Posted on December 9, 2016 9:48 pm
 |  Asked by syavash azarmi
 |  1440 views

I have been struggling to get Arista auth/authorization on MS NPS and wasn't successful.

I am using the following VSAs:

ATTRIBUTE / Arista-AVPair / 1 / string
ATTRIBUTE / Arista-User-Priv-Level / 2 / integer
ATTRIBUTE / Arista-User-Role / 3 / string
ATTRIBUTE / Arista-CVP-Role / 4 / string

and

• Arista Vendor number: 30065
• Attribute: Arista-AVPair 1 string
• “shell:priv-lvl=<privilege level of a user, 0-15>”
• “shell:roles=<list of roles for a user>”

 

but can't find the config that works.

Any comment or help would be much appreciated.

Thanks

4
Posted by Manuel Lai
Answered on December 14, 2016 3:59 pm

Hi Syavash
There are a couple of things to check when configuring Microsoft NPS to authenticate Arista devices:

If you want to use Active Directory as a user database:
1) The user should have network permissions on Active Directory:
AD Users and Computers/User Properties/Dial-in/Allow Access
2) When using CHAP authentication, password encryption must be activated:
AD Users and Computers/User Properties/Account/Account Options/Store password using reversible encryption
3) NPS must be registered in AD:
NPS/right click on NPS (Local)/Register Server in Active Directory

Create a new RADIUS Client (right click on RADIUS Client/New) with particular attention to the Friendly Name (used later on policy conditions) and the Shared Secret (configured on the Arista device).

Policies
While creating the NPS Policies (right click on Network Policies/New) make sure you select the right conditions, i.e.:
Select the user group on Windows Groups.
Type the Client Friendly Name as configured before.
On Constraints panel, select protocols (i.e. CHAP, PAP/SPAP)
Standard RADIUS Attributes, Service Type = NAS Prompt
On Settings panel/Add/Vendor: Custom/Vendor Specific/Add/Enter Vendor Code: 30065 and click “Yes it conforms”
Click on Configure Attributes/Attribute format: String, Attribute Value: shell:cvp-roles=network-admin (that’s for CVP)

I hope this will help you. In case you are still having issues, please contact support@arista.com
Regards
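
Added example (not part of the original posts, and not Arista or Microsoft code): a Python sketch that builds and parses the Vendor-Specific attribute described above, using the standard RFC 2865 layout with vendor number 30065 and Arista-AVPair as vendor type 1, so the bytes can be compared with what NPS actually returns in a packet capture. The sample attribute list and the value `shell:priv-lvl=15` are constructed for illustration.

```python
import struct

VENDOR_SPECIFIC = 26       # RADIUS attribute type (RFC 2865, section 5.26)
ARISTA_VENDOR_ID = 30065   # vendor number from the question
ARISTA_AVPAIR = 1          # Arista-AVPair, string

def encode_avpair(value):
    """Build one Vendor-Specific attribute carrying an Arista-AVPair string."""
    data = value.encode("ascii")
    sub = bytes([ARISTA_AVPAIR, len(data) + 2]) + data   # vendor type, vendor length, value
    if len(sub) + 6 > 255:
        raise ValueError("AVPair too long for one RADIUS attribute")
    return struct.pack("!BBI", VENDOR_SPECIFIC, len(sub) + 6, ARISTA_VENDOR_ID) + sub

def _tlvs(buf):
    """Yield (type, value) for each type/length/value record in buf."""
    pos = 0
    while pos < len(buf):
        if pos + 2 > len(buf) or buf[pos + 1] < 2 or pos + buf[pos + 1] > len(buf):
            raise ValueError("malformed attribute at offset %d" % pos)
        yield buf[pos], buf[pos + 2:pos + buf[pos + 1]]
        pos += buf[pos + 1]

def decode_arista_avpairs(attrs):
    """Return every Arista-AVPair string found in a RADIUS attribute list."""
    found = []
    for atype, body in _tlvs(attrs):
        if atype != VENDOR_SPECIFIC or len(body) < 4:
            continue
        if struct.unpack("!I", body[:4])[0] != ARISTA_VENDOR_ID:
            continue   # Vendor-Specific attribute from another vendor
        found += [v.decode("ascii") for t, v in _tlvs(body[4:]) if t == ARISTA_AVPAIR]
    return found

# Constructed attribute list (not a capture): Service-Type = NAS-Prompt (7), then two AVPairs.
SAMPLE_ATTRS = (struct.pack("!BBI", 6, 6, 7)
                + encode_avpair("shell:priv-lvl=15")
                + encode_avpair("shell:roles=network-admin"))

if __name__ == "__main__":
    print(encode_avpair("shell:priv-lvl=15").hex())
    print(decode_arista_avpairs(SAMPLE_ATTRS))
```

Decoding the attributes of a captured Access-Accept this way shows which privilege level and roles the policy really grants, which is worth checking before assigning it to a broad Windows group.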

0
Posted by Saul Suarez
Answered on October 5, 2017 4:12 pm

This works with one addition on Windows Server 2016 Network Policy Services, CVP version 2017.2.0

* make sure to set Authentication and Authorization settings on CVP portal to RADIUS
