I'm looking to integrate our clusters into AD so that when we log into the CLI/GUI we can do so with our AD logons. Maybe I'm missing something, but the only thing I can see in the documentation is that you can set up a domain tunnel from a data vserver. This isn't what I'm after, as when you log onto the CLI to admin the filer you log in to the cluster vserver. I've not really seen much mentioned of RADIUS apart from using that as the authentication method for CHAP with iSCSI.
Could anyone point me in the right direction for getting ONTAP 8.3.2 working with AD logons for the cluster-level CLI?
On our clusters, we set up dedicated domain tunnel vservers. The CLI functions of the domain need to pass through this vserver. The reason why we chose to dedicate a vserver was for our SVM-DR and all that; we didn't want to remember to move the domain tunnel.
That's part one, and then on security login you need to create the group which you want SSH access for.
How does that work then? So you have a dedicated vserver just for the domain tunnel. Let's call that VS_TUN. Your cluster mgmt IP lives in your cluster vserver. Let's call that VS_CLUS.
So when I want to log into the cluster CLI to create a volume in any of the vservers, I'd log onto the cluster mgmt IP, which lives in VS_CLUS. Doesn't that mean you can't do the AD logon piece, otherwise you'd be logging onto a data vserver where you wouldn't have full control over the cluster?
But if I log into any SVM other than the cluster SVM, I can only control that SVM that I've logged into. I get how the AD auth works with the tunnel on those SVMs, but I want to know if there is a way to log on to the cluster SVM and have an AD tunnel or similar setup.
As JGPSHNTAP says, this is how it works. The "tunnel" part of the domain-tunnel is a key concept to keep in mind: the cluster SVM talks to AD via the configured data SVM, through the domain-tunnel. With ONTAP 9.3, we also support two-factor authentication (2FA) via this method.
This is now working, thanks. I guess what I wasn't clear about is that the tunnel has to be attached to a data SVM, but then this allows domain authentication to work on any SVM on that cluster. I thought that if you set the tunnel up on SVM01 then it only enabled domain authentication on that SVM.
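The full sequence the thread arrives at, written out as an added example in the ONTAP clustershell (this is not taken from any of the posters or from NetApp documentation). It assumes a cluster named `cluster1`, a CIFS-joined data SVM named `VS_TUN` used only as the tunnel, and an AD group `CORP\ontap-admins`; those names are placeholders. Every command is a standard `security login` or `vserver cifs` command available in ONTAP 8.3.

```text
# 1. The tunnel SVM must already have a CIFS server joined to the domain;
#    the domain tunnel only forwards authentication, it does not join AD itself.
cluster1::> vserver cifs show -vserver VS_TUN -fields cifs-server,domain

# 2. Designate that data SVM as the cluster's single domain tunnel.
#    Only one domain tunnel exists per cluster, and it serves every SVM.
cluster1::> security login domain-tunnel create -vserver VS_TUN
cluster1::> security login domain-tunnel show

# 3. Grant an AD group access to the CLUSTER SVM (the admin SVM is named after
#    the cluster), one entry per application. Use the least role that fits:
#    "admin" for the operators' group, "readonly" for an audit/monitoring group.
cluster1::> security login create -vserver cluster1 -user-or-group-name "CORP\ontap-admins" \
            -application ssh    -authentication-method domain -role admin
cluster1::> security login create -vserver cluster1 -user-or-group-name "CORP\ontap-admins" \
            -application http   -authentication-method domain -role admin
cluster1::> security login create -vserver cluster1 -user-or-group-name "CORP\ontap-admins" \
            -application ontapi -authentication-method domain -role admin
cluster1::> security login create -vserver cluster1 -user-or-group-name "CORP\ontap-readers" \
            -application ssh    -authentication-method domain -role readonly

# 4. Verify what was granted before handing out the access.
cluster1::> security login show -vserver cluster1 -authentication-method domain

# 5. From an admin workstation, log in to the cluster management LIF with the
#    domain account. The backslash needs escaping or quoting in most SSH clients.
$ ssh "CORP\\jdoe"@cluster1-mgmt
```

Two points worth checking afterwards: keep at least one local cluster admin account with password authentication, because every domain login on the cluster SVM depends on `VS_TUN` being up and its CIFS server still joined (deleting or re-joining that CIFS server, or failing the SVM over without the tunnel, silently breaks cluster-level AD logins); and review `security login show` periodically, since group-based entries grant access to everyone AD later adds to that group, not just the members at the time the entry was created.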