Upgrades and Downgrades
This chapter describes the procedures for upgrading or downgrading the switch software.
Upgrading or downgrading the Arista Extensible Operating System (EOS) is accomplished by replacing the EOS image and reloading the switch. Depending on the switch model and the software change being made, it may be possible to minimize (or virtually eliminate) downtime and packet loss during an upgrade. There are two upgrade methods for the EOS:
Smart System Upgrade: SSU significantly decreases downtime and packet loss during upgrades. SSU is available on selected platforms, and is ideal for leaf switches and other non-redundant deployments.
Standard Upgrades and Downgrades: In those cases where an accelerated upgrade is not needed or not an option (such as for software downgrades and on unsupported platforms), performing a standard upgrade or downgrade using the steps described here will minimize downtime and packet loss.
Smart System Upgrade (SSU) significantly reduces reload time by streamlining and optimizing the reload procedure for upgrades, and by continuing to send LACP PDUs while the CPU is rebooting, keeping port channels operational during the reload. SSU leverages protocols capable of graceful restart to minimize traffic loss during upgrade.
Before upgrading the EOS image, ensure that copies of the currently running EOS image and the running-config file are available in case of corruption during the upgrade process. To copy the running-config file, use the copy running-config command. In this example, running-config is copied to a file on the flash drive of the switch.
switch# copy running-config flash:/cfg_06162014
Copy completed successfully.
switch#
Determine the size of the new EOS image. Then verify that there is enough space available on the flash drive for two copies of this image, plus a recommended 240MB (if available) for diagnostic information in case of a fatal error. Use the dir command to check the “bytes free” figure.
switch# dir flash:
Directory of flash:/
-rwx 293168526 Nov 4 22:17 EOS4.11.0.swi
-rwx 36 Nov 8 10:24 boot-config
-rwx 37339 Jun 16 14:18 cfg_06162014
606638080 bytes total (602841088 bytes free)
Ensure that the switch has a management interface configured with an IP address and a default gateway (see Assigning a Virtual IP Address to Access the Active Ethernet Management Port and Configuring a Default Route to the Gateway). Confirm that the switch can be reached through the network by checking the management interface with the show interfaces status command and by pinging the default gateway.
switch# show interfaces status
Port Name Status Vlan Duplex Speed Type
Et3/1 notconnect 1 auto auto 1000BASE-T
<-------OUTPUT OMITTED FROM EXAMPLE-------->
Ma1/1 connected routed unconf unconf Unknown
switch# ping 1.1.1.10
PING 1.1.1.10 (1.1.1.10) 72(100) bytes of data.
80 bytes from 1.1.1.10: icmp_seq=1 ttl=64 time=0.180 ms
80 bytes from 1.1.1.10: icmp_seq=2 ttl=64 time=0.076 ms
80 bytes from 1.1.1.10: icmp_seq=3 ttl=64 time=0.084 ms
80 bytes from 1.1.1.10: icmp_seq=4 ttl=64 time=0.073 ms
80 bytes from 1.1.1.10: icmp_seq=5 ttl=64 time=0.071 ms
Verify that the switch configuration is valid for SSU by using the show reload fast-boot command. If parts of the configuration are blocking execution of SSU, an error message will be displayed explaining what they are. For SSU to proceed, the configuration conflicts must be corrected before issuing the reload fast-boot command.
switch# show reload fast-boot
switch#'reload fast-boot' cannot proceed due to the following:
Spanning-tree portfast is not enabled for one or more ports
Spanning-tree BPDU guard is not enabled for one or more ports
switch#
For hitless restart of BGP and MP-BGP, BGP graceful restart must first be enabled using the graceful-restart command. The default restart time value (300 seconds) is appropriate for most configurations.
The BGP configuration mode in which the graceful-restart command is issued determines which BGP connections will restart gracefully.
switch# config
switch(config)# router bgp 64496
switch(config-router-bgp)# graceful-restart
switch(config-router-bgp)#
switch# config
switch(config)# router bgp 64496
switch(config-router-bgp)# vrf purple
switch(config-router-bgp-vrf-purple)# graceful-restart
switch(config-router-bgp-vrf-purple)# exit
switch(config-router-bgp)#
switch# config
switch(config)# router bgp 64496
switch(config-router-bgp)# address-family ipv6
switch(config-router-bgp-af)# graceful-restart
switch(config-router-bgp-af)# exit
switch(config-router-bgp)#
The target image must be copied to the file system on the switch, typically onto the flash drive. After verifying that there is space for two copies of the image plus an optional 240MB for diagnostic information, use the copy command to copy the image to the flash drive, then confirm that the new image file has been correctly transferred.
These command examples transfer an image file to the flash drive from various locations.
Command: copy usb1:/sourcefile flash:/destfile
Example: switch# copy usb1:/EOS-4.14.4.swi flash:/EOS-4.14.4.swi
Command: copy ftp:/ftp-source/sourcefile flash:/destfile
Example: switch# copy ftp:/user:password@10.0.0.3/EOS-4.14.4.swi flash:/EOS-4.14.4.swi
Command: copy scp://scp-source/sourcefile flash:/destfile
Example: switch# copy scp://user@10.1.1.8/user/EOS-4.14.4.swi flash:/EOS-4.14.4.swi
Command: copy http://http-source/sourcefile flash:/destfile
Example: switch# copy http://10.0.0.10/EOS-4.14.4.swi flash:/EOS-4.14.4.swi
Once the file has been transferred, verify that it is present in the directory, then compute its MD5 checksum with the verify command and compare the result with the checksum published on the EOS download page of the Arista website. Two cautions apply. First, the ftp: and http: transfers carry the image, and for ftp: the user:password embedded in the URL, in clear text, and that URL is also recorded in the command history; prefer scp: where the image server allows it. Second, a matching MD5 only shows that the file on flash is the file the reference checksum was computed from, so obtain the reference over an authenticated session with the vendor site rather than from the server the image was copied from. EOS can also compute a SHA-512 digest with verify /sha512, which is preferable where a SHA-512 reference is published.
switch# dir flash:
Directory of flash:/
-rwx 293168526 Nov 4 22:17 EOS4.14.2.swi
-rwx 36 Nov 8 10:24 boot-config
-rwx 37339 Jun 16 14:18 cfg_06162014
-rwx 394559902 May 30 02:57 EOS-4.14.4.swi
606638080 bytes total (208281186 bytes free)
switch# verify /md5 flash:EOS-4.14.4.swi
verify /md5 (flash:EOS-4.14.4.swi) =c277a965d0ed48534de6647b12a86991
switch#
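The space check earlier in this procedure and the checksum check just above are the two pre-flight gates most worth scripting, since both are easy to skip under time pressure. The following Python is an added example and is not Arista code: it parses the `dir flash:` and `verify /md5` output formats shown in this chapter (the sample outputs inside it are constructed from those listings), applies the two-copies-plus-240MB rule, and compares the switch's digest with a reference checksum that is assumed to have been fetched from the Arista download page over an authenticated session.

```python
"""Pre-upgrade checks for an EOS image, run off-box against captured CLI output.

Added example, not part of Arista's documentation or software. It parses the
`dir flash:` and `verify /md5` output formats shown in this chapter; the
sample outputs below are constructed from the listings above.
"""
import hashlib
import re

DIAG_RESERVE = 240 * 1024 * 1024  # recommended headroom for fatal-error diagnostics

# Constructed sample: what `dir flash:` printed before the image was copied.
DIR_FLASH = """Directory of flash:/
       -rwx   293168526    Nov 4 22:17   EOS4.11.0.swi
       -rwx          36    Nov 8 10:24   boot-config
       -rwx       37339   Jun 16 14:18   cfg_06162014
606638080 bytes total (602841088 bytes free)
"""

# Constructed sample: what `verify /md5 flash:EOS-4.14.4.swi` printed.
VERIFY_OUT = "verify /md5 (flash:EOS-4.14.4.swi) =c277a965d0ed48534de6647b12a86991\n"


def bytes_free(dir_output: str) -> int:
    """Pull the 'bytes free' figure out of `dir flash:` output."""
    m = re.search(r"\((\d+) bytes free\)", dir_output)
    if m is None:
        raise ValueError("no 'bytes free' figure in dir output")
    return int(m.group(1))


def space_check(dir_output: str, image_size: int, reserve: int = DIAG_RESERVE) -> str:
    """'ok' when two copies of the image plus the diagnostic reserve fit,
    'tight' when only the two copies fit, otherwise 'insufficient'."""
    free = bytes_free(dir_output)
    if free >= 2 * image_size + reserve:
        return "ok"
    if free >= 2 * image_size:
        return "tight"
    return "insufficient"


def switch_md5(verify_output: str, image_name: str):
    """Extract the digest that `verify /md5` printed for image_name, or None."""
    pat = r"verify /md5 \(flash:%s\) =\s*([0-9a-fA-F]{32})" % re.escape(image_name)
    m = re.search(pat, verify_output)
    return m.group(1).lower() if m else None


def checksum_check(verify_output: str, image_name: str, reference_md5: str) -> bool:
    """Compare the digest the switch computed with the published reference.
    MD5 catches transfer corruption only; the reference must come from an
    authenticated source (the vendor download page over HTTPS)."""
    got = switch_md5(verify_output, image_name)
    return got is not None and got == reference_md5.strip().lower()


def local_md5(data: bytes) -> str:
    """MD5 of an image held locally, for comparison with the switch's figure."""
    return hashlib.md5(data).hexdigest()


def preflight(dir_output, image_size, verify_output, image_name, reference_md5):
    """Go/no-go summary: proceed only when space is at least 'tight' and the
    checksum matches. A 'tight' result means a fatal error during SSU may
    leave no room for the diagnostic dump."""
    space = space_check(dir_output, image_size)
    csum = checksum_check(verify_output, image_name, reference_md5)
    return {"space": space, "checksum": csum,
            "proceed": space != "insufficient" and csum}


if __name__ == "__main__":
    print(preflight(DIR_FLASH, 293168526, VERIFY_OUT, "EOS-4.14.4.swi",
                    "c277a965d0ed48534de6647b12a86991"))
```

With the figures from the listing above (602841088 bytes free, a 293168526-byte image) the result is "tight": two copies fit, but not the 240MB diagnostic reserve, which is exactly the condition the text describes as "if available".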
After transferring and confirming the desired image file, use the boot system command to update the boot-config file to point to the new EOS image.
This command changes the boot-config file to point to the image file located in flash memory at EOS-4.14.4.swi.
switch# configure terminal
switch(config)# boot system flash:/EOS-4.14.4.swi
Use the show boot-config command to verify that the boot-config file is correct:
switch(config)# show boot-config
Software image: flash:/EOS-4.14.4.swi
Console speed: (not set)
Aboot password (encrypted): $1$ap1QMbmz$DTqsFYeauuMSa7/Qxbi2l1
Save the configuration to the startup-config file with the write command.
switch# write
After updating the boot-config file, verify that your configuration supports SSU (if you have not already done so) by using the show reload fast-boot command. If parts of the configuration are blocking execution of SSU, an error message will be displayed explaining what they are.
switch# show reload fast-boot
switch#'reload fast-boot' cannot proceed due to the following:
Spanning-tree portfast is not enabled for one or more ports
Spanning-tree BPDU guard is not enabled for one or more ports
switch#
Then start the SSU process using the reload fast-boot command to reload the switch and activate the new image. The CLI will identify any changes that must be made to the configuration before starting SSU, prompt to save any modifications to the system configuration, and request confirmation before reloading.
switch# reload fast-boot
System configuration has been modified. Save? [yes/no/cancel/diff]:y
Copy completed successfully.
Proceed with reload? [confirm]y
Before making any configuration changes to the switch after reload, verify that the SSU process is complete using the command show boot stages log. If the process is complete, the last message should be “Hitless boot stages complete.”
switch# show boot stages log
Timestamp Delta Begin Msg
2022-10-03 12:42:06 000.000000 Asu Hitless boot stages started
2022-10-03 12:42:06 000.001592 stage CriticalAgent started
2022-10-03 12:42:06 000.001834 event CriticalAgent:PhyEthtool completed
[ . . . ]
2022-10-03 12:43:02 056.316874 stage BootSanityCheck is complete
2022-10-03 12:43:02 056.317491 Asu Hitless boot stages complete
switch#
Completion of the SSU process may also be verified by checking the syslog for the following message:
LAUNCHER-6-BOOT_STATUS: 'reload fast-boot' reconciliation complete
To verify whether the SSU upgrade was successful, use the show reload cause command. If a fatal error occurred during the upgrade process, the switch will have completely rebooted and the fatal error will be displayed along with the directory in which diagnostic information can be found. If the SSU upgrade has succeeded, it will read “Hitless reload requested by the user.”
switch# show reload cause
Reload Cause 1:
-------------------
Fatal error occurred during Asu Hitless boot. (stageMgr - LinkStatusUpdate timed out)
Reload Time:
------------
Reload occurred at Sun Oct 02 12:06:37 2022 PDT.
Recommended Action:
-------------------
The system rebooted due to a fatal error.
If the problem persists, contact your customer support representative.
Debugging Information:
-------------------------------
/mnt/flash/persist/fatalError-2022-10-02_120637
switch#
switch# show reload cause
Reload Cause 1:
-------------------
Hitless reload requested by the user.
Reload Time:
------------
Reload occurred at Mon Oct 03 13:29:31 2022 PDT.
Recommended Action:
-------------------
No action necessary.
Debugging Information:
-------------------------------
None available.
switch#
The show version command confirms whether the correct image is loaded. The Software image version line displays the version of the active image file.
switch# show version
Arista DCS-7050QX-32-F
Hardware version: 02.00
Serial number: JPE14071098
System MAC address: 001c.7355.556f
Software image version: 4.14.5F-2353054.EOS4145F
Architecture: i386
Internal build version: 4.14.5F-2353054.EOS4145F
Internal build ID: e8748ea7-916d-4217-878f-4bfe2adc7122
Uptime: 4 minutes
Total memory: 3981328 kB
Free memory: 1342408 kB
switch#
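The three post-reload checks above (the last line of show boot stages log, the reload cause, and the running image version) can be combined into one go/no-go decision so that nobody starts making configuration changes on a switch whose SSU is still reconciling or has silently fallen back to a full reboot. The following Python is an added example, not Arista code; the sample outputs inside it are constructed from the messages quoted in this section, and the expected version prefix is an assumption passed in by the caller.

```python
"""Post-SSU checks, run off-box against captured CLI output.

Added example, not Arista code. It decides from the text of `show boot stages
log`, `show reload cause` and `show version` whether the SSU finished, whether
it fell back to a full reboot, and whether the expected image is running. The
sample outputs are constructed from the messages quoted in this chapter.
"""
import re

# Constructed: an SSU that completed.
BOOT_STAGES_DONE = """Timestamp            Delta       Begin   Msg
2022-10-03 12:42:06  000.000000  Asu     Hitless boot stages started
2022-10-03 12:42:06  000.001592  stage   CriticalAgent started
2022-10-03 12:43:02  056.316874  stage   BootSanityCheck is complete
2022-10-03 12:43:02  056.317491  Asu     Hitless boot stages complete
"""

# Constructed: an SSU still in progress; configuring now would be premature.
BOOT_STAGES_RUNNING = """Timestamp            Delta       Begin   Msg
2022-10-03 12:42:06  000.000000  Asu     Hitless boot stages started
2022-10-03 12:42:06  000.001592  stage   CriticalAgent started
"""

RELOAD_CAUSE_OK = """Reload Cause 1:
-------------------
Hitless reload requested by the user.

Reload Time:
------------
Reload occurred at Mon Oct 03 13:29:31 2022 PDT.

Recommended Action:
-------------------
No action necessary.

Debugging Information:
-------------------------------
None available.
"""

RELOAD_CAUSE_FATAL = """Reload Cause 1:
-------------------
Fatal error occurred during Asu Hitless boot. (stageMgr - LinkStatusUpdate timed out)

Reload Time:
------------
Reload occurred at Sun Oct 02 12:06:37 2022 PDT.

Recommended Action:
-------------------
The system rebooted due to a fatal error.
If the problem persists, contact your customer support representative.

Debugging Information:
-------------------------------
/mnt/flash/persist/fatalError-2022-10-02_120637
"""

SHOW_VERSION = """Arista DCS-7050QX-32-F
Hardware version:       02.00
Software image version: 4.14.5F-2353054.EOS4145F
Architecture:           i386
"""


def ssu_stages_complete(boot_stages_log: str) -> bool:
    """True only when the last logged message is the completion marker."""
    lines = [ln for ln in boot_stages_log.splitlines() if ln.strip()]
    return bool(lines) and lines[-1].rstrip().endswith("Hitless boot stages complete")


def reload_cause(output: str):
    """Classify `show reload cause` as ('hitless', None), ('fatal', debug_dir)
    or ('other', cause_text). The debug directory is what support will ask for."""
    m = re.search(r"Reload Cause 1:\s*\n-+\n(.+)", output)
    cause = m.group(1).strip() if m else ""
    if cause.startswith("Hitless reload requested by the user"):
        return "hitless", None
    if cause.startswith("Fatal error"):
        d = re.search(r"Debugging Information:\s*\n-+\n(\S+)", output)
        return "fatal", (d.group(1) if d else None)
    return "other", cause


def running_image(show_version: str):
    """The 'Software image version' field of `show version`, or None."""
    m = re.search(r"^Software image version:\s*(\S+)", show_version, re.M)
    return m.group(1) if m else None


def upgrade_ok(boot_stages_log, reload_cause_out, show_version_out, expected_prefix):
    """Single go/no-go: stages complete, hitless reload cause, expected image."""
    kind, _ = reload_cause(reload_cause_out)
    ver = running_image(show_version_out)
    return (ssu_stages_complete(boot_stages_log) and kind == "hitless"
            and ver is not None and ver.startswith(expected_prefix))


if __name__ == "__main__":
    print(upgrade_ok(BOOT_STAGES_DONE, RELOAD_CAUSE_OK, SHOW_VERSION, "4.14.5F"))
    print(reload_cause(RELOAD_CAUSE_FATAL))
```

A "fatal" result returns the diagnostic directory alongside it, so the path to hand to support is captured before anyone reloads the switch again and overwrites it.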
Standard software upgrades and downgrades on Arista switches are accomplished by installing a different EOS image and reloading the switch. On switches with redundant supervisors, the EOS image must be installed on both supervisors. Using the procedure described below will minimize packet loss during a standard upgrade or downgrade.
Before upgrading the EOS image, ensure that copies of the currently running EOS image and the running-config file are available in case of corruption during the upgrade process. To copy the running-config file, use the copy running-config command. In this example, running-config is copied to a file on the flash drive of the switch.
switch# copy running-config flash:/cfg_06162014
Copy completed successfully.
switch#
Determine the size of the new EOS image. Then verify that there is enough space available on the flash drive for two copies of this image, plus a recommended 240MB (if available) for diagnostic information in case of a fatal error. Use the dir command to check the “bytes free” figure.
switch# dir flash:
Directory of flash:/
-rwx 293168526 Nov 4 22:17 EOS4.11.0.swi
-rwx 36 Nov 8 10:24 boot-config
-rwx 37339 Jun 16 14:18 cfg_06162014
606638080 bytes total (602841088 bytes free)
Ensure that the switch has a management interface configured with an IP address and a default gateway (see Assigning a Virtual IP Address to Access the Active Ethernet Management Port and Configuring a Default Route to the Gateway). Confirm that the switch can be reached through the network by checking the management interface with the show interfaces status command and by pinging the default gateway.
switch# show interfaces status
Port Name Status Vlan Duplex Speed Type
Et3/1 notconnect 1 auto auto 1000BASE-T
<-------OUTPUT OMITTED FROM EXAMPLE-------->
Ma1/1 connected routed unconf unconf Unknown
switch# ping 1.1.1.10
PING 1.1.1.10 (1.1.1.10) 72(100) bytes of data.
80 bytes from 1.1.1.10: icmp_seq=1 ttl=64 time=0.180 ms
80 bytes from 1.1.1.10: icmp_seq=2 ttl=64 time=0.076 ms
80 bytes from 1.1.1.10: icmp_seq=3 ttl=64 time=0.084 ms
80 bytes from 1.1.1.10: icmp_seq=4 ttl=64 time=0.073 ms
80 bytes from 1.1.1.10: icmp_seq=5 ttl=64 time=0.071 ms
The target image must be copied to the file system on the switch, typically onto the flash drive. After verifying that there is space for the image, use the CLI copy command to copy the image to the flash drive, then confirm that the new image file has been correctly transferred.
These command examples transfer an image file to the flash drive from various locations.
Command: copy usb1:/sourcefile flash:/destfile
Example: switch# copy usb1:/EOS-4.13.2.swi flash:/EOS-4.13.2.swi
Command: copy ftp:/ftp-source/sourcefile flash:/destfile
Example: switch# copy ftp:/user:password@10.0.0.3/EOS-4.13.2.swi flash:/EOS-4.13.2.swi
Command: copy scp://scp-source/sourcefile flash:/destfile
Example: switch# copy scp://user@10.1.1.8/user/EOS-4.13.2.swi flash:/EOS-4.13.2.swi
Command: copy http://http-source/sourcefile flash:/destfile
Example: switch# copy http://10.0.0.10/EOS-4.13.2.swi flash:/EOS-4.13.2.swi
Once the file has been transferred, verify that it is present in the directory, then confirm the MD5 checksum using the verify command. The MD5 checksum is available from the EOS download page of the Arista website.
switch# dir flash:
Directory of flash:/
-rwx 293168526 Nov 4 22:17 EOS4.11.0.swi
-rwx 36 Nov 8 10:24 boot-config
-rwx 37339 Jun 16 14:18 cfg_06162014
-rwx 394559902 May 30 02:57 EOS-4.13.2.swi
606638080 bytes total (208281186 bytes free)
switch# verify /md5 flash:EOS-4.13.2.swi
verify /md5 (flash:EOS-4.13.2.swi) =c277a965d0ed48534de6647b12a86991
After transferring and confirming the desired image file, use the boot system command to update the boot-config file to point to the new EOS image.
This command changes the boot-config file to point to the image file located in flash memory at EOS-4.13.2.swi.
switch# configure terminal
switch(config)# boot system flash:/EOS-4.13.2.swi
Use the show boot-config command to verify that the boot-config file is correct:
switch(config)# show boot-config
Software image: flash:/EOS-4.13.2.swi
Console speed: (not set)
Aboot password (encrypted): $1$ap1QMbmz$DTqsFYeauuMSa7/Qxbi2l1
Save the configuration to the startup-config file with the write command.
switch# write
After updating the boot-config file, reset the switch to activate the new image. The reload command resets the switch, resulting in temporary downtime and packet loss on single supervisor switches.
When reloading from the console port, all rebooting messages are displayed on the terminal. From any port except the console, the CLI displays this text:
switch# reload
The system is going down for reboot NOW!
After the switch finishes reloading, log into the switch and use the show version command to confirm the correct image is loaded. The Software image version line displays the version of the active image file.
switch# show version
Arista DCS-7150S-64-CL-F
Hardware version: 01.01
Serial number: JPE13120819
System MAC address: 001c.7326.fd0c
Software image version: 4.13.2F
Architecture: i386
Internal build version: 4.13.2F-1649184.4132F.2
Internal build ID: eeb3c212-b4bd-4c19-ba34-1b0aa36e43f1
Uptime: 14 hours and 48 minutes
Total memory: 4017088 kB
Free memory: 1569760 kB
switch>
Before upgrading the EOS image, ensure that backup copies of the currently running EOS version and the running-config file are available in case of corruption during the upgrade process. To copy the running-config file, use the copy running-config command. In this example, running-config is copied to a file called backup2 on the flash drive.
switch# copy running-config backup2
Copy completed successfully.
switch#
Ensure that you are logged in to the active supervisor, not the standby. Use the show redundancy status command and verify that my state reads ACTIVE and not STANDBY.
switch# show redundancy status
my state = ACTIVE
peer state = STANDBY HOT
Unit = Secondary
Unit ID = 1
Redundancy Protocol (Operational) = Stateful Switchover
Redundancy Protocol (Configured) = Stateful Switchover
Communications = Up
Ready for switchover
Last switchover time = 25 days, 19:51:34 ago
Last switchover reason = Other supervisor stopped sending heartbeats
Ensure that the switch has a management interface configured with an IP address and a default gateway (see Assigning a Virtual IP Address to Access the Active Ethernet Management Port and Configuring a Default Route to the Gateway), and confirm that both management interfaces are in the up state and can ping the default gateway, using the show interfaces status and ping commands.
switch# show interfaces status
Port Name Status Vlan Duplex Speed Type
Et3/1 notconnect 1 auto auto 1000BASE-T
<-------OUTPUT OMITTED FROM EXAMPLE-------->
Ma1/1 connected routed unconf unconf Unknown
switch# ping 1.1.1.10
PING 1.1.1.10 (1.1.1.10) 72(100) bytes of data.
80 bytes from 1.1.1.10: icmp_seq=1 ttl=64 time=0.180 ms
80 bytes from 1.1.1.10: icmp_seq=2 ttl=64 time=0.076 ms
80 bytes from 1.1.1.10: icmp_seq=3 ttl=64 time=0.084 ms
80 bytes from 1.1.1.10: icmp_seq=4 ttl=64 time=0.073 ms
80 bytes from 1.1.1.10: icmp_seq=5 ttl=64 time=0.071 ms
Determine the size of the new EOS image. Then verify that there is enough space available on the flash drive for two copies of this image (use the dir command to check the bytes free figure).
switch# dir flash:
Directory of flash:/
-rwx 293168526 Nov 4 22:17 EOS4.11.0.swi
-rwx 36 Nov 8 10:24 boot-config
-rwx 37339 Jun 16 14:18 cfg_06162014
<-------OUTPUT OMITTED FROM EXAMPLE-------->
606638080 bytes total (602841088 bytes free)
Standby supervisor:
switch# dir supervisor-peer:/mnt/flash/
Directory of flash:/
-rwx 293168526 Nov 4 22:17 EOS4.11.0.swi
-rwx 36 Nov 8 10:24 boot-config
-rwx 37339 Jun 16 14:18 cfg_06162014
<-------OUTPUT OMITTED FROM EXAMPLE-------->
606638080 bytes total (602841088 bytes free)
And, finally, ensure that any extensions running on the primary supervisor are also available on the secondary supervisor.
Load the desired image to the file system on the primary supervisor, typically into the flash. Use the CLI copy command to load files to the flash on the primary supervisor, then confirm that the new image file has been correctly transferred.
These command examples transfer an image file to flash from various locations.
Command: copy usb1:/sourcefile flash:/destfile
Example: switch# copy usb1:/EOS-4.13.2.swi flash:/EOS-4.13.2.swi
Command: copy ftp:/ftp-source/sourcefile flash:/destfile
Example: switch# copy ftp:/user:password@10.0.0.3/EOS-4.13.2.swi flash:/EOS-4.13.2.swi
Command: copy scp://scp-source/sourcefile flash:/destfile
Example: switch# copy scp://user@10.1.1.8/user/EOS-4.13.2.swi flash:/EOS-4.13.2.swi
Command: copy http://http-source/sourcefile flash:/destfile
Example: switch# copy http://10.0.0.10/EOS-4.13.2.swi flash:/EOS-4.13.2.swi
Once the file has been transferred, verify that it is present in the directory, then confirm the MD5 checksum using the verify command. The MD5 checksum for each available image can be found on the EOS download page of the Arista website.
switch# dir flash:
Directory of flash:/
-rwx 293168526 Nov 4 22:17 EOS4.11.0.swi
-rwx 36 Nov 8 10:24 boot-config
-rwx 37339 Jun 16 14:18 cfg_06162014
-rwx 394559902 May 30 02:57 EOS-4.13.2.swi
<-------OUTPUT OMITTED FROM EXAMPLE-------->
606638080 bytes total (208281186 bytes free)
switch# verify /md5 flash:EOS-4.13.2.swi
verify /md5 (flash:EOS-4.13.2.swi) =c277a965d0ed48534de6647b12a86991
Once the EOS image has been copied to the flash drive of the primary supervisor, use the install command to update the boot-config, copy the new image to the secondary supervisor and reload both supervisors. When upgrading to a new image, both supervisors will briefly be unavailable; using the install command minimizes packet loss during reload.
switch# install source EOS-4.13.2.swi reload
Preparing new boot-config... done.
Copying new software image to standby supervisor... done.
Copying new boot-config to standby supervisor... done.
Committing changes on standby supervisor... done.
Reloading standby supervisor... done.
Committing changes on this supervisor... done.
Reloading this supervisor...
After the switch finishes reloading, log into the switch and use the show version command to confirm the correct image is loaded. The Software image version line displays the version of the active image file.
switch# show version
Arista DCS-7504
Hardware version: 01.01
Serial number: JPE13120819
System MAC address: 001c.7326.fd0c
Software image version: 4.13.2F
Architecture: i386
Internal build version: 4.13.2F-1649184.4132F.2
Internal build ID: eeb3c212-b4bd-4c19-ba34-1b0aa36e43f1
Uptime: 1 hour and 36 minutes
Total memory: 4017088 kB
Free memory: 1473280 kB
switch#
The install command copies the specified EOS image onto the switch (if the source is external), configures the boot-config file to point to the specified EOS image, copies the image to the standby supervisor (on dual-supervisor switches), and optionally reloads the switch to run the new EOS.
Command Mode
Privileged EXEC
Command Syntax
install source source_path [destination destination_path][now][reload]
switch# install source EOS.swi reload
Preparing new boot-config... done.
Copying new software image to standby supervisor... done.
Copying new boot-config to standby supervisor... done.
Committing changes on standby supervisor... done.
Reloading standby supervisor... done.
Committing changes on this supervisor... done.
Reloading this supervisor...
Smart System Upgrade (SSU) allows critical switches to be upgraded with minimal downtime and packet loss by optimizing the reload procedure and leveraging protocols capable of graceful restart. The reload fast-boot command starts the SSU process using the EOS image specified by the boot-config file (configured by the boot system command).
When the reload fast-boot command is entered, the switch sends a message prompting the user to save the configuration if it contains unsaved modifications, then asks the user to confirm the reload request.
Command Mode
Privileged EXEC
Command Syntax
reload fast-boot
switch# reload fast-boot
Proceed with reload? [confirm]
switch# reload fast-boot
switch#'reload fast-boot' cannot proceed due to the following:
Spanning-tree portfast is not enabled for one or more ports
Spanning-tree BPDU guard is not enabled for one or more ports
switch#
switch# reload fast-boot
System configuration has been modified. Save? [yes/no/cancel/diff]:y
Copy completed successfully.
Proceed with reload? [confirm]y
The reload hitless command is a legacy command now identical to the reload fast-boot command. It starts the Smart System Upgrade (SSU) process using the EOS image specified by the boot-config file (configured by the boot system command).
Command Mode
Privileged EXEC
Command Syntax
reload hitless
switch# reload hitless
Proceed with reload? [confirm]
switch# reload hitless
switch#'reload hitless' cannot proceed due to the following:
Spanning-tree portfast is not enabled for one or more ports
Spanning-tree BPDU guard is not enabled for one or more ports
switch#
switch# reload hitless
System configuration has been modified. Save? [yes/no/cancel/diff]:y
Copy completed successfully.
Proceed with reload? [confirm]y
The switch controls access to EOS commands by authenticating user identity and verifying user authorization. Authentication, Authorization, and Accounting (AAA) activities are conducted through three data services: a local security database, TACACS+ servers, and RADIUS servers. Configuring the Security Services describes these services.
Enabling AAA on the switch requires two steps: configuring access to the data services the switch will use, then selecting the primary and backup services for each AAA function.
EOS provides aaa authorization, aaa authentication, and aaa accounting commands to select the primary and backup services. Activating Security Services provides information on implementing a security environment.
The switch uses clear-text passwords and server access keys to authenticate users and to communicate with security servers. To prevent accidental disclosure, running-config stores a protected form of each instead; which form depends on the type of password or key. User, enable, and root secrets are stored as one-way password hashes (the $1$ strings in the examples that follow are MD5-based crypt hashes), so the clear text cannot be read back from the configuration, although a weak password remains open to offline guessing if the configuration leaks. TACACS+ and RADIUS keys (key 7) are stored in a reversible obfuscated form, because the switch must present the clear-text key to the server; anyone who can read running-config can recover them, so protect configuration backups and show output accordingly.
Commands that configure passwords or keys accept either the clear-text value (form 0, the default) or a string already produced by the matching algorithm (form 5 for hashed secrets, form 7 for server keys), which lets a configuration be copied between switches without exposing the clear text.
The switch can access three security data services to authenticate users and authorize switch tasks: a local file, TACACS+ servers, and RADIUS Servers.
The local file contains username-password combinations to authenticate users. Passwords also authorize access to configuration commands and the switch root login.
Valid passwords contain the characters A-Z, a-z, 0-9 and any of these punctuation characters:
! @ # $ % ^ & * ( ) - _ = + { } [ ] ; : < > , . ? / ~ \
Usernames control access to the EOS and all switch commands. The switch is typically accessed through an SSH login, using a previously defined username-password combination. To create a new username or modify an existing username, use the username command.
Valid usernames begin with A-Z, a-z, or 0-9 and may also contain any of these characters:
@ # $ % ^ & * - _ = + ; < > , . ~ |
The default username is admin, which is described in Admin Username.
switch(config)# username john secret x245
switch(config)# username john secret 0 x245
switch(config)# username john secret 5 $1$sU.7hptc$TsJ1qslCL7ZYVbyXNG1wg1
switch(config)# username jane nopassword
switch(config)# no username william
The default switch configuration allows usernames that are not password-protected to log in only from the console. The aaa authentication policy local allow-nopassword-remote-login command configures the switch to allow unprotected usernames to log in from any port. To reverse this setting to the default state, use the no form of aaa authentication policy local allow-nopassword-remote-login.
switch(config)# aaa authentication policy local allow-nopassword-remote-login
switch(config)# no aaa authentication policy local allow-nopassword-remote-login
The enable command controls access to Privileged EXEC and all configuration command modes. The enable password authorizes users to execute the enable command. When the enable password is set, the CLI displays a password prompt when a user attempts to enter Privileged EXEC mode.
main-host> enable
Password:
main-host#
If an incorrect password is entered three times in a row, the CLI displays the EXEC mode prompt.
If no enable password is set, the CLI does not prompt for a password when a user attempts to enter Privileged EXEC mode.
To set the enable password, use the enable password command.
switch(config)# enable password xyrt1
switch(config)# enable password 0 xyrt1
switch(config)# enable password 5 $1$8bPBrJnd$Z8wbKLHpJEd7d4tc5Z/6h/
switch(config)# no enable password
The root account is the superuser of the underlying Linux system; logging in as root lands in a Linux shell, outside the EOS CLI and any command authorization configured for it. When it is not password protected, you can log into the root account only through the console port. After you assign a password to the root account, you can log into it through any port, so treat that password as a break-glass credential and leave the account without a password (console access only) unless remote root access is genuinely required.
To set the password for the root account, use the aaa root command.
switch(config)# aaa root secret f4980
switch(config)# aaa root secret 0 f4980
switch(config)# aaa root secret 5 $1$HW05LEY8$QEVw6JqjD9VqDfh.O8r.b
switch(config)# aaa root nopassword
switch(config)# no aaa root
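The $1$ strings accepted by username secret 5, enable password 5, and aaa root secret 5 are MD5-based crypt hashes, so they can be produced off-box and pasted in, which keeps the clear-text password out of the CLI session, command accounting, and terminal logs. The following Python is an added example and is not Arista code: a port of the FreeBSD md5crypt algorithm, with a verifier and a generator for the username line. The user john and password x245 come from the examples above; the salt generator and everything else are constructed for the example. Because this hash is cheap to compute, it offers little protection against offline guessing of weak passwords if the configuration leaks; if the EOS release in use offers a stronger hash type, prefer it.

```python
"""Generate and check the `$1$` (MD5-crypt) strings that EOS accepts after
`secret 5` / `password 5` for username, enable password and aaa root.

Added example, not Arista code. Pure-Python port of the FreeBSD md5crypt
algorithm; generating the string off-box keeps the clear-text password out
of the CLI session and its accounting records.
"""
import hashlib
import secrets

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
MAGIC = b"$1$"


def _to64(value: int, n: int) -> str:
    """crypt(3)-style base64: n characters, least significant 6 bits first."""
    out = []
    for _ in range(n):
        out.append(ITOA64[value & 0x3F])
        value >>= 6
    return "".join(out)


def md5_crypt(password: str, salt: str) -> str:
    """Return '$1$<salt>$<hash>' exactly as crypt(3) with the $1$ prefix would."""
    pw = password.encode("utf-8")
    sl = salt.encode("ascii")[:8]          # md5crypt uses at most 8 salt bytes
    ctx = hashlib.md5(pw + MAGIC + sl)
    alt = hashlib.md5(pw + sl + pw).digest()
    n = len(pw)
    while n > 0:                           # alt digest, repeated to password length
        ctx.update(alt[:min(16, n)])
        n -= 16
    n = len(pw)
    while n:                               # one byte per bit of the length
        ctx.update(b"\0" if n & 1 else pw[:1])
        n >>= 1
    final = ctx.digest()
    for i in range(1000):                  # the fixed 1000-round stretch
        c = hashlib.md5()
        c.update(pw if i & 1 else final)
        if i % 3:
            c.update(sl)
        if i % 7:
            c.update(pw)
        c.update(final if i & 1 else pw)
        final = c.digest()
    f = final
    enc = (_to64((f[0] << 16) | (f[6] << 8) | f[12], 4)
           + _to64((f[1] << 16) | (f[7] << 8) | f[13], 4)
           + _to64((f[2] << 16) | (f[8] << 8) | f[14], 4)
           + _to64((f[3] << 16) | (f[9] << 8) | f[15], 4)
           + _to64((f[4] << 16) | (f[10] << 8) | f[5], 4)
           + _to64(f[11], 2))
    return "$1$" + sl.decode("ascii") + "$" + enc


def new_salt() -> str:
    """Eight random characters from the crypt alphabet (constructed helper)."""
    return "".join(secrets.choice(ITOA64) for _ in range(8))


def verify(password: str, hashed: str) -> bool:
    """Check a candidate password against an existing $1$ string."""
    parts = hashed.split("$")
    if len(parts) != 4 or parts[1] != "1":
        return False
    return secrets.compare_digest(md5_crypt(password, parts[2]), hashed)


def username_line(user: str, password: str) -> str:
    """The EOS configuration line to paste, with a fresh random salt."""
    return "username %s secret 5 %s" % (user, md5_crypt(password, new_salt()))


if __name__ == "__main__":
    line = username_line("john", "x245")
    print(line)
    print(verify("x245", line.split()[-1]))
```

The verifier is handy in the other direction too: given a $1$ string lifted from a configuration backup, it confirms whether a suspected password matches without ever typing that password into a switch.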
Terminal Access Controller Access-Control System Plus (TACACS+), derived from the TACACS protocol defined in RFC 1492, is a network protocol that provides centralized user validation services. TACACS+ information is maintained on a remote database. EOS support of TACACS+ services requires access to a TACACS+ server.
TACACS+ manages multiple network access points from a single server. The switch defines a TACACS+ server connection by its address and port, allowing the switch to conduct multiple data streams to a single server by addressing different ports on the server.
These sections describe steps that configure access to TACACS+ servers. Configuring TACACS+ access is most efficiently performed when TACACS+ is functioning prior to configuring switch parameters.
TACACS+ parameters define settings for the switch to communicate with TACACS+ servers. A set of values can be configured for individual TACACS+ servers that the switch accesses. Global parameters define settings for communicating with servers for which parameters are not individually configured.
The switch supports the following TACACS+ parameters.
switch(config)# tacacs-server host TAC-1 key rp31E2v
switch(config)# tacacs-server key 0 cv90jr1
switch(config)# tacacs-server key 7 020512025B0C1D70
switch(config)# tacacs-server host 10.12.7.9 single-connection
switch(config)# tacacs-server host TAC_1 timeout 20
switch(config)# tacacs-server timeout 40
switch(config)# tacacs-server host 10.12.7.9 port 54
To display the TACACS+ servers and their interactions with the switch, use the show tacacs command.
switch(config)# show tacacs
server1: 10.1.1.45
Connection opens: 15
Connection closes: 6
Connection disconnects: 6
Connection failures: 0
Connection timeouts: 2
Messages sent: 45
Messages received: 14
Receive errors: 2
Receive timeouts: 2
Send timeouts: 3
Last time counters were cleared: 0:07:02 ago
To reset the TACACS+ status counters, use the clear aaa counters tacacs+ command.
Example
switch(config)# clear aaa counters tacacs+
Remote Authentication Dial-In User Service (RADIUS) is a networking protocol that provides centralized AAA services for computers connecting to and using network resources. RADIUS is used to manage access to the Internet, internal networks, wireless networks, and integrated email services.
These sections describe steps that configure RADIUS server access. Configuring RADIUS parameters is most efficiently performed when RADIUS is functioning prior to configuring switch parameters.
RADIUS servers and client companies extend basic RADIUS functionality through vendor-specific attributes. A dictionary file includes a list of RADIUS attribute-value pairs that Arista switches use to perform AAA operations through the RADIUS server.
#
# dictionary.arista
#
VENDOR Arista 30065
# Standard Attribute
BEGIN-VENDOR Arista
ATTRIBUTE Arista-AVPair 1 string
END-VENDOR Arista
RADIUS parameters specify settings for the switch to communicate with RADIUS servers. A set of values can be configured for individual RADIUS servers that the switch accesses. Global parameters define settings for communicating with servers for which parameters are not individually configured.
The switch defines the following RADIUS parameters.
key: the shared secret that authenticates the switch to the server. A key entered after 0 is plaintext; 7 denotes a key already in the obfuscated form that running-config displays.
switch(config)# radius-server host RAD-1 key rp31E2v
switch(config)# radius-server key 0 cv90jr1
switch(config)# radius-server key 7 020512025B0C1D70
timeout: the number of seconds the switch waits for a server response.
switch(config)# radius-server host RAD-1 timeout 20
switch(config)# radius-server timeout 50
retransmit: the number of times the switch resends a request to a server that does not respond before giving up on that server.
switch(config)# radius-server host RAD-1 retransmit 2
switch(config)# radius-server retransmit 5
deadtime: the period, in minutes, during which the switch skips a server that has stopped responding.
switch(config)# radius-server host RAD-1 deadtime 90
switch(config)# radius-server deadtime 120
Example
The auth-port and acct-port options set the UDP ports for authentication and accounting requests (defaults 1812 and 1813).
switch(config)# radius-server host RAD-1 auth-port 1850
switch(config)# radius-server host RAD-1 acct-port 1851
To remove the configuration for this server, use the no radius-server host command and specify the hostname or IP address together with both the authentication and accounting port numbers.
The following commands, applicable to all platforms, set the DSCP value carried by the packets the switch sends to each type of management server, so that AAA and monitoring traffic receives a consistent QoS treatment across the network.
This command configures the DSCP value of 62 for RADIUS-server.
switch(config)# radius-server qos dscp 62
This command configures the DSCP value of 36 for TACACS-server.
switch(config)# tacacs-server qos dscp 36
This command configures the DSCP value of 36 for snmp-server.
switch(config)# snmp-server qos dscp 36
This command configures the DSCP value of 36 for sFlow.
switch(config)# sflow qos dscp 36
The show radius command displays configured RADIUS servers and their interactions with the switch.
switch(config)# show radius
server1: 10.1.1.45
Messages sent: 24
Messages received: 20
Requests accepted: 14
Requests rejected: 8
Requests timeout: 2
Requests retransmitted: 1
Bad responses: 1
Last time counters were cleared: 0:07:02 ago
To reset the RADIUS status counters, use the clear aaa counters radius command.
switch(config)# clear aaa counters radius
The switch supports AAA with the LDAP protocol for authentication and authorization, using TLS to communicate with a remote LDAP server, and interoperates with Microsoft Active Directory when the directory is configured with LDAP plug-ins. LDAP authentication must be configured for LDAP authorization to work. AAA requests are sent to servers in the order of their configuration. Once a server is marked as unreachable, it is tried again only after all other servers have also been found unreachable.
On all platforms, LDAP is configured in management ldap mode and requires a server, a base DN, and a search account to provide remote authentication. The following running-config excerpts show a complete LDAP configuration, first with a single server and then with two servers that use different SSL profiles and group policies.
aaa authentication login default group ldap local
aaa authorization exec default group ldap local
!
management ldap
server host ldap-server.samplecompany.com
!
server defaults
base-dn dc=samplecompany,dc=com
rdn attribute user cn
ssl-profile testProfile
authorization group policy basic-role-example
search username cn=ldap-admin-acct,OU=ServiceAccounts,OU=Sample,dc=samplecompany,dc=com password 0 secretString
!
group policy basic-role-example
search filter objectclass group attribute member
group "Network Admin" role network-admin
group "Network Newbie" role network-operator
!
management security
ssl profile testProfile
fips restrictions
trust certificate caCert
!
management ldap
server host ldap-server.samplecompany.com
ssl-profile testProfile2
authorization group policy company1
!
server host ldap-server.company2.com
!
server defaults
base-dn dc=samplecompany,dc=com
rdn attribute user cn
ssl-profile testProfile1
authorization group policy basic-role-example
search username cn=ldap-admin-acct,OU=ServiceAccounts,OU=Sample,dc=samplecompany,dc=com password 0 secretString
!
group policy basic-role-example
search filter objectclass group attribute member
group "Network Admin" role network-admin
group "Network Newbie" role network-operator
!
group policy company1
search filter objectclass group attribute member
group "Network Admin2" role network-admin
group "Network Newbie2" role network-operator
!
aaa authentication login default group ldap
!
management ldap
server host <ldap server hostname/ip>
!
server defaults
base-dn <base distinguished name>
rdn attribute user <relative distinguished attribute name>
search username <full distinguished name> password <password>
This configuration sets up AAA authentication with LDAP. The server address can be an IPv4 address, an IPv6 address, or a hostname, and the server can be reached through a VRF. The RDN (relative distinguished name) is typically an attribute/value pair that identifies a user. When a user attempts to connect to the switch, the switch binds with the search account (search username) and searches recursively beneath base-dn for entries whose RDN attribute matches the supplied username, producing a short list of candidate DNs; the supplied password is then verified against those candidates by binding as each DN, and a successful bind authenticates the user.
Active Directory Server with LDAP Plug-in Configured
aaa authorization exec default group ldap
!
management ldap
server defaults
authorization group policy basic-role-example
!
group policy basic-role-example
search filter objectclass group attribute member
group "Network Admin" role network-admin
group "Network Newbie" role network-operator
The group command maps an LDAP group to an EOS role for role-based access control. Mappings are evaluated in order, and the first group that matches the user determines the role. The before and after keywords insert a mapping at the appropriate priority relative to the existing ones.
The LDAP search account uses the search filter command to find the LDAP groups that contain the user: objectclass names the object class of the entries that represent groups, and attribute names the entry attribute that holds the DN of each group member. LDAP supports TLS using SSL profiles. A trust certificate, or a chain of intermediate certificates, is required to verify the root of trust of the LDAP server. When an SSL profile is configured, a server that does not support TLS or that fails X.509 verification is not used for authentication, so a broken certificate chain results in authentication failure rather than a silent fallback to cleartext LDAP. The SSL profile itself is defined under management security, as in the following example.
Active Directory Server with LDAP Plug-in Configured
management ldap
!
server defaults
ssl-profile testProfile
management security
ssl profile testProfile
trust certificate <root of trust>
A server group is a collection of servers that are associated with a single group name. Subsequent authorization and authentication commands can access all servers in a group by invoking the group name. The switch supports TACACS+ and RADIUS server groups.
The aaa group server commands create server groups and place the switch in a server-group configuration mode to assign servers to the group. Commands that reference an existing group place the switch in a server-group configuration mode to modify the group.
The server (server-group-RADIUS configuration mode) commands add servers to the configuration mode server group. Servers must be previously configured with a radius-server host or tacacs-server host command before they are added to a group.
switch(config)# aaa group server tacacs+ TAC-GR
switch(config-sg-tacacs+-TAC-GR)#
The CLI remains in server-group configuration mode after adding the TAC-1 server (port 49) and the server located at 10.1.4.14 (port 151) to the group.
switch(config-sg-tacacs+-TAC-GR)# server TAC-1
switch(config-sg-tacacs+-TAC-GR)# server 10.1.4.14 port 151
switch(config-sg-tacacs+-TAC-GR)#
switch(config-sg-tacacs+-TAC-GR)# exit
switch(config)#
switch(config)# aaa group server radius RAD-SV1
switch(config-sg-radius-RAD-SV1)#
The CLI remains in server-group configuration mode after adding the RAC-1 server (authorization port 1812, accounting port 1813) and the server located at 10.1.5.14 (authorization port 1812, accounting port 1850) to the group.
switch(config-sg-radius-RAD-SV1)# server RAC-1
switch(config-sg-radius-RAD-SV1)# server 10.1.5.14 acct-port 1850
switch(config-sg-radius-RAD-SV1)#
Role-based authorization is a method of restricting access to CLI commands through the assignment of profiles, called roles, to user accounts. Each role consists of rules that permit or deny access to a set of commands within specified command modes.
All roles are accessible to the local security file through a username parameter and to remote users through RADIUS or TACACS+ servers. Each role can be applied to multiple user accounts. Only one role may be applied to a user.
Built-in roles supplied by the switch are network-operator and network-admin.
Upon its entry in the CLI, a command is compared to the first rule of the role. Commands that match the rule are executed (permit rule) or disregarded (deny rule). Commands that do not match the rule are compared to the next rule. This process continues until the command either matches a rule or the rule list is exhausted. The switch disregards commands not matching any rule.
Role rules consist of four components: sequence number, filter type, mode expression, and command expression.
The sequence number designates a rule’s placement in the role. Sequence numbers range in value from 1 to 256. Rule commands that do not include a sequence number append the rule at the end of the list, deriving its sequence number by adding 10 to the sequence number of the last rule in the list.
Example
10 deny mode exec command reload
20 deny mode config command (no |default )?router
The filter type specifies the disposition of matching commands. Filter types are permit and deny. Commands matching permit rules are executed. Commands matching deny rules are disregarded.
Example
10 deny mode exec command reload
20 permit mode config command interface
The mode expression specifies the command mode under which the command expression is effective. The mode expression may be a regular expression or a designated keyword. The prompt command displays the mode name that the switch uses: %p shows the short mode name (config-if) and %P shows the full mode name (config-if-Et1), as in the following example.
switch(config)# prompt switch%p
switch(config)# interface ethernet 1
switch(config-if)# exit
switch(config)# prompt switch%P
switch(config)# interface ethernet 1
switch(config-if-Et1)#
The command supports the use of regular expressions to reference multiple command modes.
The command expression is a regular expression that corresponds to one or more CLI commands.
Examples
The network-admin role is typically assigned to the admin user to allow it to run any command.
Built-in roles are not editable.
Example
switch(config)# show users roles network-operator
The default role is network-operator
role: network-operator
10 deny mode exec command bash|\|
20 permit mode exec command .*
switch(config)# show users roles network-admin
The default role is network-operator
role: network-admin
10 permit command .*
switch(config)#
Roles are created and modified in Role configuration mode. To create a role, enter the role command with the role’s name. The switch enters Role configuration mode. If the command is followed by the name of an existing role, subsequent commands edit that role.
Example
switch(config)# role sysuser
switch(config-role-sysuser)#
Role configuration mode is a group-change mode; changes are saved by exiting the mode.
switch(config)# role sysuser
switch(config-role-sysuser)# deny mode exec command reload
switch(config-role-sysuser)# show users roles sysuser
The default role is network-operator
switch(config-role-sysuser)#
switch(config-role-sysuser)# exit
switch(config)# show users roles sysuser
The default role is network-operator
role: sysuser
10 deny mode exec command reload
switch(config)#
The abort command exits Role configuration mode without saving pending changes.
Example
switch(config)# role sysuser
switch(config-role-sysuser)# deny mode exec command reload
switch(config-role-sysuser)# abort
switch(config)# show users roles sysuser
The default role is network-operator
switch(config)#
The deny (Role) command adds a deny rule to the configuration mode role. The permit (Role) command adds a permit rule to the configuration mode role.
To append a rule to the end of a role, enter the rule without a sequence number while in Role Configuration Mode. The new rule's sequence number is derived by adding 10 to the last rule's sequence number.
Example
switch(config)# role sysuser
switch(config-role-sysuser)# deny mode exec command reload
switch(config-role-sysuser)# deny mode config command (no |default )?router
switch(config-role-sysuser)# permit command .*
switch(config-role-sysuser)# exit
switch(config)# show users roles sysuser
The default role is network-operator
role: sysuser
10 deny mode exec command reload
20 deny mode config command (no |default )?router
30 permit command .*
switch(config)#
To insert a rule into a role, enter the rule with a sequence number between the existing rules numbers.
Example
switch(config)# role sysuser
switch(config-role-sysuser)# 15 deny mode config-all command lacp
switch(config-role-sysuser)# exit
switch(config)# show users roles sysuser
The default role is network-operator
role: sysuser
10 deny mode exec command reload
15 deny mode config-all command lacp
20 deny mode config command (no |default )?router
30 permit command .*
switch(config)#
To remove a rule, enter no or default followed by either the rule's sequence number or the rule itself. Each of the following commands removes rule 30 from the sysuser role.
switch(config-role-sysuser)# no 30
switch(config-role-sysuser)# default 30
switch(config-role-sysuser)# no permit command .*
switch(config-role-sysuser)# default permit command .*
This role results from entering one of the preceding commands. Because the permit command .* rule is gone, every command that matches none of the remaining rules is disregarded, so a user assigned this role can no longer execute any command.
switch(config)# show users roles sysuser
The default role is network-operator
role: sysuser
10 deny mode exec command reload
15 deny mode config-all command lacp
20 deny mode config command (no |default )?router
switch(config)#
Sequence numbers determine the order of the rules in a role. After a list editing session where existing rules are deleted and new rules are inserted between existing rules, the sequence number distribution may not be uniform. Resequencing adjusts the sequence numbers of the rules to provide a constant difference between adjacent rules. The resequence (Role) command takes the new starting number and the increment.
Example
switch(config)# show users roles sysuser
The default role is network-operator
role: sysuser
10 deny mode exec command reload
20 deny mode config-all command lacp|spanning-tree
25 deny mode config command (no |default )?router
30 permit command .*
switch(config)# role sysuser
switch(config-role-sysuser)# resequence 100 20
switch(config-role-sysuser)# exit
switch(config)# show users roles sysuser
The default role is network-operator
role: sysuser
100 deny mode exec command reload
120 deny mode config-all command lacp|spanning-tree
140 deny mode config command (no |default )?router
160 permit command .*
switch(config)#
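The evaluation order, the append and insert rules, rule removal, and resequencing described above can be checked with the following simulation. It is an added example, not EOS code. Its matching conventions are assumptions: config-all covers every configuration mode, any other mode expression is matched against the full mode name, and a command expression is searched for within the command text. The sysuser role it builds is the one from the examples above.

```python
"""Simulate EOS role rule evaluation (added example, not EOS code)."""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    seq: int
    action: str            # "permit" or "deny"
    mode: Optional[str]    # mode expression; None means any mode
    command: str           # regular expression over the command text


def mode_matches(mode_expr: Optional[str], mode: str) -> bool:
    """Assumption: 'config-all' covers every configuration mode; any other
    expression is a regular expression matched against the full mode name."""
    if mode_expr is None:
        return True
    if mode_expr == "config-all":
        return mode.startswith("config")
    return re.fullmatch(mode_expr, mode) is not None


class Role:
    def __init__(self, name: str):
        self.name = name
        self.rules: dict[int, Rule] = {}

    def add(self, action: str, command: str, mode: Optional[str] = None,
            seq: Optional[int] = None) -> int:
        """Append (no seq: last seq + 10, or 10 for an empty role) or insert at seq."""
        if seq is None:
            seq = max(self.rules) + 10 if self.rules else 10
        if not 1 <= seq <= 256:
            raise ValueError("sequence numbers range from 1 to 256")
        self.rules[seq] = Rule(seq, action, mode, command)
        return seq

    def remove(self, seq: int) -> None:
        """Equivalent of 'no <seq>' in role configuration mode."""
        del self.rules[seq]

    def resequence(self, start: int = 10, step: int = 10) -> list[int]:
        """Equivalent of 'resequence <start> <step>'; returns the new numbers."""
        ordered = sorted(self.rules.values(), key=lambda r: r.seq)
        self.rules = {
            start + i * step: Rule(start + i * step, r.action, r.mode, r.command)
            for i, r in enumerate(ordered)
        }
        return sorted(self.rules)

    def authorize(self, mode: str, command: str) -> bool:
        """First matching rule decides; a command matching no rule is disregarded."""
        for seq in sorted(self.rules):
            rule = self.rules[seq]
            if mode_matches(rule.mode, mode) and re.search(rule.command, command):
                return rule.action == "permit"
        return False


def build_sysuser() -> Role:
    """The sysuser role as built in the examples above, including the inserted rule 15."""
    role = Role("sysuser")
    role.add("deny", "reload", mode="exec")                     # 10
    role.add("deny", "(no |default )?router", mode="config")    # 20
    role.add("permit", ".*")                                    # 30
    role.add("deny", "lacp", mode="config-all", seq=15)         # 15, inserted
    return role


if __name__ == "__main__":
    role = build_sysuser()
    for mode, cmd in [("exec", "reload"), ("exec", "show version"),
                      ("config", "no router bgp 100"), ("config-if-Et1", "lacp rate fast")]:
        print(mode, cmd, "->", "permit" if role.authorize(mode, cmd) else "deny")
    print("resequenced:", role.resequence(100, 20))
```

Note the effect of removing the final permit rule after resequencing: with no rule left to match, every command is disregarded, which is the behaviour the deletion example above produces.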
Roles are assigned to local users through the username command and to remote users through RADIUS servers or TACACS+ servers. Each user is assigned one role. Each role can be assigned to multiple local and remote users.
Users that are not explicitly assigned a role are assigned the default role. The aaa authorization policy local default-role command designates the default role. The network-operator built-in role is the default role when the default role is not configured.
switch(config)# aaa authorization policy local default-role sysuser
switch(config)# show users roles
The default role is sysuser
switch(config)#
These commands restore network-operator as the default role by deleting the aaa authorization policy local default-role statement from running-config, then display the default role name.
switch(config)# no aaa authorization policy local default-role
switch(config)# show users roles
The default role is network-operator
switch(config)#
Roles are assigned to users with the username command's role parameter. A username whose running-config username statement does not include a role parameter is assigned the default role.
The role parameter function in a command creating a username is different from its function in a command editing an existing name.
A username command creating a username explicitly assigns a role to the username by including the role parameter; commands without a role parameter assigns the default role to the username.
switch(config)# username FRED secret 0 axced role sysuser1
switch(config)# username JANE nopassword
switch(config)# show running-config
<-------OUTPUT OMITTED FROM EXAMPLE-------->
!
username FRED role sysuser1 secret 5 $1$dhJ6vrPV$PFOvJCX/vcqyIHV.vd.l20
username JANE nopassword
!
<-------OUTPUT OMITTED FROM EXAMPLE-------->
switch(config)#
The role of a previously configured username may be edited by a username command without altering its password. The role assignment of a username is not changed by username commands that do not include a role parameter.
switch(config)# username JANE role sysuser2
switch(config)# show running-config
<-------OUTPUT OMITTED FROM EXAMPLE-------->
!
username FRED role sysuser1 secret 5 $1$dhJ6vrPV$PFOvJCX/vcqyIHV.vd.l20
username JANE role sysuser2 nopassword
!
<-------OUTPUT OMITTED FROM EXAMPLE-------->
switch(config)#
switch(config)# no username FRED role
switch(config)# show running-config
<-------OUTPUT OMITTED FROM EXAMPLE-------->
!
username FRED secret 5 $1$dhJ6vrPV$PFOvJCX/vcqyIHV.vd.l20
username JANE role sysuser2 nopassword
!
<-------OUTPUT OMITTED FROM EXAMPLE-------->
switch(config)#
The show users accounts command displays role assignment of the configured users. The show users detail command displays roles of users that are currently logged into the switch.
switch(config)# show users accounts
user: FRED
role: <unknown>
privilege level: 1
user: JANE
role: sysuser2
privilege level: 1
user: admin
role: network-admin
privilege level: 1
switch(config)#
switch(config)# show aaa session
Session  Username  Roles             TTY     State  Duration  Auth          Remote Host
-------  --------  ----------------  ------  -----  --------  ------------  --------------
2        admin     network-operator  ttyS0   E      0:01:21   local
4        Fred      sysadmin          telnet  E      0:02:01   local         sf.example.com
6        Jane      sysuser2          ssh     E      0:00:52   group radius  ny.example.com
9        admin     network-admin     ssh     E      0:00:07   local         bj.example.com
10       max       network-admin     telnet  E      0:00:07   local         sf.example.com
A role can be assigned to a remote user authenticated through a RADIUS server. Roles are assigned through the vendor-specific Attribute-Value (AV) pair named “Arista-AVPair.” The switch extracts the remote user’s role upon a successful authentication when RADIUS authentication is enabled.
Example
# Sample RADIUS server users file
"Jane" Cleartext-Password := "Abc1235"
Arista-AVPair = "shell:roles=sysuser2",
Service-Type = NAS-Prompt-User
"Mary" Cleartext-Password := "xYz$2469"
Arista-AVPair = "shell:roles=sysadmin",
Service-Type = NAS-Prompt-User
"Fred" Cleartext-Password := "rjx4#222"
Arista-AVPair = "shell:roles=network-operator",
Service-Type = NAS-Prompt-User
The aaa authentication login command selects the user authentication service (see Configuring Service Lists ).
Example
switch(config)# aaa authentication login default group radius
To enable Role-Based Access Control on the switch, apply the following configuration:
switch(config)# aaa authorization commands all default local
After configuring the access databases, aaa authentication, aaa authorization, and aaa accounting commands designate active and backup services for handling access requests.
These sections describe the methods of selecting the database that the switch uses to authenticate users and authorize access to network resources.
Service lists specify the services the switch uses to authenticate usernames and the enable password.
Service list elements are service options, ordered by their priority.
To authenticate a username, the switch tries the first element of the list. If the element is a server group and a server in that group is available, the switch authenticates the username through that group; the server's accept or reject decision is final, and later elements are not consulted. If no server in the group is reachable, the switch continues through the list until it finds an available service. The none option allows the access attempt to succeed without authentication, so a list that ends with none grants access to anyone whenever every listed server is unreachable.
switch(config)# aaa authentication login default group TAC-1 local
switch(config)# aaa authentication login default group tacacs+ group radius none
switch(config)# aaa authentication enable default group TACACS+ local
AAA time-based lockout manages unsuccessful remote login attempts: a user who fails to authenticate the configured number of times is locked out for a configurable duration.
switch(config)# aaa authentication policy lockout failure 4 duration 360
To display the users that are currently locked out, use the show aaa authentication lockout command; to release them before the duration expires, use the clear aaa authentication lockout command.
switch# show aaa authentication lockout
switch# clear aaa authentication lockout
Authorization commands control EOS shell access, CLI command access, and configuration access through the console port. The switch also supports role-based authorization, which allows access to specified CLI commands by assigning command profiles (or roles) to usernames. See Role-Based Authorization for details.
During the exec authorization process, TACACS+ server responses may include attribute-value (AV) pairs. The switch recognizes the mandatory AV pair named priv-lvl=x (where x is between 0 and 15).
By default, a session authorized by a TACACS+ server that sends any other mandatory AV pair is denied access to the switch. Optional AV pairs received by the switch have no effect on the decision to permit or deny access. The tacacs-server policy command programs the switch to ignore unrecognized mandatory AV pairs and allow access.
switch(config)# aaa authorization exec default group tacacs+
switch(config)# aaa authorization commands all default local
switch(config)# aaa authorization commands all default none
switch(config)# tacacs-server policy unknown-mandatory-attribute ignore
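The two kinds of server-supplied attributes the switch acts on in this chapter, the Arista-AVPair role string returned by RADIUS (shown in the users file earlier) and the mandatory or optional AV pairs returned by TACACS+ during exec authorization, can be handled as in the following added example. It is not EOS code: the TACACS+ convention it relies on is the protocol's own (a = separator marks a mandatory argument, * an optional one), the decision logic is the policy stated above, and the server replies and the attribute names acl and idletime are constructed.

```python
"""Handle role and privilege attributes returned by AAA servers.
Added example, not EOS code; the server replies below are constructed."""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

ROLE_PREFIX = "shell:roles="


def roles_from_arista_avpair(avpairs: list[str]) -> list[str]:
    """Extract role names from Arista-AVPair values such as 'shell:roles=sysuser2'.
    Values that do not carry the roles prefix are ignored."""
    roles: list[str] = []
    for value in avpairs:
        if value.startswith(ROLE_PREFIX):
            roles.extend(r for r in value[len(ROLE_PREFIX):].split(",") if r)
    return roles


# TACACS+ authorization arguments: "name=value" is mandatory, "name*value" optional.
TACACS_ARG = re.compile(r"^([^=*]+)([=*])(.*)$")


@dataclass
class ExecDecision:
    permitted: bool
    priv_lvl: Optional[int]
    reason: str


def authorize_exec(args: list[str], ignore_unknown_mandatory: bool = False) -> ExecDecision:
    """priv-lvl=x with 0 <= x <= 15 is recognized. Any other mandatory attribute
    denies the session unless the 'unknown-mandatory-attribute ignore' policy is
    set; optional attributes never affect the decision."""
    priv: Optional[int] = None
    for arg in args:
        m = TACACS_ARG.match(arg)
        if not m:
            return ExecDecision(False, None, f"malformed attribute {arg!r}")
        name, sep, value = m.groups()
        mandatory = sep == "="
        if name == "priv-lvl":
            if not value.isdigit() or not 0 <= int(value) <= 15:
                return ExecDecision(False, None, f"priv-lvl out of range: {value!r}")
            priv = int(value)
        elif mandatory and not ignore_unknown_mandatory:
            return ExecDecision(False, None, f"unknown mandatory attribute {name!r}")
    return ExecDecision(True, priv, "ok")


# Constructed replies; 'acl' and 'idletime' are hypothetical attribute names.
RADIUS_REPLY = ["shell:roles=sysuser2"]
TACACS_REPLY_OK = ["priv-lvl=15"]
TACACS_REPLY_UNKNOWN_MANDATORY = ["priv-lvl=15", "acl=10"]
TACACS_REPLY_OPTIONAL = ["priv-lvl=1", "idletime*300"]

if __name__ == "__main__":
    print(roles_from_arista_avpair(RADIUS_REPLY))
    for reply in (TACACS_REPLY_OK, TACACS_REPLY_UNKNOWN_MANDATORY, TACACS_REPLY_OPTIONAL):
        print(reply, authorize_exec(reply),
              authorize_exec(reply, ignore_unknown_mandatory=True))
```

The deny-by-default handling of unknown mandatory attributes is the safe side: a server that insists on an attribute the switch cannot enforce should not get a session it did not fully authorize. Enable the ignore policy only for servers whose extra mandatory attributes are known to be harmless on EOS.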
By default, EOS authorizes commands entered in configuration modes through the policy set by aaa authorization commands. This command disables the authorization of configuration commands.
switch(config)# no aaa authorization config-commands
This command re-enables the authorization of configuration commands.
switch(config)# aaa authorization config-commands
By default, EOS does not verify authorization of commands entered on the console port. This command configures the switch to authorize commands entered on the console, using the method specified through a previously executed aaa authorization command.
switch(config)# aaa authorization serial-console
The accounting service collects information for billing, auditing, and reporting. The switch supports TACACS+ and RADIUS accounting by reporting user activity to either the TACACS+ server or RADIUS server in the form of accounting records.
Accounting is enabled by the aaa accounting command.
switch(config)# aaa accounting commands all default start-stop group tacacs+
switch(config)# aaa accounting exec console stop group tacacs+
This section describes a sample TACACS+ host configuration.
The switch authenticates the username and the enable command against all TACACS+ servers, which in this case is one host. If the TACACS+ server is unavailable, the switch authenticates against the local file.
OpenConfig allows network engineers to collaboratively develop programming interfaces and tools to manage networks dynamically and in a vendor-neutral manner. EOS supports AAA accounting for gRPC Network Management Interface (gNMI), gRPC Network Operations Interface (gNOI), and gRPC Network Security Interface (gNSI) RPCs by logging the accounting records to a TACACS+ server, a RADIUS server, or a syslog server.
The aaa accounting dot1x command enables the accounting of requested 802.1X services for network access.
The no aaa accounting dot1x and default aaa accounting dot1x commands disable the specified method list by removing the corresponding aaa accounting dot1x command from running-config.
Command Mode
Global Configuration
Command Syntax
aaa accounting dot1x default MODE [METHOD_1][METHOD_2] ... [METHOD_N]
no aaa accounting dot1x default
default aaa accounting dot1x default
MODE is none, start-stop, or stop-only. No method is specified when MODE is none; otherwise the command must provide at least one method. Each method is one of the following:
group radius: the server group that includes all defined RADIUS hosts.
group tacacs+: the server group that includes all defined TACACS+ hosts.
group group_name: a named server group.
logging: the switch's syslog facility.
switch(config)# aaa accounting dot1x default start-stop group radius
switch(config)#
switch(config)# no aaa accounting dot1x default
switch(config)#
The aaa accounting system command performs accounting for all system-level events.
The no aaa accounting system and default aaa accounting system commands clear the specified method list by removing the corresponding aaa accounting system command from running-config.
Command Mode
Global Configuration
Command Syntax
aaa accounting system default MODE [METHOD_1][METHOD_2] ... [METHOD_N]
no aaa accounting system default
default aaa accounting system default
switch(config)# aaa accounting system default none
switch(config)#
switch(config)# aaa accounting system default stop-only group radius
switch(config)#
The aaa accounting command configures accounting method lists for a specified accounting type. Each list consists of a prioritized list of methods. The accounting module uses the first available listed method for the accounting type.
The no aaa accounting and default aaa accounting commands clear the specified method list by removing the corresponding aaa accounting command from running-config.
Command Mode
Global Configuration
Command Syntax
aaa accounting TYPE CONNECTION MODE [METHOD_1][METHOD_2] ... [METHOD_N]
no aaa accounting TYPE CONNECTION
default aaa accounting TYPE CONNECTION
switch(config)# aaa accounting commands all default start-stop group tacacs+
switch(config)#
switch(config)# aaa accounting exec console stop group tacacs+
switch(config)#
The aaa authentication dot1x command configures the default authentication list of requested 802.1X services for network access.
The no aaa authentication dot1x and default aaa authentication dot1x commands remove the default authentication list for IEEE 802.1X.
Command Mode
Global Configuration
Command Syntax
aaa authentication dot1x default group {group_name | radius}
no aaa authentication dot1x default
default aaa authentication dot1x
switch(config)# aaa authentication dot1x default group auth1
switch(config)#
The aaa authentication enable command configures the service list that the switch references to authorize access to Privileged EXEC command mode.
The switch authorizes access by using the first listed service option that is available. When the local file is a service list element, an attempt to locally authenticate a username not in the local file results in the switch continuing to the next service list element.
EOS supports a console list for authorizing usernames through the console and a default list for authorizing usernames through all other connections.
The no aaa authentication enable and default aaa authentication enable commands revert the list configuration to the default by removing the corresponding aaa authentication enable command from running-config.
Command Mode
Global Configuration
Command Syntax
aaa authentication enable {console | default} METHOD_1 [METHOD_2] ... [METHOD_N]
no aaa authentication enable {console | default}
default aaa authentication enable {console | default}
Parameters
console - Uses the console authentication list.
default - Uses the default authentication list.
switch(config)# aaa authentication enable default group TACACS+ local
switch(config)#
The aaa authentication login command configures the service list that the switch references to authenticate usernames. The switch authenticates by using the first listed service option that is available. When the local file is a service list element, an attempt to locally authenticate a username not in the local file results in the switch continuing to the next service list element.
The switch supports a console list for authenticating usernames through the console and a default list for authenticating usernames through all other connections.
The no aaa authentication login and default aaa authentication login commands revert the specified list configuration to its default by removing the corresponding aaa authentication login command from running-config.
Command Mode
Global Configuration
Command Syntax
aaa authentication login CONNECTION SERVICE_1 [SERVICE_2] ... [SERVICE_N]
no aaa authentication login CONNECTION
default aaa authentication login CONNECTION
switch(config)# aaa authentication login default group TAC-1 local
switch(config)#
switch(config)# aaa authentication login default group tacacs+ group radius none
switch(config)#
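The fallback rules for login and enable service lists stated above (a reachable server group decides and its reject is final, local falls through only for usernames absent from the local file, and none succeeds without authentication) are easy to get wrong when reading a list. The following added simulation, not EOS code, applies exactly those rules to the example lists on this page; the servers, their reachability and the user tables are constructed.

```python
"""Simulate how a service list (method list) selects the authenticating
service. Added example, not EOS code; servers and users are constructed."""
from __future__ import annotations


class Server:
    """Stand-in for one TACACS+ or RADIUS host with its own user table."""

    def __init__(self, name: str, reachable: bool, users: dict[str, str] | None = None):
        self.name = name
        self.reachable = reachable
        self.users = users or {}

    def accepts(self, username: str, password: str) -> bool:
        return self.users.get(username) == password


def authenticate(service_list, username, password, groups, local_users):
    """Return (verdict, service that decided).

    group NAME: the first reachable server in the group decides; its reject is
        final, and only a group with no reachable server falls through.
    local: a username not in the local file falls through to the next element.
    none: the attempt succeeds without authentication.
    """
    for method in service_list:
        if method == "none":
            return "permit", "none"
        if method == "local":
            if username in local_users:
                ok = local_users[username] == password
                return ("permit" if ok else "deny"), "local"
            continue
        if method.startswith("group "):
            for server in groups.get(method[len("group "):], []):
                if server.reachable:
                    ok = server.accepts(username, password)
                    return ("permit" if ok else "deny"), f"{method}/{server.name}"
            continue
        raise ValueError(f"unknown service {method!r}")
    return "deny", "no service available"


# Constructed local user file and server groups.
LOCAL_USERS = {"admin": "adminpw"}


def build_groups(tacacs_up: bool, radius_up: bool) -> dict[str, list[Server]]:
    """'tacacs+' and 'radius' stand for all hosts of each protocol; TAC-GR is a named group."""
    tac = Server("10.1.1.45", tacacs_up, {"jane": "Abc1235"})
    rad = Server("10.1.5.14", radius_up, {"jane": "Abc1235"})
    return {"tacacs+": [tac], "TAC-GR": [tac], "radius": [rad]}


if __name__ == "__main__":
    down = build_groups(False, False)
    # With every server unreachable, the trailing 'none' admits anyone.
    print(authenticate(["group tacacs+", "group radius", "none"],
                       "anyone", "anything", down, LOCAL_USERS))
```

The last call is the case to keep in mind when a list such as group tacacs+ group radius none is deployed: an outage of both server groups, whether accidental or induced, turns the list into open access. Ending the list with local instead limits the fallback to accounts in the local file.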
The aaa authentication policy local allow-nopassword-remote-login command permits usernames without passwords to log in from any port. The default switch setting only allows unprotected usernames to log in from the console.
The no aaa authentication policy local allow-nopassword-remote-login and default aaa authentication policy local allow-nopassword-remote-login commands return the switch to the default setting of allowing unprotected usernames to log in only from the console.
Command Mode
Global Configuration
Command Syntax
aaa authentication policy local allow-nopassword-remote-login
no aaa authentication policy local allow-nopassword-remote-login
default aaa authentication policy local allow-nopassword-remote-login
switch(config)# aaa authentication policy local allow-nopassword-remote-login
switch(config)#
switch(config)# no aaa authentication policy local allow-nopassword-remote-login
switch(config)#
The aaa authentication policy lockout failure command configures the switch to lock the remote user from getting access after specific unsuccessful login attempts within a lockout period.
The no aaa authentication policy lockout failure and the default aaa authentication policy lockout failure commands disable the lockout period configuration.
Command Mode
Global Configuration
Command Syntax
aaa authentication policy lockout failure failure_count duration duration_time [window window_time]
no aaa authentication policy lockout failure
default aaa authentication policy lockout failure
switch(config)# aaa authentication policy lockout failure 4 duration 360
switch(config)# aaa authentication policy lockout failure 5 window 10 duration 60
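The interaction of failure, window and duration in the two commands above (here and in the earlier lockout overview) is shown by the following added simulation. It is not EOS code: it assumes that only failures within window of each other count, that a lock lasts duration from the failure that triggered it, that a successful login resets the count, and that clear aaa authentication lockout releases the user; all times are plain numbers in a single unit, and the switch's actual units are not modelled.

```python
"""Model of a failure-count lockout policy (added example, not EOS code)."""
from __future__ import annotations

from collections import defaultdict, deque
from typing import Optional


class LockoutPolicy:
    """failure: attempts that trigger a lock; duration: lock length;
    window: failures further apart than this do not count together
    (None: failures never expire). Times are plain numbers (assumption)."""

    def __init__(self, failure: int, duration: float, window: Optional[float] = None):
        if failure < 1 or duration <= 0 or (window is not None and window <= 0):
            raise ValueError("failure >= 1, duration > 0, window > 0")
        self.failure, self.duration, self.window = failure, duration, window
        self._failures: dict[str, deque] = defaultdict(deque)
        self._locked_until: dict[str, float] = {}

    def is_locked(self, user: str, now: float) -> bool:
        until = self._locked_until.get(user)
        if until is None:
            return False
        if now < until:
            return True
        del self._locked_until[user]          # lock expired
        return False

    def record_failure(self, user: str, now: float) -> bool:
        """Register a failed login; return True if the user is now locked."""
        if self.is_locked(user, now):
            return True
        q = self._failures[user]
        q.append(now)
        if self.window is not None:          # drop failures outside the window
            while q and now - q[0] > self.window:
                q.popleft()
        if len(q) >= self.failure:
            self._locked_until[user] = now + self.duration
            q.clear()
            return True
        return False

    def record_success(self, user: str) -> None:
        """Assumption: a successful login resets the failure count."""
        self._failures.pop(user, None)

    def clear(self, user: Optional[str] = None) -> None:
        """Equivalent of 'clear aaa authentication lockout' for one or all users."""
        if user is None:
            self._locked_until.clear()
            self._failures.clear()
        else:
            self._locked_until.pop(user, None)
            self._failures.pop(user, None)

    def locked_users(self, now: float) -> list[str]:
        """Equivalent of 'show aaa authentication lockout'."""
        return sorted(u for u in list(self._locked_until) if self.is_locked(u, now))


if __name__ == "__main__":
    policy = LockoutPolicy(failure=5, duration=60, window=10)
    for t in (0, 1, 2, 3, 20, 21, 22, 23, 24):
        print(t, "locked" if policy.record_failure("jane", t) else "open")
    print(policy.locked_users(30))
```

Without a window, a slow guess every few hours still accumulates toward the lock, which is usually what an operator wants for remote logins; with a window, the same slow guesser never trips the policy, so size the window against the attacker's plausible pace rather than the legitimate user's typing speed.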
The aaa authentication policy log command configures the switch to generate syslog messages for login authentication success or failure events.
The no aaa authentication policy log and the default aaa authentication policy log commands restore the default behavior of not generating syslog messages for these events.
Command Mode
Global Configuration
Command Syntax
aaa authentication policy {on-failure | on-success} log
no aaa authentication policy {on-failure | on-success} log
default aaa authentication policy {on-failure | on-success} log
This command configures the switch to log successful and failed login attempts.
switch(config)# aaa authentication policy on-success log
switch(config)# aaa authentication policy on-failure log
The aaa authorization commands command configures the service list that the switch uses to authorize CLI commands at the specified privilege levels. Command usage is authorized for each privilege level specified in the command.
The list is set to none for all unconfigured privilege levels, allowing all CLI access attempts to succeed.
The no aaa authorization commands and default aaa authorization commands commands revert the list contents to none for the specified privilege levels.
Command Mode
Global Configuration
Command Syntax
aaa authorization commands PRIV default SERVICE_1[SERVICE_2] ... [SERVICE_N]
no aaa authorization commands PRIV default
default aaa authorization commands PRIV default
switch(config)# aaa authorization commands all default local
switch(config)#
switch(config)# aaa authorization commands all default none
switch(config)#
The aaa authorization config-commands command enables authorization of commands in any configuration mode, such as Global Configuration and all interface configuration modes. Commands are authorized through the policy specified by the aaa authorization commands setting. Authorization is enabled by default, so issuing this command has no effect unless running-config contains the no aaa authorization config-commands command.
The no aaa authorization config-commands command disables configuration command authorization. When configuration command authorization is disabled, running-config contains the no aaa authorization config-commands command. The default aaa authorization config-commands command restores the default setting by removing the no aaa authorization config-commands from running-config.
Command Mode
Global Configuration
Command Syntax
aaa authorization config-commands
no aaa authorization config-commands
default aaa authorization config-commands
switch(config)# aaa authorization config-commands
switch(config)#
switch(config)# no aaa authorization config-commands
switch(config)#
The aaa authorization exec command configures the service list that the switch references to authorize access to open an EOS CLI shell.
The list consists of a prioritized list of service options. The switch authorizes access by using the first listed service option to which the switch can connect. When the switch cannot communicate with an entity that provides a specified service option, it attempts to use the next option in the list.
EOS supports a console list to authorize access to a CLI shell through the console and a default list to authorize access for all other connections.
The no aaa authorization exec and default aaa authorization exec commands set the list contents to none.
Command Mode
Global Configuration
Command Syntax
aaa authorization exec default METHOD_1 [METHOD_2] ... [METHOD_N]
no aaa authorization exec default
default aaa authorization exec default
The command must provide at least one method. Each method is composed of one of the following:
Guidelines
During the EXEC authorization process, the TACACS+ server response may include attribute-value (AV) pairs. The switch recognizes priv-lvl=x (where x is an integer between 0 and 15), which is a mandatory AV pair. A TACACS+ server that sends any other mandatory AV pair is denied access to the switch. The receipt of optional AV pairs by the switch has no effect on decisions to permit or deny access to the TACACS+ server.
switch(config)# aaa authorization exec default group tacacs+
switch(config)#
The aaa authorization policy local command specifies the name of the default role. A role is a data structure that supports local command authorization through its assignment to user accounts. Roles consist of permit and deny rules that define authorization levels for specified commands. Applying a role to a username authorizes the user to execute commands specified by the role.
When the default-role is not specified, network-operator is assigned to qualified users as the default role. The network-operator role authorizes assigned users access to all CLI commands in EXEC and Privileged EXEC modes.
The no aaa authorization policy local default-role and default aaa authorization policy local default-role commands remove the aaa authorization policy local default-role statement from running-config. Removing this statement restores network-operator as the default role.
Command Mode
Global Configuration
Command Syntax
aaa authorization policy local default-role role_name
no aaa authorization policy local default-role
default aaa authorization policy local default-role
Parameters
role_name Name of the default role.
Related Command
The role command places the switch in role configuration mode for creating and editing roles.
switch(config)# aaa authorization policy local default-role sysuser
switch(config)#
switch(config)# no aaa authorization policy local default-role
switch(config)#
switch# show users roles network-operator
The default role is network-operator
role: network-operator
10 deny mode exec command bash|\|
20 permit mode exec command .*
switch#
The aaa authorization serial-console command configures the switch to authorize commands entered through the console. By default, commands entered through the console do not require authorization.
The no aaa authorization serial-console and default aaa authorization serial-console commands restore the default setting.
Command Mode
Global Configuration
Command Syntax
aaa authorization serial-console
no aaa authorization serial-console
default aaa authorization serial-console
switch(config)# aaa authorization serial-console
switch(config)#
The aaa group server radius command enters the Server-group-RADIUS Configuration Mode for the specified group name. The command creates the specified group if it was not previously created. Commands are available to add servers to the group.
A server group is a collection of servers that are associated with a single label. Subsequent authorization and authentication commands access all servers in a group by invoking the group name. Server group members must be previously configured with a radius-server host command.
The no aaa group server radius and default aaa group server radius commands delete the specified server group from running-config.
Command Mode
Global Configuration
Command Syntax
aaa group server radius group_name
no aaa group server radius group_name
default aaa group server radius group_name
Parameters
group_name name (text string) assigned to the group. Cannot be identical to a name already assigned to a TACACS+ server group.
Commands Available in Server-group-RADIUS Configuration Mode
server (server-group-RADIUS configuration mode).
Related Command
switch(config)# aaa group server radius RAD-SV1
switch(config-sg-radius-RAD-SV1)#
The aaa group server tacacs+ command enters Server-group-TACACS+ Configuration Mode for the specified group name. The command creates the specified group if it was not previously created. Commands are available to add servers to the group.
A server group is a collection of servers that are associated with a single label. Subsequent authorization and authentication commands access all servers in a group by invoking the group name. Server group members must be previously configured with a tacacs-server host command.
The no aaa group server tacacs+ and default aaa group server tacacs+ commands delete the specified server group from running-config.
Command Mode
Global Configuration
Command Syntax
aaa group server tacacs+ group_name
no aaa group server tacacs+ group_name
default aaa group server tacacs+ group_name
Parameters
group_name name (text string) assigned to the group. Cannot be identical to a name already assigned to a RADIUS server group.
Commands Available in Server-group-TACACS+ Configuration Mode
server (server-group-TACACS+ configuration mode)
Related Command
aaa group server radius
switch(config)# aaa group server tacacs+ TAC-GR
switch(config-sg-tacacs+-TAC-GR)#
The aaa root command specifies the password security level for the root account and can assign a password to the account.
The no aaa root and default aaa root commands disable the root account by removing the aaa root command from running-config. The root account is disabled by default.
Command Mode
Global Configuration
Command Syntax
aaa root SECURITY_LEVEL [ENCRYPT_TYPE] [password]
no aaa root
default aaa root
Encrypted strings entered through this parameter are generated elsewhere.
switch(config)# aaa root secret f4980
switch(config)# aaa root secret 0 f4980
switch(config)# aaa root secret 5 $1$HW05LEY8$QEVw6JqjD9VqDfh.O8r.b
switch(config)#
switch(config)# aaa root nopassword
switch(config)#
switch(config)# no aaa root
switch(config)#
The clear aaa authentication lockout command clears the locked status of a user, allowing that user to log in again before the lockout period expires. If no user is specified, the command clears the locked status of all users.
Command Mode
Privileged EXEC
Command Syntax
clear aaa authentication lockout [user user_name]
switch# clear aaa authentication lockout user Alice
The clear aaa counters radius command resets the counters that track the statistics for the RADIUS servers that the switch accesses. The show radius command displays the counters reset by the clear aaa counters radius command.
Command Mode
Privileged EXEC
Command Syntax
clear aaa counters radius
switch# show radius
RADIUS server : radius/10
Connection opens: 204
Connection closes: 0
Connection disconnects: 199
Connection failures: 10
Connection timeouts: 2
Messages sent: 1490
Messages received: 1490
Receive errors: 0
Receive timeouts: 0
Send timeouts: 0
Last time counters were cleared: never
switch# clear aaa counters radius
switch# show radius
RADIUS server : radius/10
Connection opens: 0
Connection closes: 0
Connection disconnects: 0
Connection failures: 0
Connection timeouts: 0
Messages sent: 0
Messages received: 0
Receive errors: 0
Receive timeouts: 0
Send timeouts: 0
Last time counters were cleared: 0:00:03 ago
switch#
The clear aaa counters tacacs+ command resets the counters that track the statistics for the TACACS+ servers that the switch accesses. The show tacacs command displays the counters reset by the clear aaa counters tacacs+ command.
Command Mode
Privileged EXEC
Command Syntax
clear aaa counters tacacs+
switch# show tacacs
TACACS+ server : tacacs/49
Connection opens: 15942
Connection closes: 7
Connection disconnects: 1362
Connection failures: 0
Connection timeouts: 0
Messages sent: 34395
Messages received: 34392
Receive errors: 0
Receive timeouts: 2
Send timeouts: 0
Last time counters were cleared: never
TACACS+ source-interface: Enabled
TACACS+ outgoing packets will be sourced with an IP address associated with the
Loopback0 interface
switch# clear aaa counters tacacs+
switch# show tacacs
TACACS+ server : tacacs/49
Connection opens: 0
Connection closes: 0
Connection disconnects: 0
Connection failures: 0
Connection timeouts: 0
Messages sent: 0
Messages received: 0
Receive errors: 0
Receive timeouts: 0
Send timeouts: 0
Last time counters were cleared: 0:00:03 ago
TACACS+ source-interface: Enabled
TACACS+ outgoing packets will be sourced with an IP address associated with the
Loopback0 interface
switch#
The clear aaa counters command resets the counters that track the number of service transactions performed by the switch since the last time the counters were reset. The show aaa counters command displays the counters reset by the clear aaa counters command.
Command Mode
Privileged EXEC
Command Syntax
clear aaa counters [SERVICE_TYPE]
switch# clear aaa counters
switch# show aaa counters
Authentication
Successful: 0
Failed: 0
Service unavailable: 0
Authorization
Allowed: 1
Denied: 0
Service unavailable: 0
Accounting
Successful: 0
Error: 0
Pending: 0
Last time counters were cleared: 0:00:44 ago
The deny command adds a deny rule to the configuration mode role. Deny rules prohibit access to the specified commands for usernames to which the role is applied. Sequence numbers determine rule placement in the role. A command is compared sequentially to the rules within a role until it matches one; its authorization is determined by the first rule it matches. Rules entered without a sequence number are assigned the number of the role's last rule plus 10.
Deny rules use regular expressions to denote commands. A mode parameter specifies the command modes in which the commands are restricted. Modes are denoted either by predefined keywords, a command mode's short key, or a regular expression that specifies the long key of one or more command modes.
The no deny and default deny commands remove the specified rule from the configuration mode role. The no <sequence number> (Role) command also removes the specified rule from the role.
Command Mode
Role Configuration
Command Syntax
[SEQ_NUM] deny [MODE_NAME] command command_name
no deny [MODE_NAME] command command_name
default deny [MODE_NAME] command command_name
Guidelines
Deny statements are saved to running-config only upon exiting Role configuration mode.
Related Command
The role command places the switch in Role configuration mode.
switch(config)# role sysuser
switch(config-mode-sysuser)# deny mode exec command reload
switch(config-mode-sysuser)#
The enable password command creates a new enable password or changes an existing password.
The no enable password and default enable password commands delete the enable password by removing the enable password command from running-config.
Command Mode
Global Configuration
Command Syntax
enable password [ENCRYPT_TYPE] password
no enable password
default enable password
Encrypted strings entered through this parameter are generated elsewhere.
switch(config)# enable password xyrt1
switch(config)# enable password 0 xyrt1
switch(config)# enable password 5 $1$8bPBrJnd$Z8wbKLHpJEd7d4tc5Z/6h/
switch(config)#
switch(config)# no enable password
switch(config)#
The ip radius source-interface command specifies the interface from which the IPv4 address is derived for use as the source for outbound RADIUS packets. When a source interface is not specified, the switch selects an interface.
The no ip radius source-interface and default ip radius source-interface commands remove the ip radius source-interface command from running-config.
Command Mode
Global Configuration
Command Syntax
ip radius [VRF_INST] source-interface INT_NAME
no ip radius [VRF_INST] source-interface
default ip radius [VRF_INST] source-interface
switch(config)# ip radius source-interface loopback 0
switch(config)#
The ip tacacs source-interface command specifies the interface from which the IPv4 address is derived for use as the source for outbound TACACS+ packets. When a source interface is not specified, the switch selects an interface.
The no ip tacacs source-interface and default ip tacacs source-interface commands remove the ip tacacs source-interface command from running-config.
Command Mode
Global Configuration
Command Syntax
ip tacacs [VRF_INST] source-interface INT_NAME
no ip tacacs [VRF_INST] source-interface
default ip tacacs [VRF_INST] source-interface
switch(config)# ip tacacs source-interface loopback 0
switch(config)#
The no <sequence number> command removes the rule with the specified sequence number from the configuration-mode role. The default <sequence number> command also removes the specified rule.
Command Mode
Role Configuration
Command Syntax
no sequence_num
default sequence_num
Parameters
sequence_num sequence number of rule to be deleted. Values range from 1 to 256.
Guidelines
Role statement changes are saved to running-config only upon exiting Role configuration mode.
Related Command
The role command places the switch in Role configuration mode.
switch(config)# show users roles sysuser
The default role is network-operator
role: sysuser
10 deny mode exec command reload
20 deny mode config command (no |default )?router
30 deny mode config command (no |default )?(ip|mac) access-list
40 deny mode if command (no |default )?(ip|mac) access-group
50 deny mode config-all command lacp|spanning-tree
60 permit command .*
switch(config)# role sysuser
switch(config-role-sysuser)# no 30
switch(config-role-sysuser)# exit
switch(config)# show users roles sysuser
The default role is network-operator
role: sysuser
10 deny mode exec command reload
20 deny mode config command (no |default )?router
40 deny mode if command (no |default )?(ip|mac) access-group
50 deny mode config-all command lacp|spanning-tree
60 permit command .*
switch(config)#
The radius-server deadtime command defines the global deadtime period, during which the switch ignores a non-responsive RADIUS server. A non-responsive server is one that fails to answer any attempt to retransmit after a timeout expiry. Deadtime is disabled if a value is not configured.
The no radius-server deadtime and default radius-server deadtime commands restore the default global deadtime period of three minutes by removing the radius-server deadtime command from running-config.
Command Mode
Global Configuration
Command Syntax
radius-server deadtime dead_interval
no radius-server deadtime
default radius-server deadtime
Parameters
dead_interval period (in minutes) during which the switch ignores a non-responsive server. Values range from 1 to 1000. Default is 3.
switch(config)# radius-server deadtime 120
switch(config)#
The radius-server host command sets parameters for communicating with a specific RADIUS server. These values override global settings when the switch communicates with the specified server.
A RADIUS server is defined by its server address, authorization port, and accounting port. Servers with different address-authorization port-accounting port combinations have separate configurations.
The no radius-server host and default radius-server host commands remove settings for the RADIUS server configuration at the specified address-authorization port-accounting port location by deleting the corresponding radius-server host command from running-config.
Command Mode
Global Configuration
Command Syntax
radius-server host ADDR [VRF_INST][AUTH][ACCT][TIMEOUT][DEAD][RETRAN][ENCRYPT]
no radius-server host [ADDR][VRF_INST][AUTH][ACCT]
default radius-server host [ADDR][VRF_INST][AUTH][ACCT]
switch(config)# radius-server host 10.1.1.5
switch(config)#
switch(config)# radius-server host RAD-1 auth-port 1850
switch(config)#
The radius-server key command defines the global encryption key the switch uses when communicating with any RADIUS server for which a key is not defined.
The no radius-server key and default radius-server key commands remove the global key from running-config.
Command Mode
Global Configuration
Command Syntax
radius-server key [ENCRYPT_TYPE] encrypt_key
no radius-server key
default radius-server key
Encrypted strings entered through this parameter are generated elsewhere.
Related Command
switch(config)# radius-server key 0 cv90jr1
switch(config)#
switch(config)# radius-server key 7 020512025B0C1D70
switch(config)#
The radius-server retransmit command defines the global retransmit count, which specifies the number of times the switch attempts to access the RADIUS server after the first timeout expiry.
The no radius-server retransmit and default radius-server retransmit commands restore the global retransmit count to its default value of three by deleting the radius-server retransmit command from running-config.
Command Mode
Global Configuration
Command Syntax
radius-server retransmit count
no radius-server retransmit
default radius-server retransmit
Parameters
count retransmit attempts after first timeout expiry. Values range from 1 to 100. Default is 3.
Related Command
switch(config)# radius-server retransmit 5
switch(config)#
The radius-server timeout command defines the global timeout the switch uses when communicating with any RADIUS server for which a timeout is not defined.
The no radius-server timeout and default radius-server timeout commands restore the global timeout default period of five seconds by removing the radius-server timeout command from running-config.
Command Mode
Global Configuration
Command Syntax
radius-server timeout time_period
no radius-server timeout
default radius-server timeout
Parameters
time_period timeout period (seconds). Values range from 1 to 1000. Default is 5.
Related Commands
switch(config)# radius-server timeout 50
switch(config)#
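As an added illustration (not Arista's code), the Python model below combines the method-list behaviour described under aaa authorization exec (the first service that can be reached decides; only a service the switch cannot communicate with causes fall-through to the next method) with the radius-server timeout, retransmit and deadtime knobs above. Server reachability, the users each server authorizes, and the simulated clock are constructed inputs; the per-request delay formula (1 + retransmit attempts, each waiting one timeout) and deadtime marking are this model's reading of the page, not a documented EOS algorithm.

```python
from dataclasses import dataclass


@dataclass
class RadiusGlobals:
    """Global knobs from radius-server timeout / retransmit / deadtime (page defaults)."""
    timeout: int = 5        # seconds the switch waits for one attempt
    retransmit: int = 3     # attempts after the first timeout expiry
    deadtime: int = 3       # minutes a non-responsive server is ignored


@dataclass
class RadiusServer:
    name: str
    reachable: bool                        # constructed: does the server answer at all
    authorized: frozenset = frozenset()    # constructed: users it grants EXEC access to
    dead_until: float = 0.0                # simulated minute at which its deadtime ends


class ExecAuthorization:
    """Model of an 'aaa authorization exec default <methods>' list, e.g. group radius, local."""

    def __init__(self, methods, servers, local_users, radius_globals=None):
        self.methods = list(methods)
        self.servers = list(servers)
        self.local_users = set(local_users)
        self.g = radius_globals or RadiusGlobals()
        self.now = 0.0       # simulated clock, in minutes
        self.delay = 0       # seconds the last request spent waiting on timeouts
        # Same three buckets that 'show aaa counters' reports under Authorization.
        self.counters = {"Allowed": 0, "Denied": 0, "Service unavailable": 0}

    def _group_radius(self, user):
        """First server that answers decides. Returns None if no server could be reached."""
        for s in self.servers:
            if s.dead_until > self.now:          # deadtime: skipped without being tried
                continue
            if not s.reachable:
                # One attempt plus `retransmit` retries, each waiting `timeout` seconds,
                # after which the server is treated as dead for `deadtime` minutes.
                self.delay += (1 + self.g.retransmit) * self.g.timeout
                s.dead_until = self.now + self.g.deadtime
                continue
            return user in s.authorized          # a reachable server's answer is final
        return None

    def authorize(self, user):
        self.delay = 0
        for method in self.methods:
            if method == "group radius":
                verdict = self._group_radius(user)
            elif method == "local":
                verdict = user in self.local_users
            elif method == "none":
                verdict = True
            else:
                raise ValueError(f"unknown method {method!r}")
            if verdict is None:                  # could not communicate: next method in the list
                continue
            self.counters["Allowed" if verdict else "Denied"] += 1
            return verdict
        self.counters["Service unavailable"] += 1
        return False


if __name__ == "__main__":
    # radius-server deadtime 120 (the page's example value) with one server down.
    rad1 = RadiusServer("RAD-1", reachable=False)
    rad2 = RadiusServer("RAD-2", reachable=True, authorized=frozenset({"alice"}))
    aaa = ExecAuthorization(["group radius", "local"], [rad1, rad2], {"bob"},
                            RadiusGlobals(deadtime=120))
    print("alice:", aaa.authorize("alice"), "after", aaa.delay, "s of timeouts")
    print("bob:  ", aaa.authorize("bob"), "(RAD-2 answered, so 'local' was never consulted)")
    print("counters:", aaa.counters)
```

The second call shows the point that matters operationally: a local account does not rescue a user whom a reachable server rejects, and a server that timed out once stays ignored for the whole deadtime even if it recovers.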
The resequence command assigns sequence numbers to rules in the configuration mode role. Command parameters specify the number of the first rule and the numeric interval between consecutive rules.
The maximum sequence number is 256.
Command Mode
Role Configuration
Command Syntax
resequence start_num inc_num
Guidelines
Role statement changes are saved to running-config only upon exiting Role configuration mode.
Related Command
The role command places the switch in Role configuration mode.
switch(config)# show users roles sysuser
The default role is network-operator
role: sysuser
10 deny mode exec command reload
20 deny mode config command (no |default )?router
40 deny mode if command (no |default )?(ip|mac) access-group
50 deny mode config-all command lacp|spanning-tree
60 permit command .*
switch(config)# role sysuser
switch(config-role-sysuser)# resequence 15 5
switch(config-role-sysuser)# exit
switch(config)# show users roles sysuser
The default role is network-operator
role: sysuser
15 deny mode exec command reload
20 deny mode config command (no |default )?router
25 deny mode if command (no |default )?(ip|mac) access-group
30 deny mode config-all command lacp|spanning-tree
35 permit command .*
switch(config)#
The permit command adds a permit rule to the configuration mode role. Permit rules authorize access to the specified commands for usernames to which the role is applied. Sequence numbers determine rule placement in the role. A command is compared sequentially to the rules within a role until it matches one; its authorization is determined by the first rule it matches. Rules entered without a sequence number are assigned the number of the role's last rule plus 10.
Permit rules use regular expressions to denote commands. A mode parameter specifies the command modes in which the commands are authorized. Modes are denoted either by predefined keywords, a command mode's short key, or a regular expression that specifies the long key of one or more command modes.
The no permit and default permit commands remove the specified rule from the configuration mode role. The no <sequence number> (Role) command also removes the specified rule from the role.
Command Mode
Role Configuration
Command Syntax
[SEQ_NUM] permit [MODE_NAME] command command_name
no permit [MODE_NAME] command command_name
default permit [MODE_NAME] command command_name
Guidelines
Permit statements are saved to running-config only upon exiting Role configuration mode.
Related Commands
The role command places the switch in Role Configuration mode.
switch(config)# role sysuser
switch(config-mode-sysuser)# permit mode if-Vl(1|2) command .*
switch(config-mode-sysuser)#
The role command places the switch in Role Configuration Mode, which is a group-change mode that modifies a role. A role is a data structure that supports local command authorization through its assignment to user accounts. Roles consist of permit and deny rules that define authorization levels for specified commands. Applying a role to a username authorizes the user to execute commands specified by the role.
The role command specifies the name of the role that subsequent commands modify, and creates the role if it references a nonexistent role. All changes in a group change mode edit session are pending until the session ends: exit saves the pending changes and abort discards them.
The no role and default role commands delete the specified role by removing the role and its statements from running-config.
Command Mode
Global Configuration
Command Syntax
role role_name
no role role_name
default role role_name
Parameters
role_name Name of role.
Commands Available in Role Configuration Mode:
Related Commands
switch(config)# role speaker
switch(config-role-speaker)#
This command saves changes to the speaker role, then returns the switch to Global Configuration mode.
switch(config-role-speaker)# exit
switch(config)#
This command discards changes to the speaker role, then returns the switch to Global Configuration mode.
switch(config-role-speaker)# abort
switch(config)#
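As an added example (not Arista's code), this Python model evaluates role rules the way the deny, permit, no <sequence number>, resequence and role entries above describe: rules are ordered by sequence number, a command is judged by the first rule it matches, unnumbered rules take the last number plus 10, and the sysuser and network-operator roles from the show users roles output are rebuilt and then edited with no 30 and resequence 15 5. The mode keys ("exec", "config", "if-<name>"), unanchored regex matching of the command clause, and denial when no rule matches are assumptions of this model, not documented EOS behaviour.

```python
import re
from dataclasses import dataclass, field


def mode_matches(rule_mode, mode):
    """Does a rule's mode clause cover the mode the command was entered in? (assumed mode keys)"""
    if rule_mode is None:                 # no "mode" clause: rule applies in every mode
        return True
    if rule_mode == "config-all":         # assumption: every mode except exec is a config mode
        return mode != "exec"
    if rule_mode == "if":                 # assumption: the "if" keyword covers all interface modes
        return mode.startswith("if")
    return re.fullmatch(rule_mode, mode) is not None   # short key, or regex over the mode key


@dataclass
class Rule:
    seq: int
    action: str        # "permit" or "deny"
    mode: str          # None when the rule has no mode clause
    pattern: str       # regular expression from the "command" clause


@dataclass
class Role:
    name: str
    rules: list = field(default_factory=list)

    def add(self, action, pattern, mode=None, seq=None):
        if seq is None:                   # page: unnumbered rule = last rule's number + 10
            seq = self.rules[-1].seq + 10 if self.rules else 10
        if not 1 <= seq <= 256:
            raise ValueError("sequence numbers range from 1 to 256")
        self.remove(seq)                  # assumption: re-using a number replaces that rule
        self.rules.append(Rule(seq, action, mode, pattern))
        self.rules.sort(key=lambda r: r.seq)

    def remove(self, seq):
        """no <sequence number>: delete the rule with that number."""
        self.rules = [r for r in self.rules if r.seq != seq]

    def resequence(self, start, inc):
        """resequence start_num inc_num: renumber the rules in their current order."""
        if self.rules and start + (len(self.rules) - 1) * inc > 256:
            raise ValueError("resequence would exceed the maximum sequence number 256")
        for i, r in enumerate(self.rules):
            r.seq = start + i * inc

    def authorize(self, mode, command):
        """First matching rule decides; no matching rule means denied (assumption)."""
        for r in self.rules:
            if mode_matches(r.mode, mode) and re.search(r.pattern, command):
                return r.action == "permit"
        return False

    def show(self):
        """Rules in the format printed by show users roles."""
        return [f"{r.seq} {r.action}" + (f" mode {r.mode}" if r.mode else "")
                + f" command {r.pattern}" for r in self.rules]


def sysuser_role():
    """The sysuser role exactly as listed in the page's show users roles output."""
    role = Role("sysuser")
    role.add("deny", "reload", mode="exec")
    role.add("deny", r"(no |default )?router", mode="config")
    role.add("deny", r"(no |default )?(ip|mac) access-list", mode="config")
    role.add("deny", r"(no |default )?(ip|mac) access-group", mode="if")
    role.add("deny", r"lacp|spanning-tree", mode="config-all")
    role.add("permit", r".*")
    return role


def network_operator_role():
    """The built-in network-operator role: no bash, no piped output, EXEC commands only."""
    role = Role("network-operator")
    role.add("deny", r"bash|\|", mode="exec")
    role.add("permit", r".*", mode="exec")
    return role


if __name__ == "__main__":
    role = sysuser_role()
    print("\n".join(role.show()))
    role.remove(30)                # switch(config-role-sysuser)# no 30
    role.resequence(15, 5)         # switch(config-role-sysuser)# resequence 15 5
    print("\n".join(role.show()))
    print("sysuser reload in exec:", role.authorize("exec", "reload"))
    print("sysuser hostname in config:", role.authorize("config", "hostname leaf1"))
```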
The server (server-group-RADIUS configuration mode) command adds the specified RADIUS server to the configuration-mode group. Servers must be configured with the radius-server host command before adding them to the server group.
A RADIUS server is defined by its server address, authorization port, and accounting port. A group can contain multiple servers with the same IP address that have different authorization or accounting ports.
The no server and default server commands remove the specified server from the group.
Command Mode
Server-Group-RADIUS Configuration
Command Syntax
server LOCATION [VRF_INST][AUTH][ACCT]
no server LOCATION [VRF_INST][AUTH][ACCT]
default server LOCATION [VRF_INST][AUTH][ACCT]
Related Commands
The aaa group server radius command places the switch in Server-group-RADIUS Configuration mode.
switch(config)# aaa group server radius RAD-SV1
switch(config-sg-radius-RAD-SV1)# server RAC-1
switch(config-sg-radius-RAD-SV1)# server 10.1.5.14 acct-port 1851
switch(config-sg-radius-RAD-SV1)#
The server (server-group-TACACS+ configuration mode) command adds the specified TACACS+ server to the configuration-mode group. Servers must be configured with the tacacs-server host command before adding them to the server group.
A TACACS+ server is defined by its server address and port number. Servers with different address-port combinations have separate statements in running-config.
The no server and default server commands remove the specified server from the group.
Command Mode
Server-group-TACACS+ Configuration
Command Syntax
server LOCATION [VRF_INST][PORT]
no server LOCATION [VRF_INST][PORT]
default server LOCATION [VRF_INST][PORT]
Related Command
The aaa group server tacacs+ command places the switch in Server-group-TACACS+ configuration mode.
switch(config)# aaa group server tacacs+ TAC-GR
switch(config-sg-tacacs+-TAC-GR)# server TAC-1
switch(config-sg-tacacs+-TAC-GR)# server 10.1.4.14
switch(config-sg-tacacs+-TAC-GR)#
The show aaa command displays the user database. The command displays the encrypted enable password first, followed by a table of usernames and their corresponding encrypted password.
The command does not display unencrypted passwords.
Command Mode
Privileged EXEC
Command Syntax
show aaa
switch# show aaa
Enable password (encrypted): $1$UL4gDWy6$3KqCPYPGRvxDxUq3qA/Hs/
Username   Encrypted passwd
--------   ----------------------------------
admin
janis      $1$VVnDH/Ea$iwsfnrGNO8nbDsf0tazp9/
thomas     $1$/MmXTUil$.fJxLfcumzppNSEDVDWq9.
switch#
The show aaa authentication lockout command displays the status of locked-out users, that is, users who could not log in within the configured time and number of login attempts.
Command Mode
Privileged EXEC
Command Syntax
show aaa authentication lockout
switch# show aaa authentication lockout
User      Start Time                 End Time                   Expires In
--------- -------------------------  -------------------------  ----------
alice     Fri Jul 12 17:50:06 2020   Fri Jul 12 17:51:06 2020   0:00:58
The show aaa counters command displays the number of service transactions performed by the switch since the last time the counters were reset.
Command Mode
Privileged EXEC
Command Syntax
show aaa counters
switch# show aaa counters
Authentication
Successful: 30
Failed: 0
Service unavailable: 0
Authorization
Allowed: 188
Denied: 0
Service unavailable: 0
Accounting
Successful: 0
Error: 0
Pending: 0
Last time counters were cleared: never
switch#
The show aaa methods command displays all the named method lists defined in the specified Authentication, Authorization, and Accounting (AAA) service.
Command Mode
Privileged EXEC
Command Syntax
show aaa methods SERVICE_TYPE
Parameters
switch# show aaa methods all
Authentication method lists for LOGIN:
name=default methods=group tacacs+, local
Authentication method list for ENABLE:
name=default methods=local
Authorization method lists for COMMANDS:
name=privilege0-15 methods=group tacacs+, local
Authentication method list for EXEC:
name=exec methods=group tacacs+, local
Accounting method lists for COMMANDS:
name=privilege0-15 default-action=none
Accounting method list for EXEC:
name=exec default-action=none
switch#
The show management ldap command displays information about the LDAP configuration.
Command Mode
EXEC
Command Syntax
show management ldap
Parameter
switch# show management ldap
LDAP server: prod-dc-hq1.aristanetworks.com/389
Binds requested: 6
Binds successful: 6
Binds failed: 0
Binds timed out: 0
FIPS is ON
Last time counters were cleared: 1:16:41 ago
The authentication action in LDAP is the bind, which is equivalent to attempting a log-in. There will be two binds per login attempt, one for the admin account and one for the user account.
switch# show management security ssl profile
Profile             State
-----------------   -----------
testProfile         valid
To verify that a user account's authorization is being performed by LDAP, use “show users detail”:
switch# show users detail
Session  Username  Roles          TTY   State  Duration  Auth        Remote Host
-------- --------- -------------  ----  -----  --------- ----------  ---------------------------------------
1006     erahn     network-admin  vty3  E      0:00:05   group ldap  fd7a:629f:52a4:dc25:b08d:feff:feed:2ce7
To validate the role for the current session, match the vty information in the TTY column against the Line column of the following command. The row beginning with a “*” character is the session from which the command was run:
switch# show users
    Line     User             Host(s)  Idle      Location
   1 con 0   admin            idle     01:19:00  -
   2 vty 10  srv-sw-ldaptest  idle     01:19:00  172.16.124.151
*  3 vty 3   erahn            idle     00:00:04  fd7a:629f:52a4:dc25:b08d:feff:feed:2ce7
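The TTY-to-Line correlation just described, as an added Python example (not Arista's code) that parses the two outputs above, joins the current session's “*” row of show users to its show users detail row, and reports sessions whose Auth column is not the method you expect. The sample outputs are the page's own, embedded here as constructed input; the column regexes assume the whitespace-separated layout shown on this page.

```python
import re

# Constructed input: the two outputs the page shows for the LDAP session check.
SHOW_USERS_DETAIL = """\
switch# show users detail
Session Username Roles TTY State Duration Auth Remote Host
-------- --------- ------------- ---- ----- --------- ---------- ----------
1006 erahn network-admin vty3 E 0:00:05 group ldap fd7a:629f:52a4:dc25:b08d:feff:feed:2ce7
"""

SHOW_USERS = """\
switch# show users
Line User Host(s) Idle Location
1 con 0 admin idle 01:19:00 -
2 vty 10 srv-sw-ldaptest idle 01:19:00 172.16.124.151
* 3 vty 3 erahn idle 00:00:04 fd7a:629f:52a4:dc25:b08d:feff:feed:2ce7
"""

# Auth is either one word ("local") or "group <name>"; Remote Host / remote user are optional.
DETAIL_RE = re.compile(
    r"^(?P<session>\d+)\s+(?P<username>\S+)\s+(?P<roles>\S+)\s+(?P<tty>\S+)\s+"
    r"(?P<state>[EP])\s+(?P<duration>\S+)\s+(?P<auth>group \S+|\S+)"
    r"(?:\s+(?P<remote_host>\S+))?(?:\s+(?P<remote_user>\S+))?$")

# Line is "<type> <number>" ("vty 3", "con 0"); a leading "*" marks the current session.
USERS_RE = re.compile(
    r"^(?P<current>\*)?\s*(?P<line>\d+)\s+(?P<type>\S+)\s+(?P<num>\d+)\s+(?P<user>\S+)\s+"
    r"(?P<hosts>\S+)\s+(?P<idle>\S+)\s+(?P<location>\S+)$")


def _rows(output, pattern):
    """Apply a row regex to every non-header, non-prompt line of a command output."""
    rows = []
    for line in output.splitlines():
        line = line.strip()
        if not line or line.startswith(("switch", "---")):
            continue
        if line.split()[0] in ("Session", "Line"):       # column header
            continue
        m = pattern.match(line)
        if not m:
            raise ValueError(f"unparsed line: {line!r}")
        rows.append(m.groupdict())
    return rows


def parse_users_detail(output):
    return _rows(output, DETAIL_RE)


def parse_users(output):
    rows = _rows(output, USERS_RE)
    for r in rows:
        r["tty"] = f"{r['type']}{r['num']}"     # "vty 3" -> "vty3", the key show users detail uses
        r["current"] = r["current"] == "*"
    return rows


def current_session(users_output, detail_output):
    """Join the '*' row of show users with its show users detail row by TTY."""
    users = parse_users(users_output)
    detail = {d["tty"]: d for d in parse_users_detail(detail_output)}
    current = next(u for u in users if u["current"])
    d = detail.get(current["tty"])
    if d is None:
        raise LookupError(f"no AAA session found for {current['tty']}")
    if d["username"] != current["user"]:
        raise ValueError("username differs between show users and show users detail")
    return {"tty": current["tty"], "username": d["username"], "roles": d["roles"],
            "auth": d["auth"], "location": current["location"]}


def sessions_not_authenticated_by(detail_output, expected_auth):
    """Usernames of sessions whose Auth column is not the expected method (e.g. 'group ldap')."""
    return [d["username"] for d in parse_users_detail(detail_output)
            if d["auth"] != expected_auth]


if __name__ == "__main__":
    print(current_session(SHOW_USERS, SHOW_USERS_DETAIL))
    print("not via LDAP:", sessions_not_authenticated_by(SHOW_USERS_DETAIL, "group ldap"))
```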
The show privilege command displays the current privilege level for the CLI session.
Command Mode
EXEC
Command Syntax
show privilege
switch> show privilege
Current privilege level is 15
switch>
The show radius command displays statistics for the RADIUS servers that the switch accesses.
Command Mode
EXEC
Command Syntax
show radius
switch# show radius
RADIUS server : radius/10
Connection opens: 204
Connection closes: 0
Connection disconnects: 199
Connection failures: 10
Connection timeouts: 2
Messages sent: 1490
Messages received: 1490
Receive errors: 0
Receive timeouts: 0
Send timeouts: 0
Last time counters were cleared: never
switch#
The show tacacs command displays statistics for the TACACS+ servers that the switch accesses.
Command Mode
EXEC
Command Syntax
show tacacs
switch# show tacacs
TACACS+ server : tacacs/49
Connection opens: 15942
Connection closes: 7
Connection disconnects: 1362
Connection failures: 0
Connection timeouts: 0
Messages sent: 34395
Messages received: 34392
Receive errors: 0
Receive timeouts: 2
Send timeouts: 0
Last time counters were cleared: never
TACACS+ source-interface: Enabled
TACACS+ outgoing packets will be sourced with an IP address associated with the
Loopback0 interface
switch#
The show users accounts command displays the names, roles, and privilege levels of users that are listed in running-config. The SSH public key is also listed for names for which an SSH key is configured.
Command Mode
Privileged EXEC
Command Syntax
show users accounts
switch# show users accounts
user: FRED
role: <unknown>
privilege level: 1
ssh public key: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDjUg2VDiBX7In0q
HtN5PyHOWtYvIoeZsxF5YmesQ/rh++mbpT504dL7So+Bpr9T/0qIj+zilat8fX/JlO42+3pjfkHY/+l
sT2EPNjGTK7uJv1wSGmhc3+90dNmJtr5YVlJFjjQ5m+5Pa+PGe3z4JIV1lY2NhLrV2fXtbciLdjnj6F
AlhXjiLt51DJhG13uUxGBJe0+NlGvpEsTJVJvMdJuS6weMi+xSXc9yQimVD2weJBHsYFnghST2j0pAy
F2S7/EOU13pY42RztDSs42nMNNrutPT0q5Z17aAKvhpd0dDlc+qIwrCrXbeIChHem7+0N8/zA3alBK4
eKSFSZBd3Pb admin@switch
user: JANE
role: sysuser2
privilege level: 1
user: admin
role: network-admin
privilege level: 1
The show users detail command displays information about active AAA login sessions. Information includes username, roles, TTY, state of the session (pending or established), duration, authentication method, and if available, remote host and remote username.
Command Mode
Privileged EXEC
Command Syntax
show users detail
switch# show users detail
Session  Username  Roles           TTY     State  Duration  Auth          Remote Host
-------  --------  --------------  ------  -----  --------  ------------  --------------
2        admin     network-admin   ttyS0   E      0:01:21   local
4        joe       sysadmin        telnet  E      0:02:01   local         sf.example.com
6        alice     sysadmin        ssh     E      0:00:52   group radius  ny.example.com
7        bob       sysadmin        ssh     E      0:00:48   group radius  la.example.com
8        kim       network-admin1  ssh     E      0:00:55   group radius  de.example.com
9        admin     network-admin   ssh     E      0:00:07   local         bj.example.com
10       max       network-admin   telnet  E      0:00:07   local         sf.example.com
The show users roles command displays the name of the default role and the contents of the specified roles. Commands that do not specify a role display the rules in all built-in and configured roles.
Command Mode
Privileged EXEC
Command Syntax
show users roles [ROLE_LIST]
Parameters
Related Command
The role command places the switch in Role configuration mode, which is used to create new roles or modify existing roles.
switch# show users roles
The default role is network-operator
role: network-admin
10 permit command .*
role: network-operator
10 deny mode exec command bash|\|
20 permit mode exec command .*
role: sysuser
15 deny mode exec command reload
20 deny mode config command (no |default )?router
25 deny mode if command (no |default )?(ip|mac) access-group
30 deny mode config-all command lacp|spanning-tree
35 permit command .*
40 deny mode exec command .*
50 permit mode exec command show|clear (counters|platform)|configure
The show users command displays the usernames that are currently logged into the switch.
Command Mode
Privileged EXEC
Command Syntax
show users
switch# show users
Line User Host(s) Idle Location
1 vty 2 john idle 1d 10.22.6.113
2 vty 4 jane idle 21:33:00 10.22.26.26
* 3 vty 6 ted idle 00:00:01 10.17.18.71
switch#
The tacacs-server host command sets communication parameters for communicating with a specific TACACS+ server. These values override global settings when the switch communicates with the specified server.
A TACACS+ server is defined by its server address and port number. Servers with different combinations of address-port-VRF-multiplex settings have separate statements in running-config.
The no tacacs-server host and default tacacs-server host commands remove settings for the TACACS+ server configuration at the specified address-port-VRF combination by deleting the corresponding tacacs-server host command from running-config.
Command Mode
Global Configuration
Command Syntax
tacacs-server host SERVER_ADDR [MULTIPLEX][VRF_INST][PORT][TIMEOUT][ENCRYPT]
no tacacs-server host [SERVER_ADDR][MULTIPLEX][VRF_INST][PORT]
default tacacs-server host [SERVER_ADDR][MULTIPLEX][VRF_INST][PORT]
switch(config)# tacacs-server host 10.1.1.5
switch(config)#
switch(config)# tacacs-server host TAC_1 timeout 20 key rp31E2v
switch(config)#
switch(config)# tacacs-server host 10.12.7.9 single-connection port 54
switch(config)#
The tacacs-server key command defines the global encryption key the switch uses when communicating with any TACACS+ server for which a key is not defined.
The no tacacs-server key and default tacacs-server key commands remove the global key from running-config.
Command Mode
Global Configuration
Command Syntax
tacacs-server key [ENCRYPT_TYPE] encrypt_key
no tacacs-server key
default tacacs-server key
Encrypted strings entered through this parameter are generated elsewhere.
Related Command
switch(config)# tacacs-server key 0 cv90jr1
switch(config)#
switch(config)# tacacs-server key 7 020512025B0C1D70
switch(config)#
The tacacs-server policy command programs the switch to permit access to TACACS+ servers that send mandatory attribute-value (AV) pairs that the switch does not recognize. By default, the switch denies access to TACACS+ servers when it receives unrecognized AV pairs from the server.
The switch recognizes the following mandatory AV pairs:
priv-lvl=x where x is an integer between 0 and 15.
The no tacacs-server policy and default tacacs-server policy commands restore the switch default of denying access to servers from which it receives unrecognized mandatory AV pairs by deleting the tacacs-server policy statement from running-config.
Command Mode
Global Configuration
Command Syntax
tacacs-server policy unknown-mandatory-attribute ignore
no tacacs-server policy unknown-mandatory-attribute ignore
default tacacs-server policy unknown-mandatory-attribute ignore
switch(config)# tacacs-server policy unknown-mandatory-attribute ignore
switch(config)#
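As an added illustration (example code, not EOS software or Arista's implementation), the following Go program models the policy decision described above. TACACS+ AV pairs use "=" for mandatory and "*" for optional attributes (RFC 8907); priv-lvl is the only recognized mandatory attribute, and a reply carrying any other mandatory attribute is denied unless the ignore policy is configured. The vendor attribute name in the sample reply is constructed.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// AVPair is one TACACS+ attribute-value pair. The separator character marks
// the pair as mandatory ("=") or optional ("*"), per RFC 8907.
type AVPair struct {
	Attr      string
	Value     string
	Mandatory bool
}

// ParseAVPair splits a raw pair at its first "=" or "*" separator.
func ParseAVPair(raw string) (AVPair, error) {
	i := strings.IndexAny(raw, "=*")
	if i <= 0 {
		return AVPair{}, fmt.Errorf("malformed AV pair %q", raw)
	}
	return AVPair{Attr: raw[:i], Value: raw[i+1:], Mandatory: raw[i] == '='}, nil
}

// recognized maps the mandatory attributes the switch understands to a value
// validator. The page lists only priv-lvl, whose value must be 0..15.
var recognized = map[string]func(string) bool{
	"priv-lvl": func(v string) bool {
		n, err := strconv.Atoi(v)
		return err == nil && n >= 0 && n <= 15
	},
}

// Decision is the outcome of evaluating one authorization reply.
type Decision struct {
	Permit  bool
	PrivLvl int // -1 when the reply carried no priv-lvl
	Reason  string
}

// EvaluateReply applies the default policy (deny when any unrecognized
// mandatory attribute is present) or, with ignoreUnknownMandatory set, the
// behaviour of "tacacs-server policy unknown-mandatory-attribute ignore".
// Unknown optional attributes never affect the decision.
func EvaluateReply(pairs []string, ignoreUnknownMandatory bool) Decision {
	d := Decision{Permit: true, PrivLvl: -1}
	for _, raw := range pairs {
		p, err := ParseAVPair(raw)
		if err != nil {
			return Decision{PrivLvl: -1, Reason: err.Error()}
		}
		if validate, known := recognized[p.Attr]; known {
			if !validate(p.Value) {
				return Decision{PrivLvl: -1, Reason: fmt.Sprintf("invalid %s value %q", p.Attr, p.Value)}
			}
			if p.Attr == "priv-lvl" {
				d.PrivLvl, _ = strconv.Atoi(p.Value)
			}
			continue
		}
		if p.Mandatory && !ignoreUnknownMandatory {
			return Decision{PrivLvl: -1, Reason: fmt.Sprintf("unrecognized mandatory attribute %q", p.Attr)}
		}
	}
	return d
}

func main() {
	// Constructed sample reply: a valid priv-lvl plus a vendor attribute the
	// switch does not recognize, sent by the server as mandatory.
	reply := []string{"priv-lvl=15", "shell:roles=helpdesk"}
	fmt.Printf("default policy: %+v\n", EvaluateReply(reply, false))
	fmt.Printf("ignore policy:  %+v\n", EvaluateReply(reply, true))
}
```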
The tacacs-server timeout command defines the global timeout the switch uses when communicating with any TACACS+ server for which a timeout is not defined.
The no tacacs-server timeout and default tacacs-server timeout commands restore the global timeout default period of five seconds by removing the tacacs-server timeout command from running-config.
Command Mode
Global Configuration
Command Syntax
tacacs-server timeout time_period
no tacacs-server timeout
default tacacs-server timeout
Parameters
time_period timeout period (seconds). Values range from 1 to 1000. Default is 5.
Related Command
switch(config)# tacacs-server timeout 20
switch(config)#
The username ssh-key command configures an SSH key for the specified username. Command options allow the key to be entered directly into the CLI or referenced from a file.
The specified username must be previously configured through a username command.
The no username ssh-key and default username ssh-key commands delete the SSH key for the specified username by removing the corresponding username ssh-key command from running-config.
The no username ssh-key role and default username ssh-key role commands perform the following:
Command Mode
Global Configuration
Command Syntax
username name sshkey KEY
no username name sshkey [role]
default username name sshkey [role]
Valid usernames begin with A-Z, a-z, or 0-9 and may also contain any of these characters:
@ # $ % ^ & * - _ = + ; < > , . ~ |
switch(config)# username john secret x245
switch(config)# username john sshkey file john-ssh
switch(config)#
The username command adds a username to the local file and optionally assigns a password to the username. If the command specifies an existing username, the command replaces the password in the local file. The command can also define a username without a password or remove the password from a username.
The no username command deletes the specified username by removing the corresponding username statement from running-config. The default username command removes user-specified usernames, but restores the admin username to its default parameters.
The no username role command assigns the default role assignment to the specified username statement by editing the corresponding username statement in running-config. The default username role command reverts the specified username to its default role by editing the corresponding username statement in running-config. For the admin username, this restores network-admin as its role, even if the admin username has been deleted and then created again.
Command Mode
Global Configuration
Command Syntax
username name [PRIVILEGE_LEVEL] SECURITY [ROLE_USER]
no username name [role]
default username name [role]
All parameters except name can be placed in any order.
Valid usernames begin with A-Z, a-z, or 0-9 and may also contain any of these characters:
@ # $ % ^ & * - _ = + ; < > , . ~ |
Guidelines
Encrypted strings entered through this parameter are generated elsewhere. The secret 5 option (SECURITY) is typically used to enter a list of username-passwords from a script.
The SECURITY parameter is mandatory for unconfigured usernames. For previously configured users, the command can specify a PRIVILEGE_LEVEL or ROLE without a SECURITY setting.
username admin privilege 1 role network-admin nopassword
switch(config)# username john secret x245
switch(config)# username john secret 0 x245
switch(config)# username john secret 5 $1$sU.7hptc$TsJ1qslCL7ZYVbyXNG1wg1
switch(config)#
A user authenticates the username john by entering x245 when the CLI prompts for a password.
switch(config)# username jane nopassword
switch(config)#
switch(config)# no username william
switch(config)#
Transport Layer Security (TLS), the successor to Secure Sockets Layer (SSL), is a security protocol used to communicate between client and server. It establishes an encrypted communication channel to secure data.
An SSL certificate is required to establish a secure connection between the client and server. The certificate includes all of the details necessary for authentication. Cryptographic keys are used to provide a secure channel of communication. TLS uses two cryptographic keys: a private key known only to the server and a public key embedded in the certificate. The keys are used to validate the certificate.
The SSL certificate, key, and profile management framework is used to manage and configure SSL certificates, keys, and profiles. SSL is an application-layer protocol that transfers data securely between client and server using a combination of authentication, encryption, and data integrity. SSL uses certificates and private-public key pairs to provide this security. A user can configure an SSL profile that includes the certificate, key, and trusted CA certificates used in SSL communication, and can manage certificates, keys, and multiple SSL profiles. An SSL profile can be configured and attached to any other EOS configuration that supports SSL communication. The documentation of each EOS feature that uses this framework includes details on using the SSL profile in its configuration.
The only private keys supported are those using the RSA algorithm. Both the certificate and keys must be encoded in the Privacy Enhanced Mail (PEM) format.
Example
This is a code sample of a PEM encoded certificate.
$cat server.crt
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
Example
This is a code sample of a PEM encoded RSA key.
$cat server.key
-----BEGIN RSA PRIVATE KEY-----
-----END RSA PRIVATE KEY-----
The copy file: certificate: command copies the certificate to the certificate: file system from any supported source URLs of the copy command. The source file may contain multiple PEM encoded certificates, but must not contain other entities such as keys.
Example
switch(config)#copy file:/tmp/ssl/server.crt certificate:
Copy completed successfully.
switch(config)#
switch(config)#copy file:tmp/ssl/mixed.crt certificate:
% Error copying file:tmp/ssl/mixed.crt to certificate: (Multiple types of entities in
certificate file not supported)
switch(config)#
switch(config)#copy file:tmp/ssl/bad.crt certificate:
% Error copying file:tmp/ssl/bad.crt to certificate: (Invalid certificate)
switch(config)#
switch(config)#copy file:tmp/ssl/dsa.crt certificate:
% Error copying file:tmp/ssl/dsa.crt to certificate: (Certificate does not have
RSA key)
switch(config)#
The delete certificate command deletes a certificate configuration from the certificate: file system on the switch.
Example
switch(config)#delete certificate:server.crt
switch(config)#
The following commands help the user to generate a self-signed certificate or Certificate Signing Request (CSR).
switch#security pki certificate generate self-signed test.crt key test.key
Common Name for use in subject: test
[...]
certificate:test.crt generated
switch#
switch#security pki certificate generate signing-request key test.key digest sha256 validity 365
Common Name for use in subject: test
[...]
certificate:test.crt generated
switch#
switch#security pki certificate generate signing-request key test.key parameters common-name Test [country US ...]
certificate:test.crt generated
switch#
The copy command copies an RSA key to the sslkey: file system. The key can be copied from any supported source URLs of the copy command. The source file must contain only one key. Password protected keys are not supported.
Example
switch#copy file:/tmp/ssl/server.key sslkey:
Copy completed successfully.
switch#
switch#copy file:tmp/ssl/multi.key sslkey:
% Error copying file:tmp/ssl/multi.key to sslkey: (Multiple PEM entities in
single file not supported)
switch# copy file:tmp/ssl/bad.key sslkey:
% Error copying file:tmp/ssl/bad.key to sslkey: (Invalid RSA key)
switch#copy file:/tmp/ssl/pass.key sslkey:
% Error copying file:tmp/ssl/pass.key to sslkey: (Password protected keys are not
supported)
The delete command deletes the key configuration from the switch.
Example
switch# delete sslkey:server.key
The following commands help the user to generate RSA keys.
switch# security pki key generate rsa 2048 test.key
switch# security pki certificate generate self-signed test.crt key test.key generate rsa 4096
switch#security pki certificate generate signing-request key test.key generate rsa 2048
An SSL profile is configured with a certificate and its corresponding RSA key. The public key information in the certificate must match the RSA key. This certificate and RSA key pair are used to authenticate to the peer during SSL negotiation. The individual EOS features that use SSL profile configuration will decide whether the certificate and key configuration is optional or mandatory.
switch# config
switch(config)# management security
switch(config-mgmt-security)# ssl profile server
switch(config-mgmt-sec-ssl-profile-server)# certificate server.crt key server.key
switch(config-mgmt-security)# ssl profile server
switch(config-mgmt-sec-ssl-profile-server)# certificate server.crt key client.key
switch(config-mgmt-sec-ssl-profile-server)# show management security ssl profile
Profile State Error
------------- ------------- ----------------------------------------
server invalid Certificate 'server.crt' does not match
with key
During SSL negotiation with mutual authentication, the peer (or client) certificate is verified by checking whether it is signed by one of the trusted certificates configured in the profile. For peer certificates that do not chain directly to a trusted certificate, the full bundle of certificates leading to the trusted certificates must be included. The individual EOS features that use SSL profile configuration will decide whether the trusted certificate configuration is optional or mandatory.
Example
switch# config
switch(config)# management security
switch(config-mgmt-security)# ssl profile server
switch(config-mgmt-sec-ssl-profile-server)# trust certificate ca1.crt
switch(config-mgmt-sec-ssl-profile-server)# trust certificate ca2.crt
Certificate chains are used to provide a chain of trust for the SSL profile server certificate to a remote party. Several chain certificate commands can be issued to build a certificate chain with many intermediate CAs, regardless of the order. Use the chain certificate command to configure the certificate chain for an SSL profile. The no form of the command deletes the certificate configuration.
Examples
switch(config)# management security
switch(config-mgmt-security)# ssl profile server
switch(config-mgmt-sec-ssl-profile-server)# certificate server.crt key server.key
switch(config-mgmt-sec-ssl-profile-server)# chain certificate intermediate.crt
switch(config-mgmt-sec-ssl-profile-server)# exit
switch(config)#
switch# config
switch(config)# management security
switch(config-mgmt-security)# ssl profile client
switch(config-mgmt-sec-ssl-profile-client)# certificate client.crt key client.key
switch(config-mgmt-sec-ssl-profile-client)# trust certificate ca.crt
switch# config
switch(config)# management security
switch(config-mgmt-security)# ssl profile client
switch(config-mgmt-sec-ssl-profile-client)# crl intermediate.crl
switch(config-mgmt-sec-ssl-profile-client)# crl ca.crl
switch(config)#management security
switch(config-mgmt-security)#ssl profile server2
switch(config-mgmt-sec-ssl-profile-server2)#certificate server2.crt key server2.key
switch(config-mgmt-sec-ssl-profile-server2)#chain certificate intermediate2.crt
switch(config-mgmt-sec-ssl-profile-server2)#chain certificate intermediate.crt
switch(config-mgmt-sec-ssl-profile-server2)#exit
switch(config-mgmt-security)#exit
switch(config)#
A certificate chain can be split into two parts, each part configured on a different peer. The location of the split can be anywhere, as long as between the client and the server, a complete certificate chain can be constructed. The following example shows a server and client SSL profile configuration with a split certificate chain.
switch(config)#management security
switch(config-mgmt-security)#ssl profile server2
switch(config-mgmt-sec-ssl-profile-server2)#certificate server2.crt key server2.key
switch(config-mgmt-sec-ssl-profile-server2)#chain certificate intermediate2.crt
switch(config-mgmt-sec-ssl-profile-server2)#exit
switch(config-mgmt-security)#exit
switch(config)#
switch(config)#management security
switch(config-mgmt-security)#ssl profile client
switch(config-mgmt-sec-ssl-profile-client)#certificate client.crt key client.key
switch(config-mgmt-sec-ssl-profile-client)#trust certificate ca.crt
switch(config-mgmt-sec-ssl-profile-client)#trust certificate intermediate.crt
switch(config-mgmt-sec-ssl-profile-client)#exit
switch(config-mgmt-security)#exit
switch(config)#
The following configuration will not work, as it results in invalid SSL profiles.
switch(config)#management security
switch(config-mgmt-security)#ssl profile server3
switch(config-mgmt-sec-ssl-profile-server3)#certificate server2.crt key server2.key
switch(config-mgmt-sec-ssl-profile-server3)#chain certificate intermediate.crt
switch(config-mgmt-sec-ssl-profile-server3)#show management security ssl profile
Profile State Additional Info
---------------------------- ------------- ----------------------------------------
server3 invalid Profile has invalid certificate chain
switch(config-mgmt-sec-ssl-profile-server3)#exit
switch(config-mgmt-security)#exit
switch(config)#
switch(config)#management security
switch(config-mgmt-security)#ssl profile client3
switch(config-mgmt-sec-ssl-profile-client3)#certificate client3.crt key client3.key
switch(config-mgmt-sec-ssl-profile-client3)#trust certificate intermediate.crt
switch(config-mgmt-sec-ssl-profile-client3)#show management security ssl profile
Profile State Additional Info
---------------------------- ------------- ----------------------------------------
client3 invalid Profile has invalid trusted certificate
chain
switch(config-mgmt-sec-ssl-profile-client3)#exit
switch(config-mgmt-security)#exit
switch(config)#
EOS performs various checks on the certificates in an SSL profile before allowing the profile to be used. The way these checks are performed can be modified, added to, or relaxed locally. The following are some of the checks that can be performed before any communication with the peer.
switch(config-mgmt-sec-ssl-profile-client)# certificate requirement extended-key-usage
switch(config-mgmt-sec-ssl-profile-client)# trust certificate requirement basic-constraints ca true
switch(config-mgmt-sec-ssl-profile-client)# chain certificate requirement basic-constraints ca true
switch(config-mgmt-sec-ssl-profile-client)# certificate policy expiry-date ignore
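To make the profile checks concrete, here is an added Go program (example code, not EOS software) that rebuilds the split-chain example above with a generated PKI and applies the same checks locally: certificate/key match, the chain from the peer's certificate to a trusted certificate (a trusted intermediate only helps when its root is trusted too), and the basicConstraints CA=true requirement on every issuer, which Go's verifier enforces. Expiry is checked against the supplied time; the extended-key-usage check is not modelled, and the names ca, intermediate, intermediate2, server2 and client are constructed.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Profile mirrors an EOS SSL profile: certificate, key, chain and trusted certs.
type Profile struct {
	Cert    *x509.Certificate
	Key     *rsa.PrivateKey
	Chain   []*x509.Certificate
	Trusted []*x509.Certificate
}

// CheckKeyMatch is the local check behind the "does not match with key" error:
// the RSA public key in the certificate must equal the key's public half.
func (p Profile) CheckKeyMatch() error {
	pub, _ := p.Cert.PublicKey.(*rsa.PublicKey)
	if pub == nil || !pub.Equal(&p.Key.PublicKey) {
		return fmt.Errorf("certificate %q does not match with key", p.Cert.Subject.CommonName)
	}
	return nil
}

// VerifyPeer models the check a profile applies to a peer: the peer's
// certificate plus the chain it presents must reach one of this profile's
// trusted certificates. Self-signed trusted certificates are roots; any other
// trusted certificate is only an intermediate, so trusting an intermediate
// without its root cannot succeed. Go also rejects issuers without CA=true.
func (p Profile) VerifyPeer(peer Profile, now time.Time) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	for _, c := range p.Trusted {
		if c.CheckSignatureFrom(c) == nil {
			roots.AddCert(c)
		} else {
			inters.AddCert(c)
		}
	}
	for _, c := range peer.Chain {
		inters.AddCert(c)
	}
	_, err := peer.Cert.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters,
		CurrentTime: now, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	return err
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// issue returns a certificate for cn signed by parent (self-signed when parent
// is nil); isCA sets the basicConstraints CA flag an issuer must carry.
func issue(cn string, key *rsa.PrivateKey, parent *x509.Certificate, parentKey *rsa.PrivateKey, isCA bool) *x509.Certificate {
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  isCA,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey))
	return must(x509.ParseCertificate(der))
}

// BuildScenario constructs the PKI of the split-chain example above
// (ca -> intermediate -> intermediate2 -> server2; client signed by ca) and
// returns the server and client profiles configured as in that example.
func BuildScenario() (server, client Profile) {
	newKey := func() *rsa.PrivateKey { return must(rsa.GenerateKey(rand.Reader, 2048)) }
	caKey, i1Key, i2Key, srvKey, cliKey := newKey(), newKey(), newKey(), newKey(), newKey()
	ca := issue("ca", caKey, nil, nil, true)
	i1 := issue("intermediate", i1Key, ca, caKey, true)
	i2 := issue("intermediate2", i2Key, i1, i1Key, true)
	server = Profile{Cert: issue("server2", srvKey, i2, i2Key, false), Key: srvKey, Chain: []*x509.Certificate{i2}}
	client = Profile{Cert: issue("client", cliKey, ca, caKey, false), Key: cliKey, Trusted: []*x509.Certificate{ca, i1}}
	return server, client
}

func main() {
	server, client := BuildScenario()
	fmt.Println("split chain:", client.VerifyPeer(server, time.Now()))
	// The mistake from the text: server2 presents intermediate.crt instead of intermediate2.crt.
	wrongChain := Profile{Cert: server.Cert, Chain: []*x509.Certificate{client.Trusted[1]}}
	fmt.Println("wrong chain:", client.VerifyPeer(wrongChain, time.Now()))
	fmt.Println("wrong key:", Profile{Cert: server.Cert, Key: client.Key}.CheckKeyMatch())
}
```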
The show management security ssl profile command displays the SSL profile status information. To view a specific SSL profile status, use the name of the SSL profile. Otherwise, all SSL profile statuses are displayed.
Example
switch# show management security ssl profile server
Profile State
------------- -----------
server valid
If there are any errors in the SSL profile, an invalid state is displayed and the errors are listed in the third column. Once the error is fixed, the SSL profile becomes valid.
switch# show management security ssl profile server
Profile State Error
------------- ------------- ----------------------------------------
server invalid Certificate 'server.crt' does not match
with key
switch# show management security ssl profile server
Profile State Error
------------- ------------- -------------------------------------
server invalid Certificate 'ca2.crt' does not exist
switch# show management security ssl profile server
Profile State Error
------------- ------------- ----------------------------------------
server invalid Certificate 'foo.crt' is trusted and not
a root certificate
switch# show management security ssl profile server
Profile State Error
------------- ------------- -------------------------------------
server invalid Certificate 'server.crt' has expired
switch# show management security ssl profile server
Profile State Error
-------------- ------------- ---------------------------------------------
server invalid Profile has invalid certificate chain
Certificate 'intermediate.crt' does not exist
switch01# show running-config section ssl
management security
ssl profile profile01
certificate cert.pem key key.pem
Run the security pki certificate generate signing-request rotation ssl profile command to generate a new key and corresponding signing request for SSL profile profile01. This command also generates a unique rotation ID that can be later used to import the certificate.
switch01# security pki certificate generate signing-request rotation ssl profile profile01 key generate rsa 2048 parameters common-name switch01
Rotation ID: 2ad7771e8cbc11ebbba37483ef8d9c4b
Certificate Signing Request:
-----BEGIN CERTIFICATE REQUEST-----
-----END CERTIFICATE REQUEST-----
The complete syntax of the above command is as follows. The import-timeout specifies the timeout for this rotation ID. If no certificate is imported within this timeout, the rotation ID expires and will be deleted.
switch# security pki certificate generate signing-request rotation ssl profile <profile-name>
key generate rsa <2048|3072|4096>
[ import-timeout <minutes> ] (default: 60 mins)
[ digest <sha256|sha384|sha512> ] (default: sha256) parameters common-name <common-name>
[ country <country-code> ]
[ state <state-name> ]
[ locality <locality-name> ]
[ organization <org-name> ]
[ organization-unit <org-unit-name> ]
[ email <email> ]
[ subject-alternative-name [ ip <ip1 ip2 …> ]
[ dns <nm1 nm2 …> ] [ dns <nm1 nm2 …> ]
Use the show security pki certificate rotation command to view the status of rotation IDs.
switch# show security pki certificate rotation
Rotation ID Profile Name State Expiry
--------------------------------- ------------ --------------- -------------------
2ad7771e8cbc11ebbba37483ef8d9c4b profile01 Import Pending 2021-03-24 10:15:37
Copy the signing request, get it signed by a CA and import the certificate using the security pki certificate rotation import <rotation-id> command. Use the rotation ID that was generated with the signing request.
switch# security pki certificate rotation import 2ad7771e8cbc11ebbba37483ef8d9c4b
Enter TEXT certificate. Type 'EOF' on its own line to end.
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
EOF
Success
switch# security pki certificate rotation commit 2ad7771e8cbc11ebbba37483ef8d9c4b
Success
switch# security pki certificate rotation commit ssl profile profile01
Enter TEXT private key. Type 'EOF' on its own line to end.
-----BEGIN PRIVATE KEY-----
-----END PRIVATE KEY-----
EOF
Enter TEXT certificate. Type 'EOF' on its own line to end.
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
EOF
Success
The Diffie-Hellman parameters file is used for symmetric key exchange during SSL negotiation. When the system is booted, the system auto generates a Diffie-Hellman parameters file if one does not exist. To reset the auto generated Diffie-Hellman parameters file, use the reset command. The individual features that use SSL profile configuration will decide whether they also use the Diffie-Hellman parameters file. The switch uses 2048-bit Diffie-Hellman parameters with no options to select the size.
Example
switch# reset ssl diffie-hellman parameters
The show management security ssl diffie-hellman command displays the Diffie-Hellman parameters.
Example
switch# show management security ssl diffie-hellman
Last successful reset on Apr 10 16:18:08 2015
Diffie-Hellman Parameters 1024 bits
Generator: 2
Prime: dc47b5edc0d2b41451432f79f45efab452bba7b1ab118c194d671d6752ed1c550
664ed8f052ad0fdad623c1d54ae5aee5e728d2bd7a6221636b787a4c08d1fef8c
6dcd10759d38f8b70b47d1c7972d69b0b295a2ee6ab44cfc7352cb133e85197c8
9f1fc27aac7e8e02afb4fb01ca1cb05558a7bef505b73a8d06cdfe403576b
During a TLS handshake, both peers send each other a list of the TLS versions they support as a way to agree on and use the highest common version. In an SSL profile, the allowable versions can be configured using the tls versions command. By default, TLSv1, TLSv1.1, and TLSv1.2 are enabled.
switch# config
switch(config)# management security
switch(config-mgmt-security)# ssl profile client
switch(config-mgmt-sec-ssl-profile-client)#
switch(config-mgmt-sec-ssl-profile-client)# tls versions 1.2
switch(config-mgmt-sec-ssl-profile-client)# tls versions add 1.1
switch(config-mgmt-sec-ssl-profile-client)# tls versions 1.1 1.2
Similarly to the TLS version, the cipher suite is negotiated between the client and the server during a TLS handshake. The client sends the list of cipher suites it supports, and the server chooses a common cipher suite after comparing the client's list with its own list of cipher suites. The default cipher-list setting is the OpenSSL cipher string HIGH:!eNULL:!aNULL:!MD5, which only allows key lengths larger than 128 bits and forbids cipher suites using MD5. The full list of cipher suites can be expanded using the shell command openssl ciphers HIGH:!eNULL:!aNULL:!MD5.
Example
switch(config-mgmt-sec-ssl-profile-client)# cipher-list AESGCM
switch(config-mgmt-sec-ssl-profile-client)# cipher-list SHA256:SHA384
switch(config-mgmt-sec-ssl-profile-client)# cipher-list ECDHE-ECDSA-AES256-GCM-SHA384
Federal Information Processing Standards (FIPS) is a cryptographic standard used to restrict the cryptographic functions and protocol versions that are used by OpenSSL.
Example
switch(config-mgmt-sec-ssl-profile-client)# fips restrictions
To send Syslog information to a remote Syslog server over TLS, define an SSL profile and reference it from the logging host command. Traffic to the server is then sent over a TLS connection.
switch(config)# logging host test.example.com 1234 protocol tls ssl-profile test-profile
switch(config-mgmt-security)# ssl profile test-profile
switch(config-mgmt-sec-ssl-profile-test-profile)# certificate clientCert key clientKey
switch(config-mgmt-sec-ssl-profile-test-profile)# trust certificate serverCA
The dir command displays the directory output of certificate file systems.
Example
switch# dir certificate:
Directory of certificate:/
-rw- 3319 Apr 10 11:50 server.crt
No space information available
The show management security ssl certificate command displays the certificate information. To view a specific certificate use the name of the certificate, else all the certificates are displayed.
Example
switch# show management security ssl certificate server.crt
Certificate server.crt:
Version: 1
Serial Number: 9
Issuer:
Common name: ca
Email address: [not shown]
Organizational unit: Foo Org
Organization: Foo
Locality: SC
State: CA
Country: US
Validity:
Not before: Aug 11 21:44:17 2014 GMT
Not After: May 14 21:44:17 2069 GMT
Subject:
Common name: server
Email address: [not shown]
Organizational unit: Foo Org
Organization: Foo
Locality: SC
State: CA
Country: US
Subject public key info:
Encryption Algorithm: RSA
Size: 2048 bits
Public exponent: 65537
Modulus: e04e3ff8e1c64dbcb141fe96133f998e90a322c671b9f28307bf873
2239f69804a77fbb8f146841eb6253b7bb50bf6c66bbf3097ec695b
0d7985cfdd939c9913b4ba4f6cb8655b208ed0254a269ecab574987
ea5ee80085f5216d303cf704372b2fa1aae62756c3762441fcc1c04
635a831d5ec96d841
The show management security ssl crl command displays the installed Certificate Revocation List (CRL) information. To view a specific CRL use the name of the CRL, else all the CRLs are displayed.
Example
switch# show management security ssl crl intermediate.crl
CRL intermediate.crl:
CRL Number: 11
Issuer:
Common name: intermediate
Email address: [not shown]
Organizational unit: Foo Org
Organization: Foo
State: CA
Country: US
Validity:
Last Update: Jul 19 19:27:34 2016 GMT
Next Update: Dec 05 19:27:34 2043 GMT
The dir command displays the directory output of SSL key file systems.
Example
switch# dir sslkey:
Directory of sslkey:/
-rw- 1675 Apr 10 12:55 server.key
No space information available
The show management security ssl key command displays the RSA key information. To view a specific RSA key use the name of the key, otherwise, all the keys are displayed. For security reasons, only the public part of the key is displayed.
Example
switch# show management security ssl key server.key
Key server.key:
Encryption Algorithm: RSA
Size: 2048 bits
Public exponent: 65537
Modulus: e04e3ff8e1c64dbcb141fe96133f998e90a322c671b9f28307bf873
2239f69804a77fbb8f146841eb6253b7bb50bf6c66bbf3097ec695b
0d7985cfdd939c9913b4ba4f6cb8655b208ed0254a269ecab574987
b502f8c3f541fa3bae59743cced6e6ca04f6ca6c9268744add79c3a
f8178d12dd744ddf5db100b33c46b40e53f0a1c7d49f83488976c5d
The copy file: certificate: command copies the certificate to the certificate: file system. The certificate can be copied from any supported source URL of the copy command.
Command Mode
Global Configuration
Command Syntax
copy file: file_name certificate:
Parameters
file_name location or the path of the file or the directory where the certificate is saved.
Guidelines
The copy is rejected when the file holds more than one type of PEM entity, is not a valid certificate, or carries a key that is not RSA:
switch(config)#copy file:tmp/ssl/mixed.crt certificate:
% Error copying file:tmp/ssl/mixed.crt to certificate: (Multiple types of entities in certificate file not supported)
switch(config)#
switch(config)#copy file:tmp/ssl/bad.crt certificate:
% Error copying file:tmp/ssl/bad.crt to certificate: (Invalid certificate)
switch(config)#
switch(config)#copy file:tmp/ssl/dsa.crt certificate:
% Error copying file:tmp/ssl/dsa.crt to certificate: (Certificate does not have RSA key)
switch(config)#
Example
switch(config)# copy file:/tmp/ssl/server.crt certificate:
Copy completed successfully.
The copy file: sslkey: command copies the SSL key to the sslkey: file system. The key can be copied from any supported source URL of the copy command.
Command Mode
Global Configuration
Command Syntax
copy file: file_name sslkey:
Parameters
file_name location or the path of the file or the directory where the key is saved.
Guidelines
The copy is rejected when the file holds more than one PEM entity, is not a valid RSA key, or is password protected:
switch#copy file:tmp/ssl/multi.key sslkey:
% Error copying file:tmp/ssl/multi.key to sslkey: (Multiple PEM entities in single file not supported)
switch#copy file:tmp/ssl/bad.key sslkey:
% Error copying file:tmp/ssl/bad.key to sslkey: (Invalid RSA key)
switch#copy file:/tmp/ssl/pass.key sslkey:
% Error copying file:tmp/ssl/pass.key to sslkey: (Password protected keys are not supported)
Example
switch(config)#copy file:/tmp/ssl/server.key sslkey:
Copy completed successfully.
switch(config)#
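As an added example (not Arista code), the following Python script performs the checks behind the error messages of copy file: certificate: and copy file: sslkey: on a PEM file before it is uploaded. The PEM bodies are constructed stand-ins, and the search for the rsaEncryption OID is a heuristic for the RSA-key check, not the switch's own parser.

```python
"""Pre-flight checks for the PEM files fed to 'copy file: certificate:' and 'copy file: sslkey:'.

Added example, not Arista code. It reproduces the acceptance rules implied by the
copy commands' error messages (one type of PEM entity per certificate file, one
entity per key file, RSA keys only, no password-protected keys) so that a file can
be rejected before it is uploaded to the switch.
"""
import base64
import binascii
import re
from dataclasses import dataclass
from typing import List

# DER encoding of the rsaEncryption OID (1.2.840.113549.1.1.1); its presence in the
# certificate body is used here as a heuristic for "the subject key is RSA".
RSA_OID = bytes.fromhex("06092a864886f70d010101")
CERT_LABELS = {"CERTIFICATE", "X509 CERTIFICATE"}
PKCS1_RSA_LABEL = "RSA PRIVATE KEY"
PKCS8_LABEL = "PRIVATE KEY"

PEM_RE = re.compile(
    r"-----BEGIN (?P<label>[A-Z0-9 ]+)-----\r?\n(?P<body>.*?)-----END (?P=label)-----",
    re.S,
)


@dataclass
class PemEntity:
    label: str
    encrypted: bool  # PKCS#1 'Proc-Type: 4,ENCRYPTED' header or PKCS#8 ENCRYPTED PRIVATE KEY
    der: bytes


def parse_pem(text: str) -> List[PemEntity]:
    """Split a PEM file into its entities; raise ValueError on undecodable base64."""
    entities = []
    for m in PEM_RE.finditer(text):
        lines = m.group("body").splitlines()
        headers = [ln for ln in lines if ":" in ln]  # RFC 1421 style header lines
        b64 = "".join(ln.strip() for ln in lines if ":" not in ln)
        try:
            der = base64.b64decode(b64, validate=True)
        except binascii.Error as exc:
            raise ValueError(f"undecodable base64 in {m.group('label')}") from exc
        label = m.group("label")
        encrypted = label == "ENCRYPTED PRIVATE KEY" or any(
            h.startswith("Proc-Type: 4,ENCRYPTED") for h in headers)
        entities.append(PemEntity(label, encrypted, der))
    return entities


def check_certificate_file(text: str) -> str:
    """Return 'ok' or the reason 'copy file: certificate:' would give for rejecting the file."""
    try:
        entities = parse_pem(text)
    except ValueError:
        return "Invalid certificate"
    if len({e.label for e in entities}) > 1:  # e.g. a certificate and a key in one file
        return "Multiple types of entities in certificate file not supported"
    if not entities or any(e.label not in CERT_LABELS or not e.der.startswith(b"\x30")
                           for e in entities):
        return "Invalid certificate"  # every DER certificate is an ASN.1 SEQUENCE (0x30)
    if any(RSA_OID not in e.der for e in entities):
        return "Certificate does not have RSA key"
    return "ok"


def check_key_file(text: str) -> str:
    """Return 'ok' or the reason 'copy file: sslkey:' would give for rejecting the file."""
    try:
        entities = parse_pem(text)
    except ValueError:
        return "Invalid RSA key"
    if len(entities) > 1:
        return "Multiple PEM entities in single file not supported"
    if not entities:
        return "Invalid RSA key"
    key = entities[0]
    if key.encrypted:
        return "Password protected keys are not supported"
    is_rsa = key.label == PKCS1_RSA_LABEL or (key.label == PKCS8_LABEL and RSA_OID in key.der)
    if not is_rsa or not key.der.startswith(b"\x30"):
        return "Invalid RSA key"
    return "ok"


def pem(label: str, der: bytes, headers: str = "") -> str:
    """Wrap DER bytes in a PEM envelope (used to build the constructed samples below)."""
    body = base64.encodebytes(der).decode()
    return f"-----BEGIN {label}-----\n{headers}{body}-----END {label}-----\n"


# Constructed sample bodies: minimal ASN.1 SEQUENCEs that only carry the OIDs the
# heuristics look for; they are not real certificates or keys.
FAKE_RSA_CERT_DER = b"\x30\x0d" + RSA_OID + b"\x05\x00"
FAKE_EC_CERT_DER = b"\x30\x09" + bytes.fromhex("06072a8648ce3d0201")  # id-ecPublicKey
FAKE_RSA_KEY_DER = b"\x30\x03\x02\x01\x00"

SERVER_CRT = pem("CERTIFICATE", FAKE_RSA_CERT_DER)
MIXED_CRT = SERVER_CRT + pem("RSA PRIVATE KEY", FAKE_RSA_KEY_DER)
BAD_CRT = "-----BEGIN CERTIFICATE-----\nnot*valid*base64\n-----END CERTIFICATE-----\n"
EC_CRT = pem("CERTIFICATE", FAKE_EC_CERT_DER)
SERVER_KEY = pem("RSA PRIVATE KEY", FAKE_RSA_KEY_DER)
MULTI_KEY = SERVER_KEY + SERVER_KEY
BAD_KEY = pem("EC PRIVATE KEY", FAKE_RSA_KEY_DER)
PASS_KEY = pem("RSA PRIVATE KEY", FAKE_RSA_KEY_DER,
               "Proc-Type: 4,ENCRYPTED\nDEK-Info: AES-256-CBC,00112233445566778899AABBCCDDEEFF\n\n")

if __name__ == "__main__":
    for name, text in [("server.crt", SERVER_CRT), ("mixed.crt", MIXED_CRT),
                       ("bad.crt", BAD_CRT), ("ec.crt", EC_CRT)]:
        print(f"{name}: {check_certificate_file(text)}")
    for name, text in [("server.key", SERVER_KEY), ("multi.key", MULTI_KEY),
                       ("bad.key", BAD_KEY), ("pass.key", PASS_KEY)]:
        print(f"{name}: {check_key_file(text)}")
```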
The delete certificate: command deletes a specified certificate from the certificate: file system on the switch.
Command Mode
Global Configuration
Command Syntax
delete certificate: certificate_name
Parameters
certificate_name name of the certificate to be deleted.
Example
switch(config)# delete certificate:server.crt
The delete sslkey: command deletes an SSL key from the sslkey: file system on the switch.
Command Mode
Global Configuration
Command Syntax
delete sslkey: key_name
Parameters
key_name name of the key.
Example
switch(config)# delete sslkey:server.key
The dir certificate: command displays the directory listing of the certificate: file system on the switch.
Command Mode
Global Configuration
Command Syntax
dir certificate:
Example
switch(config)# dir certificate:
Directory of certificate:/
-rw- 3319 Apr 10 11:50 server.crt
No space information available
The dir sslkey: command displays the directory listing of the sslkey: file system on the switch.
Command Mode
Global Configuration
Command Syntax
dir sslkey:
Example
switch(config)# dir sslkey:
Directory of sslkey:/
-rw- 1675 Apr 10 12:55 server.key
No space information available
The reset ssl diffie-hellman parameters command resets the Diffie-Hellman parameters file after a system reboot.
Command Mode
Global Configuration
Command Syntax
reset ssl diffie-hellman parameters
Example
switch(config)# reset ssl diffie-hellman parameters
switch(config)#
The security pki certificate generate command generates a self-signed certificate or a Certificate Signing Request (CSR). The generated CSR is displayed on the CLI, whereas a self-signed certificate is saved to the certificate: file system.
Many other parameters can be applied to the certificate, as shown in the examples below.
Command Mode
Global Configuration
Command Syntax
security pki certificate generate {self-signed | signing-request} certificate_name key key_name
Example
switch(config)# security pki certificate generate self-signed test.crt key test.key
switch(config)# security pki certificate generate signing-request key test.key digest sha256 validity 365
switch(config)# security pki certificate generate signing-request key test.key parameters common-name Test [country US ...]
The security pki key generate command generates an RSA key to be used with a specific certificate.
The key length is set with the generate rsa <length> parameter, as shown in the examples below.
Command Mode
Global Configuration
Command Syntax
security pki key generate rsa key_length key_name
Example
switch(config)# security pki key generate rsa 2048 test.key
switch(config)# security pki certificate generate self-signed test.crt key test.key generate rsa 4096
switch(config)# security pki certificate generate signing-request key test.key generate rsa 2048
The show management security ssl certificate command displays information about the certificates. Provide the name of a certificate to view information about that certificate only. If no name is provided, this command displays information about all the certificates.
Command Mode
EXEC
Command Syntax
show management security ssl certificate [certificate_name]
Parameter
certificate_name name of the certificate. This is optional.
Example
switch# show management security ssl certificate server.crt
Certificate server.crt:
Version: 1
Serial Number: 9
Issuer:
Common name: ca
Email address: [obscured]
Organizational unit: Foo Org
Organization: Foo
Locality: SC
State: CA
Country: US
Validity:
Not before: Aug 11 21:44:17 2014 GMT
Not After: May 14 21:44:17 2069 GMT
Subject:
Common name: server
Email address: [obscured]
Organizational unit: Foo Org
Organization: Foo
Locality: SC
State: CA
Country: US
Subject public key info:
Encryption Algorithm: RSA
Size: 2048 bits
Public exponent: 65537
Modulus: e04e3ff8e1c64dbcb141fe96133f998e90a322c671b9f28307bf873
2239f69804a77fbb8f146841eb6253b7bb50bf6c66bbf3097ec695b
0d7985cfdd939c9913b4ba4f6cb8655b208ed0254a269ecab574987
9f54c8c7f0b3a57a7ab826870119083222ad5ee76d40f3fae49d36e
b502f8c3f541fa3bae59743cced6e6ca04f6ca6c9268744add79c3a
c08af6b451455b4a61071f4c0b3ec3553585312783e9381f65bb0e2
ea5ee80085f5216d303cf704372b2fa1aae62756c3762441fcc1c04
97ee6190586ed28c0e376f48e53f05a40c7e1f3a65e3c6165bae5df
f8178d12dd744ddf5db100b33c46b40e53f0a1c7d49f83488976c5d
635a831d5ec96d841
The show management security ssl crl command displays the basic information on the installed Certificate Revocation Lists (CRLs). To view information on a specific CRL, provide the name of the CRL. If no name is provided, this command shows information on all the CRLs.
Command Mode
EXEC
Command Syntax
show management security ssl crl [crl_name]
Example
switch# show management security ssl crl intermediate.crl
CRL intermediate.crl:
CRL Number: 11
Issuer:
Common name: intermediate
Email address: [obscured]
Organizational unit: Foo Org
Organization: Foo
State: CA
Country: US
Validity:
Last Update: Jul 19 19:27:34 2016 GMT
Next Update: Dec 05 19:27:34 2043 GMT
The show management security ssl diffie-hellman command displays the Diffie-Hellman parameter information.
Command Mode
EXEC
Command Syntax
show management security ssl diffie-hellman
Example
switch# show management security ssl diffie-hellman
Last successful reset on Apr 10 16:18:08 2015
Diffie-Hellman Parameters 1024 bits
Generator: 2
Prime: dc47b5edc0d2b41451432f79f45efab452bba7b1ab118c194d671d6752ed1c550
664ed8f052ad0fdad623c1d54ae5aee5e728d2bd7a6221636b787a4c08d1fef8c
6dcd10759d38f8b70b47d1c7972d69b0b295a2ee6ab44cfc7352cb133e85197c8
9f1fc27aac7e8e02afb4fb01ca1cb05558a7bef505b73a8d06cdfe403576b
The show management security ssl key command displays the RSA key information. To view information of a specific key, provide the name of the key in the command. If no name is provided, this command displays information of all the keys.
Command Mode
EXEC
Command Syntax
show management security ssl key [key_name]
Parameter
key_name name of the key. This is optional.
Example
switch# show management security ssl key server.key
Key server.key:
Encryption Algorithm: RSA
Size: 2048 bits
Public exponent: 65537
Modulus: e04e3ff8e1c64dbcb141fe96133f998e90a322c671b9f28307bf873
2239f69804a77fbb8f146841eb6253b7bb50bf6c66bbf3097ec695b
0d7985cfdd939c9913b4ba4f6cb8655b208ed0254a269ecab574987
9f54c8c7f0b3a57a7ab826870119083222ad5ee76d40f3fae49d36e
b502f8c3f541fa3bae59743cced6e6ca04f6ca6c9268744add79c3a
c08af6b451455b4a61071f4c0b3ec3553585312783e9381f65bb0e2
ea5ee80085f5216d303cf704372b2fa1aae62756c3762441fcc1c04
97ee6190586ed28c0e376f48e53f05a40c7e1f3a65e3c6165bae5df
f8178d12dd744ddf5db100b33c46b40e53f0a1c7d49f83488976c5d
635a831d5ec96d841
The show management security ssl profile command displays the SSL profile status information. To display information of a specific SSL profile, provide the name of the profile. If no name is provided, this command displays profile status of all the SSL profiles.
If there are any errors in the SSL profile, the state is shown as invalid and the errors are listed in the third column, as shown in the examples below.
Command Mode
EXEC
Command Syntax
show management security ssl profile [profile_name]
Parameter
profile_name name of the SSL profile. This is optional.
Example
switch# show management security ssl profile server
Profile        State
-------------- -----------
server         valid
switch# show management security ssl profile server
Profile        State          Error
-------------- -------------- ----------------------------------------
server         invalid        Certificate 'server.crt' does not match
                              with key
switch# show management security ssl profile server
Profile        State          Error
-------------- -------------- ----------------------------------------
server         invalid        Certificate 'ca2.crt' does not exist
switch# show management security ssl profile server
Profile        State          Error
-------------- -------------- ----------------------------------------
server         invalid        Certificate 'foo.crt' is trusted and not
                              a root certificate
switch# show management security ssl profile server
Profile        State          Error
-------------- -------------- ----------------------------------------
server         invalid        Certificate 'server.crt' has expired
switch# show management security ssl profile server
Profile        State          Error
-------------- -------------- ---------------------------------------------
server         invalid        Profile has invalid certificate chain
                              Certificate 'intermediate.crt' does not exist
The ssl profile command places the switch in SSL profile configuration mode. Various SSL profile management settings are configured in this mode. For example, this mode allows an SSL profile to be configured with a certificate and its corresponding RSA key.
Similarly, other settings such as trust certificates, chain certificates, CRLs, TLS versions and the cipher list can be configured for an SSL profile in this mode.
The no form of the command deletes the SSL profile configuration from running-config.
Command Mode
Management Security Mode
SSL Profile Mode
Command Syntax
ssl profile profile_name
Parameter
profile_name name of the profile.
switch# config
switch(config)# management security
switch(config-mgmt-security)# ssl profile server
switch(config-mgmt-sec-ssl-profile-server)#
switch# config
switch(config)# management security
switch(config-mgmt-security)# ssl profile server
switch(config-mgmt-sec-ssl-profile-server)# certificate server.crt key server.key
switch(config-mgmt-sec-ssl-profile-server)# no certificate server.crt key server.key
switch# config
switch(config)# management security
switch(config-mgmt-security)# ssl profile server
switch(config-mgmt-sec-ssl-profile-server)# trust certificate ca1.crt
switch(config-mgmt-sec-ssl-profile-server)# no trust certificate ca1.crt
switch# config
switch(config)# management security
switch(config-mgmt-security)# ssl profile server
switch(config-mgmt-sec-ssl-profile-server)# certificate server.crt key server.key
switch(config-mgmt-sec-ssl-profile-server)# chain certificate intermediate.crt
switch(config-mgmt-sec-ssl-profile-server)# no chain certificate intermediate.crt
switch# config
switch(config)# management security
switch(config-mgmt-security)# ssl profile server
switch(config-mgmt-sec-ssl-profile-server)# crl intermediate.crl
switch(config-mgmt-sec-ssl-profile-server)# crl ca.crl
switch(config-mgmt-sec-ssl-profile-server)# no crl ca.crl
switch# config
switch(config)# management security
switch(config-mgmt-security)# ssl profile server
switch(config-mgmt-sec-ssl-profile-server)# tls versions 1.2
switch# config
switch(config)# management security
switch(config-mgmt-security)# ssl profile server
switch(config-mgmt-sec-ssl-profile-server)# cipher-list AESGCM
switch(config-mgmt-sec-ssl-profile-server)# cipher-list SHA256:SHA38
switch(config-mgmt-sec-ssl-profile-server)# cipher-list ECDHE-ECDSA-AES256-GCM-SHA384
switch(config-mgmt-sec-ssl-profile-client)#certificate requirement extended-key-usage
switch(config-mgmt-sec-ssl-profile-client)# trust certificate requirement basic-constraints ca true
switch(config-mgmt-sec-ssl-profile-client)# chain certificate requirement basic-constraints ca true
switch(config-mgmt-sec-ssl-profile-client)# fips restrictions
802.1X is an IEEE standard protocol that prevents unauthorized devices from gaining access to the network.
Before authentication succeeds, the switchport is in unauthorized mode and blocks all traffic; after authentication has succeeded, normal data can flow through the switchport.
Port security controls who can send or receive traffic through an individual switch port. An end node is not allowed to send or receive traffic through a port until the node is authenticated by a RADIUS server.
This prevents unauthorized individuals from connecting to a switch port to access your network. Only users designated as valid on the RADIUS server are allowed to use the switch to access the network.
The Single-Host and Multi-Host modes allow only one 802.1X supplicant to be authenticated on a port. Once it is successfully authenticated, no other 802.1X supplicant can be authenticated unless the current one logs off. The Multi-Host Authenticated mode, however, allows multiple 802.1X supplicants to be authenticated and given access to the network.
Apart from 802.1X authentication, Arista switches also support MAC-Based Authentication (MBA), which allows devices that do not speak 802.1X to access the network. The authenticator uses the MAC address of such a device as the username and password in its RADIUS request packets. The RADIUS server decides, based on its MAC-Based Authentication configuration, whether or not to authenticate the supplicant. Unlike 802.1X supplicants, multiple MBA supplicants are allowed on a single port. The MBA configuration is independent of the 802.1X host modes: regardless of the host mode, MBA supplicants are not considered when deciding whether to allow or reject unauthenticated traffic.
Arista switches also support Dynamic VLAN assignment, which allows the RADIUS server to indicate the desired VLAN for the supplicant, using the tunnel attributes with the Access-Accept message. Both 802.1X and MBA supplicants can be assigned a VLAN via the RADIUS server. Note that only one VLAN per port is supported. When the first host authenticates, the authenticator port is put in the respective VLAN (via dynamic VLAN assignment) and subsequently, all other hosts must belong to that VLAN as well.
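Added example, not Arista code: a decoder for the RADIUS tunnel attributes (Tunnel-Type, Tunnel-Medium-Type, Tunnel-Private-Group-ID) that carry the dynamic VLAN in an Access-Accept, with the one-VLAN-per-port rule applied to hosts authenticating on the same port. The Access-Accept is constructed in the block, and the PortVlanTracker class and build_access_accept helper are this example's own.

```python
"""Decode the RADIUS tunnel attributes that carry a dynamic VLAN assignment.

Added example, not Arista code. It parses the attribute list of a constructed
Access-Accept (RFC 2865 framing, RFC 2868 tunnel attributes) and applies the
one-VLAN-per-port rule: the first authenticated host fixes the port's VLAN and
every later host on that port must be assigned the same VLAN.
"""
import struct
from typing import Dict, List, Optional, Tuple

CODE_ACCESS_ACCEPT = 2
TUNNEL_TYPE = 64              # value 13 = VLAN
TUNNEL_MEDIUM_TYPE = 65       # value 6 = IEEE-802
TUNNEL_PRIVATE_GROUP_ID = 81  # the VLAN ID, carried as a string
TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_IEEE_802 = 6
HEADER_LEN = 20               # code, identifier, length, 16-byte authenticator


def parse_attributes(data: bytes) -> List[Tuple[int, bytes]]:
    """Walk the RADIUS attribute list: type, length (including the 2-byte header), value."""
    attrs, i = [], 0
    while i < len(data):
        if len(data) - i < 2:
            raise ValueError("truncated attribute header")
        atype, alen = data[i], data[i + 1]
        if alen < 2 or i + alen > len(data):
            raise ValueError(f"bad length {alen} for attribute {atype}")
        attrs.append((atype, data[i + 2:i + alen]))
        i += alen
    return attrs


def untag(value: bytes) -> bytes:
    """Drop the optional RFC 2868 tag byte: a first octet of 0x00..0x1F is a tag, not data."""
    return value[1:] if value and value[0] <= 0x1F else value


def assigned_vlan(packet: bytes) -> Optional[int]:
    """Return the VLAN ID an Access-Accept assigns, or None when there is no usable assignment."""
    if len(packet) < HEADER_LEN:
        raise ValueError("RADIUS packet shorter than its header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("RADIUS length field does not match packet size")
    if code != CODE_ACCESS_ACCEPT:
        return None
    tunnel_type = medium = group = None
    for atype, value in parse_attributes(packet[HEADER_LEN:]):
        if atype == TUNNEL_TYPE and len(value) == 4:          # tag + 3-byte integer
            tunnel_type = int.from_bytes(value[1:], "big")
        elif atype == TUNNEL_MEDIUM_TYPE and len(value) == 4:
            medium = int.from_bytes(value[1:], "big")
        elif atype == TUNNEL_PRIVATE_GROUP_ID:
            group = untag(value).decode("ascii", errors="replace")
    # All three attributes must agree before the group ID is read as a VLAN number.
    if tunnel_type != TUNNEL_TYPE_VLAN or medium != TUNNEL_MEDIUM_IEEE_802 or group is None:
        return None
    if not group.isdigit() or not 1 <= int(group) <= 4094:
        return None
    return int(group)


class PortVlanTracker:
    """Tracks the single dynamic VLAN a port may carry: the first host's VLAN wins."""

    def __init__(self) -> None:
        self.vlan: Optional[int] = None
        self.hosts: Dict[str, Optional[int]] = {}

    def admit(self, mac: str, access_accept: bytes) -> bool:
        """Record the host if its VLAN assignment is compatible with the port's VLAN."""
        vlan = assigned_vlan(access_accept)
        if vlan is not None and self.vlan is not None and vlan != self.vlan:
            return False              # a second VLAN on the same port is not supported
        if vlan is not None and self.vlan is None:
            self.vlan = vlan          # first authenticated host puts the port in its VLAN
        self.hosts[mac] = vlan        # hosts without an assignment stay on the port's VLAN
        return True


# Builders for a constructed Access-Accept; the Response Authenticator is zeroed
# because this example does not cover RADIUS message integrity.
def build_access_accept(ident: int, attrs: List[Tuple[int, bytes]]) -> bytes:
    body = b"".join(bytes([atype, len(value) + 2]) + value for atype, value in attrs)
    header = struct.pack("!BBH", CODE_ACCESS_ACCEPT, ident, HEADER_LEN + len(body))
    return header + bytes(16) + body


def vlan_attrs(vlan: int, tag: int = 0) -> List[Tuple[int, bytes]]:
    return [
        (TUNNEL_TYPE, bytes([tag]) + TUNNEL_TYPE_VLAN.to_bytes(3, "big")),
        (TUNNEL_MEDIUM_TYPE, bytes([tag]) + TUNNEL_MEDIUM_IEEE_802.to_bytes(3, "big")),
        (TUNNEL_PRIVATE_GROUP_ID, bytes([tag]) + str(vlan).encode("ascii")),
    ]


if __name__ == "__main__":
    port = PortVlanTracker()
    for mac, vlan in [("e2:29:cb:11:2f:4a", 300), ("e2:29:cb:11:2f:4b", 300),
                      ("e2:29:cb:11:2f:4c", 400)]:
        ok = port.admit(mac, build_access_accept(1, vlan_attrs(vlan)))
        print(f"{mac} assigned VLAN {vlan}: {'admitted' if ok else 'rejected'} (port VLAN {port.vlan})")
```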
802.1X features are now supported on 802.1Q trunk ports allowing the user to have Port-Based Network Access Control (PNAC) on such a port. With this feature, traffic coming into an 802.1X enabled port with a VLAN tag can also be authenticated via both 802.1X or MBA.
By default, traffic from any unauthenticated device on an 802.1X enabled port is dropped. By configuring Authentication Failure VLAN on the authenticator switch, 802.1X or MBA supplicants traffic can be put into a specific VLAN, if the supplicant fails to authenticate via the RADIUS server.
The 802.1X standard specifies the roles of Supplicant (client), Authenticator, and Authentication Server in a network. Switch Roles for 802.1X Configurations illustrates these roles.
Authentication Server The switch that validates the client and specifies whether or not the client may access services on the switch. The switch supports Authentication Servers running RADIUS.
Authenticator The switch that controls access to the network. In an 802.1X configuration, the switch serves as the Authenticator. As the Authenticator, it moves messages between the client and the Authentication Server. The Authenticator either grants or does not grant network access to the client based on the identity data provided by the client, and the authentication data provided by the Authentication Server.
Supplicant/Client The client provides username or password data to the Authenticator. The Authenticator sends this data to the Authentication Server. Based on the supplicant's information, the Authentication Server determines whether the supplicant can use the services provided by the Authenticator. The Authentication Server returns this decision to the Authenticator, which then provides services to the client based on the authentication result.
For communication between the switches, 802.1X port security uses the Extensible Authentication Protocol (EAP), defined in RFC 2284 and the RADIUS authentication protocol.
The 802.1X standard defines a method for encapsulating EAP messages so they can be sent over a LAN. This encapsulated kind of EAP is known as EAP over LAN (EAPOL). The standard also specifies a means of transferring the EAPOL information between the client or Supplicant, Authenticator, and Authentication Server.
EAPOL messages are passed between the Supplicant's and the Authenticator's Port Access Entity (PAE). The figure below shows the relationship between the Authenticator PAE and the Supplicant PAE.
Authenticator PAE: The Authenticator PAE communicates with the Supplicant PAE to receive the Supplicant's identifying information. Behaving as a RADIUS client, the Authenticator PAE passes the Supplicant's information to the Authentication Server, which decides whether to grant the Supplicant access. If the Supplicant passes authentication, the Authenticator PAE allows it access to the port.
Supplicant PAE: The Supplicant PAE provides information about the client to the Authenticator PAE and replies to requests from the Authenticator PAE. The Supplicant PAE may initiate the authentication procedure with the Authenticator PAE, as well as send logoff messages.
The Dot1x Dropped Counters count the packets dropped by dot1x interfaces. The dropped counter will not represent all the dropped packets in case of high volume dropping, and the CPU queue drop counter will reflect the rest of the dropped packet counter. This is due to the fact that EOS limits the bandwidth for the packets that get sent to the CPU.
To enable 802.1X port authentication on the switch, global command configuration is required:
switch(config)# dot1x system-auth-control
Port mode can be set to access/trunk port and 802.1X port access entity is set to authenticator:
switch(config-if-Et1)# switchport mode access
switch(config-if-Et1)# dot1x pae authenticator
A physical port on the switch used with 802.1X has two virtual access points that include a controlled port and an uncontrolled port. The controlled port grants full access to the network. The uncontrolled port only gives access for EAPOL traffic between the client and the Authentication Server. When a client is authenticated successfully, the controlled port is opened to the client.
Before the port is authenticated, the port is in an unauthorized state. In this state, only EAPOL packets are processed by the 802.1X agent and all other packets are dropped. After the port is successfully authenticated, the port is in the authorized state and all packets are allowed to pass. The state transition is controlled by the authentication exchange between the supplicant and the authentication server. However, the user can control the state by using any one of the following commands:
dot1x port-control force-authorized
force-authorized: disables 802.1X authentication and puts the port directly into the authorized state. This is the default setting.
dot1x port-control force-unauthorized
force-unauthorized: also disables 802.1X authentication and puts the port directly into the unauthorized state, ignoring all attempts by the client to authenticate.
dot1x port-control auto
auto: enables 802.1X authentication and puts the port into the unauthorized state first. The port then remains unauthorized or transitions to the authorized state according to the authentication result and configuration.
The uncontrolled port on the Authenticator is the only one open before a client is authenticated. The uncontrolled port permits only EAPOL frames to be exchanged between the client and the Authentication Server. No traffic is allowed to pass through the controlled port in the unauthorized state.
During authentication, EAPOL messages are exchanged between the Supplicant PAE and the Authenticator PAE, and RADIUS messages are exchanged between the Authenticator PAE and the Authentication Server. If the client is successfully authenticated, the controlled port becomes authorized, and traffic from the client can flow through the port normally.
All controlled ports on the switch are placed in the authorized state, allowing all traffic, by default. When authentication is initiated, the controlled port on the interface is initially set in the unauthorized state. If a client connected to the port is authenticated successfully, the controlled port is set in the authorized state.
The figure below illustrates an exchange of messages between an 802.1X-enabled client, a switch operating as Authenticator, and a RADIUS server operating as an Authentication Server.
Arista switches support 802.1X authentication for ports with more than one client connected to them. Figure 7 illustrates a sample configuration where multiple clients are connected to a single 802.1X port. 802.1X authentication may use multi-host mode, or (on selected switches) single-host mode. In both modes, the port authenticates the packets received from any one client, and the packets received from other clients are dropped, until the connected client is authenticated by the RADIUS server.
In single-host mode, once the 802.1X client has been authenticated by the RADIUS server further authentication is not required, but the port accepts packets only from the MAC address of the authenticated client.
In multi-host mode, once the 802.1X client has been authenticated by the RADIUS server, the port is open to accept all packets from any connected client, and these packets do not require any authentication.
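Added example, not Arista code: a small model of the forwarding decision the sections above describe for an authenticator port, covering dot1x port-control (force-authorized, force-unauthorized, auto), single-host versus multi-host mode, and MAC-based authentication, which admits hosts individually without opening the port for others. The class and method names are this example's own, and the mapping of each drop case to a counter name from show dot1x all statistics is an assumption.

```python
"""Model of the forwarding decision on an 802.1X authenticator port.

Added example, not Arista code: the uncontrolled port passes only EAPOL,
port-control selects force-authorized (default), force-unauthorized or auto,
host-mode selects single-host or multi-host, and MBA admits hosts one by one.
Drop reasons reuse the counter names printed by 'show dot1x all statistics';
which counter covers which case is this example's own mapping.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, Optional, Set

EAPOL_ETHERTYPE = 0x888E


class PortControl(Enum):
    FORCE_AUTHORIZED = "force-authorized"      # 802.1X off, controlled port authorized (default)
    FORCE_UNAUTHORIZED = "force-unauthorized"  # 802.1X off, controlled port blocked, EAPOL ignored
    AUTO = "auto"                              # authorized only after a successful authentication


class HostMode(Enum):
    SINGLE_HOST = "single-host"  # only the authenticated supplicant's MAC passes
    MULTI_HOST = "multi-host"    # any MAC passes once one supplicant has authenticated (default)


@dataclass
class Frame:
    src_mac: str
    ethertype: int


@dataclass
class AuthenticatorPort:
    port_control: PortControl = PortControl.FORCE_AUTHORIZED
    host_mode: HostMode = HostMode.MULTI_HOST
    mac_based_auth: bool = False
    eapol_host: Optional[str] = None                  # the one authenticated 802.1X supplicant
    mba_hosts: Set[str] = field(default_factory=set)  # individually authenticated MBA supplicants
    drops: Dict[str, int] = field(default_factory=lambda: {
        "EAPOL unauthorized port": 0, "EAPOL unauthorized host": 0, "MBA unauthorized host": 0})

    @property
    def authorized(self) -> bool:
        """State of the controlled port as 802.1X sees it (MBA hosts do not change it)."""
        if self.port_control is PortControl.AUTO:
            return self.eapol_host is not None
        return self.port_control is PortControl.FORCE_AUTHORIZED

    def eapol_success(self, mac: str) -> bool:
        """RADIUS accepted the 802.1X supplicant; only one may hold the port until it logs off."""
        if self.port_control is not PortControl.AUTO or self.eapol_host not in (None, mac):
            return False
        self.eapol_host = mac
        return True

    def mba_success(self, mac: str) -> bool:
        """RADIUS accepted a MAC-based authentication request for this MAC."""
        if self.port_control is not PortControl.AUTO or not self.mac_based_auth:
            return False
        self.mba_hosts.add(mac)
        return True

    def logoff(self, mac: str) -> None:
        if self.eapol_host == mac:
            self.eapol_host = None
        self.mba_hosts.discard(mac)

    def _drop(self, reason: str) -> bool:
        self.drops[reason] += 1
        return False

    def accept(self, frame: Frame) -> bool:
        """True if the frame is forwarded (or, for EAPOL, handed to the 802.1X agent)."""
        if self.port_control is PortControl.FORCE_AUTHORIZED:
            return True
        if self.port_control is PortControl.FORCE_UNAUTHORIZED:
            return self._drop("EAPOL unauthorized port")
        if frame.ethertype == EAPOL_ETHERTYPE:
            return True                                # uncontrolled port: EAPOL reaches the PAE
        if frame.src_mac in self.mba_hosts:
            return True                                # MBA hosts are admitted one by one
        if self.eapol_host is None:                    # controlled port still unauthorized
            return self._drop("MBA unauthorized host" if self.mac_based_auth
                              else "EAPOL unauthorized port")
        if self.host_mode is HostMode.SINGLE_HOST and frame.src_mac != self.eapol_host:
            return self._drop("EAPOL unauthorized host")
        return True


if __name__ == "__main__":
    port = AuthenticatorPort(port_control=PortControl.AUTO, mac_based_auth=True)
    a, b = "e2:29:cb:11:2f:4a", "e2:29:cb:11:2f:4b"   # constructed supplicant MACs
    print("data before authentication:", port.accept(Frame(a, 0x0800)))
    port.eapol_success(a)
    print("other MAC in multi-host mode:", port.accept(Frame(b, 0x0800)))
    port.host_mode = HostMode.SINGLE_HOST
    print("other MAC in single-host mode:", port.accept(Frame(b, 0x0800)))
    print("drop counters:", port.drops)
```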
The 802.1X MAC-based authentication allows a set of MAC addresses to be programmed into the RADIUS server. These MAC addresses (MAC-based authentication supplicants) do not connect to 802.1X profiles but are still allowed access to the network. The authenticator identifies devices that do not support 802.1X and uses the MAC address of these devices as username and password in its RADIUS request packets.
In MAC-based authentication, every supplicant trying to gain access through the authenticator port is individually authenticated, as opposed to authenticating just one supplicant on a given VLAN or port with 802.1X. The behavior for MAC-based authentication supplicants differs when an 802.1X supplicant is authenticated in single-host and in multi-host 802.1X mode.
To enable Mac-based authentication, use the following command:
Command syntax
dot1x mac based authentication
switch(config-if-Et1/1)# show active
speed forced 1000full
dot1x pae authenticator
dot1x port-control auto
dot1x mac based authentication
Use the mac based authentication delay command to configure a MAC-based authentication delay. By default, MAC-based authentication is triggered after a delay of 5 seconds.
Command Syntax
mac based authentication delay 0-300 seconds
When MAC-based authentication is rejected by an AAA server, there is a default hold period of 60 seconds before MAC-based authentication is retried, even if the host continues to send traffic. The hold period can be configured manually using the mac based authentication hold period command.
Command Syntax
Overview
Devices connected to 802.1X controlled ports must perform authentication before their generic traffic is allowed into the network. During this process, the switch contacts a configured AAA server that determines if the device’s access to the network is accepted or denied. When the AAA server is unresponsive, the default behavior is to deny all authentication attempts. The AAA Unresponsive VLAN feature allows the user to specify different behavior for this case, accepting authentication attempts and assigning devices to the native VLAN or a specified VLAN. As in other failure scenarios, the switch tries to authenticate the supplicant after the quiet period has passed.
The aaa unresponsive action traffic allow vlan command is configured under the dot1x configuration sub-mode to enable the dot1x AAA unresponsive VLAN feature on the switch. When configured, the switch changes the action taken with regards to authentication attempts when the AAA server is unresponsive. The AAA server is considered unresponsive when communication with it times out.
Example
switch(config)# dot1x
switch(config-dot1x)# aaa unresponsive action traffic allow vlan
Command Syntax
captive portal [url URL] [ssl profile profile]
Enabling 802.1X web authentication starts the redirection agent (Dot1xWeb) and its internal HTTP redirector, and makes 802.1X act on the RADIUS web-auth-start VSAs. If a URL is specified, it is used for the redirection when AAA does not provide a specific URL. If a valid SSL profile is specified, the configured certificate and key are used to start the internal HTTPS redirector.
switch(config-dot1x)# captive portal access-list ipv4 test-ACL
An ACL can be defined locally on the switch and configured for use with web authentication, for cases where AAA does not send an ACL together with web-auth start.
Attribute Name | Attribute ID | Type | Value
---|---|---|---
Arista-WebAuth | 6 | integer | start = 1, complete = 2
Arista-Captive-Portal | 10 | string | any valid URL
Show Commands
The show commands that display the state of a host also show the new values for the WebAuth stage.
switch(config)# show dot1x hosts
Interface: Ethernet36
Supplicant MAC       Auth Method       State             VLAN Id
-------------------  ----------------  ----------------  -------
00:1c:73:73:f9:38    MAC-BASED-AUTH    WEB-AUTH-START
00:1c:73:73:f9:39    MAC-BASED-AUTH    WEB-AUTH-FAILED
Basic steps to implementing 802.1X Port-based Network Access Control and RADIUS accounting on the switch:
IEEE 802.1X port security relies on external client-authentication methods, which must be configured for use. The method currently supported on Arista switches is RADIUS authentication. To configure the switch to use a RADIUS server for client authentication, use the aaa authentication dot1x command.
Example
switch(config)# aaa authentication dot1x default group radius
switch(config)#
Use the statistics packets dropped command to configure the dot1x dropped counters on the switch in dot1x configuration mode. By default, the dot1x dropped counters are disabled. The no form of the command removes the dot1x dropped counters from the running configuration.
Example
switch(config-dot1x)# statistics packets dropped
To enable IEEE 802.1X port authentication globally on the switch, use the dot1x system-auth-control command.
Example
switch(config)# dot1x system-auth-control
switch(config)#
To set the port access entity (PAE) type of an Ethernet or management interface to the authenticator, use the dot1x pae authenticator command.
Example
switch(config)# interface ethernet 1
switch(config-if-Et1)# dot1x pae authenticator
switch(config-if-Et1)#
For ports to act as authenticator ports to connected supplicants, those ports must be designated using the dot1x port-control command.
The auto option of the dot1x port-control command designates an authenticator port for immediate use, blocking all traffic that is not authenticated by the AAA server.
Example
switch(config)# interface ethernet 1
switch(config-if-Et1)# dot1x port-control auto
switch(config-if-Et1)#
The force-authorized option of the dot1x port-control command sets the state of the port to authorized without authentication, allowing traffic to continue uninterrupted.
Example
switch(config)# interface ethernet 1
switch(config-if-Et1)# dot1x port-control force-authorized
switch(config-if-Et1)#
To designate a port as an authenticator but prevent it from authorizing any traffic, use the force-unauthorized option of the dot1x port-control command.
Example
switch(config)# interface ethernet 1
switch(config-if-Et1)# dot1x port-control force-unauthorized
switch(config-if-Et1)#
By default, Arista switches authenticate in multi-host mode, allowing packets from any source MAC address once 802.1X authentication has taken place. To configure the switch for single-host mode (allowing traffic only from the authenticated client's MAC address), use the dot1x host-mode command.
Example
switch(config)# interface Ethernet 1
switch(config-if-Et1)# dot1x host-mode single-host
switch(config-if-Et1)#
The dot1x reauthentication command enables re-authentication of authenticator ports with the default values.
The dot1x timeout reauth-period command customizes the re-authentication period of authenticator ports.
Example
switch(config)# interface Ethernet 1
switch(config-if-Et1)# dot1x reauthentication
switch(config)# interface Ethernet 1
switch(config-if-Et1)# dot1x reauthentication
switch(config-if-Et1)# dot1x timeout reauth-period 21600
switch(config-if-Et1)#
switch(config)# interface Ethernet 1
switch(config-if-Et1)# no dot1x reauthentication
switch(config-if-Et1)#
The dot1x reauthorization request limit command configures the number of times the switch retransmits an 802.1X Extensible Authentication Protocol (EAP) request packet before ending the conversation and restarting authentication.
Example
switch(config)# interface ethernet 1
switch(config-if-Et1)# dot1x reauthorization request limit 4
switch(config-if-Et1)#
The default value is 2.
To disable authentication on an authenticator port, use the no form of the dot1x port-control command.
Example
switch(config)# interface ethernet 1
switch(config-if-Et1)# no dot1x port-control
switch(config-if-Et1)#
If the switch fails to immediately authenticate the client, the time the switch waits before trying again is specified by the dot1x timeout quiet-period command. This timer also indicates how long a client that failed authentication is blocked.
Example
switch(config)# interface ethernet 1
switch(config-if-Et1)# dot1x timeout quiet-period 30
The default value is 60 seconds.
The dot1x timeout reauth-period command specifies the time period in seconds that the configuration mode interface waits before requiring re-authentication from clients.
Example
switch(config)# interface Ethernet 1
switch(config-if-Et1)# dot1x reauthentication
switch(config-if-Et1)# dot1x timeout reauth-period 21600
The default value is 3600 seconds.
Authentication and re-authentication are accomplished by the authenticator sending an Extensible Authentication Protocol (EAP) request to the supplicant and the supplicant sending a reply, which the authenticator forwards to an authentication server. If the authenticator doesn't receive a reply to the EAP request, it waits a specified period of time before retransmitting. To configure that wait time, use the dot1x timeout tx-period command.
Example
switch(config)# interface Ethernet 1
switch(config-if-Et1)# dot1x timeout tx-period 30
switch(config-if-Et1)#
The default value is 5 seconds.
Configure an Authentication Failure VLAN on a dot1x-enabled port with the following command in interface configuration mode. This example sets VLAN 10 as the authentication failure VLAN:
switch(config-if-Et1/1)# dot1x authentication failure action traffic allow vlan 10
When no authentication failure VLAN is configured on a dot1x-enabled port, the default action is to drop any unauthorized traffic on the port. This behavior can also be specified using the following command:
Example
switch(config-if-Et1/1)# dot1x authentication failure action traffic drop
The clear dot1x statistics command resets the 802.1X counters.
switch# clear dot1x statistics all
switch#
switch# clear dot1x statistics interface ethernet 1
switch#
You can display information about 802.1X on the switch and on individual ports.
Use the show dot1x statistics command to display 802.1X statistics for the specified port or ports.
switch# show dot1x interface ethernet 5 statistics
Dot1X Authenticator Port Statistics for Ethernet5
-------------------------------------------------
RxStart = 0 RxLogoff = 0 RxRespId = 0
RxResp = 0 RxInvalid = 0 RxTotal = 0
TxReqId = 0 TxReq = 0 TxTotal = 0
RxVersion = 0 LastRxSrcMAC = 0000.0000.0000
switch#
switch# show dot1x all statistics
Dot1X Authenticator Port Statistics for Ethernet51/1
-------------------------------------------------
RX start = 1 RX logoff = 0 RX response ID = 1
RX response = 10 RX invalid = 0 RX total = 12
TX request ID = 2 TX request = 11 TX total = 13
RX version = 2 Last RX src MAC = ded6.404b.ec94
Data packet drop counters:
EAPOL unauthorized port = 2
EAPOL unauthorized host = 1
MBA unauthorized host = 0
Dot1X Authenticator Port Statistics for Ethernet49
-------------------------------------------------
RX start = 1 RX logoff = 0 RX response ID = 1
RX response = 10 RX invalid = 0 RX total = 12
TX request ID = 2 TX request = 11 TX total = 13
RX version = 2 Last RX src MAC = ded6.404b.ec94
Data packet drop counters:
EAPOL unauthorized port = 2
EAPOL unauthorized host = 1
MBA unauthorized host = 0
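The drop counters above are the first place to look when a port is quietly discarding traffic. The following Python is an added example, not part of the Arista documentation or EOS itself: it parses the text of show dot1x all statistics into per-interface counters and flags interfaces whose counters suggest a problem (malformed EAPOL frames, data packets dropped from unauthorized sources, or identity requests that never get a response). The sample output embedded in the block is constructed for this example and modelled on the listing above; the counter values are invented.

```python
"""Parse 'show dot1x all statistics' output and flag interfaces worth a closer look."""
import re

# Constructed sample output (modelled on the page's listing; values are made up).
SAMPLE_OUTPUT = """\
Dot1X Authenticator Port Statistics for Ethernet51/1
-------------------------------------------------
RX start = 1 RX logoff = 0 RX response ID = 1
RX response = 10 RX invalid = 0 RX total = 12
TX request ID = 2 TX request = 11 TX total = 13
RX version = 2 Last RX src MAC = ded6.404b.ec94
Data packet drop counters:
EAPOL unauthorized port = 2
EAPOL unauthorized host = 1
MBA unauthorized host = 0
Dot1X Authenticator Port Statistics for Ethernet49
-------------------------------------------------
RX start = 0 RX logoff = 0 RX response ID = 0
RX response = 0 RX invalid = 3 RX total = 3
TX request ID = 4 TX request = 0 TX total = 4
RX version = 0 Last RX src MAC = 0000.0000.0000
Data packet drop counters:
EAPOL unauthorized port = 0
EAPOL unauthorized host = 0
MBA unauthorized host = 0
"""

HEADER_RE = re.compile(r"^Dot1X Authenticator Port Statistics for (\S+)$")
# One "name = value" pair; names may contain spaces, values are integers or a MAC.
PAIR_RE = re.compile(r"([A-Za-z][A-Za-z ]*?) = (\S+)")


def parse_dot1x_statistics(text):
    """Return {interface: {counter_name: value}} from the show output."""
    stats = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        m = HEADER_RE.match(line)
        if m:
            current = m.group(1)
            stats[current] = {}
            continue
        # Skip separators and section titles such as "Data packet drop counters:".
        if current is None or line.startswith("---") or line.endswith(":"):
            continue
        for name, value in PAIR_RE.findall(line):
            stats[current][name.strip()] = int(value) if value.isdigit() else value
    return stats


def flag_ports(stats):
    """Return {interface: [reasons]} for interfaces whose counters deserve review."""
    findings = {}
    for intf, c in stats.items():
        reasons = []
        if c.get("RX invalid", 0) > 0:
            reasons.append("malformed EAPOL frames received")
        dropped = (c.get("EAPOL unauthorized port", 0)
                   + c.get("EAPOL unauthorized host", 0)
                   + c.get("MBA unauthorized host", 0))
        if dropped > 0:
            reasons.append(f"{dropped} data packets dropped from unauthorized sources")
        if c.get("TX request ID", 0) > 0 and c.get("RX response ID", 0) == 0:
            reasons.append("identity requests sent but no supplicant response")
        if reasons:
            findings[intf] = reasons
    return findings


if __name__ == "__main__":
    for intf, reasons in flag_ports(parse_dot1x_statistics(SAMPLE_OUTPUT)).items():
        print(intf, "->", "; ".join(reasons))
```

The drop counters only populate when statistics packets dropped is enabled in dot1x configuration mode (described later on this page), so a port that shows all zeros under "Data packet drop counters" may simply have that feature turned off. Feeding the script live output collected over SSH or eAPI, rather than the constructed sample, is the obvious next step.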
Use the show dot1x hosts command to display information for all the supplicants.
Example
switch# show dot1x hosts
Interface: Ethernet1/1
Supplicant MAC Auth Method State VLAN Id
-------------- ----------- ----- -------
e2:29:cb:11:2f:4a EAPOL SUCCESS 300
e2:29:cb:11:2f:4b MAC-BASED-AUTH SUCCESS 300
Use the show mac address-table command to display the MAC address of the supplicants allowed to pass the traffic through the port.
Example
switch# show mac address-table
Mac Address Table
------------------------------------------------------------------
Vlan Mac Address Type Ports Moves Last Move
---- ----------- ---- ----- ----- ---------
300 e229.cb11.2f4a STATIC Et1/1
300 e229.cb11.2f4b STATIC Et1/1
Total Mac Addresses for this criterion: 2
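The two outputs above describe the same thing from two angles: the supplicants the authenticator has admitted, and the MAC entries the forwarding plane actually installed for them. The following Python is an added example, not Arista code: it parses constructed copies of show dot1x hosts and show mac address-table, normalises the two MAC notations (colon-separated versus dotted), and reports any mismatch, such as an authenticated supplicant with no MAC-table entry or a MAC learned on an authenticator port that has no successful 802.1X session. The DYNAMIC row in the sample table and its Moves/Last Move values are invented for the example; the consistency rule assumes the port is in a host mode where only authenticated MACs should appear, which is not the case for multi-host mode.

```python
"""Reconcile 'show dot1x hosts' with 'show mac address-table'."""
import re

# Constructed sample output, modelled on the page's listings (third MAC row is invented).
SHOW_DOT1X_HOSTS = """\
Interface: Ethernet1/1
Supplicant MAC     Auth Method    State    VLAN Id
--------------     -----------    -----    -------
e2:29:cb:11:2f:4a  EAPOL          SUCCESS  300
e2:29:cb:11:2f:4b  MAC-BASED-AUTH SUCCESS  300
"""

SHOW_MAC_TABLE = """\
          Mac Address Table
------------------------------------------------------------------
Vlan    Mac Address       Type        Ports      Moves   Last Move
----    -----------       ----        -----      -----   ---------
 300    e229.cb11.2f4a    STATIC      Et1/1
 300    e229.cb11.2f4b    STATIC      Et1/1
 300    e229.cb11.2f4c    DYNAMIC     Et1/1      1       0:00:12 ago
Total Mac Addresses for this criterion: 3
"""

HOST_RE = re.compile(r"^([0-9a-f:]{17})\s+(\S+)\s+(\S+)\s+(\d+)$", re.I)
MAC_ROW_RE = re.compile(
    r"^\s*(\d+)\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+(\S+)\s+(\S+)", re.I)


def canonical_mac(mac):
    """'e2:29:cb:11:2f:4a' and 'e229.cb11.2f4a' both become 'e229cb112f4a'."""
    return re.sub(r"[^0-9a-f]", "", mac.lower())


def short_ifname(name):
    """'Ethernet1/1' -> 'Et1/1', the abbreviation the MAC table uses."""
    return name.replace("Ethernet", "Et")


def parse_dot1x_hosts(text):
    """Return a list of (interface, mac, method, state, vlan) tuples."""
    hosts, intf = [], None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Interface:"):
            intf = short_ifname(line.split(":", 1)[1].strip())
            continue
        m = HOST_RE.match(line)
        if m and intf:
            mac, method, state, vlan = m.groups()
            hosts.append((intf, canonical_mac(mac), method, state, int(vlan)))
    return hosts


def parse_mac_table(text):
    """Return {(vlan, mac): (entry_type, port)}."""
    table = {}
    for line in text.splitlines():
        m = MAC_ROW_RE.match(line)
        if m:
            vlan, mac, typ, port = m.groups()
            table[(int(vlan), canonical_mac(mac))] = (typ, port)
    return table


def reconcile(hosts, table):
    """Every SUCCESS supplicant must be STATIC on its port/VLAN, and every entry on an
    authenticator port must belong to a SUCCESS supplicant. Returns a list of problems."""
    problems, expected = [], {}
    for intf, mac, _method, state, vlan in hosts:
        if state != "SUCCESS":
            continue
        expected[(vlan, mac)] = intf
        entry = table.get((vlan, mac))
        if entry is None:
            problems.append(f"{mac} authenticated on {intf} but absent from MAC table")
        elif entry != ("STATIC", intf):
            problems.append(f"{mac} on {intf}: expected STATIC/{intf}, found {entry[0]}/{entry[1]}")
    auth_ports = {h[0] for h in hosts}
    for (vlan, mac), (typ, port) in table.items():
        if port in auth_ports and (vlan, mac) not in expected:
            problems.append(f"{mac} learned {typ} on authenticator port {port} "
                            "without a successful 802.1X session")
    return problems


if __name__ == "__main__":
    for p in reconcile(parse_dot1x_hosts(SHOW_DOT1X_HOSTS), parse_mac_table(SHOW_MAC_TABLE)):
        print(p)
```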
The show dot1x command shows information about the 802.1X configuration on the specified port or ports.
Example
switch# show dot1x interface ethernet 5
Dot1X Information for Ethernet5
--------------------------------------------
PortControl : auto
QuietPeriod : 60 seconds
TxPeriod : 5 seconds
ReauthPeriod : 3600 seconds
MaxReauthReq : 2
switch#
Use the show dot1x interface interface-id command to display the status of the 802.1X attributes for each port.
switch(config-if-Et1/1)# show dot1x interface ethernet1/1
Dot1X Information for Ethernet1
--------------------------------------------
PortControl : force-authorized
HostMode : multi-host
QuietPeriod : 60 seconds
TxPeriod : 5 seconds
ReauthPeriod : 0 seconds
MaxReauthReq : 2
ReauthTimeoutIgnore : No
AuthFailVlan : 10
Use the show dot1x all brief command to display IEEE 802.1X status for all ports.
Example
switch# show dot1x all brief
Interface Client Status
---------- -------- -------------
Ethernet5 None Unauthorized
switch#
Use the show vlan command to display if a VLAN has been dynamically assigned to the port.
Example
switch# show vlan
VLAN Name Status Ports
----- ------------- --------- ----------------------------------
1 default active
2 VLAN0002 active Et7, Et17, Et18, Et41
300* VLAN0300 active Et1/1, Et6, Et19, Et20, Et29
Et30, Et31, Et32, Et42, Et43, Et44
* indicates a Dynamic VLAN
Use the show dot1x interface interface-id details command to display information about the EAPOL fallback to MBA authentication and the MBA timeout.
switch(config-if-Et1)# show dot1x interface Ethernet1 details
Dot1X Information for Ethernet1
--------------------------------------------
Port control: auto
Host mode: multi-host authenticated
Quiet period: 60 seconds
TX period: 5 seconds
Maximum reauth requests: 2
Ignore reauth timeout: No
Auth failure VLAN: 101
Unauthorized access VLAN egress: Yes
Unauthorized native VLAN egress: Yes
EAPOL: enabled
MAC-based authentication: disabled
EAPOL authentication failure fallback: MBA, timeout 200 seconds
Dot1X Authenticator Client
Port status: Authorized
Supplicant MAC Reauth Period (in seconds)
-------------- --------------------------
0022.0100.0001 120
The aaa unresponsive action traffic allow vlan command enables the dot1x AAA unresponsive VLAN feature on the switch.
The no aaa unresponsive action traffic allow vlan command disables the dot1x AAA unresponsive VLAN feature by removing it from the running-config.
Command Mode
Dot1x Configuration Mode
Command Syntax
aaa unresponsive action traffic allow vlan VLAN-ID
no aaa unresponsive action traffic allow vlan
Parameters
VLAN-ID VLAN into which client traffic is allowed while the AAA server is unresponsive.
Example
switch(config)# dot1x
switch(config-dot1x)# aaa unresponsive action traffic allow vlan 50
The captive portal command enables the 802.1X Web Authentication on the switch.
The no captive portal command removes the 802.1X Web Authentication configuration from the running-config.
Command Mode
Dot1x Configuration Mode
Command Syntax
captive portal url URL ssl profile profile access-list ipv4 ACL name
no captive portal url URL ssl profile profile access-list ipv4 ACL name
Example
switch(config)# dot1x
switch(config-dot1x)# captive portal ssl profile test-ssl_profile
switch(config)# dot1x
switch(config-dot1x)# captive portal access-list ipv4 test-ACL
The clear dot1x statistics command resets the 802.1X counters on the specified interface or all interfaces.
Privileged EXEC
clear dot1x statistics INTERFACE_NAME
Example
switch# clear dot1x statistics all
switch#
The dot1x mac based authentication command enables MAC-based authentication on the existing 802.1X authenticator port.
The no dot1x mac based authentication and the default dot1x mac based authentication commands restore the switch default by disabling the corresponding dot1x mac based authentication command for the specific 802.1X authenticator port.
Interface-Ethernet Configuration
dot1x mac based authentication
no dot1x mac based authentication
default dot1x mac based authentication
Example
switch(config)# interface ethernet 1
switch(config-if-Et1)# dot1x mac based authentication
switch(config-if-Et1)#
The dot1x mac based authentication delay command enables MAC-based authentication delay. By default, the delay is triggered after 5 seconds.
The no dot1x mac based authentication delay and the default dot1x mac based authentication delay commands restore the switch default by disabling the corresponding dot1x mac based authentication delay command.
Dot1x Configuration
dot1x mac based authentication delay delay-time seconds
no dot1x mac based authentication delay
default dot1x mac based authentication delay
Example
switch(config)# dot1x
switch(config-dot1x)# mac based authentication delay 30 seconds
The dot1x mac based authentication hold period command enables MAC-based authentication hold period. By default, the hold period is 60 seconds.
The no dot1x mac based authentication hold period and the default dot1x mac based authentication hold period commands restore the switch default by disabling the corresponding dot1x mac based authentication hold period command.
Dot1x Configuration
dot1x mac based authentication hold period hold period-time seconds
no dot1x mac based authentication hold period
default dot1x mac based authentication hold period
Example
switch(config)# dot1x
switch(config-dot1x)# mac based authentication hold period 100 seconds
The dot1x pae authenticator command sets the port access entity (PAE) type of the configuration mode interface to authenticator, which enables IEEE 802.1X on the port. IEEE 802.1X is disabled on all ports by default.
The no dot1x pae authenticator and default dot1x pae authenticator commands restore the switch default by deleting the corresponding dot1x pae authenticator command from running-config.
Interface-Ethernet Configuration
Interface-Management Configuration
dot1x pae authenticator
no dot1x pae authenticator
default dot1x pae authenticator
switch(config-if-Et1)# interface ethernet 2
switch(config-if-Et1)# dot1x pae authenticator
switch(config-if-Et1)#
switch(config-if-Et1)# interface ethernet 2
switch(config-if-Et1)# no dot1x pae authenticator
switch(config-if-Et1)#
The dot1x reauthentication command configures the configuration mode interface to require re-authentication from clients at regular intervals. The interval is set by the dot1x timeout reauth-period command.
The no dot1x reauthentication and default dot1x reauthentication commands restore the default setting by deleting the corresponding dot1x reauthentication command from running-config.
Interface-Ethernet Configuration
Interface-Management Configuration
dot1x reauthentication
no dot1x reauthentication
default dot1x reauthentication
Example
switch(config)# interface Ethernet 1
switch(config-if-Et1)# dot1x reauthentication
switch(config-if-Et1)#
The dot1x reauthorization request limit command configures how many times the switch retransmits an 802.1X Extensible Authentication Protocol (EAP) request packet before ending the conversation and restarting authentication.
The no dot1x reauthorization request limit and default dot1x reauthorization request limit commands restore the default value of 2 by deleting the corresponding dot1x reauthorization request limit command from running-config.
Interface-Ethernet Configuration
Interface-Management Configuration
dot1x reauthorization request limit attempts
no dot1x reauthorization request limit
default dot1x reauthorization request limit
attempts Maximum number of attempts. Values range from 1 to 10; default value is 2.
switch(config)# interface ethernet 1
switch(config-if-Et1)# dot1x reauthorization request limit 6
switch(config-if-Et1)#
switch(config)# interface ethernet 1
switch(config-if-Et1)# no dot1x reauthorization request limit
switch(config-if-Et1)#
The dot1x system-auth-control command enables 802.1X authentication on the switch.
The no dot1x system-auth-control and default dot1x system-auth-control commands disable 802.1X authentication by removing the dot1x system-auth-control command from running-config.
Global Configuration
dot1x system-auth-control
no dot1x system-auth-control
default dot1x system-auth-control
switch(config)# dot1x system-auth-control
switch(config)#
switch(config)# no dot1x system-auth-control
switch(config)#
If the switch fails to immediately authenticate the client, the time the switch waits before trying again is specified by the dot1x timeout quiet-period command. This timer also indicates how long a client that failed authentication is blocked.
The no dot1x timeout quiet-period and default dot1x timeout quiet-period commands restore the default quiet period of 60 seconds by removing the corresponding dot1x timeout quiet-period command from running-config.
Interface-Ethernet Configuration
Interface-Management Configuration
dot1x timeout quiet-period quiet_time
no dot1x timeout quiet-period
default dot1x timeout quiet-period
quiet_time Interval in seconds. Values range from 1 to 65535. Default value is 60.
Example
switch(config)# interface Ethernet 1
switch(config-if-Et1)# dot1x timeout quiet-period 30
switch(config-if-Et1)#
The dot1x timeout reauth-period command specifies the time period that the configuration mode interface waits before requiring re-authentication from clients.
The no dot1x timeout reauth-period and default dot1x timeout reauth-period commands restore the default period of 60 minutes by removing the corresponding dot1x timeout reauth-period command from running-config.
Interface-Ethernet Configuration
Interface-Management Configuration
dot1x timeout reauth-period reauth_time
no dot1x timeout reauth-period
default dot1x timeout reauth-period
reauth_time The number of seconds the interface passes traffic before requiring re-authentication. Values range from 1 to 65535. Default value is 3600.
Example
switch(config)# interface Ethernet 1
switch(config-if-Et1)# dot1x reauthentication
switch(config-if-Et1)# dot1x timeout reauth-period 21600
switch(config-if-Et1)#
Authentication and re-authentication are accomplished by the authenticator sending an Extensible Authentication Protocol (EAP) request to the supplicant and the supplicant sending a reply, which the authenticator forwards to an authentication server. If the authenticator does not get a reply to the EAP request, it waits a specified period of time before retransmitting. The dot1x timeout tx-period command configures that wait time.
The no dot1x timeout tx-period and default dot1x timeout tx-period commands restore the default wait time by removing the corresponding dot1x timeout tx-period command from running-config.
Interface-Ethernet Configuration
Interface-Management Configuration
dot1x timeout tx-period tx_time
no dot1x timeout tx-period
default dot1x timeout tx-period
tx_time Values range from 1 to 65535. Default value is 5.
Example
switch(config)# interface Ethernet 1
switch(config-if-Et1)# dot1x timeout tx-period 30
switch(config-if-Et1)#
When multiple clients are connected to an Ethernet interface providing 802.1X authentication, the port can accept packets from all MAC addresses once one supplicant has been authenticated (multi-host mode), accept only packets originating from the MAC address of the single authenticated client (single-host mode), or accept packets only from multiple individually authenticated clients (multi-host authenticated mode). The dot1x host-mode command specifies the host mode for authentication of multiple clients on the configuration mode interface.
The no dot1x host-mode and default dot1x host-mode commands restore the switch default (multi-host mode) by removing the corresponding dot1x host-mode command for the configuration mode interface.
Command Mode
Interface-Ethernet Configuration
dot1x host-mode [multi-host | single-host | multi-host authenticated]
no dot1x host-mode
default dot1x host-mode
Example
switch(config)# interface ethernet 1
switch(config-if-Et1)# dot1x host-mode single-host
switch(config-if-Et1)#
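The practical difference between the three host modes, and between the drop default and an authentication failure VLAN (dot1x authentication failure action traffic allow vlan, described earlier on this page), is easiest to see by running the same sequence of frames through each configuration. The following Python is an added model, not Arista code and not a description of the EOS implementation: it tracks which supplicants have passed or failed authentication on a port and returns, for a frame from a given source MAC, the VLAN it would be forwarded on or "drop". Two details the page does not specify are modelled as labelled assumptions: in single-host mode only the first authenticated client is kept, and in multi-host mode a frame from an unknown MAC is forwarded on the VLAN of the first authenticated client. The MAC addresses and VLAN numbers are constructed.

```python
"""Model of frame disposition on an 802.1X authenticator port under each dot1x host-mode."""
from dataclasses import dataclass, field
from typing import Optional

DROP = "drop"
HOST_MODES = ("multi-host", "single-host", "multi-host authenticated")


@dataclass
class AuthenticatorPort:
    host_mode: str = "multi-host"              # switch default per dot1x host-mode
    failure_vlan: Optional[int] = None         # authentication failure VLAN, None = drop
    authenticated: dict = field(default_factory=dict)  # mac -> VLAN granted at authentication
    failed: set = field(default_factory=set)

    def auth_success(self, mac, vlan):
        """Record a successful authentication; returns False if the mode rejects it."""
        mac = mac.lower()
        if (self.host_mode == "single-host" and self.authenticated
                and mac not in self.authenticated):
            # Assumption of this model: single-host keeps the first authenticated client only.
            return False
        self.failed.discard(mac)
        self.authenticated[mac] = vlan
        return True

    def auth_failure(self, mac):
        """Record a failed authentication attempt for this client."""
        self.failed.add(mac.lower())

    def disposition(self, src_mac):
        """Return the VLAN a frame from src_mac is forwarded on, or DROP."""
        mac = src_mac.lower()
        if mac in self.authenticated:
            return self.authenticated[mac]
        if mac in self.failed:
            # Failure VLAN if configured, otherwise the default action: drop.
            return self.failure_vlan if self.failure_vlan is not None else DROP
        if self.host_mode == "multi-host" and self.authenticated:
            # multi-host: once one supplicant is authorized, any other MAC is passed too.
            # Assumption: it rides on the VLAN of the first authenticated client.
            return next(iter(self.authenticated.values()))
        return DROP


def compare_modes(frames, failure_vlan=None):
    """Run one constructed authentication history and the given frames through every
    host mode; returns {mode: [disposition per frame]}."""
    results = {}
    for mode in HOST_MODES:
        port = AuthenticatorPort(host_mode=mode, failure_vlan=failure_vlan)
        port.auth_success("00:11:22:33:44:01", 300)   # first supplicant passes 802.1X
        port.auth_failure("00:11:22:33:44:02")        # second supplicant fails
        port.auth_success("00:11:22:33:44:03", 300)   # third passes (rejected in single-host)
        results[mode] = [port.disposition(m) for m in frames]
    return results


if __name__ == "__main__":
    # Constructed frames: the three supplicants above plus a device that never authenticated.
    frames = ["00:11:22:33:44:01", "00:11:22:33:44:02", "00:11:22:33:44:03", "00:11:22:33:44:99"]
    for mode, outcome in compare_modes(frames).items():
        print(f"{mode:26s} {outcome}")
```

The last frame in the constructed sequence is the one to watch: under the default multi-host mode a device that never authenticated is forwarded as soon as any other client on the port has, which is why single-host or multi-host authenticated is the usual choice where unmanaged devices can share a port.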
The dot1x port-control command configures the configuration mode interface as an authenticator port and specifies whether it will authenticate traffic.
The no dot1x port-control and default dot1x port-control commands configure the port to pass traffic without authorization by removing the corresponding dot1x port-control command from running-config.
Interface-Ethernet Configuration
Interface-Management Configuration
dot1x port-control STATE
no dot1x port-control
default dot1x port-control
switch(config)# interface Ethernet 1
switch(config-if-Et1)# dot1x port-control force-authorized
switch(config-if-Et1)#
switch(config)# interface Ethernet 1
switch(config-if-Et1)# dot1x port-control force-unauthorized
switch(config-if-Et1)#
switch(config)# interface Ethernet 1
switch(config-if-Et1)# dot1x port-control auto
switch(config-if-Et1)#
The show dot1x all brief command displays the IEEE 802.1X status for all ports.
EXEC
show dot1x all brief
Example
switch# show dot1x all brief
Interface Client Status
-------------------------------------------------
Ethernet5 None Unauthorized
switch#
The show dot1x hosts command displays 802.1X information for all the supplicants.
EXEC
show dot1x hosts [ethernet]
ethernet e_num Ethernet interface specified by e_num.
Example
switch# show dot1x hosts
Interface: Ethernet1/1
Supplicant MAC Auth Method State VLAN Id
-------------- ----------- ----- -------
e2:29:cb:11:2f:4a MAC-BASED-AUTH SUCCESS 300
The show dot1x statistics command displays 802.1X statistics for the specified port or ports.
EXEC
show dot1x INTERFACE_NAME statistics
vlan v_num VLAN interface specified by v_num.
Example
switch# show dot1x interface ethernet 5 statistics
Dot1X Authenticator Port Statistics for Ethernet5
-------------------------------------------------
RxStart = 0 RxLogoff = 0 RxRespId = 0
RxResp = 0 RxInvalid = 0 RxTotal = 0
TxReqId = 0 TxReq = 0 TxTotal = 0
RxVersion = 0 LastRxSrcMAC = 0000.0000.0000
switch#
The show dot1x command displays 802.1X information for the specified interface.
EXEC
show dot1x INTERFACE_NAME INFO
switch# show dot1x interface ethernet 5
Dot1X Information for Ethernet5
--------------------------------------------
PortControl : auto
QuietPeriod : 60 seconds
TxPeriod : 5 seconds
ReauthPeriod : 3600 seconds
MaxReauthReq : 2
switch#
switch# show dot1x interface ethernet 5 detail
Dot1X Information for Ethernet5
--------------------------------------------
PortControl : auto
QuietPeriod : 60 seconds
TxPeriod : 5 seconds
ReauthPeriod : 3600 seconds
MaxReauthReq : 2
Dot1X Authenticator Client
Port Status : Unauthorized
switch#
The statistics packets dropped command, entered in dot1x configuration mode, enables the dot1x dropped-packet counters on the switch. By default, the dot1x dropped-packet counters are disabled.
The no statistics packets dropped command disables the dot1x dropped-packet counters by removing the command from the running configuration.
Command Mode
Dot1x Configuration
Command Syntax
statistics packets dropped
no statistics packets dropped
Example
switch(config-dot1x)# statistics packets dropped
To set the timeout multiplier for an interface, use the ptp announce timeout command. The timeout multiplier is the number of announcement intervals that the interface will wait without receiving a PTP announcement before a timeout occurs; values range from 2 to 255. The default multiplier is 3, which results in a 6-second timeout interval when the announcement interval is set to the default of 2 seconds.
switch(config-if-Et5)# ptp announce timeout 5
switch(config-if-Et5)#
To set the delay mechanism used in boundary-mode, use the ptp delay-mechanism command.
Example
switch(config-if-Et5)# ptp delay-mechanism p2p
switch(config-if-Et5)#