Arista EOS AAA configuration for management with Radius protocol and Cisco ISE

Today I will write about AAA configuration (SSH authentication, authorization and accounting) for Arista EOS switches with Cisco ISE as authentication server and AAA protocol will be Radius.

Our topology is very simple. One Arista switch and One Cisco ISE server is running on the same network. We are not focusing on network segmentation or security. We are focusing on configuration of AAA with radius protocol from switch management perspective (ssh/telnet). Our topology looks like below -

01 - Network Topology
01 - Network Topology

We have a management network 192.168.199.0/24. The switch is at .134 and Cisco ISE is at .49 IP address. We are running the latest version of ISE - version 3.0.

Let's define our AAA requirements - Arista switches comes with two pre defined user roles - "network-admin" and "network-operator". We will use those two roles. One user after successful authentication from radius server (ISE), will be authorized as "network-admin" and will get read-write access to the switch. For another user after successful authentication, radius server will authorize "network-operator" role and will get read-only access.

Let's start with the configuration part.

Arista Switch Configuration

Below is shown basic IP connectivity and SSH settings of the switch just for reference -

interface Management1
   ip address dhcp
!
management ssh
   idle-timeout 30
   authentication mode password
!

Now we will define the radius server.

!!! Radius server IP address and secret key
radius-server host 192.168.199.49 key test123
!
!!! Radius server is assigned to a group. We will reference this group later.
aaa group server radius rad-grp-01
   server 192.168.199.49
!
!!! Packets destined for radius server, will be sourced from MGMT interface IP address.
ip radius source-interface Management1
!

Now we will configure the AAA part. Our policy looks like below - console port authentication will use locally defined user accounts in the switch; will not go to radius server. For, SSH authentication - the switch tries the local user database first, upon failure will contact radius server for authentication.

!!! Create a local admin user for console authentication.
username admin role network-admin privilege 15 secret admin

!!! Console authentication is done by switch's local user database.
aaa authentication login console local

!!! SSH authentication will be tried against local database, if failed will go to radius server.
aaa authentication login default local group rad-grp-01

!!! Upon successful authentication; the user is logged into the enable (exec) mode directly. No need of typing the command - "enable".
aaa authorization exec default local group rad-grp-01

!!! What kind of user roles; network-admin, network-operator the switch grant to the user and where are those roles defined. More on this later.
aaa authorization commands all default local

!!! Next two commands logs all the user typed commands in different logging facilities (like - syslog, logbuffer etc.)
aaa accounting exec default start-stop logging
aaa accounting commands all default start-stop logging

All the commands are straight forward; except one "aaa authorization commands all default local". To understand this command, we need to explain it more. When the radius/ISE successfully authenticates a user, it will also send a so called Arista-AVPair to the switch, the switch will match this AVPair to it's internal database of user-roles and grants access according to the roles. Be careful - our roles and what access are granted by those roles are defined in the switch locally, the radius server just inform the switch that give the user that particular role by using AVPair.

Cisco ISE Configuration

We will configure our users and groups. We are keeping it simple all users and groups are defined locally in the ISE database. No external database like windows active directory is used.

We have a group named "AristaNetAdminGroup" which has a member user named "netadm01". This user will be granted "network-admin" role by the switch upon successful authentication from the ISE. We have another group named "AristaNetOperatorGroup" which has a member user named "netopt01". This user will be granted "network-operator" role by the switch upon successful authentication from the ISE.

Let's define those groups and users. For keeping it short; I will only show how to create the group "AristaNetAdminGroup" and the user "netadm01".

02 - Creating User Identity Groups


03 - Creating Network Access User

After creating the necessary groups and users. We will create a custom radius dictionary for Arista and this dictionary will have a attribute for sending user-roles to the switch. The dictionary is created under "Dictionaries->System->Radius->Radius Vendors->Arista" in the ISE.

04 - Creating Arista Radius Dictionary


05 - Creating Attribute in Arista Radius Dictionary



Now we will create a "Network Device Profile" in ISE and bind our custom created radius dictionary with the profile.


06 - Creating Netowrk Device Profile

We will create a Network Device Group. Later on we will add our Arista switch to this group.


