Configuring 802.1X Authentication During Switch Setup


An Arista switch can be connected to an out-of-band network for management purposes using the dedicated management interface.


Starting from NetVisor OS release 6.1.0, it is possible to use the switch-setup-modify command to configure the standard IEEE 802.1X authentication (as a supplicant) on the switch management interface. The interface needs to be connected to an authenticator device and cannot be part of a LAG for this feature to work.


An external network device used for out-of-band connectivity may be capable of running the IEEE 802.1X standard as an authenticator. In such cases, for security purposes the network administrator may want to enable the IEEE 802.1X authentication exchange between the switch management interface (as a supplicant) and the external authenticator.


Once the management interface is configured as supplicant and comes up, it sends out a special 802.1X message (EAPoL Start) to start the authentication process. If the authentication of the configured credentials is successful, then the interface is authorized. Before the interface is authenticated, only 802.1X packets are allowed and all other traffic is dropped on the authenticator device.


Note: In NetVisor OS release 6.1.0, support was added for the EAP-MD5 authentication method only. In addition, NetVisor OS supports both the 802.1X-2004 version of the standard and the 802.1X-2001 version, the latter for interoperability with older authenticators.
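The exchange described above (EAPoL-Start from the supplicant, EAP Request/Response for the identity and the MD5 challenge, then EAP Success or Failure that authorizes or holds the port), simulated end to end as an added example. This is not NetVisor OS code; the frame layouts follow IEEE 802.1X and RFC 3748, and the identity, password, challenge and user database are constructed sample values. The supplicant's state names deliberately mirror the mgmt-dot1x-status values (CONNECTING, AUTHENTICATED, HELD) so the two can be read side by side.

```python
"""Simulated EAPoL/EAP-MD5 exchange between a supplicant and an authenticator.

Added example, not NetVisor OS code. Frame layouts follow IEEE 802.1X (EAPoL)
and RFC 3748 (EAP, MD5-Challenge); credentials and challenge are constructed.
"""
import hashlib
import hmac
import os
import struct

# EAPoL header: version(1) type(1) body-length(2).
EAPOL_VERSION = {"802.1X-2001": 1, "802.1X-2004": 2}
EAPOL_EAP_PACKET, EAPOL_START = 0, 1

# EAP codes and method types (RFC 3748).
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
EAP_TYPE_IDENTITY, EAP_TYPE_MD5_CHALLENGE = 1, 4


def eapol(ptype, body=b"", version=2):
    return struct.pack("!BBH", version, ptype, len(body)) + body


def eap(code, ident, data=b""):
    # EAP header: code(1) identifier(1) length(2); length includes the header.
    return struct.pack("!BBH", code, ident, 4 + len(data)) + data


def parse_eapol(frame):
    version, ptype, length = struct.unpack("!BBH", frame[:4])
    return version, ptype, frame[4:4 + length]


def parse_eap(pkt):
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    return code, ident, pkt[4:length]


def md5_challenge_response(ident, password, challenge):
    # MD5-Challenge value (RFC 3748 5.4 / RFC 1994): MD5(identifier || secret || challenge).
    return hashlib.md5(bytes([ident]) + password + challenge).digest()


class Supplicant:
    """The management interface: sends EAPoL-Start, then answers each EAP Request."""

    def __init__(self, identity, password, version="802.1X-2004"):
        self.identity, self.password = identity.encode(), password.encode()
        self.version = EAPOL_VERSION[version]
        self.status = "CONNECTING"  # same state names as mgmt-dot1x-status

    def start(self):
        return eapol(EAPOL_START, version=self.version)

    def handle(self, frame):
        _, _, body = parse_eapol(frame)
        code, ident, data = parse_eap(body)
        if code == EAP_SUCCESS:
            self.status = "AUTHENTICATED"
            return None
        if code == EAP_FAILURE:
            self.status = "HELD"
            return None
        if data[0] == EAP_TYPE_IDENTITY:
            payload = bytes([EAP_TYPE_IDENTITY]) + self.identity
        elif data[0] == EAP_TYPE_MD5_CHALLENGE:
            challenge = data[2:2 + data[1]]
            digest = md5_challenge_response(ident, self.password, challenge)
            payload = bytes([EAP_TYPE_MD5_CHALLENGE, len(digest)]) + digest + self.identity
        else:
            return None  # unsupported method: EAP-MD5 is the only one configured here
        return eapol(EAPOL_EAP_PACKET, eap(EAP_RESPONSE, ident, payload), self.version)


class Authenticator:
    """The external device with its user database; it gates the port on the result."""

    def __init__(self, users):
        self.users = {u.encode(): p.encode() for u, p in users.items()}
        self.ident, self.peer, self.challenge = 0, None, None
        self.port_authorized = False  # until True, only EAPoL is forwarded

    def handle(self, frame):
        _, ptype, body = parse_eapol(frame)
        if ptype == EAPOL_START:
            self.ident = 1
            return eapol(EAPOL_EAP_PACKET, eap(EAP_REQUEST, self.ident, bytes([EAP_TYPE_IDENTITY])))
        code, ident, data = parse_eap(body)
        if code != EAP_RESPONSE or ident != self.ident:
            return None  # stale or out-of-order response: ignore
        if data[0] == EAP_TYPE_IDENTITY:
            self.peer, self.challenge, self.ident = data[1:], os.urandom(16), self.ident + 1
            req = bytes([EAP_TYPE_MD5_CHALLENGE, 16]) + self.challenge
            return eapol(EAPOL_EAP_PACKET, eap(EAP_REQUEST, self.ident, req))
        if data[0] == EAP_TYPE_MD5_CHALLENGE:
            secret = self.users.get(self.peer)
            ok = secret is not None and hmac.compare_digest(
                data[2:2 + data[1]], md5_challenge_response(ident, secret, self.challenge))
            self.port_authorized = ok
            return eapol(EAPOL_EAP_PACKET, eap(EAP_SUCCESS if ok else EAP_FAILURE, ident))
        return None


def run_exchange(identity, password, backend_users, version="802.1X-2004"):
    """Drive one full exchange; returns (supplicant status, port authorized)."""
    sup, auth = Supplicant(identity, password, version), Authenticator(backend_users)
    frame = sup.start()
    while frame is not None:
        reply = auth.handle(frame)
        frame = sup.handle(reply) if reply is not None else None
    return sup.status, auth.port_authorized


if __name__ == "__main__":
    print(run_exchange("user1", "s3cret", {"user1": "s3cret"}))  # ('AUTHENTICATED', True)
    print(run_exchange("user1", "wrong", {"user1": "s3cret"}))   # ('HELD', False)
```

A mismatch between the profile's credentials and the backend database ends in EAP Failure, which is the HELD state in the status output. Note that EAP-MD5 authenticates only the supplicant to the network; RFC 3748 lists it as providing neither mutual authentication nor key derivation, so the supplicant cannot verify the authenticator it is talking to.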


802.1X can be configured during a fresh switch install or later using the switch-setup-modify and switch-setup-show commands.


However, the 802.1X configuration requires the creation of a host profile before the feature can be enabled. That cannot be achieved within the switch-setup-modify command, so a two-step process is required.


First, a host profile needs to be created like so:


CLI (network-admin@switch) > eap-host-profile-create name profile1 mode md5 identity user1 password 

password for user identity: 

confirm password for user identity: 


The profile can be created with local (or cluster) scope and then verified with the command:


CLI (network-admin@switch) > eap-host-profile-show

switch  name          mode identity    scope 

------- ------------- ---- ----------- ----- 

switch  profile1      md5  user1       local


Then 802.1X can be enabled with the switch-setup-modify command by specifying the newly created profile plus an additional parameter such as the standard version to use:


CLI (network-admin@switch) > switch-setup-modify mgmt-dot1x-enable mgmt-dot1x-profiles profile1 mgmt-dot1x-version 802.1X-2004 


CLI (network-admin@switch) > switch-setup-show

switch-name:               switch

mgmt-dot1x-enable:         true

mgmt-dot1x-version:        802.1X-2004

mgmt-dot1x-profiles:       profile1

mgmt-dot1x-status:         CONNECTING

mgmt-ip:                   10.14.8.90/23

mgmt-ip-assignment:        static

mgmt-ip6:                  fe80::660e:94ff:fe4c:de/64

mgmt-ip6-assignment:       autoconf

mgmt-link-state:           up

mgmt-link-speed:           1g

in-band-ip:                192.168.3.55/24

in-band-ip6:               fe80::640e:94ff:fe03:faf8/64

in-band-ip6-assign:        autoconf

gateway-ip:                10.14.8.1

dns-ip:                    10.135.2.13

dns-secondary-ip:          10.20.4.1

domain-name:               pluribusnetworks.com

ntp-server:                10.135.2.13

ntp-secondary-server:      10.20.4.1

ntp-tertiary-server:       2.ubuntu.pool.ntp.org

timezone:                  America/Los_Angeles

date:                      2021-04-09,03:37:57

hostid:                    436207619

location-id:               1

enable-host-ports:         yes

banner:                    * Welcome to Arista Networks Inc. Netvisor(R). This is a monitored system.     *

*                ACCESS RESTRICTED TO AUTHORIZED USERS ONLY                    *

* By using the Netvisor(R) CLI, you agree to the terms of the Arista Networks  *

* End User License Agreement (EULA). The EULA can be accessed via              *

* http://www.arista.com/eula or by using the command "eula-show"

 

The mgmt-dot1x-status line in the output can have one of these values:


  • AUTHENTICATED (authentication successful and port authorized)
  • CONNECTING (connecting to the authenticator, check periodically for updates)
  • UNKNOWN (unknown condition that can occur in corner cases)
  • HELD (authentication failed on the authentication backend server)


After connecting, if the credentials are correctly configured both in the backend's database and in the supplicant's profile, the port gets authenticated as shown below:


CLI (network-admin@switch) > switch-setup-show

switch-name:               switch

mgmt-dot1x-enable:         true

mgmt-dot1x-version:        802.1X-2004

mgmt-dot1x-profiles:       profile1

mgmt-dot1x-status:         AUTHENTICATED

mgmt-ip:                   10.14.8.90/23

mgmt-ip-assignment:        static

mgmt-ip6:                  fe80::660e:94ff:fe4c:de/64

mgmt-ip6-assignment:       autoconf

mgmt-link-state:           up

mgmt-link-speed:           1g

in-band-ip:                192.168.3.55/24

in-band-ip6:               fe80::640e:94ff:fe03:faf8/64

in-band-ip6-assign:        autoconf

gateway-ip:                10.14.8.1

dns-ip:                    10.135.2.13

dns-secondary-ip:          10.20.4.1

domain-name:               pluribusnetworks.com

<snip>
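The status list above says CONNECTING should be checked periodically, and the two show outputs illustrate the transition to AUTHENTICATED. As an added example, not NetVisor OS code, here is a small parser for the `switch-setup-show` key/value output and a poller that keeps reading it until the status settles. The outputs embedded below are constructed excerpts in the page's format, and `fetch_output` stands in for whatever actually runs the command against the switch (an SSH session, for instance); that transport is assumed, not shown.

```python
"""Parse switch-setup-show output and poll mgmt-dot1x-status until it settles.

Added example, not NetVisor OS code. The sample outputs are constructed excerpts
in the format this page shows; fetch_output is a stand-in for the real transport.
"""
import re

KEY_VALUE = re.compile(r"^([a-z0-9-]+):\s*(.*)$")

# What each mgmt-dot1x-status value means for the operator.
FINAL = {
    "AUTHENTICATED": "authentication successful, port authorized",
    "HELD": "authentication failed on the backend server: compare the profile's "
            "identity/password with the server's user database",
}
TRANSIENT = {
    "CONNECTING": "still talking to the authenticator; keep polling",
    "UNKNOWN": "corner-case state; keep polling and investigate if it persists",
}


def parse_switch_setup_show(text):
    """Return {key: value} for 'key: value' lines; banner continuation lines are skipped."""
    fields = {}
    for line in text.splitlines():
        m = KEY_VALUE.match(line.strip())
        if m and m.group(1) not in fields:  # first occurrence wins
            fields[m.group(1)] = m.group(2).strip()
    return fields


def assess_dot1x(fields):
    """Return (status, settled, note); settled=True means polling can stop."""
    if fields.get("mgmt-dot1x-enable") != "true":
        return "DISABLED", True, "802.1X is not enabled on the management interface"
    if fields.get("mgmt-link-state") != "up":
        return "LINK-DOWN", False, "management link is down; the supplicant starts once it comes up"
    status = fields.get("mgmt-dot1x-status", "UNKNOWN")
    if status in FINAL:
        return status, True, FINAL[status]
    return status, False, TRANSIENT.get(status, "unexpected status value")


def wait_for_authorization(fetch_output, max_polls=10):
    """Poll fetch_output() until the status settles; returns (assessment, polls used)."""
    last = None
    for n in range(1, max_polls + 1):
        last = assess_dot1x(parse_switch_setup_show(fetch_output()))
        if last[1]:
            return last, n
    return last, max_polls


# Constructed excerpt of switch-setup-show in the page's format (banner shortened).
CONNECTING_OUTPUT = """\
switch-name:               switch
mgmt-dot1x-enable:         true
mgmt-dot1x-version:        802.1X-2004
mgmt-dot1x-profiles:       profile1
mgmt-dot1x-status:         CONNECTING
mgmt-ip:                   10.14.8.90/23
mgmt-link-state:           up
banner:                    * Welcome to Arista Networks Inc. Netvisor(R). This is a monitored system. *
* http://www.arista.com/eula or by using the command "eula-show"
"""
AUTHENTICATED_OUTPUT = CONNECTING_OUTPUT.replace("CONNECTING", "AUTHENTICATED")
HELD_OUTPUT = CONNECTING_OUTPUT.replace("CONNECTING", "HELD")


def scripted_fetch(sequence):
    """Simulate a switch whose status changes between polls (constructed, for testing)."""
    it = iter(sequence)
    last = sequence[-1]

    def fetch():
        nonlocal last
        last = next(it, last)
        return last
    return fetch


if __name__ == "__main__":
    poller = scripted_fetch([CONNECTING_OUTPUT, CONNECTING_OUTPUT, AUTHENTICATED_OUTPUT])
    print(wait_for_authorization(poller))  # (('AUTHENTICATED', True, ...), 3)
```

The regex only accepts lowercase key names, which is what keeps the banner's wrapped lines (they also contain a colon, in the URL) from being mistaken for fields; first occurrence wins, so a banner line that happened to look like a key could not overwrite a real one either.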


The same two-step process can be used during a fresh switch install like so:


Netvisor OS Command Line Interface 6.1

        By ANSWERING "YES" TO THIS PROMPT YOU ACKNOWLEDGE THAT YOU HAVE READ THE TERMS OF THE PLURIBUS NETWORKS END USER LICENSE AGREEMENT (EULA) AND AGREE TO THEM. [YES | NO | EULA]?: YES or NO?

        By ANSWERING "YES" TO THIS PROMPT YOU ACKNOWLEDGE THAT YOU HAVE READ THE TERMS OF THE PLURIBUS NETWORKS END USER LICENSE AGREEMENT (EULA) AND AGREE TO THEM. [YES | NO | EULA]?: YES or NO?

        By ANSWERING "YES" TO THIS PROMPT YOU ACKNOWLEDGE THAT YOU HAVE READ THE TERMS OF THE PLURIBUS NETWORKS END USER LICENSE AGREEMENT (EULA) AND AGREE TO THEM. [YES | NO | EULA]?: YES or NO?

        By ANSWERING "YES" TO THIS PROMPT YOU ACKNOWLEDGE THAT YOU HAVE READ THE TERMS OF THE PLURIBUS NETWORKS END USER LICENSE AGREEMENT (EULA) AND AGREE TO THEM. [YES | NO | EULA]?: 

YES or NO?

        By ANSWERING "YES" TO THIS PROMPT YOU ACKNOWLEDGE THAT YOU HAVE READ THE TERMS OF THE PLURIBUS NETWORKS END USER LICENSE AGREEMENT (EULA) AND AGREE TO THEM. [YES | NO | EULA]?: YES

Switch setup required:

        Switch Name (switch): 

        network-admin Password: 

        Re-enter Password: 

        Mgmt IP/Netmask (10.14.8.90/23): 

        Mgmt IPv6/Netmask: 

        In-band IP/Netmask (192.168.3.55/24): 

        In-band IPv6/Netmask: 

        Gateway IP (10.14.8.1): 

        Gateway IPv6: 

        Primary DNS IP (10.135.2.13): 

        Secondary DNS IP (10.20.4.1): 

        Domain name (pluribusnetworks.com): 

        Automatically Upload Diagnostics (yes): 

        Enable host ports by default (yes): 


Switch Setup:

        Switch Name          : switch

        Mgmt 802.1x cfg      : no

        Mgmt 802.1x profiles : 

        Mgmt 802.1x status   : 

        Switch Mgmt IP       : 10.14.8.90/23

        Switch Mgmt IPv6     : fe80::660e:94ff:fe4c:de/64

        Switch In-band IP    : 192.168.3.55/24

        Switch In-band IPv6  : fe80::640e:94ff:fe03:faf8/64

        Switch Gateway       : 10.14.8.1

        Switch IPv6 Gateway  : ::

        Switch DNS Server    : 10.135.2.13

        Switch DNS2 Server   : 10.20.4.1

        Switch Domain Name   : pluribusnetworks.com

        Switch NTP Server    : 10.135.2.13

        Switch Timezone      : America/Los_Angeles

        Switch Date          : 2021-04-09,04:00:14

        Enable host ports    : yes

        Analytics Store      : optimized

Fabric required. Please use fabric-create/join/show

Connected to Switch switch; nvOS Identifier:0x1a000003; Ver: 6.1.0-6010018092


CLI (network-admin@switch) > eap-host-profile-create name profile1 mode md5 identity user1 password 

password for user identity: 

confirm password for user identity: 


CLI (network-admin@switch) > switch-setup-modify mgmt-dot1x-enable mgmt-dot1x-profiles profile1 mgmt-dot1x-version 802.1X-2004 


Note: If you try to delete a profile that is in use, you will get an error message:


CLI (network-admin@switch) > eap-host-profile-delete name profile1

eap-host-profile-delete: EAP Host profile profile1 is currently used


If you need to delete it, you can create and assign another profile first, then you can delete the old one:


CLI (network-admin@switch) > switch-setup-modify mgmt-dot1x-profiles profile2


CLI (network-admin@switch) > eap-host-profile-delete name profile1


CLI (network-admin@switch) > eap-host-profile-show

switch  name          mode identity    scope 

------- ------------- ---- ----------- ----- 

switch  profile2      md5  user1       local


802.1X can be disabled with the following command:


CLI (network-admin@switch) > switch-setup-modify mgmt-dot1x-disable
