Control Plane Security

This section contains the following topics:

Transport Layer Security

Transport Layer Security (TLS), the successor to Secure Sockets Layer (SSL), is a security protocol used to communicate between client and server. It establishes an encrypted communication channel to secure data.

By default, EOS uses a self-signed certificate for client and server connections. However, some browsers or TLS libraries may refuse connections to the default self-signed certificates on EOS, and in such cases, Arista recommends installing the TLS server certificates that meet the following criteria:
  • RSA key sizes must be greater than or equal to 2048 bits.

     

  • There must be less than 825 days to expiry.

     

  • The certificate must use the SHA-2 family of hashing functions.

     

 

Note: Although Arista switches use TLS, the terms TLS and SSL are used interchangeably in this document.

 

The following are the two main components used by TLS for the authentication of identity before any communication starts.
  • Certificate

     

  • Key

     

An SSL certificate is required to establish a secure connection between the client and server. The certificate includes all of the details necessary for authentication. Cryptographic keys are used to provide a secure channel of communication. TLS uses two cryptographic keys: a private key known only to the server and a public key embedded in the certificate. The keys are used to validate the certificate.

 

Overview

We can manage and configure SSL certificates, keys, and profiles with the SSL certificate, key, and profile management framework. SSL is an application-layer protocol that transfers the data securely between the client and server using a combination of authentication, encryption, and data integrity. SSL uses certificates and private-public key pairs to provide this security. A user can configure an SSL profile, which includes a certificate, key, and trusted CA certificates used in SSL communication. A user can manage certificates, keys, and also multiple SSL profiles. An SSL profile can be configured and attached to any other EOS configuration which supports SSL communication. The individual EOS configuration using this framework includes details of using the SSL profile in their configuration.

The only private keys supported are those using the RSA algorithm. Encode both the certificate and keys in the Privacy Enhanced Mail (PEM) format.

 

Example

This is a code sample of a PEM encoded certificate.

$cat server.crt

-----BEGIN CERTIFICATE-----
MIIC3zCCAkgCAQkwDQYJKoZIhvcNAQEEBQAwcTELMAkGA1UEBhMCVVMxCzAJBgNV
BAgMAkNBMQswCQYDVQQHDAJTQzEPMA0GA1UECgwGQXJpc3RhMQwwCgYDVQQLDANT
RE4xCzAJBgNVBAMMAmNhMRwwGgYJKoZIhvcNAQkBFg1jYUBhcmlzdGEuY29tMCAX
DTE0MDgxMTIxNDQxN1oYDzIwNjkwNTE0MjE0NDE3WjB5MQswCQYDVQQGEwJVUzEL
MAkGA1UECAwCQ0ExCzAJBgNVBAcMAlNDMQ8wDQYDVQQKDAZBcmlzdGExDDAKBgNV
BAsMA1NETjEPMA0GA1UEAwwGc2VydmVyMSAwHgYJKoZIhvcNAQkBFhFzZXJ2ZXJA
YXJpc3RhLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAOBOP/jh
xk28sUH+lhM/mY6QoyLGcbnygwe/hzIjn2mASnf7uPFGhB62JTt7tQv2xmu/MJfs
aVsNeYXP3ZOcmRO0uk9suGVbII7QJUomnsq1dJh59UyMfws6V6ergmhwEZCDIirV
7nbUDz+uSdNutQL4w/VB+juuWXQ8ztbmygT2ymySaHRK3XnDrAiva0UUVbSmEHH0
wLPsNVNYUxJ4PpOB9luw4upe6ACF9SFtMDz3BDcrL6Gq5idWw3YkQfzBwEl+5hkF
hu0owON29I5T8FpAx+Hzpl48YWW65d/4F40S3XRN312xALM8RrQOU/Chx9Sfg0iJ
dsXWNagx1eyW2EECAwEAATANBgkqhkiG9w0BAQQFAAOBgQBedfuKHvNDpEkdO2AE
Kihs/YeRGgp+5g7hXU0U2TMAMS545ZQ99pFbnScmIC0m68aw1VXILuj+vlkxAM27
oc8iB+gG7oaFtJpWTvmIHqzeHWb0zrwjPhtXTafWEoam8sJZt38Pc4UVb7lQCd6v
ZCLZZJmC2IL0SG7bLN7yaALCSQ==
-----END CERTIFICATE-----
 

Example

This is a code sample of a PEM encoded RSA key.

