EAP Host Profiles
There are features and functions used in Arista NetVisor UNUM and Insight Analytics that are common throughout the user interface (UI). Please refer to the Common Functions section for more information on the use of these functions and features.
EAP (Extensible Authentication Protocol) is an authentication framework supporting multiple authentication schemes. EAP customarily runs directly over data link layers such as the Point-to-Point Protocol (PPP) or IEEE 802.x, without requiring Internet Protocol.
An Arista switch can be connected to an out-of-band network for management purposes using the dedicated management interface.
Starting from NetVisor OS release 6.1.0, it is possible to use the switch-setup-modify command to configure the standard IEEE 802.1X authentication (as a supplicant) on the switch management interface. The interface needs to be connected to an authenticator device and cannot be part of a LAG for this feature to work.
An external network device used for out-of-band connectivity may run the IEEE 802.1X standard as an authenticator. In such cases, for security purposes, the network administrator may want to enable the IEEE 802.1X authentication exchange between the switch management interface (as a supplicant) and the external authenticator.
Once the management interface is configured as a supplicant and comes up, it sends out a special 802.1X message (EAPoL Start) to start the authentication process. If the authentication of the configured credentials is successful, then the interface is authorized. Before the interface is authenticated, only 802.1X packets are allowed, and all other traffic is dropped on the authenticator device.
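The following is an added illustration, not code from Arista or NetVisor UNUM: it parses the EAPOL frame header (EtherType 0x888E; version 1 for 802.1X-2001, 2 for 802.1X-2004) and models the authenticator-side port rule just described, where an unauthorized port admits only 802.1X frames and everything else is dropped until authorization succeeds. All frames and MAC addresses are constructed in the block.

```python
# Added example (not NetVisor UNUM code): EAPOL header parsing plus the
# pre-authentication port filter of an 802.1X authenticator. Frames are constructed.
import struct

ETHERTYPE_EAPOL = 0x888E
PAE_GROUP_ADDR = bytes.fromhex("0180c2000003")  # 802.1X PAE group destination address
EAPOL_TYPES = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff", 3: "EAPOL-Key"}
EAPOL_VERSIONS = {1: "802.1X-2001", 2: "802.1X-2004"}  # EAPOL protocol version field


def parse_eapol(frame: bytes):
    """Return (version_name, type_name) for a well-formed EAPOL frame, else None."""
    if len(frame) < 18:  # 14-byte Ethernet header + 4-byte EAPOL header
        return None
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != ETHERTYPE_EAPOL:
        return None
    version, ptype, body_len = struct.unpack("!BBH", frame[14:18])
    if len(frame) < 18 + body_len:
        return None  # truncated body: treat as malformed rather than as valid EAPOL
    return (EAPOL_VERSIONS.get(version, f"unknown({version})"),
            EAPOL_TYPES.get(ptype, f"unknown({ptype})"))


def build_eapol(version: int, ptype: int, src_mac: bytes, body: bytes = b"") -> bytes:
    """Build a supplicant EAPOL frame addressed to the PAE group address."""
    hdr = struct.pack("!HBBH", ETHERTYPE_EAPOL, version, ptype, len(body))
    return PAE_GROUP_ADDR + src_mac + hdr + body


class AuthenticatorPort:
    """Port state on the authenticator: before authorization only EAPOL passes."""

    def __init__(self) -> None:
        self.authorized = False

    def admit(self, frame: bytes) -> bool:
        """True if the frame is forwarded, False if it is dropped."""
        if self.authorized:
            return True
        return parse_eapol(frame) is not None


def demo() -> dict:
    """Constructed supplicant MAC and frames; returns the filter decisions."""
    supplicant = bytes.fromhex("0200000000aa")  # constructed locally administered MAC
    port = AuthenticatorPort()
    start = build_eapol(2, 1, supplicant)  # EAPOL-Start, version 802.1X-2004
    ipv4 = bytes(6) + supplicant + b"\x08\x00" + b"\x45" + bytes(19)  # non-EAPOL frame
    before = {"eapol_start": port.admit(start), "ipv4": port.admit(ipv4)}
    port.authorized = True  # credentials accepted: port transitions to authorized
    return {"before": before, "after": {"ipv4": port.admit(ipv4)}, "parsed": parse_eapol(start)}
```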
To set management access authentication, use the EAP Host Profiles feature.
The general process involves creating the authentication profile and then enabling the profile.
Technical Note: Use NetVisor UNUM to create the profile.
Enabling profiles is performed via the CLI console.
Enable the profile using the switch-setup-modify command by specifying the newly created profile plus an additional parameter such as the standard version to use:
CLI (network-admin@switch) > switch-setup-modify mgmt-dot1x-enable mgmt-dot1x-profiles profile1 mgmt-dot1x-version 802.1X-2004
Caution: When using EAP Host Profiles, the TOR (Top-of-Rack) switch must have 802.1X enabled; otherwise the management link will fail, resulting in a loss of SSH connectivity. Arista Networks recommends enabling and successfully testing a single profile on a non-Seed switch before proceeding with the other switches in the Fabric.
Creating the Profile
Selecting Manager → Fabric → Communication → EAP Host Files displays the EAP Host Profiles dashboard with a list of any existing Host Profile entries.
Select the applicable Fabric from the left-hand navigation bar and the dashboard updates showing all Host Profile entries from all switches within the Fabric.
Note: If no entries exist, a "No Data Exists" message is displayed. You must first configure an entry on a switch. Prerequisite settings and configuration may be required.
The dashboard displays a list of existing Host Profile entries by Fabric. Additional parameters include: Switch, Name, Mode, Identity, and Scope.
Manager Communication EAP Host Profiles Dashboard
Create a Host Profile
To create a host profile, click Create a Host Profile and enter the requisite information for:
• Switch / FRG – Name of the Fabric Resource Group (FRG), a switch, or All switches.
• Name – The name for the profile.
• Mode – EAP authentication mode (drop-down).
• Identity – The name of the user identity.
• Password – Enter a password for the identity.
Additional fields include:
• Scope – local or cluster (drop-down).
Manager Communication EAP Host Profiles - Create a Host Profile
Modify a Host Profile
Modify a host profile by selecting Edit using the Cog icon.
Enter the updated information.
Manager Communication EAP Host Profiles - Modify a Host Profile
Click Save to apply the changes, or Cancel to return to the previous screen without making any changes.
The dashboard displays the new information.
Manager Communication EAP Host Profiles Updated Dashboard
Delete a Host Profile
Delete an entry by selecting Delete using the Cog icon.
Manager Communication EAP Host Profiles - Delete
Click OK to continue or Cancel to return to the previous screen without making any changes.
Enabling the Profile
Enabling profiles is performed via the CLI console.
Enable the profile using the switch-setup-modify command by specifying the newly created profile plus an additional parameter such as the standard version to use:
CLI (network-admin@switch) > switch-setup-modify mgmt-dot1x-enable mgmt-dot1x-profiles profile1 mgmt-dot1x-version 802.1X-2004