ESXi Administration

Version 1
    This document was generated from CDN thread

    Created by: SCOTT PITTS on 20-11-2010 01:34:02 AM
    The biggest problem I have right now is ESXi administration. Our ESX administrators are not the same as Cisco router administrators. This means I must provide them access to the SRE console to add/change/delete users and groups. They also do not know how to use this interface as it is Cisco's and not VMware's. The ESX-ADMIN user, which is the only login that was provided from Cisco, cannot modify the users/group/licenses parameters within the vSphere client. The ESX team here cannot lock me from the SRE console as I can session in and have full rights to change permissions. By the same token they can ruin the config of the SRE and take the SRE down as the interface is foreign to them. Normally I would use TACACS command authorization to limit the commands they can enter and limit the commands I can enter. There is also a record of all changes. As the router does support TACACS, I tried that and I get as far as the session command but then everything from that point is hidden. I assume that it is the equivalent to telnetting to the SRE itself. I understand what you are trying to do but you are significantly hindering the product with the current approach from the administration aspects.
    Is there a way to resolve these issues with TACACS/RADIUS to keep the two teams separate and provide access to the resources they need? How will licensing happen with regards to those customers that would like all licenses under their existing VMware contracts?

    Subject: RE: New Message from SCOTT PITTS in Service Ready Engine Virtualization - S
    Replied by: Anurag Gurtu on 20-11-2010 01:34:02 AM

    We are working on having clear isolated boundaries between IT and Network admin, just like you mentioned below. I will keep in mind the use-case you mentioned and will go over it with engineering.


    Anurag Gurtu, CISSP