Arista EOS AAA configuration for management with Radius protocol and Cisco ISE

Today I will write about AAA configuration (SSH authentication, authorization and accounting) for Arista EOS switches with Cisco ISE as authentication server and AAA protocol will be Radius.

Our topology is very simple. One Arista switch and One Cisco ISE server is running on the same network. We are not focusing on network segmentation or security. We are focusing on configuration of AAA with radius protocol from switch management perspective (ssh/telnet). Our topology looks like below -

01 - Network Topology
01 - Network Topology

We have a management network 192.168.199.0/24. The switch is at .134 and Cisco ISE is at .49 IP address. We are running the latest version of ISE - version 3.0.

Let's define our AAA requirements - Arista switches comes with two pre defined user roles - "network-admin" and "network-operator". We will use those two roles. One user after successful authentication from radius server (ISE), will be authorized as "network-admin" and will get read-write access to the switch. For another user after successful authentication, radius server will authorize "network-operator" role and will get read-only access.

Let's start with the configuration part.

Arista Switch Configuration

Below is shown basic IP connectivity and SSH settings of the switch just for reference -

interface Management1
   ip address dhcp
!
management ssh
   idle-timeout 30
   authentication mode password
!

Now we will define the radius server.

!!! Radius server IP address and secret key
radius-server host 192.168.199.49 key test123
!
!!! Radius server is assigned to a group. We will reference this group later.
aaa group server radius rad-grp-01
   server 192.168.199.49
!
!!! Packets destined for radius server, will be sourced from MGMT interface IP address.
ip radius source-interface Management1
!

Now we will configure the AAA part. Our policy looks like below - console port authentication will use locally defined user accounts in the switch; will not go to radius server. For, SSH authentication - the switch tries the local user database first, upon failure will contact radius server for authentication.

!!! Create a local admin user for console authentication.
username admin role network-admin privilege 15 secret admin

!!! Console authentication is done by switch's local user database.
aaa authentication login console local

!!! SSH authentication will be tried against local database, if failed will go to radius server.
aaa authentication login default local group rad-grp-01

!!! Upon successful authentication; the user is logged into the enable (exec) mode directly. No need of typing the command - "enable".
aaa authorization exec default local group rad-grp-01

!!! What kind of user roles; network-admin, network-operator the switch grant to the user and where are those roles defined. More on this later.
aaa authorization commands all default local

!!! Next two commands logs all the user typed commands in different logging facilities (like - syslog, logbuffer etc.)
aaa accounting exec default start-stop logging
aaa accounting commands all default start-stop logging

All the commands are straight forward; except one "aaa authorization commands all default local". To understand this command, we need to explain it more. When the radius/ISE successfully authenticates a user, it will also send a so called Arista-AVPair to the switch, the switch will match this AVPair to it's internal database of user-roles and grants access according to the roles. Be careful - our roles and what access are granted by those roles are defined in the switch locally, the radius server just inform the switch that give the user that particular role by using AVPair.

Cisco ISE Configuration

We will configure our users and groups. We are keeping it simple all users and groups are defined locally in the ISE database. No external database like windows active directory is used.

We have a group named "AristaNetAdminGroup" which has a member user named "netadm01". This user will be granted "network-admin" role by the switch upon successful authentication from the ISE. We have another group named "AristaNetOperatorGroup" which has a member user named "netopt01". This user will be granted "network-operator" role by the switch upon successful authentication from the ISE.

Let's define those groups and users. For keeping it short; I will only show how to create the group "AristaNetAdminGroup" and the user "netadm01".

02 - Creating User Identity Groups


03 - Creating Network Access User

After creating the necessary groups and users. We will create a custom radius dictionary for Arista and this dictionary will have a attribute for sending user-roles to the switch. The dictionary is created under "Dictionaries->System->Radius->Radius Vendors->Arista" in the ISE.

04 - Creating Arista Radius Dictionary


05 - Creating Attribute in Arista Radius Dictionary



Now we will create a "Network Device Profile" in ISE and bind our custom created radius dictionary with the profile.


06 - Creating Netowrk Device Profile

We will create a Network Device Group. Later on we will add our Arista switch to this group.


07 - Creating Netowrk Device Groups

At last we will add our switch as a radius client in Cisco ISE.

08 - Creating Netowrk Devices

Now comes the part of creating policy set in ISE. Arista uses PAP for radius communication. So, will create a Allowed protocol list which uses PAP.



09 - Allowed Protocol PAP

We will create two authorization profile which will send the required/necessary AVPair to the switch upon successful authentication.


10 - Authorization Profile Admin



11 - Authorization Profile Operator

It is now time to bind together everything with a ISE policy set.


12 - Policy Set Arista AAA

Our policy set works like this - with PAP protocol when a device type is Arista-Switches, try to authenticate either against user group AristaNetAdminGroup and authorize Arista-Admin access or against user group AristaNetOperatorGroup and authorize Arista-Operator access. Otherwise deny access.

Verification

First we will look into the two user roles defined in the locally in the switch.

Arista-Sw-01#show users roles
The default role is network-operator

role: network-admin
        10 permit command .*
role: network-operator
        10 deny mode exec command configure|bash|python-shell|\|
        20 permit mode exec command .*

Now we can test whether everything works between the switch and Cisco ISE by the command below (radius group - rad-grp-01, username - netopt01, password - test123) -

Arista-Sw-01#test aaa group rad-grp-01 netopt01 test123
User was successfully authenticated.

