The pagination controls you use to navigate through the pages of grids are available for each grid. The controls enable you to:
Profiles are assigned to user accounts to customize their landing page on CloudVision and present information relevant to them. You can use built-in profiles or create custom ones. Profiles are assigned in Users to user accounts.
Related Topics
The Profiles section is located under Settings > Profiles.
A table shows information about the configured profiles:
Name: The name of the profile. This is supplied by the user
Description: An optional description of the profile
Users: The number of users that have this profile assigned to them
Created by: The user who created the profile
Last Edited: The date and time when the profile was last modified
The three most recently edited or created profiles are highlighted at the top of the page.
You can filter the table to show all profiles, built-in profiles that come preconfigured with CloudVision, or custom-made profiles. You can also search the table for a specific profile.
There are currently two built-in profiles: Datacenter Monitoring and Campus Monitoring. You will need to enable the Campus Features toggles in General Settings to view the Campus Monitoring profile.
You cannot edit built-in profiles.
Campus Monitoring: Set the default landing page to the Campus Health Overview dashboard.
Datacenter Monitoring: Set the default Landing page to Inventory.
You will create a custom profile when you want to apply a specific landing page for yourself or another user.
If you select a section of CloudVision that has multiple sub-sections underneath it, such as Dashboards or Devices, a second dropdown will appear to specify which your page selection.
You will see the details of your new profile in the table. The Recents section above the table will also be updated to show details of your new profile.
You can now assign your new profile to a user.
You will assign a profile when you want to change the landing page that a user sees upon login.
The user account will now be assigned the profile and have its landing page updated.
The Settings and Tools screen configures CVP general settings. Click on the gear icon at the upper right corner of the CVP application to open the Settings and Tools screen.
CVP performs the following functions to monitor license keys:
Perform the following steps to upload and install license keys:
Perform the following steps for downloading and deleting multiple license key:
CloudVision allows users to maintain multiple login sessions simultaneously. However, to prevent account sharing, administrators can limit the number of active login sessions a user can have and terminate open sessions if a user has reached their limit and are unable to log in. You can configure the maximum number of concurrent login sessions that users can have in General Settings > Session Management.
To verify that you have the authority to configure the login limit, go to Settings > Roles. Users with Read and Write access in Account and Session Management can configure login limits.
If the toggle is enabled, users with more than the allowed number of open sessions will be notified that their maximum number of sessions has been reached. If the toggle is disabled, they will instead be shown a generic authentication failed message.
If a user is locked out of CloudVision or has exceeded the allowed number of login sessions and is unable to delete one or more sessions, an administrator can clear all open sessions. This will enable the user to log in.
An administrator, in this case, is anyone with Read and Write access to Account and Session Management and Read and Write access to User Session Deletion.
To end all open sessions for a user,
A mirroring session is the configuration created for one or more device interfaces. You will select the devices and interfaces with user tags. This enables you to select devices, for example, all leaf devices in a particular data center or campus pod. You will then select whether to send the mirrored configuration over a SPAN interface or GRE tunnel. Depending on the platform, multiple SPAN interfaces may be supported.
Select either RX, TX, or both to mirror the selected traffic direction from the interface.
Either a SPAN interface or a tunnel can be configured but not both. If you want to change from one to the other, you will need to delete the existing configuration.
Once you submit the workspace and execute the associated change control, the devices will begin mirroring traffic to the remote host.
CloudVision Portal (CVP) provides a powerful, event-driven, streaming analytics platform that enables you to monitor the state of all devices currently managed by CVP.
By configuring devices to stream device-state data to CVP, you can manage all of the devices in your current inventory of devices to gain valuable insights into the state of your devices, including real-time updates about changes in device state.
The device inventory is comprised of all devices that you have imported into CVP. After a device is imported into CVP, it can be configured and monitored using the various CVP modules.
Make sure you review the software and hardware requirements for deploying and using the Telemetry platform before you begin deploying the platform.
System Requirements
Verify the following requirements before installing CloudVision as-a-Service.