07 - Creating Netowrk Device Groups

At last we will add our switch as a radius client in Cisco ISE.

08 - Creating Netowrk Devices

Now comes the part of creating policy set in ISE. Arista uses PAP for radius communication. So, will create a Allowed protocol list which uses PAP.



09 - Allowed Protocol PAP

We will create two authorization profile which will send the required/necessary AVPair to the switch upon successful authentication.


10 - Authorization Profile Admin



11 - Authorization Profile Operator

It is now time to bind together everything with a ISE policy set.


12 - Policy Set Arista AAA

Our policy set works like this - with PAP protocol when a device type is Arista-Switches, try to authenticate either against user group AristaNetAdminGroup and authorize Arista-Admin access or against user group AristaNetOperatorGroup and authorize Arista-Operator access. Otherwise deny access.

Verification

First we will look into the two user roles defined in the locally in the switch.

Arista-Sw-01#show users roles
The default role is network-operator

role: network-admin
        10 permit command .*
role: network-operator
        10 deny mode exec command configure|bash|python-shell|\|
        20 permit mode exec command .*

Now we can test whether everything works between the switch and Cisco ISE by the command below (radius group - rad-grp-01, username - netopt01, password - test123) -

Arista-Sw-01#test aaa group rad-grp-01 netopt01 test123
User was successfully authenticated.

Now we will actually try to do a login over SSH and verify from the switch.

We can use either "show users detail" or "show aaa sessions"; both commands will give the same output.

Arista-Sw-01#show aaa sessions
Session Username Roles            TTY   State  Duration  Auth     Remote Host   
------- -------- ---------------- ----- ------ --------- -------- ------------- 
8       admin       network-admin    ttyS0 E      2:16:10   local                  
17     netadm01 network-admin    vty4   E      0:00:10   unknown  192.168.199.1

No network troubleshooting is interesting, without debugging. Let's activate Arista's tracing facility to debug AAA/Radius. How Arista's tracing works is not covered here, only the commands are shown.

Arista-Sw-01#show agent names | egrep -i aaa
Aaa

Arista-Sw-01#show trace Aaa | egrep -i radius
AaaPlugin::RadiusAaa enabled  ............
Radius               enabled  ............

Arista-Sw-01(config)#trace Aaa enable AaaPlugin::RadiusAaa all
Arista-Sw-01(config)#trace Aaa enable Radius all

Arista-Sw-01(config)#trace Aaa filename flash:radius.txt

Arista-Sw-01#show trace Aaa | egrep -i radius
Tracing sent to flash:/radius.txt
AaaPlugin::RadiusAaa enabled  0123456789cf
Radius                       enabled  0123456789cf

Arista-Sw-01#bash tail -f /mnt/flash/radius.txt
9105 AaaPlugin::RadiusAaa 3 authenticating user netopt01
9105 Radius               8 Counter authnAcceptsReceived set to 9
9105 Radius               1 AVPair: vendor 0 attribute 1
9105 Radius               1 AVPair: vendor 0 attribute 25
9105 Radius               1 AVPair: vendor 30065 attribute 1
9105 Radius               1 AVPair: vendor 30065 attribute 1
9105 Radius               3 privilege level 15 roles ['network-operator']
9105 Radius               3 auth status 0
9105 AaaPlugin::RadiusAaa 5 User privilege level: 15
9105 AaaPlugin::RadiusAaa 5 User roles: ['network-operator']25

We can see the one user named netopt01 has logged into the switch and received privilege level 15 and role network-operator.

Form the user session (netopt01) if we try to do - "configure" it will be rejected by the switch as per network roles defined -

Arista-Sw-01#configure
% Authorization denied for command 'configure terminal'

Let's see the logs from the Cisco ISE regrading policy set, authorization profile etc. -

13 - Cisco ISE Radius Log

That's it for today.


Comments

Popular posts from this blog

Fortigate firewall AAA Configuration for management with TACACS+ protocol and Cisco ISE

Stacking switches Part - VI (Dell OS10 VLT - Virtual Link Trunking)

Arista EOS AAA configuration for management with TACACS+ protocol and Cisco ISE (Part I)