$cat server.key
-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEA4E4/+OHGTbyxQf6WEz+ZjpCjIsZxufKDB7+HMiOfaYBKd/u4
8UaEHrYlO3u1C/bGa78wl+xpWw15hc/dk5yZE7S6T2y4ZVsgjtAlSiaeyrV0mHn1
TIx/CzpXp6uCaHARkIMiKtXudtQPP65J0261AvjD9UH6O65ZdDzO1ubKBPbKbJJo
dErdecOsCK9rRRRVtKYQcfTAs+w1U1hTEng+k4H2W7Di6l7oAIX1IW0wPPcENysv
oarmJ1bDdiRB/MHASX7mGQWG7SjA43b0jlPwWkDH4fOmXjxhZbrl3/gXjRLddE3f
XbEAszxGtA5T8KHH1J+DSIl2xdY1qDHV7JbYQQIDAQABAoIBACv/TU8NQi+HXqGa
RWe7Juyu9EDi+fXGWutPJz6vfBpenrzQNGOnOE0p3z2+szGIkz0ZQHfcWIISr46O
ymCk6+XQombn5XeEG2vH6jiUQLt0Qk2SRopgWJ8kL4NlAexoZxmYj0AlvGO0jtUn
47VEVt8hWpal/WZteYByWQQQOvoj7EhlANIKUGUG9yOcBcEApdHsgOcXewrbilZQ
d4kbpegxQhjKU9jLUXRsIPV2YFrDcT83/94PFTRk/vFBOnWS/Ygt5vRedcoF2HcR
TJMyE+JwnwGJzTPKwbPJgLnjrEGVrqEerCuTU9v0PpFxu0AOEeV1kPyNbRZzzC+p
al70ZI0CgYEA/Ge1Hj5OBjS2DLUYG0zhmc4xoiIqcgPJCn6QQmfqa6DbscQzXsnp
GqNlwvB76L0mwNOSABX53YaXhFCrYXMRsXWl95hK7NYCGnD6f/fYcr3u+NdBm5+N
qEiqcq779arAXqGaN/TGKsm507ngyLBrMbUlaPQEXfaBjrQL3f0k7qMCgYEA44AW
1ptUWy0Wx5oa1wdYVgGw+Wbxb8JY88pj29JhE3Qwhy9FBq7x0wZOoQDSkyvbu9aZ
bEiUtctXDDNE/Fy7XgEBMiqrn4R383pbZ5LnmsFKZEcADU1Pe4HjDgSq1rjNSJSA
xEz8xRQvIvy4kpp/tpKsN/Xg2ZBnQmqgj6LWv8sCgYBKeSsWnlmVOS5R94kCXR/f
qtg4N46Aj59dClT0Uwb29MJ95B8oI7k00+ttpllZJZ5unL5iahmMhG7maor2uOYK
j2UF9hh9YvPB633uDin+SQ5eu9yu11gLxE0Og5TyOoyCH3qKch2aeGTtFNY/QNaQ
FxvPqNg1BUva2EL8H/oqswKBgQDjbW1nZSjTbSPUrq4eQG2CrXYqHUtHmlYqgS2K
16nMNN8+hXbP05xUhX2dXqEkFzg3c7U0lupzQq/mtmpEjr+Qnhh/+kBP27G+aZdu
12FJR+oCjSf0JFFM+u/tV6UhuuUdpbeEhiI7Mo5cv6AUjvcVoVMhLmB1nvJbZxTU
AsoEOQKBgHHVuuq4kWDfORCYwTvZPX0byQu++QhlOFfClYBIVuCP4/cU0o3Kw1Z6
tf+zP2rBMOl5eD7IBHjAtOlNjXcFgiyymNxJDKJSmTpw1VePncmuT5UMq8rbljSW
Yg0QGwyvB1Cat2mpgqVWS7YT0nmTooWmQdO3Qp48f+bVvmO/dJXS
-----END RSA PRIVATE KEY-----

 

Configuration

Configuring Certificates

Copying a Certificate to the Switch

The copy file: certificate: command copies the certificate to the certificate: file system from any supported source URLs of the copy command. The source file may contain multiple PEM-encoded certificates but must not contain other entities such as keys.

 

Example

This command copies a server.crt certificate to the certificate: file system.
switch(config)# copy file:/tmp/ssl/server.crt certificate:
Copy completed successfully.
switch(config)#
 
Errors while Copying the Certificates
Examples
  • The PEM-encoded entities in the source file must all be certificates. If the source file contains different types of entities (e.g., a certificate and a key), the copy fails and displays an error message.
    switch(config)# copy file:tmp/ssl/mixed.crt certificate:
    % Error copying file:tmp/ssl/mixed.crt to certificate: (Multiple types of entities in 
    certificate file not supported)
    switch(config)#

     

  • The source file must contain valid PEM-encoded certificates. If the file contains invalid certificates, the copy fails and displays an error message.
    switch(config)# copy file:tmp/ssl/bad.crt certificate:
    % Error copying file:tmp/ssl/bad.crt to certificate: (Invalid certificate)
    switch(config)#

     

  • Only certificates with RSA public keys are supported. The copy fails if the certificate does not have an RSA public key and displays an error message.
    switch(config)# copy file:tmp/ssl/dsa.crt certificate:
    % Error copying file:tmp/ssl/dsa.crt to certificate: (Certificate does not have RSA key)
    switch(config)#

     

Deleting a Certificate

The delete certificate command deletes a certificate configuration from the certificate: file system on the switch.

 

Example

This command deletes the server.crt certificate from the switch.
switch(config)#delete certificate:server.crt
switch(config)#
 
Generating Certificates

The following commands help the user to generate a self-signed certificate or Certificate Signing Request (CSR).

 

Examples
  • This command creates either a self-signed certificate or a Certificate Signing Request (CSR). The following example demonstrates using the existing private key test.key for certificate generation. During this process, the system prompts you to provide details like the common name, two-letter country code, etc. A common-name entry is mandatory. While you can view the generated CSR directly on the CLI, a self-signed certificate gets saved to the designated certificate: file system location.
    switch# security pki certificate generate self-signed test.crt key test.key 
    Common Name for use in subject: test
    [...]
    certificate:test.crt generated
    switch#

     

  • This command specifies the digest and the certificate's validity (in days). The validity applies only to self-signed certificates.
    switch# security pki certificate generate signing-request key test.key digest sha256 validity 365 
    Common Name for use in subject: test
    [...]
    certificate:test.crt generated
    switch#

     

  • This command adds the certificate parameters such as common-name, country, email, and others.
    switch# security pki certificate generate signing-request key test.key parameters common-name Test [country US ...] 
    certificate:test.crt generated
    switch#

     

Configuring Keys

Copying a Key to the Switch

The copy command copies an RSA key to the sslkey: file system. The key can be copied from any supported source URLs of the copy command. The source file must contain only one key. Password-protected keys are not supported.

 

Example

This command copies a server.key RSA key to the sslkey: file system.
switch# copy file:/tmp/ssl/server.key sslkey:
Copy completed successfully.
switch#
 
Errors While Copying the Keys
Examples
  • Only one PEM-encoded key per file is supported. The copy fails and displays an error message if the source file contains multiple PEM-encoded keys.
    switch# copy file:tmp/ssl/multi.key sslkey:
    % Error copying file:tmp/ssl/multi.key to sslkey: (Multiple PEM entities in 
    single file not supported)

     

  • The source file must contain a valid PEM-encoded RSA key. If the file contains an invalid RSA key, the copy fails and displays an error message.
    switch# copy file:tmp/ssl/bad.key sslkey:
    % Error copying file:tmp/ssl/bad.key to sslkey: (Invalid RSA key)

     

  • Password-protected keys are not supported. If the source file contains a password-protected key, the copy fails and displays an error message.
    switch# copy file:/tmp/ssl/pass.key sslkey:
    % Error copying file:tmp/ssl/pass.key to sslkey: (Password protected keys are not 
    supported)

     

Deleting a Key

The delete command deletes the key configuration from the switch.