Now we will actually try to do a login over SSH and verify from the switch.

We can use either "show users detail" or "show aaa sessions"; both commands will give the same output.

Arista-Sw-01#show aaa sessions
Session Username Roles            TTY   State  Duration  Auth     Remote Host   
------- -------- ---------------- ----- ------ --------- -------- ------------- 
8       admin       network-admin    ttyS0 E      2:16:10   local                  
17     netadm01 network-admin    vty4   E      0:00:10   unknown  192.168.199.1

No network troubleshooting is interesting, without debugging. Let's activate Arista's tracing facility to debug AAA/Radius. How Arista's tracing works is not covered here, only the commands are shown.

Arista-Sw-01#show agent names | egrep -i aaa
Aaa

Arista-Sw-01#show trace Aaa | egrep -i radius
AaaPlugin::RadiusAaa enabled  ............
Radius               enabled  ............

Arista-Sw-01(config)#trace Aaa enable AaaPlugin::RadiusAaa all
Arista-Sw-01(config)#trace Aaa enable Radius all

Arista-Sw-01(config)#trace Aaa filename flash:radius.txt

Arista-Sw-01#show trace Aaa | egrep -i radius
Tracing sent to flash:/radius.txt
AaaPlugin::RadiusAaa enabled  0123456789cf
Radius                       enabled  0123456789cf

Arista-Sw-01#bash tail -f /mnt/flash/radius.txt
9105 AaaPlugin::RadiusAaa 3 authenticating user netopt01
9105 Radius               8 Counter authnAcceptsReceived set to 9
9105 Radius               1 AVPair: vendor 0 attribute 1
9105 Radius               1 AVPair: vendor 0 attribute 25
9105 Radius               1 AVPair: vendor 30065 attribute 1
9105 Radius               1 AVPair: vendor 30065 attribute 1
9105 Radius               3 privilege level 15 roles ['network-operator']
9105 Radius               3 auth status 0
9105 AaaPlugin::RadiusAaa 5 User privilege level: 15
9105 AaaPlugin::RadiusAaa 5 User roles: ['network-operator']25

We can see the one user named netopt01 has logged into the switch and received privilege level 15 and role network-operator.

Form the user session (netopt01) if we try to do - "configure" it will be rejected by the switch as per network roles defined -

Arista-Sw-01#configure
% Authorization denied for command 'configure terminal'

Let's see the logs from the Cisco ISE regrading policy set, authorization profile etc. -

13 - Cisco ISE Radius Log

That's it for today.


Location: Sundsvall, Sweden

Comments

Post a Comment

Popular posts from this blog

Fortigate firewall AAA Configuration for management with TACACS+ protocol and Cisco ISE

Image
In this blog I will write about how to implement AAA services in Fortigate firewalls using Cisco ISE as an authentication server with TACACS+ protocol. First good to know our limitations. AAA means - Authentication (supported by ISE TACACS+), Authorization (partially supported by ISE TACACS+; Fortigate implements Admin-Profiles; so what a user can/cannot do is defined locally in the firewall with "Admin Profiles"; ISE just instructs the firewall to allocate one of those profiles), Accounting (not supported; instead configure syslog to get accounting data, Fortigate firewalls generate syslog messages for configuration changes made by a user). Let's jump to our configuration. Our topology is very simple; one Fortigate firewall and Cisco ISE server connected with the same management network which looks like below -  01 - Network Topology We have a management network 192.168.199.0/24. The firewall is at  .230  and Cisco ISE is at  .49  IP address. We are running the lates
Read more

Stacking switches Part - VI (Dell OS10 VLT - Virtual Link Trunking)

Image
In this blog I will configure MLAG (multi chassis link aggregation) for Dell OS10 switches. As every other vendor choses a fancy name of their implementation of MLAG; Dell is no exception to this. Dell calls their implementation VLT - Virtual Link Trunking . Let's look at our network topology - Two Dell OS10 switches will run peering between them and will run VLT/MLAG between them. Two Debian 10 linux machine will be connected with LACP bonding with both switches. They will simulate the client connection. Our topology looks like below - 01 - Dell OS10 VLT Topology Let's look at some terminology before configuration - VLT peer – The two switches participating in VLT are peer to each other. In a VLT domain a maximum of two switches are allowed. VLT interconnect (VLTi) – VLTi synchronizes state information between VLT peers. It synchronizes layer 2 and layer 3 control-plane information. These state/control-plane information includes MAC table, ARP table, IPv6 neighbors etc. VLT
Read more

Arista EOS AAA configuration for management with TACACS+ protocol and Cisco ISE (Part I)

Image
Today I will write about AAA configuration (SSH authentication, authorization and accounting) for Arista EOS switches with Cisco ISE as authentication server and AAA protocol will be TACACS . Our topology is very simple. One Arista switch and One Cisco ISE server is running on the same network. Our topology looks like below - 01 - Network Topology We have a management network 192.168.199.0/24. The switch is at .134 and Cisco ISE is at .49 IP address. We are running the latest version of ISE - version 3.0. Let's define our AAA requirements - Arista switches comes with two pre defined user roles - "network-admin" and "network-operator" . We will use those two roles. Every user after successful authentication from tacacs server (ISE), will be authorized as either "network-admin" or "network-operator" role. In turn these two roles will determine read-write or read-only access to the switch. N ote: With TACACS, we can also do individual cl
Read more