Using TACACS+ and RADIUS to Control Access to the Arista Analytics CLI
This appendix describes how to use TACACS+ and RADIUS servers to control administrative access to the Analytics Node.
Using AAA Services with Arista Analytics
You can use remote Authentication, Authorization, and Accounting (AAA) services, provided by TACACS+ or RADIUS servers, to control administrative access to the Analytics Node CLI.
Attributes | Values |
---|---|
BSN-User-Role | admin, read-only, bigtap-admin, bigtap-read-only |
A remotely authenticated admin user has full administrative privileges. Read-only users on the switch must be remotely authenticated. Read-only access is not configurable for locally authenticated user accounts.
- TACACS, SNMP and user configuration is not visible to the read-only user in the output from the show running-config command.
- show snmp, show user, and show support commands are disabled for the read-only user.
Note: Local authentication and authorization take precedence over remote authentication and authorization.
- Supported attribute name: BSN-User-Role
- Supported attribute values: admin, read-only
You can use a TACACS+ server to maintain administrative access control instead of using the Analytics Node local database, although it is a best practice to keep the local database as the secondary method of authentication and authorization in case the remote server becomes unavailable.
DMF TACACS+ Configuration
The DANZ Monitoring Fabric (DMF) requires the following configuration on TACACS+ servers in addition to the configuration required on the Analytics Node.
Authentication Method
- Configure the TACACS+ server to accept ASCII authentication packets. Do not use the single-connect-only protocol feature.
- The DMF TACACS+ client uses the ASCII authentication method. It does not use PAP.
Device Administration
- Configure the TACACS+ server to connect to the device administration login service.
- Do not use a network access connection method, such as PPP.
Group Memberships
- Create a bigtap-admin group. Make all DANZ Monitoring Fabric users part of this group.
- TACACS+ group membership is specified using the BSN-User-Role AV Pair as part of TACACS+ session authorization.
- Configure the TACACS+ server for session authorization, not for command authorization.
Note: To use the same user credentials to access ANET and non-ANET devices, the BSN-User-Role attribute must be specified as Optional in the tac_plus.conf file.
Enabling Remote Authentication and Authorization on the Analytics Node
analytics-1# tacacs server host 10.2.3.201
analytics-1# aaa authentication login default group tacacs+ local
analytics-1# aaa authorization exec default group tacacs+ local
Now, all users in the bigtap-admin group on TACACS+ server 10.2.3.201 have full access to the Arista Analytics Node.
User Lockout
(config)# aaa authentication policy lockout failure F window W duration D
max-failures = F = [1..255]
duration = D = [1..(2^32 - 1)]
window = W = [1..(2^32 - 1)]
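The following is an added example, not code from the Arista documentation: a small model of the lockout policy above, so the interaction of F, W and D can be tried against a constructed attempt log. It assumes W and D are in seconds, that F failures inside any W-second sliding window lock the account for D seconds, and that a successful login clears the failure count.

```python
from collections import defaultdict, deque


class LockoutPolicy:
    """Model of 'aaa authentication policy lockout failure F window W duration D'."""

    def __init__(self, failures, window, duration):
        # Range checks taken from the documented parameter limits.
        if not 1 <= failures <= 255:
            raise ValueError("failure must be in [1..255]")
        if not (1 <= window <= 2**32 - 1 and 1 <= duration <= 2**32 - 1):
            raise ValueError("window/duration must be in [1..(2^32 - 1)]")
        self.failures, self.window, self.duration = failures, window, duration
        self._fails = defaultdict(deque)   # user -> timestamps of recent failures
        self._locked_until = {}            # user -> time the lock expires

    def is_locked(self, user, now):
        return self._locked_until.get(user, 0) > now

    def record(self, user, success, now):
        """Feed one login attempt; return 'locked', 'accept' or 'reject'."""
        if self.is_locked(user, now):
            return "locked"                # attempt is not evaluated at all
        if success:
            self._fails.pop(user, None)    # success resets the failure count
            return "accept"
        q = self._fails[user]
        q.append(now)
        while q and q[0] <= now - self.window:   # drop failures outside the window
            q.popleft()
        if len(q) >= self.failures:
            self._locked_until[user] = now + self.duration
            q.clear()
            return "locked"
        return "reject"


def demo():
    # Constructed attempt log: (time, user, succeeded?) evaluated with F=3, W=60, D=300.
    attempts = [(0, "ops", False), (10, "ops", False), (20, "ops", False),
                (30, "ops", True), (400, "ops", True)]
    policy = LockoutPolicy(3, 60, 300)
    return [policy.record(u, ok, t) for t, u, ok in attempts]
```

Note that the correct password at t=30 is still refused because the lock set at t=20 lasts until t=320.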
Adding a TACACS+ Server
analytics-1(config-switch)# show run switch BMF-DELIVERY-SWITCH-1
tacacs override-enabled
tacacs server host 1.1.1.1 key 7 020700560208
tacacs server key 7 020700560208
analytics-1(config-switch)#
The TACACS+ key value is displayed as a type 7 secret instead of plaintext.
To configure the Analytics Node with TACACS+ to control administrative access to the switch, complete the following steps.
tacacs server <server> [key {<plaintext-key> | 0 <plaintext-key> | 7 <encrypted-key>}]
analytics-1(config-switch)# tacacs server 10.1.1.1 key 0 secret
Each TACACS+ server connection can be encrypted using a pre-shared key.
analytics-1# tacacs server host <ip-address> key <plaintextkey>
analytics-1# tacacs server host <ip-address> key 0 <plaintextkey>
analytics-1# tacacs server host <ip-address> key 7 <encryptedkey>
Replace plaintextkey with a password of up to 63 characters. The key can be specified globally or for each individual host. The first two forms accept a plaintext (literal) key; the last form accepts a pseudo-encrypted key, such as the one displayed by show running-config.
If no key is specified for a given host, then the global key value is used. If no key is specified globally and no key is specified for a given host, then an empty key is assumed.
analytics-1(config-switch)# tacacs server 10.1.1.1 key 7 0832494d1b1c11
Setting up a TACACS+ Server
After installing the TACACS+ server, complete the following steps to set up authentication and authorization for the Analytics Node with the TACACS+ server:
Using the Same Credentials for the Analytics Node and Other Devices
group = group-admin {
    default service = permit
    service = exec {
        optional BSN-User-Role = "admin"
    }
}
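As an added example (not a fragment from the Arista documentation), the tac_plus.conf excerpt below extends the group above with a read-only role and binds users to each group; the shared key, user names and the password source are constructed placeholders and the `login = file` form is tac_plus syntax assumed here for illustration.

```conf
# Shared secret must match the "tacacs server ... key" value on the Analytics Node.
key = "REPLACE-WITH-SHARED-KEY"

# Full administrative access on the Analytics Node.
# "optional" lets non-ANET devices that share these credentials ignore the attribute.
group = group-admin {
    default service = permit
    service = exec {
        optional BSN-User-Role = "admin"
    }
}

# Read-only access: login and most show commands only.
group = group-read-only {
    default service = permit
    service = exec {
        optional BSN-User-Role = "read-only"
    }
}

# Constructed users; passwords are checked against the system password file.
user = alice {
    member = group-admin
    login = file /etc/passwd
}

user = bob {
    member = group-read-only
    login = file /etc/passwd
}
```

A user who is not a member of a group carrying BSN-User-Role receives no role from the server, so role membership should be reviewed whenever users are added.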
RBAC-based Configuration for Non-default Group User
Using RADIUS for Managing Access to the Arista Analytics Node
- admin: Administrator access, including all CLI modes and debug options.
- read-only: Login access, including most show commands.
The admin group provides full access to all network resources, while the read-only group provides read-only access to all network resources.
- Accounting: local, local and remote, or remote.
- Authentication: local, local then remote, remote then local, or remote.
- Authorization: local, local then remote, remote then local, or remote.
Note: Fallback to local authentication occurs only when the remote server is unavailable, not when authentication fails.
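The following is an added example, not code from the Arista documentation: it evaluates an ordered method list such as "group tacacs+ local" under the fallback rule just stated, so that a rejected password on the remote server is final and is never retried against the local database. The scenario outcomes are constructed.

```python
UNAVAILABLE, PASS, FAIL = "unavailable", "pass", "fail"


def evaluate(methods, outcomes):
    """Apply the method list in order.

    methods:  ordered list, e.g. ["tacacs+", "local"].
    outcomes: constructed result of asking each method about the credentials,
              one of 'pass', 'fail' or 'unavailable' (server unreachable).
    Returns (decision, method_that_decided).
    """
    for method in methods:
        outcome = outcomes.get(method, UNAVAILABLE)
        if outcome == UNAVAILABLE:
            continue                  # only an unreachable method is skipped
        return (outcome, method)      # pass or fail from a reachable method is final
    return (FAIL, None)               # nothing could answer: deny by default


# Constructed scenarios for "aaa authentication login default group tacacs+ local".
SCENARIOS = {
    "server up, good password":    {"tacacs+": PASS, "local": PASS},
    "server up, bad password":     {"tacacs+": FAIL, "local": PASS},
    "server down, local password": {"tacacs+": UNAVAILABLE, "local": PASS},
    "server down, no local match": {"tacacs+": UNAVAILABLE, "local": FAIL},
}


def run_scenarios(methods=("tacacs+", "local")):
    return {name: evaluate(list(methods), r) for name, r in SCENARIOS.items()}
```

The second scenario is the one to check in a deployment: a valid local password does not rescue an account the TACACS+ server has rejected.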
Supported attribute names | Supported attribute values |
---|---|
BSN-User-Role | admin, read-only, bigtap-admin, bigtap-read-only |
The BSN-AV-Pair attribute is used for sending CLI command activity accounting to the RADIUS server.
Adding a RADIUS Server
radius server host <server-address> [timeout <timeout>] [key {<plaintext> | 0 <plaintext> | 7 <secret>}]
analytics-1(config)# radius server host 192.168.17.101 key admin
You can enter this command up to five times to specify multiple RADIUS servers. The Analytics Node tries to connect to each server in the order in which they are configured.