 

Example

This command deletes the server.key key from the switch.
switch# delete sslkey:server.key 
 
Generating Keys

The following commands generate the RSA keys.

 
Examples
  • This command generates a 2048-bit RSA private key and saves it to sslkey:test.key.
    switch# security pki key generate rsa 2048 test.key 

     

  • This command generates a 4096-bit self-signed certificate RSA key and a 2048-bit certificate signing request RSA key.
    switch# security pki certificate generate self-signed test.crt key test.key generate rsa 4096
    switch# security pki certificate generate signing-request key test.key generate rsa 2048

     

Configuring a certificate with a RSA key in SSL Profile

An SSL profile is configured with a certificate and its corresponding RSA key. The public key information in the certificate must match the RSA key. This certificate and RSA key pair are used to authenticate to the peer during SSL negotiation. The individual EOS features that use SSL profile configuration will decide whether the certificate and key configuration is optional or mandatory.

 

Examples
  • switch# config
    switch(config)# management security
    switch(config-mgmt-security)# ssl profile server
    switch(config-mgmt-sec-ssl-profile-server)# certificate server.crt key server.key

     

  • In this case, if the RSA key configured in the SSL profile does not match with the configured certificate, the SSL profile state becomes invalid, and an error message is displayed.
    switch(config-mgmt-security)# ssl profile server
    switch(config-mgmt-sec-ssl-profile-server)# certificate server.crt key client.key
    switch(config-mgmt-sec-ssl-profile-server)# show management security ssl profile
       Profile       State      Error
    ------------- ------------- ----------------------------------------
       server        invalid    Certificate 'server.crt' does not match
       with key

     

Configuring SSL Profile with a Certificate Authority (CA)

During SSL negotiation with mutual authentication, the peer (or client) certificate is verified by checking if it is signed by one of these trusted certificates. The full bundle of certificates leading to the trusted certificates must be included for peer certificates that do not have a chain to a trusted certificate. The individual EOS features that use SSL profile configuration will decide whether the trusted certificate configuration is optional or mandatory.

 

Example

switch# config
switch(config)# management security
switch(config-mgmt-security)# ssl profile server
switch(config-mgmt-sec-ssl-profile-server)# trust certificate ca1.crt
switch(config-mgmt-sec-ssl-profile-server)# trust certificate ca2.crt

 

Configuring Certificate Chains

Certificate chains establish a chain of trust for the SSL Profile server certificate, ensuring its authenticity to a remote party. Several chain certificate commands can be issued to build a certificate chain with many intermediate CAs, regardless of the order. Use the chain certificate command to configure the certificate chain for an SSL profile. The no form of the command deletes the certificate configuration.

 

Examples

Assume that server.crt is issued by an intermediate CA intermediate.crt and intermediate.crt itself is issued by the root CA ca.crt, as shown in the following figure.
Figure 1. Certificate Chain Example


 

  • These commands configure the certificate chain shown schematically in the preceding figure.
    switch#(config)# management security
    switch#(config-mgmt-security)# ssl profile server
    switch#(config-mgmt-sec-ssl-profile-server)# certificate server.crt key server.key
    switch#(config-mgmt-sec-ssl-profile-server)# chain certificate intermediate.crt
    switch#(config-mgmt-sec-ssl-profile-server)# exit
    switch(config)#

     

  • Configure the other peer to trust ca.crt to verify the certificate chain during the TLS handshake, as shown below.
    switch# config
    switch#(config)# management security
    switch(config-mgmt-security)# ssl profile client
    switch(config-mgmt-sec-ssl-profile-client)# certificate client.crt key client.key
    switch(config-mgmt-sec-ssl-profile-client)# trust certificate ca.crt

     

  • To check the revocation status of the server certificate chain, the client can add the Certificate Revocation List (CRLs) to its SSL profile configuration. One CRL needs to be specified for every CA in the chain, even if it's not revoking any certificate.
    switch# config
    switch#(config)# management security
    switch(config-mgmt-security)# ssl profile client
    switch(config-mgmt-sec-ssl-profile-client)# crl intermediate.crl
    switch(config-mgmt-sec-ssl-profile-client)# crl ca.crl

     

     

    Note: Both the chain certificate and crl commands look into the certificate: file system to find the right PEM file.

     

Several chain certificate commands can be used to build a certificate chain with multiple intermediate CAs, regardless of the order. The following diagram shows an example certificate chain.
Figure 2. Certificate Chain Example 2


 

Configure this SSL profile in the following way. Note that the order of intermediate CAs does not matter.
switch(config)# management security
switch(config-mgmt-security)# ssl profile server2
switch(config-mgmt-sec-ssl-profile-server2)# certificate server2.crt key server2.key 
switch(config-mgmt-sec-ssl-profile-server2)# chain certificate intermediate2.crt
switch(config-mgmt-sec-ssl-profile-server2)# chain certificate intermediate.crt 
switch(config-mgmt-sec-ssl-profile-server2)# exit
switch(config-mgmt-security)# exit
switch(config)#

 

You can divide a certificate chain into two segments, each configured on a separate peer. As long as this division occurs somewhere between the client and the server, they can collaborate to assemble a complete chain. The provided example illustrates precisely this scenario, demonstrating how to configure server and client SSL profiles with a split certificate chain.

