Configuring 802.1X Authentication During Switch Setup
An Arista switch can be connected to an out-of-band network for management purposes using the dedicated management interface.
Starting from NetVisor OS release 6.1.0, it is possible to use the switch-setup-modify command to configure the standard IEEE 802.1X authentication (as a supplicant) on the switch management interface. The interface needs to be connected to an authenticator device and cannot be part of a LAG for this feature to work.
An external network device used for out-of-band connectivity may be capable of running the IEEE 802.1X standard as an authenticator. In such cases, for security purposes the network administrator may want to enable the IEEE 802.1X authentication exchange between the switch management interface (as a supplicant) and the external authenticator.
Once the management interface is configured as supplicant and comes up, it sends out a special 802.1X message (EAPoL Start) to start the authentication process. If the authentication of the configured credentials is successful, then the interface is authorized. Before the interface is authenticated, only 802.1X packets are allowed and all other traffic is dropped on the authenticator device.
Note: In NetVisor OS release 6.1.0, support was added for the EAP-MD5 authentication method only. NetVisor OS supports both the 802.1X-2001 version of the standard, for interoperability with older authenticators, and the 802.1X-2004 version.
802.1X can be configured during a fresh switch install, or later with the switch-setup-modify command, and verified with switch-setup-show.
However, the 802.1X configuration requires a host profile to exist before the feature can be enabled. A profile cannot be created from within the switch-setup-modify command, so a two-step process is required.
First, a host profile needs to be created like so:
CLI (network-admin@switch) > eap-host-profile-create name profile1 mode md5 identity user1 password
password for user identity:
confirm password for user identity:
The profile can be created with local (or cluster) scope and then verified with the command:
CLI (network-admin@switch) > eap-host-profile-show
switch name mode identity scope
------- ------------- ---- ----------- -----
switch profile1 md5 user1 local
Then 802.1X can be enabled with the switch-setup-modify command by specifying the newly created profile plus an additional parameter such as the standard version to use:
CLI (network-admin@switch) > switch-setup-modify mgmt-dot1x-enable mgmt-dot1x-profiles profile1 mgmt-dot1x-version 802.1X-2004
CLI (network-admin@switch) > switch-setup-show
switch-name: switch
mgmt-dot1x-enable: true
mgmt-dot1x-version: 802.1X-2004
mgmt-dot1x-profiles: profile1
mgmt-dot1x-status: CONNECTING
mgmt-ip: 10.14.8.90/23
mgmt-ip-assignment: static
mgmt-ip6: fe80::660e:94ff:fe4c:de/64
mgmt-ip6-assignment: autoconf
mgmt-link-state: up
mgmt-link-speed: 1g
in-band-ip: 192.168.3.55/24
in-band-ip6: fe80::640e:94ff:fe03:faf8/64
in-band-ip6-assign: autoconf
gateway-ip: 10.14.8.1
dns-ip: 10.135.2.13
dns-secondary-ip: 10.20.4.1
domain-name: pluribusnetworks.com
ntp-server: 10.135.2.13
ntp-secondary-server: 10.20.4.1
ntp-tertiary-server: 2.ubuntu.pool.ntp.org
timezone: America/Los_Angeles
date: 2021-04-09,03:37:57
hostid: 436207619
location-id: 1
enable-host-ports: yes
banner: * Welcome to Arista Networks Inc. Netvisor(R). This is a monitored system. *
* ACCESS RESTRICTED TO AUTHORIZED USERS ONLY *
* By using the Netvisor(R) CLI, you agree to the terms of the Arista Networks *
* End User License Agreement (EULA). The EULA can be accessed via *
* http://www.arista.com/eula or by using the command "eula-show"
The mgmt-dot1x-status line in the output can have one of these values:
- AUTHENTICATED (authentication successful and port authorized)
- CONNECTING (connecting to the authenticator, check periodically for updates)
- UNKNOWN (unknown condition that can occur in corner cases)
- HELD (authentication failed on the authentication backend server)
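The status values above are what an operator polls when checking whether the management interface actually got authorized. The following is an added example (not NetVisor code) that parses the text of switch-setup-show and classifies mgmt-dot1x-status for monitoring; the sample output is constructed to match the fields shown on this page, and the names parse_switch_setup, dot1x_check and STATUS_MEANING are assumptions of this example.

```python
"""Classify the 802.1X state of the management interface from the text of
`switch-setup-show`. Added example; not part of NetVisor OS."""
import re

# Constructed sample output in the same key: value layout as on this page,
# including a banner continuation line that must not be read as a field.
SAMPLE_OUTPUT = """\
switch-name: switch
mgmt-dot1x-enable: true
mgmt-dot1x-version: 802.1X-2004
mgmt-dot1x-profiles: profile1
mgmt-dot1x-status: HELD
mgmt-ip: 10.14.8.90/23
mgmt-link-state: up
banner: * Welcome. This is a monitored system. *
* http://www.arista.com/eula or by using the command "eula-show"
"""

# Meaning of each documented status value and the operator action it implies.
STATUS_MEANING = {
    "AUTHENTICATED": ("ok", "authentication successful, port authorized"),
    "CONNECTING": ("pending", "still exchanging with the authenticator; re-check later"),
    "UNKNOWN": ("investigate", "corner-case state; check link and authenticator"),
    "HELD": ("alert", "backend rejected the credentials; profile and backend disagree"),
}

FIELD_KEY = re.compile(r"^[a-z0-9-]+$")


def parse_switch_setup(text):
    """Return {field: value} for lines of the form 'key: value'.
    Banner continuation lines (which may contain ':') are skipped because
    their 'key' is not a plain hyphenated identifier."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and FIELD_KEY.match(key):
            fields[key] = value.strip()
    return fields


def dot1x_check(text):
    """Return (level, message) for the management interface 802.1X state."""
    f = parse_switch_setup(text)
    if f.get("mgmt-dot1x-enable") != "true":
        return ("disabled", "802.1X is not enabled on the management interface")
    status = f.get("mgmt-dot1x-status", "")
    level, meaning = STATUS_MEANING.get(
        status, ("investigate", "unrecognized status value %r" % status))
    detail = "profiles=%s version=%s" % (
        f.get("mgmt-dot1x-profiles"), f.get("mgmt-dot1x-version"))
    return (level, "%s: %s (%s)" % (status, meaning, detail))


if __name__ == "__main__":
    print(dot1x_check(SAMPLE_OUTPUT))
```

Feed the function the captured output of switch-setup-show from each switch; a HELD result points at a credential mismatch between the eap-host-profile and the backend, while a CONNECTING result that persists across polls points at the authenticator side of the link.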
After connecting, if the credentials are correctly configured both in the backend's database and in the supplicant's profile, the port gets authenticated as shown below:
CLI (network-admin@switch) > switch-setup-show
switch-name: switch
mgmt-dot1x-enable: true
mgmt-dot1x-version: 802.1X-2004
mgmt-dot1x-profiles: profile1
mgmt-dot1x-status: AUTHENTICATED
mgmt-ip: 10.14.8.90/23
mgmt-ip-assignment: static
mgmt-ip6: fe80::660e:94ff:fe4c:de/64
mgmt-ip6-assignment: autoconf
mgmt-link-state: up
mgmt-link-speed: 1g
in-band-ip: 192.168.3.55/24
in-band-ip6: fe80::640e:94ff:fe03:faf8/64
in-band-ip6-assign: autoconf
gateway-ip: 10.14.8.1
dns-ip: 10.135.2.13
dns-secondary-ip: 10.20.4.1
domain-name: pluribusnetworks.com
<snip>
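To make concrete why the port moves to AUTHENTICATED only when the profile password and the backend's copy agree (and to HELD otherwise), here is an added model of the EAPOL-Start, Identity and EAP-MD5 challenge/response exchange described earlier. It is example code, not NetVisor's implementation: the byte layouts follow IEEE 802.1X-2004 (EAPOL header) and RFC 3748 (EAP and MD5-Challenge), and the names eapol, eap, md5_response and run_exchange, as well as the profile and backend dictionaries, are assumptions of this example. It also carries the caveat a practitioner should keep in mind with EAP-MD5: the method authenticates the supplicant to the backend only (no mutual authentication) and derives no keys, so it gates the port but does not protect the traffic that follows.

```python
"""Model of the 802.1X exchange between the management interface
(supplicant) and an authenticator backed by a credential store.
Constructed example: frame layouts follow IEEE 802.1X-2004 (EAPOL) and
RFC 3748 (EAP, MD5-Challenge); this is not NetVisor's own code."""
import hashlib
import hmac
import os
import struct

EAPOL_VERSION_2001, EAPOL_VERSION_2004 = 1, 2   # EAPOL protocol version field
EAPOL_TYPE_EAP_PACKET, EAPOL_TYPE_START = 0, 1
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
EAP_TYPE_IDENTITY, EAP_TYPE_MD5 = 1, 4


def eapol(packet_type, body=b"", version=EAPOL_VERSION_2004):
    """EAPOL header: version, packet type, body length (big-endian), then body."""
    return struct.pack("!BBH", version, packet_type, len(body)) + body


def eap(code, ident, eap_type=None, data=b""):
    """EAP packet: code, identifier, total length, then type and type-data."""
    body = b"" if eap_type is None else bytes([eap_type]) + data
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body


def parse_eap(pkt):
    """Return (code, identifier, type-and-data) from an EAP packet."""
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    return code, ident, pkt[4:length]


def md5_response(ident, secret, challenge):
    """RFC 3748 section 5.4: MD5(identifier || secret || challenge).
    No mutual authentication and no key derivation: it only gates the port."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


def run_exchange(profile, backend, challenge=None):
    """Walk the exchange and return the resulting mgmt-dot1x-status string.
    profile: {'identity': ..., 'password': ...} as given to eap-host-profile-create.
    backend: {identity: password} held by the authentication server."""
    # 1. Link comes up: supplicant sends EAPOL-Start (empty body). Until
    #    EAP-Success the authenticator forwards only EAPOL frames (CONNECTING).
    frame = eapol(EAPOL_TYPE_START)
    _version, ptype, length = struct.unpack("!BBH", frame[:4])
    if ptype != EAPOL_TYPE_START or length != 0:
        return "UNKNOWN"

    # 2. Authenticator asks for the identity; supplicant answers from its profile,
    #    reusing the request's identifier as EAP requires.
    request = eap(EAP_REQUEST, 1, EAP_TYPE_IDENTITY)
    _, ident, _ = parse_eap(request)
    reply = eap(EAP_RESPONSE, ident, EAP_TYPE_IDENTITY, profile["identity"].encode())
    _, _, body = parse_eap(reply)
    identity = body[1:].decode()
    if identity not in backend:
        return "HELD"           # EAP-Failure: unknown user

    # 3. Authenticator sends MD5-Challenge: value-size byte, then the challenge.
    if challenge is None:
        challenge = os.urandom(16)
    req = eapol(EAPOL_TYPE_EAP_PACKET,
                eap(EAP_REQUEST, 2, EAP_TYPE_MD5, bytes([len(challenge)]) + challenge))
    _, ident, body = parse_eap(req[4:])         # strip the EAPOL header
    chal = body[2:2 + body[1]]

    # 4. Supplicant answers with MD5(id || password || challenge) plus its name.
    digest = md5_response(ident, profile["password"].encode(), chal)
    resp = eap(EAP_RESPONSE, ident, EAP_TYPE_MD5,
               bytes([len(digest)]) + digest + identity.encode())

    # 5. Backend recomputes with its own copy of the password and compares.
    _, ident, body = parse_eap(resp)
    got = body[2:2 + body[1]]
    expected = md5_response(ident, backend[identity].encode(), chal)
    if hmac.compare_digest(got, expected):
        return "AUTHENTICATED"  # EAP-Success: port authorized
    return "HELD"               # EAP-Failure: quiet period before the next attempt


if __name__ == "__main__":
    store = {"user1": "s3cret"}                         # constructed backend entry
    print(run_exchange({"identity": "user1", "password": "s3cret"}, store))
    print(run_exchange({"identity": "user1", "password": "typo"}, store))
```

The first call ends in AUTHENTICATED, the second in HELD, mirroring the two switch-setup-show outputs above. The version byte in the EAPOL header is what mgmt-dot1x-version selects: 1 for 802.1X-2001 and 2 for 802.1X-2004.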
The same two-step process can be used during a fresh switch install like so:
Netvisor OS Command Line Interface 6.1
By ANSWERING "YES" TO THIS PROMPT YOU ACKNOWLEDGE THAT YOU HAVE READ THE TERMS OF THE PLURIBUS NETWORKS END USER LICENSE AGREEMENT (EULA) AND AGREE TO THEM. [YES | NO | EULA]?: YES or NO?
By ANSWERING "YES" TO THIS PROMPT YOU ACKNOWLEDGE THAT YOU HAVE READ THE TERMS OF THE PLURIBUS NETWORKS END USER LICENSE AGREEMENT (EULA) AND AGREE TO THEM. [YES | NO | EULA]?: YES or NO?
By ANSWERING "YES" TO THIS PROMPT YOU ACKNOWLEDGE THAT YOU HAVE READ THE TERMS OF THE PLURIBUS NETWORKS END USER LICENSE AGREEMENT (EULA) AND AGREE TO THEM. [YES | NO | EULA]?: YES or NO?
By ANSWERING "YES" TO THIS PROMPT YOU ACKNOWLEDGE THAT YOU HAVE READ THE TERMS OF THE PLURIBUS NETWORKS END USER LICENSE AGREEMENT (EULA) AND AGREE TO THEM. [YES | NO | EULA]?: YES or NO?
By ANSWERING "YES" TO THIS PROMPT YOU ACKNOWLEDGE THAT YOU HAVE READ THE TERMS OF THE PLURIBUS NETWORKS END USER LICENSE AGREEMENT (EULA) AND AGREE TO THEM. [YES | NO | EULA]?: YES
Switch setup required:
Switch Name (switch):
network-admin Password:
Re-enter Password:
Mgmt IP/Netmask (10.14.8.90/23):
Mgmt IPv6/Netmask:
In-band IP/Netmask (192.168.3.55/24):
In-band IPv6/Netmask:
Gateway IP (10.14.8.1):
Gateway IPv6:
Primary DNS IP (10.135.2.13):
Secondary DNS IP (10.20.4.1):
Domain name (pluribusnetworks.com):
Automatically Upload Diagnostics (yes):
Enable host ports by default (yes):
Switch Setup:
Switch Name : switch
Mgmt 802.1x cfg : no
Mgmt 802.1x profiles :
Mgmt 802.1x status :
Switch Mgmt IP : 10.14.8.90/23
Switch Mgmt IPv6 : fe80::660e:94ff:fe4c:de/64
Switch In-band IP : 192.168.3.55/24
Switch In-band IPv6 : fe80::640e:94ff:fe03:faf8/64
Switch Gateway : 10.14.8.1
Switch IPv6 Gateway : ::
Switch DNS Server : 10.135.2.13
Switch DNS2 Server : 10.20.4.1
Switch Domain Name : pluribusnetworks.com
Switch NTP Server : 10.135.2.13
Switch Timezone : America/Los_Angeles
Switch Date : 2021-04-09,04:00:14
Enable host ports : yes
Analytics Store : optimized
Fabric required. Please use fabric-create/join/show
Connected to Switch switch; nvOS Identifier:0x1a000003; Ver: 6.1.0-6010018092
CLI (network-admin@switch) > eap-host-profile-create name profile1 mode md5 identity user1 password
password for user identity:
confirm password for user identity:
CLI (network-admin@switch) > switch-setup-modify mgmt-dot1x-enable mgmt-dot1x-profiles profile1 mgmt-dot1x-version 802.1X-2004
Note: If you try to delete a profile that is in use, you will get an error message:
CLI (network-admin@switch) > eap-host-profile-delete name profile1
eap-host-profile-delete: EAP Host profile profile1 is currently used
If you need to delete a profile that is in use, first create and assign another profile, then delete the old one:
CLI (network-admin@switch) > switch-setup-modify mgmt-dot1x-profiles profile2
CLI (network-admin@switch) > eap-host-profile-delete name profile1
CLI (network-admin@switch) > eap-host-profile-show
switch name mode identity scope
------- ------------- ---- ----------- -----
switch profile2 md5 user1 local
802.1X can be disabled with the following command:
CLI (network-admin@switch) > switch-setup-modify mgmt-dot1x-disable