Certificate-Based TerminAttr Authentication

Arista/EOS switches use TerminAttr for streaming network data to CVP in the following network configurations:
  • Firewalls or dynamic NAT is deployed between CloudVision and EOS devices
  • Multi-Factor Authentication (MFA) or One-Time-Passwords (OTPs) are used for authentication
Note: When terminattr authentication is enabled,CVP does not require EAPI-over-HTTPS connections. Any CVP authenticated user is also authenticated with the devices that CVP manages.

Each TerminAttr connection must be authenticated using either shared keys or certificate. The certificate-based TerminAttr authentication provides the following additional security features:

  • Eliminates the shared key from the switch's configuration
  • Uniquely authenticates each TerminAttr connection between the switch and CVP
Note: Third party devices can use only the shared key authentication. The minimum required version of TerminAttr to use this feature is v1.6.1.
The following sections describes configuring devices with certificate-based TerminAttr authentication:

Enabling Certificate-Based TerminAttr Authentication

When on-boarding a device through Zero Touch Provisioning (ZTP) or direct import, the certificate-based TerminAttr authentication uses a temporary token to enroll client certificates from CVP. The SYS_TelemetryBuilderV3 generates the TerminAttr configuration that uses certificate-based TerminAttr authentication.

Note: Cerificate-based TerminAttr authentication is used as the default method as of version 2021.2.0, but can be changed to shared key if needed.Shared key authentication support is not supported in version 2023.1.0 and newer.

Perform the following steps to enable certificate-based TerminAttr authentication:

  1. In CloudVision portal, click the gear icon at the upper right corner of the page.

    The system displays the Settings screen.

  2. Under the Cluster Management pane, enable Device authentication via certificates using the toggle button.
    Figure 1. Enable Device Authentication via Certificates

Switching the Authentication from Certificates to Shared Keys

Perform the following steps for switching the authentication from certificates to shared keys:

  1. Disable the Device authentication via certificates option on the settings page.

    See Enabling Certificate-Based TerminAttr Authentication.

  2. Regenerate the configlets for all devices using SYS_TelemetryV3 builder.

    The generated configlets starts using shared key authentication.

  3. Execute resulting tasks.

Switching the Authentication from Shared Keys to Certificates

Perform the following steps for switching the authentication from shared keys to certificates:

Note: As of version 2021.2.0, Certificate Authentication is enabled by default for all new on-prem installations. For previous releases, the TerminAttr certificate authentication can be turned ON by enabling the Device authentication via certificates setting in the Settings page.
Note: No action is required if the setting is no longer visible in a cluster running version 2022.2 or newer.If the setting is visible in a cluster running version 2022.2 release or newer, then a warning will be displayed during the upgrade process to warn about this deprecated feature. CloudVision users are encouraged to move all the devices to use certificate authentication.
Figure 2. General Settings

The following procedure will enable certificate-based authentication for TerminAttr when there are devices already devices provisioned.

  1. Select Devices and the Device Registration tab.Within Device Onboarding select Onboard Provisioned EOS Devices.
    Figure 3. Devices - Device Registration
  2. If you have a large list, the Auth Type column can be sorted by selecting the column header.
  3. Select all the devices with“Auth Type as Ingest Key and then select Register n devices.
  4. The Auth Type of the device will change to Certificates.
  5. The device needs to be reconciled because it is out of compliance.Go to Provisioning and select Network Provisioning.A topographical view of your device will be displayed.
  6. Select the device that is out of compliance (yellow in color).Click on Manage and thenConfiglet.
  7. Select SYS_TelemetryBuilderV4 and then click Generate to generate the configuration.When complete click Validate. ( If VRF is used on the management interface then select VRF before generating the configuration ).
  8. Click Save.The configuration is applied and the device will be compliant now.

Reboarding Existing Devices

You must reboard a device when the certificate-based TerminAttr authentication fails due to missing or invalid client certificates.

Perform the following steps to reboard devices:

  1. In CloudVision portal, click the Devices tab.

    The system displays the Inventory screen.

    Figure 4. Inventory Screen
  2. Select Onboard Devices from the Add Device drop-down menu at the upper right corner of the Inventory screen.

    The system displays the Onboard Devices pop-up window.

  3. Click the Existing Device Registration tab at the lower end of the Onboard Devices pop-up window.
    Figure 5. Existing Device Registration Tab
    Note: To view all devices, disable the Show only inactive devices option using the toggle button.
  4. Select the required device.
  5. Click Register n Device(s) where n is the count of selected devices.

    The system refreshes the selected device with new certificates, returns to the last provisioning state, and resumes streaming to CVP.

Re-ZTP On-Boarded Devices

Manual intervention is required to re-ZTP on-boarded devices after enabling the certificate-based TerminAttr authentication. This prevents unauthorized or malicious software from spoofing previously on-boarded devices.

Perform the following steps to re-ZTP devices:

  1. In CloudVision portal, click the Devices tab.

    The system displays the Inventory screen.

  2. Select Re-ZTP Devices from the Add Device drop-down menu at the upper right corner of the Inventory screen.

    The system displays the Re-ZTP Devices pop-up window.

    Figure 6. Re-ZTP Devices Pop-Up Window
    Note: To view all devices, disable the Show only inactive devices option using the toggle button.
  3. Select the required device.
  4. (Optional) Click the time next to Global ZTP Deadline and configure the preferred time to re-ZTP selected devices.
  5. Click Grant ZTP Access to n Device(s) where n is the count of selected devices.

    Devices must complete their re-ZTP before the enrollment window closes.