 

Server side:
switch(config)# management security
switch(config-mgmt-security)# ssl profile server2
switch(config-mgmt-sec-ssl-profile-server2)# certificate server2.crt key server2.key 
switch(config-mgmt-sec-ssl-profile-server2)# chain certificate intermediate2.crt
switch(config-mgmt-sec-ssl-profile-server2)# exit
switch(config-mgmt-security)# exit
switch(config)#

 

Client side:
switch(config)# management security
switch(config-mgmt-security)# ssl profile client
switch(config-mgmt-sec-ssl-profile-client)# certificate client.crt key client.key 
switch(config-mgmt-sec-ssl-profile-client)# trust certificate ca.crt 
switch(config-mgmt-sec-ssl-profile-client)# trust certificate intermediate.crt 
switch(config-mgmt-sec-ssl-profile-client)# exit
switch(config-mgmt-security)# exit
switch(config)#

 

Incorrect Configuration Example

The following configuration will not work, as it results in invalid SSL profiles.

Server:
switch(config)# management security
switch(config-mgmt-security)# ssl profile server2
switch(config-mgmt-sec-ssl-profile-server2)# certificate server2.crt key server2.key 
switch(config-mgmt-sec-ssl-profile-server2)# chain certificate intermediate.crt
switch(config-mgmt-sec-ssl-profile-server2)# show management security ssl profile
   Profile                      State      Additional Info                         
---------------------------- ------------- ----------------------------------------
   server3                      invalid    Profile has invalid certificate chain
switch(config-mgmt-sec-ssl-profile-server3)# exit
switch(config-mgmt-security)# exit
switch(config)#

 

Client:
switch(config)# management security
switch(config-mgmt-security)# ssl profile client3
switch(config-mgmt-sec-ssl-profile-client3)# certificate client3.crt key client3.key 
switch(config-mgmt-sec-ssl-profile-client3)# trust certificate intermediate.crt 
switch(config-mgmt-sec-ssl-profile-client3)# show management security ssl profile
   Profile                      State      Additional Info                         
---------------------------- ------------- ----------------------------------------
   client3                      invalid    Profile has invalid trusted certificate 
                                           chain
switch(config-mgmt-sec-ssl-profile-client3)# exit
switch(config-mgmt-security)# exit
switch(config)#
Local Certificate Checks

EOS conducts various checks on the certificates in an SSL profile before allowing its use. You can modify, add to, or relax these checks locally. Here are some checks EOS performs before communicating with the peer:

 

Examples
  • Check whether the certificate has an extended key usage attribute:
    switch(config-mgmt-sec-ssl-profile-client)# certificate requirement extended-key-usage

     

  • Check whether all the trusted certificates or certificates in the chain have CA basic constraints set to true.
    switch(config-mgmt-sec-ssl-profile-client)# trust certificate requirement basic-constraints ca true
    switch(config-mgmt-sec-ssl-profile-client)# chain certificate requirement basic-constraints ca true

     

  • Do not mark an expired certificate as invalid.
    switch(config-mgmt-sec-ssl-profile-client)# certificate policy expiry-date ignore

     

Displaying SSL profile status and SSL profile errors

The show management security ssl profile command displays the SSL profile status information. To view a specific SSL profile status, use the name of the SSL profile. Otherwise, all SSL profile statuses are displayed.

Example

This command displays the status of the SSL profile server.
switch# show management security ssl profile server
 Profile      State
------------- -----------
 server       valid

 

If the SSL profile contains errors, an invalid state is displayed, and the errors are listed in the third column. After fixing the error, the SSL profile becomes valid.

 
Examples
  • When the certificate server.crt does not match with the key, EOS displays the following error message.
    switch# show management security ssl profile server
     Profile        State       Error
    ------------- ------------- ----------------------------------------
     server         invalid     Certificate 'server.crt' does not match
                                with key

     

  • EOS displays the following error message when a trusted certificate ca2.crt does not exist.
    switch# show management security ssl profile server
     Profile        State       Error
    ------------- ------------- -------------------------------------
     server         invalid     Certificate 'ca2.crt' does not exist

     

  • EOS displays the following error message when a trusted certificate foo.crt is not a self-signed root certificate.
    switch# show management security ssl profile server
     Profile        State       Error
    ------------- ------------- ----------------------------------------
    server         invalid     Certificate 'foo.crt' is trusted and not
                               a root certificate

     

  • When the certificate server.crt is expired, EOS displays the following error message.
    switch# show management security ssl profile server
     Profile        State       Error
    ------------- ------------- -------------------------------------
     server         invalid     Certificate 'server.crt' has expired

     

  • EOS displays the following error message when the certificate chain is missing an intermediate certificate.
    switch# show management security ssl profile server
        Profile        State     Error
    -------------- ------------- ---------------------------------------------
        server        invalid    Profile has invalid certificate chain
                                 Certificate 'intermediate.crt' does not exist

     

Rotating Certificate and Key Pair

The SSL profile uses a certificate and key pair. Rotation commands can rotate the certificate and key pair. For example, to rotate cert.pem and key.pem in the SSL profile profile01, use the following commands.
switch01# show running-config section ssl
management security
ssl profile profile01
certificate cert.pem key key.pem

 

