<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: Backup/Restore radius secret in Network Platform API</title>
    <link>https://community.cisco.com/t5/network-platform-api/backup-restore-radius-secret/m-p/5429753#M4877</link>
    <description>&lt;P&gt;It's a funny one with secrets in the API. On the one hand I understand why they don't allow downloading them but on the other hand if you have permissions to upload a new one and replace it with your own, then why wouldn't you have permissions to download the existing one?&lt;/P&gt;&lt;P&gt;As it currently stands we store various secrets separately and when we hit endpoints that require uploading secrets then we apply them from our secret store at that point.&lt;/P&gt;</description>
    <pubDate>Tue, 14 May 2024 07:41:46 GMT</pubDate>
    <dc:creator>daniel_abbatt</dc:creator>
    <dc:date>2024-05-14T07:41:46Z</dc:date>
    <item>
      <title>Backup/Restore radius secret</title>
      <link>https://community.cisco.com/t5/network-platform-api/backup-restore-radius-secret/m-p/5429752#M4876</link>
      <description>&lt;P&gt;Hi, using the API it is not possible to retrieve the secret but it is possible to set one. The same for MQTT Broker settings.&lt;/P&gt;&lt;P&gt;I understand it is for security reasons but it is really important to be able to back up and restore passwords using the API.&lt;/P&gt;&lt;P&gt;A solution could be to retrieve an encrypted (salted, hashed) password with a prefix, like sha256:xxxxxxxxxxxxx, and when restoring, the endpoint should use the already hashed password if a matching prefix exists or set it as a plaintext password if not.&lt;/P&gt;&lt;P&gt;This way it would be possible to restore previously saved configurations and security will always be enforced.&lt;/P&gt;</description>
      <pubDate>Tue, 14 May 2024 06:58:37 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-platform-api/backup-restore-radius-secret/m-p/5429752#M4876</guid>
      <dc:creator>francesco.boscarino</dc:creator>
      <dc:date>2024-05-14T06:58:37Z</dc:date>
    </item>
    <item>
      <title>Re: Backup/Restore radius secret</title>
      <link>https://community.cisco.com/t5/network-platform-api/backup-restore-radius-secret/m-p/5429753#M4877</link>
      <description>&lt;P&gt;It's a funny one with secrets in the API. On the one hand I understand why they don't allow downloading them but on the other hand if you have permissions to upload a new one and replace it with your own, then why wouldn't you have permissions to download the existing one?&lt;/P&gt;&lt;P&gt;As it currently stands we store various secrets separately and when we hit endpoints that require uploading secrets then we apply them from our secret store at that point.&lt;/P&gt;</description>
      <pubDate>Tue, 14 May 2024 07:41:46 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-platform-api/backup-restore-radius-secret/m-p/5429753#M4877</guid>
      <dc:creator>daniel_abbatt</dc:creator>
      <dc:date>2024-05-14T07:41:46Z</dc:date>
    </item>
    <item>
      <title>Re: Backup/Restore radius secret</title>
      <link>https://community.cisco.com/t5/network-platform-api/backup-restore-radius-secret/m-p/5429754#M4878</link>
      <description>&lt;P&gt;If this is important, I would use a "secrets" manager.&lt;/P&gt;&lt;P&gt;I've used Amazon AWS Cognito before.  You can do things like have the script authenticate the user (to verify they are allowed to retrieve the secret), and then get it.  I have used Cognito for storing Meraki API keys as well.  And if you want to get tricky, you can also team it up with a lambda script to automatically and regularly rotate the API key.  When the API key is no longer stored anywhere except the secrets manager, regularly changing it becomes easy.&lt;/P&gt;&lt;P&gt;&lt;A href="https://aws.amazon.com/pm/cognito/" target="_blank" rel="nofollow noopener noreferrer"&gt;https://aws.amazon.com/pm/cognito/&lt;/A&gt;&lt;/P&gt;&lt;P&gt;I am quite a fan of the Bitwarden password manager because of its enterprise features.  They also do a secrets manager - and they have a *free* plan option as well.&lt;/P&gt;&lt;P&gt;&lt;A href="https://bitwarden.com/products/secrets-manager/" target="_blank" rel="nofollow noopener noreferrer"&gt;https://bitwarden.com/products/secrets-manager/&lt;/A&gt;&lt;/P&gt;</description>
      <pubDate>Tue, 14 May 2024 21:04:34 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-platform-api/backup-restore-radius-secret/m-p/5429754#M4878</guid>
      <dc:creator>Philip D'Ath</dc:creator>
      <dc:date>2024-05-14T21:04:34Z</dc:date>
    </item>
    <item>
      <title>Re: Backup/Restore radius secret</title>
      <link>https://community.cisco.com/t5/network-platform-api/backup-restore-radius-secret/m-p/5429755#M4879</link>
      <description>&lt;P&gt;Hi, this is not something related to where to store secrets. The issue is that it is not possible to create a backup script which is able to retrieve all the required information, secrets included. This is to have a working configuration backup which could be restored if required. If the radius secret is missing, it is not possible to restore the radius configuration.&lt;/P&gt;&lt;P&gt;If we can retrieve the secret, also in encrypted form for security, we could later restore the configuration, including the secret (already encrypted).&lt;/P&gt;</description>
      <pubDate>Thu, 16 May 2024 08:33:51 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-platform-api/backup-restore-radius-secret/m-p/5429755#M4879</guid>
      <dc:creator>francesco.boscarino</dc:creator>
      <dc:date>2024-05-16T08:33:51Z</dc:date>
    </item>
    <item>
      <title>Re: Backup/Restore radius secret</title>
      <link>https://community.cisco.com/t5/network-platform-api/backup-restore-radius-secret/m-p/5429756#M4880</link>
      <description>&lt;P&gt;I did not explain my answer well.&lt;/P&gt;&lt;P&gt;Correct - you can not retrieve a RADIUS secret.  What you could do is store the RADIUS secret in a secrets manager.  When you provision or restore a network, always provision the RADIUS secret from the secrets manager.&lt;/P&gt;</description>
      <pubDate>Thu, 16 May 2024 08:51:49 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-platform-api/backup-restore-radius-secret/m-p/5429756#M4880</guid>
      <dc:creator>Philip D'Ath</dc:creator>
      <dc:date>2024-05-16T08:51:49Z</dc:date>
    </item>
    <item>
      <title>Re: Backup/Restore radius secret</title>
      <link>https://community.cisco.com/t5/network-platform-api/backup-restore-radius-secret/m-p/5429757#M4881</link>
      <description>&lt;P&gt;You are right, but if writing a tool, not only for my configurations, the tool does not have a history of the secret; it should retrieve it from the API and restore it if necessary.&lt;/P&gt;</description>
      <pubDate>Thu, 16 May 2024 08:54:07 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-platform-api/backup-restore-radius-secret/m-p/5429757#M4881</guid>
      <dc:creator>francesco.boscarino</dc:creator>
      <dc:date>2024-05-16T08:54:07Z</dc:date>
    </item>
  </channel>
</rss>