Minimum software requirements are:
To verify proper connectivity to apiserver.arista.io:443 use the following commands:
switch#bash nslookup apiserver.arista.io
switch(config)# ip name-server 8.8.8.8switch# bash
[admin@switch]$ curl apiserver.arista.io:443
curl: (52) Empty reply from server If multiple VRFs are configured, first change the VRF context:
switch# bash
[admin@switch]$ sudo ip netns exec ns-MGMT curl apiserver.arista.io:443
CloudVision as-a-Service supports OAuth 2.0 for authorization. OAuth is one of the most common methods used to pass authorization from a single sign-on (SSO) service to another cloud application. While there are many OAuth providers in the market today, CloudVision as-a-Service supports Google OAuth, OneLogin, Okta & Microsoft Azure AD.
Note that CloudVision as-a-Service is transparent to 3rd party MFA (Multi-Factor Authentication) Providers. As long as the customer is using one of the above listed OAuth Providers for identity management, CloudVision Service should be able to authorize against that OAuth provider.
Only admin email addresses are required when using Google OAuth or Azure AD as a provider.Select the Sign in with Google or Sign in with Microsoft link at: https://www.arista.io/cv
If you are using Okta, OneLogin, or another OAuth Provider, the following information is required to onboard CloudVision as-a-Service:
Refer to the respective OAuth Provider documentation for information about obtaining this information.
Your OneLogin or Okta administrator will use this information to add CloudVision to their authorized applications and adjust user permissions to allow access to the service. If you experience any OAuth errors, open an Arista TAC support request for assistance. Provide a the full URL and a screen capture of the output,
Once the CloudVision Service account is set up, an Invitation URL will be provided by Arista to login to the CloudVision Service.
For further onboarding procedures see Onboarding Authentication Providers.
Once the CloudVision as-a-Service instance is set up, use the following procedure to add a preferred authentication provider.
To add a preferred authentication provider:
Note that currently Google and Microsoft are supported as a Shared Providers. Shared Providers use an Arista-provided set of credentials so no other information is required from the customer for the onboarding.
Other providers are currently supported as non-shared providers. Additional required form fields will appear upon selecting these providers. These fields will need to be filled out with credentials specific to your account with that provider.
To onboard the devices using token-based authentication.
This email address is being protected from spambots. You need JavaScript enabled to view it.):
sw(config)#username john.smith privilege 15 <nopassword/secret>If you have TACACS+ configured for authentication, in order for CloudVision as-a-Service to properly provision the device, the exact user account should already exist in the TACACS+ Server.
If you have a Radius server for EOS authentication, you need to add the
--disableaaa argument into the TerminaAttr config.
For additional information on migrating an EOS device with a TACACS+/Radius authentication to the CloudVision Service, please refer to Authentication Requirements.
You can monitor CloudVision Service live status through https://status.arista.io . You can also subscribe to CloudVision Service notification via email/text using Subscribe to CloudVision.
Use bearer tokens to provide custom applications or third-party applications login access to CloudVision. This will allow the application to make configuration changes to EOS devices. Bearer token login can be used with identity providers that issue bearer tokens and have an introspection endpoint.
Login via bearer token involves communication between the application, the identity provider, and CloudVision.
To allow an application to log in via bearer token, ensure that both the Roles Mapping for Providers and the Allow Bearer Token Login toggles are enabled under Cluster Management in General Settings.
In generating the bearer token, you willneed to make sure that the user exists in CloudVision and that the token has the required fields for the relevant role, username, and optionally email address. Depending on the application, this may require you to log in to the identity provider, create a bearer token, and then program the token in the application.
For more information on creating a bearer token, or access token, with Okta, see Get an Access Token and Make a Request: https://developer.okta.com/docs/guides/implement-oauth-for-okta/main/#get-an-access-token-and-make-a-request.
For documentation on getting a bearer token, or access token, with PingIdentity, see Getting an Access Token: https://docs.pingidentity.com/r/en-us/pingone/p1_t_getaccesstoken.