Using the command security pki certificate generate signing-request rotation ssl profile, generate a new key and signing request for SSL profile profile01. The command also generates a unique rotation ID for later certificate import.
switch01# security pki certificate generate signing-request rotation ssl profile profile01 key generate rsa 2048 parameters common-name switch01
Rotation ID: 2ad7771e8cbc11ebbba37483ef8d9c4b
Certificate Signing Request:
-----BEGIN CERTIFICATE REQUEST-----
MIICZzCCAU8CAQAwEzERMA8GA1UEAwwIc3dpdGNoMDEwggEiMA0GCSqGSIb3DQEB
AQUAA4IBDwAwggEKAoIBAQCy5EsczfEZlAVNZQ8/nfRgEF3bg/tz0XrQJwP/zHhI
UFx1A1VI4O7XhUrYReH1h4OQWhXXX0AHTLTsaClJWHH9m7SXb4iZVo/Y1zXGdyju
1FmnWnNDi72M8f60WXG9gAMtnZK9K53A3lwvrKS+CwJkLCOjlH4xyp1Wsg1+yfay
AdfXAj+s1Vmg3Rux/XR8iP3N620YVbQ+AfWUQkSNFSsykcTeLvx2WybqX4p4Kids
nqU28ml/NZPS5wEc2OXhagrBn3jHbxdmI33/4SJHN8iNZ6h+gQz+JI18bQrlTHng
RzAx1ENvnz7ZzzeN/n/wh/ArZ6Q9aojrBtAk55aGuY4hAgMBAAGgDzANBgkqhkiG
9w0BCQ4xADANBgkqhkiG9w0BAQsFAAOCAQEAqwQbAsdw6UhpvjDk8OdmXLgCNOSC
jGFLFZe4I67gDmyGQR2lG1brRTQPKp7OphpPxaqr3YvxErEFdQ35gvIUyo9j8qp1
F22yAZGjLqU3prnGLEAZ/I3PcdivNVzL9UJw/JMfHI1CMH6yGtbEI2BXsCTetfxm
JE+N9ujfBlQ/MjUR6IszNxEB2YkFh/DvnVUHoqV0ka+JRmMhGkmTrXwad8bhxYZs
g7cwXktsMLuy2otK21fkFcRvd9OHXssJ2Mf7914ALiDe2sfixHX+35SytR8bahTk
z09HPCkxJmfl+cdhS9SWXrXpHHwXicjwYCj1pqZulBFXtgnVs2Kmd3NnRA==
-----END CERTIFICATE REQUEST-----

 

The following example illustrates the command's complete syntax. The import-timeout argument specifies the timeout period for the rotation ID. If the system does not import a certificate within this period, the rotation ID expires and the system deletes it.
switch# security pki certificate generate signing-request rotation ssl profile <profile-name> 
key generate rsa <2048|3072|4096>
[ import-timeout <minutes> ] (default: 60 mins) 
[ digest <sha256|sha384|sha512> ]  (default: sha256) parameters common-name <common-name>
[ country <country-code> ]
[ state <state-name> ]                         
[ locality <locality-name> ]                         
[ organization <org-name> ]                         
[ organization-unit <org-unit-name> ]                         
[ email <email> ]                         
[ subject-alternative-name [ ip <ip1 ip2 …> ]                         
[ dns  <nm1 nm2 …> ] [ dns  <nm1 nm2 …> ]

 

Use the show security pki certificate rotation command to view the status of rotation IDs.

Example
switch# show security pki certificate rotation
Rotation ID                       Profile Name State           Expiry
--------------------------------- ------------ --------------- -------------------
2ad7771e8cbc11ebbba37483ef8d9c4b  profile01    Import Pending  2021-03-24 10:15:37

 

Copy the Certificate Signing Request (CSR) and submit the CSR to a trusted Certificate Authority (CA) for signing. Import the signed certificate using the security pki certificate rotation import <rotation-id> command. Use the previously generated rotation ID with the signing request.

switch# security pki certificate rotation import 2ad7771e8cbc11ebbba37483ef8d9c4b
Enter TEXT certificate. Type 'EOF' on its own line to end.
-----BEGIN CERTIFICATE-----
MIICnTCCAYWgAwIBAgIJANzHst3ljdWfMA0GCSqGSIb3DQEBCwUAMA4xDDAKBgNV
BAMMA2ZvbzAeFw0yMTAzMjQxNjAyMDdaFw0yMjAzMjQxNjAyMDdaMA4xDDAKBgNV
BAMMA2ZvbzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAK2LhqPnQ3Oz
1Pg1PB5toNyCNB60IdCDUVXZcwmyCgS6ifwBYgmw/mCq3iOFncEilaCNIkaFKiWf
b7s43jQd9tmAbnnQw3xUO8jDweus+yCumMNjLLQApbTOZDE4zDonmbWh6kswh8qI
batiz9wR7l5K1bPbbmQx6nO28LrcLCuFSZWrw4R2nprQxdoo5eAotMsGDQdh2vn7
k4yD0CQGVCquVzKI+iVgW7yIfiZ9cwWdFTAlTmkrqQsq+edZmvnuNcOaZm22R5Sb
aPy9osv82oZk8iMX+oDYddY2wMQzLd7ByWlAh4bzCJxNMPIz8hrxU84up0I4srXi
xDVXdL1d2JsCAwEAATANBgkqhkiG9w0BAQsFAAOCAQEADkjfobxF7BAVFdIjyWHL
ID+9D1t96JvCe+PDUyggow6iZE8ROq2fIFHuXhXMrd/neN3WtxqtjvGBnS49t4fa
qIcjerkIPwLaBSwWdpm/1FrIFejYqU0symRE3bKJULLBEdQhyox37D2uqPm71ado
5rXCX9pSu2oNOThd/877QKxtrKa5pekx1acxEa4E0QJ0/YPwkA5nCzM9jy7DZlH2
+cdtCxREeqlhOJUJxQ2354LyykU2fOXe6AGGdVE9hdIOJDnG26VVb+gFt2qaKD5+
3D3/Gd1pm4P3+9aENlhAcr0PUoL3xUApeIdkEf7n8KHiNP+gmlPyVDTCAudwHnwq
Vg==
-----END CERTIFICATE-----
EOF
Success

 

Commit the rotation ID using the security pki certificate rotation commit <rotation-id> command. This command will rotate cert.pem and key.pem of SSL profile profile01 with new certificate and key.
switch# security pki certificate rotation commit 2ad7771e8cbc11ebbba37483ef8d9c4b
                                        Success

 

 

