member

‎04-12-2018 07:22 AM

‎04-12-2018 07:22 AM

2 Factor Authentication on C3000 and C7000 enclosures.

New to a site and new to enclosures and I've been tasked with 2 Factor Authentication on the C3000 and C7000 enclosures. The firmware goes all the way from 3.31 to 4.60

1) Can it be done?

2) Is there a minimum firware level to have 2 Factor Authentication

3) Tricks to update firmware? Or follow the next version until I'm up to a baseline.

Keep in mind that I'm asking this from a novice persepective as far as enclosures and firmware.

Thanks

0 Kudos
Reply
1 REPLY 1
Bill Hassell
Honored Contributor

‎04-15-2018 11:41 PM - edited ‎04-15-2018 11:43 PM

‎04-15-2018 11:41 PM - edited ‎04-15-2018 11:43 PM

Re: 2 Factor Authentication on C3000 and C7000 enclosures.

1) Can it be done?

Yes, both C3000 and c7000 can be setup for 2 factor authentication.

2) Is there a minimum firware level to have 2 Factor Authentication

Probably. However there are many convoluted firmware issues, all the enclosures should be updated to the latest.
BUT: Because there MANY models of blades, each with their own firmware that can must be compatible.

3) Tricks to update firmware? Or follow the next version until I'm up to a baseline.

With so many compatibility issues with all the components in enclosures, the upgrade task could take a week of research and many outages for both the enclosures as well as the blades. To avoid unplanned downtime, I would rethink the firmware upgrades just for 2 factor.

Access to the enclosure and blades for service (bad disk, RAM, blade replacement) can be a disaster if authentication can't be provided. The risk to business in losing access to multiple systems should be analyzed carefully. Most requirements for improved security are due to the very poor practice of connecting iLO (console) ports to the company network. EVERY server, switch, disk array, router, etc, should have their console access on a separate, unrouted network. Access to this restricted network would then be through a gateway box (with appropriate authentication requirements). 

This separate network also avoids security audit issues where older machines do not have any way to have their network issues fixed. Auditors will likely find Java, telnet, ssh, SSL, etc issues but the manufacturer no longer provides upgrades. By keeping access to the iLO/consoles on an isolated network, business continuity is protected and the equipment can be serviced.



Bill Hassell, sysadmin
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.