TACACS+ RBAC Support

Role-based access control (RBAC) is an approach to regulating access to network resources based on the roles of individual users. Each user has one or more roles. Each role has its own rules which indicate the allowed and denied commands under specified mode. Commands authorization of a user is performed based on these rules. TACACS+ RBAC allows users to configure roles on TACACS servers and rules on switches, which is a much more scalable solution than local RBAC. Roles can be set and modified on the server side once and applied to all switches who connect to the server, instead...
Continue reading →

Common AAA Requirements

This article describes sample configuration for most common AAA requirements. It covers default behavior of EOS and a basic configuration guide with respect to Authentication and Authorization through local, RADIUS and TACACS+. The article also includes sample TACACS+ config files and RADIUS dictionary files. Authentication SSH Authentication To have users locally authenticated, configure by entering the command: Arista(config)#aaa authentication login default local Other methods available are TACACS+ and RADIUS. Console Authentication By default console login will derive authentication method from the command “aaa authentication login default “. To configure authentication method for console login different than the default method, configure:...
Continue reading →

Securing eAPI

Introduction In this article we will talk about a few tips to secure our eAPI access, for example, HTTPS, changing port, certificate, ACL, on-box, AAA, vrf etc. Turning on/off eAPI First of all, the most secure way is turning off eAPI, which is by default. myswitch#configure myswitch(config)#management api http-commands myswitch(config-mgmt-api-http-cmds)#shutdown To turn eAPI on by “no shutdown”, by default the HTTPS protocol is running and HTTP is turned off for secure purpose, because HTTP send user and password in clear text. HTTP can be used by “protocol http”, however, we recommend using HTTPS. Both HTTP and HTTPS can be used concurrently. myswitch#configure terminal myswitch(config)#management api http-commands...
Continue reading →

Using AAA to log all commands from users on Arista EOS

Introduction Some users of Arista Networks EOS may want to log all commands executed on a switch. This article explains how to use AAA without TACACS or RADIUS to provide accounting of all commands to the system log. The log can then be sent off to a syslog server or even sent to Splunk using the Arista EOS splunk extension. For more information about the Splunk app for Arista EOS click here. Setup First, it is important to create a user account for each switch administrator. Without a separate account for each administrator it will be impossible to retain accurate...
Continue reading →

Introduction to Managing EOS Devices – Setting up Management

Note: This article is part of the Introduction to Managing EOS Devices series: https://eos.arista.com/introduction-to-managing-eos-devices/      1) Setting Up Management The following management tools are available on Arista EOS for all platforms: VRF-aware management Telnet and SSH Syslog and Console Logging SNMP Versions 1 and 3 NTP DNS Local and remote user control (AAA) TACACS+, RADIUS sFlow XMPP eAPI   Note: in the following configuration examples, the commands in square brackets are optional: [optional]   1.1) VRF Aware Management As of release 4.10.1, EOS supports the ability to constrain management functions to a VRF. This enables the user to separate management based functions...
Continue reading →