Note: For keys generated outside of EOS, use the following command to rotate the certificate and key pairs in place of the earlier workflow:
switch# security pki certificate rotation commit ssl profile profile01
Enter TEXT private key. Type 'EOF' on its own line to end.
-----BEGIN PRIVATE KEY-----
MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQCti4aj50Nzs9T4
NTwebaDcgjQetCHQg1FV2XMJsgoEuon8AWIJsP5gqt4jhZ3BIpWgjSJGhSoln2+7
ON40HfbZgG550MN8VDvIw8HrrPsgrpjDYyy0AKW0zmQxOMw6J5m1oepLMIfKiG2r
Ys/cEe5eStWz225kMepztvC63CwrhUmVq8OEdp6a0MXaKOXgKLTLBg0HYdr5+5OM
g9AkBlQqrlcyiPolYFu8iH4mfXMFnRUwJU5pK6kLKvnnWZr57jXDmmZttkeUm2j8
vaLL/NqGZPIjF/qA2HXWNsDEMy3ewclpQIeG8wicTTDyM/Ia8VPOLqdCOLK14sQ1
V3S9XdibAgMBAAECggEAEdDMLSD4HTVzDFoBW8mlpQ10G/TNBd1Sk7gY0FV9JCLM
OIPMfzHdeKoB15lcv691DIArP8cQM8A21ab5tKr2JOTuMnDaffXIagyikzb0/tQT
1qhaFeHaHCTFP4yBQKBgQDczahFFYJRP0joT4HuiywlkhbyOHV7b9xuPPhqwQxFY
qHvEE0qBnmjBzXujbpdb+V18QFGyl0uH4mHr+ltizcyAbEx5YL/y5Vu08bITZr0m
UxS0ZkDXg6n6GKJVIPUH05xSZb/eqtSFIq/DsBQYSwu6WzOj4dNpEQAeD8jMmGAl
wKBgQDJNWTNyC2JgDYmF039gwNEOY+UuJQ3v/JoEi2IHG4ISxVlZc9lZgLuWHDyS
6zNOIeSAYIzDVSsRAGH9sWaK4E4Yno4KHptRC5FMEbtnrojTO2ANC9JcWo2EgP31
r1OJolFpKUiPhOEAzdEYd/sdp9tWEusszTrn8fbPHvSHUFknQKBgDe8VhByOH4Hy
oCRqUusp80oDlDAPa+V8f+FtnNEHbPaDORKqh/EmKm1ZUC9V+DEIRjfaCIVbOX6o
f21Quga7yjZUoA03hdxrVvXa2Mea9H4bFKvg79c27g4qb7erZQ6/tML72i370z90
HQf5h2kGcIRvBx8EHxhzaSMtetNiV0rAoGAP3QzQiJrGf3xFborwlNa6F0uxrwfI
iXKkL+K1G4C1WK4cK3W5idxrTD/DaqH6IB3YLhRE0CU/27C/Nn6H1CxA9MqsCMz2
NmzreY3uCBim1dbXx8V+pdl439y+Ooj8U195RSzb0UcanmJKGulbrFKPfWmh+RMQ
DK3mJBOjEjlopECgYAr6F+60TZ7ZAvA0vZ9PlrntzvY7GhopJgJfAvfi5nBXPS+f
kdKtWzOmhW1jon1ka0fEeRQnQjB7DSYB4zldufPKiD+EXgJtQbhSqfdtgL7QlhVr
pO/s5tUrPE/KRu/yLGtEWruQlDCawpMPA63eP4XER/MHVXBkqbWy85vx46SisOBA
nuEum0yMngru5fARoBKO1aV7G94FI7Eu5rDqeVYsE5jrdnWJTZTgpHf9RYUOlz8R
wwbD/xUs+cKbM1qhaFeHaHCTFP4yBQKBgQDczahFFYJRP0joT4HuiywlkhbyOHV7
b9xuPPhqwQxFYqHvEE0qBnmjBzXujbpdb+V18QFGyl0uH4mHr+ltizcyAbEx5YL/
y5Vu08bITZr0mUxS0ZkDXg6n6GKJVIPUH05xSZb/eqtSFIq/DsBQYSwu6WzOj4dN
pEQAeD8jMmGAlwKBgQDJNWTNyC2JgDYmF039gwNEOY+UuJQ3v/JoEi2IHG4ISxVl
Zc9lZgLuWHDyS6zNOIeSAYIzDVSsRAGH9sWaK4E4Yno4KHptRC5FMEbtnrojTO2A
NC9JcWo2EgP31r1OJolFpKUiPhOEAzdEYd/sdp9tWEusszTrn8fbPHvSHUFknQKB
gDe8VhByOH4HyoCRqUusp80oDlDAPa+V8f+FtnNEHbPaDORKqh/EmKm1ZUC9V+DE
IRjfaCIVbOX6of21Quga7yjZUoA03hdxrVvXa2Mea9H4bFKvg79c27g4qb7erZQ6
/tML72i370z90HQf5h2kGcIRvBx8EHxhzaSMtetNiV0rAoGAP3QzQiJrGf3xFbor
wlNa6F0uxrwfIiXKkL+K1G4C1WK4cK3W5idxrTD/DaqH6IB3YLhRE0CU/27C/Nn6
H1CxA9MqsCMz2NmzreY3uCBim1dbXx8V+pdl439y+Ooj8U195RSzb0UcanmJKGul
brFKPfWmh+RMQDK3mJBOjEjlopECgYAr6F+60TZ7ZAvA0vZ9PlrntzvY7GhopJgJ
fGr1GYQPJi38DJ5NR/w64js21t5X2yJ4xcCB3H7R0QWJ9EE+fc+7nBYFJlaDzSRB
bES24yGh4n4Vc6luYW9A+YJR3EaElE6RMWyzIY8J8kV2xuTaK9xepdM9x1J1kIm2
rA1mcO4Xqw==
-----END PRIVATE KEY-----
EOF
Enter TEXT certificate. Type 'EOF' on its own line to end.
-----BEGIN CERTIFICATE-----
MIICnTCCAYWgAwIBAgIJANzHst3ljdWfMA0GCSqGSIb3DQEBCwUAMA4xDDAKBgNV
BAMMA2ZvbzAeFw0yMTAzMjQxNjAyMDdaFw0yMjAzMjQxNjAyMDdaMA4xDDAKBgNV
BAMMA2ZvbzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAK2LhqPnQ3Oz
1Pg1PB5toNyCNB60IdCDUVXZcwmyCgS6ifwBYgmw/mCq3iOFncEilaCNIkaFKiWf
b7s43jQd9tmAbnnQw3xUO8jDweus+yCumMNjLLQApbTOZDE4zDonmbWh6kswh8qI
batiz9wR7l5K1bPbbmQx6nO28LrcLCuFSZWrw4R2nprQxdoo5eAotMsGDQdh2vn7
k4yD0CQGVCquVzKI+iVgW7yIfiZ9cwWdFTAlTmkrqQsq+edZmvnuNcOaZm22R5Sb
aPy9osv82oZk8iMX+oDYddY2wMQzLd7ByWlAh4bzCJxNMPIz8hrxU84up0I4srXi
xDVXdL1d2JsCAwEAATANBgkqhkiG9w0BAQsFAAOCAQEADkjfobxF7BAVFdIjyWHL
ID+9D1t96JvCe+PDUyggow6iZE8ROq2fIFHuXhXMrd/neN3WtxqtjvGBnS49t4fa
qIcjerkIPwLaBSwWdpm/1FrIFejYqU0symRE3bKJULLBEdQhyox37D2uqPm71ado
5rXCX9pSu2oNOThd/877QKxtrKa5pekx1acxEa4E0QJ0/YPwkA5nCzM9jy7DZlH2
+cdtCxREeqlhOJUJxQ2354LyykU2fOXe6AGGdVE9hdIOJDnG26VVb+gFt2qaKD5+
3D3/Gd1pm4P3+9aENlhAcr0PUoL3xUApeIdkEf7n8KHiNP+gmlPyVDTCAudwHnwq
Vg==
-----END CERTIFICATE-----
EOF
Success