Alternatively, you may be able to log in to the application and request a bearer token from the identity provider via script that is then returned directly to the application.
To complete this process in Ansible, see Token-Based Authentication: https://docs.ansible.com/ansible-tower/latest/html/administration/oauth2_token_auth.html
The URL includes the following components, which must match the details in CloudVision for the bearer token to be verified and the access token returned to the application:
<CV-domain>: Enter the domain of your CloudVision cluster
<Org>: Enter Default
<Provider>: Enter the name of the provider in CloudVision that issued the bearer token
The application then makes an API call to CloudVision using the access token to complete the login process.
Authentication, authorization, and accounting (AAA) providers create and log in to CloudVision through any provider. The OAuth and SAMLproviders are pre-configured buts require additional information to create the provider.
The following sections describe procedures to configure AAA providers:
Pre-requisites:
Perform the following steps to create and edit SAML Providers:
Pre-requisites:
Pre-requisites:
.png)
%20Confirm%20Screen.png)
You must setup CloudVision with your Identity Provider.
For instructions on setting up CloudVision with identity providers, refer to the CloudVision as a Service (CVaaS) Quick Start Guide at https://www.arista.com/en/support/product-documentation or reference documentation at https://www.arista.com/en/support/toi/cvp-2021-2-0/14834-aaa-providers-oauth-and-saml-support.
Starting with the 2023.2.0 release, you can login to CloudVision through an Identity Provider (IDP) instead of directly through the CloudVision application. When you log in to the IDP and your identity is verified, then, that verification process is used to access the CloudVision portal.
For SAML IDP initiated login to function with CloudVision, you should define a default relay state value while setting up the SAML provider in your IDP. It is expected that your IDP should have an optional field to configure the default relay state.
For example, while configuring IDP, enter the details in the Relay State (Optional) field in the following format:
<ProviderID>:<OrgName>:<NextURL>, where:
For example, if the URL is https://www.cvp.arista.io the base 64 RawURL encoding is, aHR0cHM6Ly93d3cuY3ZwLmFyaXN0YS5pby9zZXR0aW5ncy9hYWEtcHJvdmlkZXJz and this encoded value gets included in the Relay State field. You can leave the URL empty, in which case you are redirected to a default URL, which is the Entity ID followed by /cv.
For Example, if a user from the organization, Foo is setting up a Microsoft Provider and wants to be redirected to https://www.cloudvision.domain/settings/aaa-providers, then the Relay State should be, microsoftsaml:Foo:aHR0cHM6Ly93d3cuY3ZwLmFyaXN0YS5pby9zZXR0aW5ncy9hYWEtcHJvdmlkZXJz. You can also enter the Relay State without the NextURL details as microsoftsaml:Foo:, where you will be redirected to https://<your FQDN>/cv, where <your FQDN> is the DNS name you configured for the cluster.
You can use your registered providers on the CloudVision login screen to log in to cloud and on-premise CloudVision deployments. Click on the provider that has been created to log in through that provider.
You can add a launchpad using one of the following methods as per your requirement:
This section applies to non-CV-CUE customers who want to use launchpad as an identity provider.
To add launchpad as a shared provider for CVaas deployments, request the list of users to be created in launchpad by emailing to wifi-cloudops-tickets@
Provider: launchpad Identity Provider Issuer: https://mojoonedemo.airtightnw.com/idp/shibboleth Identity Provider Metadata URL: https://mojoonedemo.airtightnw.com/idp/shibboleth Email Attribute Name: User.email Authorization Request Binding: HTTP-Redirect SAML protocol binding
Provider: launchpad Identity Provider Issuer: https://login.mojonetworks.com/idp/shibboleth Identity Provider Metadata URL: https://login.wifi.arista.com/casui/idp-metadata.xml Email Attribute Name: User.email Authorization Request Binding: HTTP-Redirect SAML protocol binding
Perform the following steps to add a launchpad for on-premise deployments:
Perform the following steps to add a launchpad for CVaaS and on-premise deployments:
