Tag: security


How to Auto-Detect Hotspot SSIDs via Wireless Manager

Introduction There is a high probability of encountering Hotspot SSIDs in an enterprise environment. If a client probes for a well-known Hotspot SSID, it is at risk of connecting to a Hotspot AP, potentially without the user knowing about it. Also, if an enterprise AP broadcasts a Hotspot SSID, such an AP may attract undesirable clients to connect to it, which may lead to network disruption. This article describes how to add or delete Hotspot SSIDs on the Wireless Manager. The system detects the authorized clients in the WLAN that issue “Probe Requests” with the specified hotspot SSIDs and accordingly sends a...

How to Configure and Assign User Access Roles via RADIUS / NPS

Introduction This article describes how to authenticate users and assign different access roles via RADIUS server (NPS) integration with on-premises Wireless Manager. Prerequisites Administrative access to on-premises Wireless Manager. RADIUS server with Administrator privileges. The correct shared secret and RADIUS client configured on the RADIUS server. Solution Configure ‘Superuser’ Access Role Log in to NPS with Administrator credentials. Under NPS, expand Policies and click the Network Policies folder. On the Overview tab, enter the appropriate information. Go to the Conditions tab and add the Windows Domain Admin group. Go to the Constraints tab and enable the Authentication Method (PAP), as Wireless Manager communicates with the RADIUS server...

How to Export Events and Audit Logs to an ArcSight Server

Introduction This article explains the process of adding an ArcSight server for the export of Events and Audit logs. Prerequisites Administrative access to Wireless Manager. Information about the ArcSight server destination, such as IP address and port. Solution This article applies to on-premises Wireless Manager servers running software version 8.9. If you wish to use Syslog instead, please refer to the Syslog Integration article. Access the configuration by navigating to Configuration → ESM integration → ArcSight Integration. The service is enabled by default, and you can add a new ArcSight syslog destination by selecting “Add ArcSight Server”. Enter IP address...

Securing eAPI

Introduction In this article we will talk about a few tips to secure our eAPI access, for example HTTPS, changing the port, certificates, ACLs, on-box access, AAA, VRFs, etc. Turning on/off eAPI First of all, the most secure option is turning off eAPI, which is the default. myswitch#configure myswitch(config)#management api http-commands myswitch(config-mgmt-api-http-cmds)#shutdown When eAPI is turned on with “no shutdown”, by default the HTTPS protocol is running and HTTP is turned off for security purposes, because HTTP sends the username and password in clear text. HTTP can be enabled with “protocol http”; however, we recommend using HTTPS. Both HTTP and HTTPS can be used concurrently. myswitch#configure terminal myswitch(config)#management api http-commands...

Securing EOS CLI

Objective This Tech Tip is intended to provide Arista EOS users with the configuration guidelines and best practices to enable secure management plane protocols according to IT industry security standards. It is not the objective of this document to set the foundations or rules of a company security policy or a password policy. Note: This document is not intended to set company security or password policy. Defining and applying an end-to-end IT security policy is ultimately the responsibility of the end user and must take into account any regulations directly related to company activities. Arista EOS includes a wide...

Restricting access to the switch

In this article we demonstrate how you can configure your Arista switch to restrict access to various network services. By default, Arista EOS implements a control-plane ACL to restrict the packets going to the CPU. This is done for security purposes, but its default configuration is very permissive. As such, it is recommended that the sources which can access the switch be restricted using the methods described below. To view the default ACL, issue the following command: Arista#sh ip access-lists default-control-plane-acl IP Access List default-control-plane-acl [readonly] statistics per-entry 10 permit icmp any any [match 4, 11 days, 20:46:23 ago]...

Automatic MD5 Verification of EOS image

Introduction This article describes how EOS can be extended in order to check the integrity of software images. The extension described below adds the ability to automatically download the MD5 sum of an EOS image and check its integrity. This is done by adding an optional verify parameter to the existing copy command. When verify is specified, the switch will first attempt to copy the requested EOS image (e.g. EOS-4.12.5.swi), and then it will try to retrieve an MD5 sum for the same resource (e.g. EOS-4.12.5.swi.md5sum). Assuming both files are successfully downloaded, the MD5 sum of the software image will be...