 

After rotating the certificate and key pair, use the show management security ssl certificate cert.pem and show management security ssl key key.pem commands to display the new contents.

Resetting Diffie-Hellman Parameters

The Diffie-Hellman parameters file facilitates the exchange of symmetric keys during SSL negotiations. When the system is booted, it auto-generates a Diffie-Hellman parameters file if one does not exist. Use the reset command to reset the auto-generated Diffie-Hellman parameters file. The individual features that use SSL profile configuration will decide whether they also use the Diffie-Hellman parameters file. The switch uses 2048-bit Diffie-Hellman parameters with no options to select the size.

 

Note: Not all features that use SSL profile configuration will use the Diffie-Hellman parameters file.

 

 

Example

This command resets the Diffie-Hellman parameters file.
switch# reset ssl diffie-hellman parameters

 

Displaying the Diffie-Hellman parameters

The show management security ssl diffie-hellman command displays the Diffie-Hellman parameters.

 

Example

This command displays the Diffie-Hellman parameters.
switch# show management security ssl diffie-hellman
Last successful reset on Apr 10 16:18:08 2015
Diffie-Hellman Parameters 1024 bits
 Generator: 2
 Prime:     dc47b5edc0d2b41451432f79f45efab452bba7b1ab118c194d671d6752ed1c550
            664ed8f052ad0fdad623c1d54ae5aee5e728d2bd7a6221636b787a4c08d1fef8c
            6dcd10759d38f8b70b47d1c7972d69b0b295a2ee6ab44cfc7352cb133e85197c8
            9f1fc27aac7e8e02afb4fb01ca1cb05558a7bef505b73a8d06cdfe403576b

 

Configuring the TLS Handshake Settings

During a TLS handshake, both peers send each other a list of the TLS versions they support to agree on and use the highest common version. The following allowable versions can be configured in an SSL profile using the tls versions command. By default, TLSv1, TLSv1.1, and TLSv1.2 are enabled.

 

Examples
  • This command forces the use of TLSv1.2. If the other peer does not support this version, the TLS handshake fails.
    switch# config
    switch#(config)# management security
    switch(config-mgmt-security)# ssl profile client
    switch(config-mgmt-sec-ssl-profile-client)#
    switch(config-mgmt-sec-ssl-profile-client)# tls versions 1.2

     

  • These commands add support for TLSv1.1 on top of the already configured TLSv1.2.
    switch(config-mgmt-sec-ssl-profile-client)# tls versions add 1.1
    switch(config-mgmt-sec-ssl-profile-client)# tls versions 1.1 1.2

     

The TLS handshake establishes a secure communication channel by negotiating the cipher suite and the TLS version. The client initiates this process by providing the server a list of supported cipher suites. Based on the client's list and capabilities, the server selects a mutually supported cipher suite. This selection ensures both parties utilize the same cryptographic algorithms for secure data exchange.

The default cipher-list setting employs an OpenSSL cipher string (HIGH:!eNULL:!aNULL:!MD5). This configuration permits only key lengths longer than 128 bits and excludes cipher suites using MD5.

To view the complete list of cipher suites included in this setting, execute the following shell command: openssl ciphers HIGH:!eNULL:!aNULL:!MD5.

 

Example

This command builds a cipher suite list.
switch(config-mgmt-sec-ssl-profile-client)# cipher-list AESGCM
switch(config-mgmt-sec-ssl-profile-client)# cipher-list SHA256:SHA384
switch(config-mgmt-sec-ssl-profile-client)# cipher-list ECDHE-ECDSA-AES256-GCM-SHA384

 

Enabling the Federal Information Processing Standards (FIPS) Mode

Federal Information Processing Standards (FIPS) is a cryptographic standard that restricts the cryptographic functions and protocol versions used by OpenSSL.

 

Example

This command enables the FIPS mode for a SSL profile.
switch(config-mgmt-sec-ssl-profile-client)# fips restrictions

 

Syslog with TLS Support

Collecting syslog information on a remote syslog server requires defining an SSL profile. This profile ensures the secure transmission of syslog data to the server over a TLS connection.

Configuring Syslog with TLS Support

The following command configures a remote syslog server with an SSL profile. It configures a syslog server with the hostname test.example.com using the SSL profile (test-profile) for communications over port 1234.
switch(config)# logging host test.example.com 1234 protocol tls ssl-profile test-profile

 

SSL Profile Example (Minimal)

The following commands set up a minimal profile to support remote logging over TLS. Ensure the proper configuration of the remote server to enable TLS communication.
switch(config-mgmt-security)# ssl profile test-profile
switch(config-mgmt-sec-ssl-profile-test-profile)# certificate clientCert key clientKey
switch(config-mgmt-sec-ssl-profile-test-profile)# trust certificate serverCA

 

Displaying Certificate and Key Information

Displaying Certificate Information

Displaying the Directory Information

The dir command displays the directory output of certificate file systems.

 

Example

This command displays the directory output of certificate: file-system.
switch# dir certificate:
Directory of certificate:/
   -rw- 3319 Apr 10 11:50 server.crt
No space information available
 
Displaying the certificate information

The show management security ssl certificate command displays the certificate information. To display a specific certificate, specify the certificate name. Omitting a name displays all available certificates.

 

Example

This command displays the server.crt certificate information.
switch# show management security ssl certificate server.crt
Certificate server.crt:
 Version:                    1
 Serial Number:              9
 Issuer:
    Common name:             ca
    Email address:           This email address is being protected from spambots. You need JavaScript enabled to view it.
    Organizational unit:     Foo Org
    Organization:            Foo
    Locality:                SC
    State:                   CA
    Country:                 US
 Validity:
    Not before:             Aug 11 21:44:17 2014 GMT
    Not After:              May 14 21:44:17 2069 GMT
 Subject:
    Common name:            server
    Email address:          This email address is being protected from spambots. You need JavaScript enabled to view it.
    Organizational unit:    Foo Org
    Organization:           Foo
    Locality:               SC
    State:                  CA
    Country:                US
 Subject public key info:
    Encryption Algorithm:   RSA
    Size:                   2048 bits
    Public exponent:        65537
    Modulus:                e04e3ff8e1c64dbcb141fe96133f998e90a322c671b9f28307bf873
                            2239f69804a77fbb8f146841eb6253b7bb50bf6c66bbf3097ec695b
                            0d7985cfdd939c9913b4ba4f6cb8655b208ed0254a269ecab574987
                            ea5ee80085f5216d303cf704372b2fa1aae62756c3762441fcc1c04
                            635a831d5ec96d841
 
Displaying Certificate Revocation List (CRL) Information

The show management security ssl crl command displays the installed Certificate Revocation List (CRL) information. To view a specific CRL, use its name. Omitting a name displays all the CRLs.

 

Example

This command displays the intermediate.crl information.
switch# show management security ssl crl intermediate.crl
CRL intermediate.crl:
   CRL Number: 11
   Issuer:
      Common name: intermediate
      Email address: This email address is being protected from spambots. You need JavaScript enabled to view it.
      Organizational unit: Foo Org
      Organization: Foo
      State: CA
      Country: US
   Validity:
      Last Update: Jul 19 19:27:34 2016 GMT
      Next Update: Dec 05 19:27:34 2043 GMT

 

Displaying Key Information

Displaying the Directory Information

The dir command displays the directory output of SSL key file systems.

 

Example

This command displays the directory output of sslkey: file-system.
switch# dir sslkey:
Directory of sslkey:/
   -rw- 1675 Apr 10 12:55 server.key
No space information available
 
Displaying the RSA Key Information

The show management security ssl key command displays the RSA key information. To view a specific RSA key, use the name of the key; otherwise, all the keys are displayed. For security reasons, only the public part of the key is displayed.

Example

This command displays the server.key key information.
switch# show management security ssl key server.key
Key server.key:
 Encryption Algorithm: RSA
 Size:                 2048 bits
 Public exponent:      65537
 Modulus:              e04e3ff8e1c64dbcb141fe96133f998e90a322c671b9f28307bf873
                       2239f69804a77fbb8f146841eb6253b7bb50bf6c66bbf3097ec695b
                       0d7985cfdd939c9913b4ba4f6cb8655b208ed0254a269ecab574987
                       b502f8c3f541fa3bae59743cced6e6ca04f6ca6c9268744add79c3a
                       f8178d12dd744ddf5db100b33c46b40e53f0a1c7d49f83488976c5d

 

TLS Commands

copy file: certificate:

The copy file: certificate: command copies the certificate to the certificate: file system. The certificate can be copied from any supported source URL of the copy command.

 

Command Mode

Global Configuration

 

Command Syntax

copy file: file_name certificate:

 

Parameter

file_name location or the path of the file or the directory to save the certificate.

 

Guidelines

The following requirements apply to copying certificates:
  • A single source file can contain multiple PEM encoded entities, but they must all be certificates. If including other types such as SSL keys, the copy fails and displays an error message.
    switch(config)# copy file:tmp/ssl/mixed.crt certificate:
    % Error copying file:tmp/ssl/mixed.crt to certificate: (Multiple types of entities in certificate file not supported)
    switch(config)#

     

  • The source file must contain valid PEM encoded certificates. If the file contains invalid certificates, the copy fails and displays an error message.
    switch(config)# copy file:tmp/ssl/bad.crt certificate:
    % Error copying file:tmp/ssl/bad.crt to certificate: (Invalid certificate)
    switch(config)#

     

  • EOS only supports certificates with RSA public keys. If the certificate does not have an RSA public key, the copy fails and displays an error message.
    switch(config)# copy file:tmp/ssl/dsa.crt certificate:
    % Error copying file:tmp/ssl/dsa.crt to certificate: (Certificate does not have RSA key)
    switch(config)#

     

  • This command copies a server.crt certificate to the certificate: file system.
    switch(config)# copy file:/tmp/ssl/server.crt certificate:
    Copy completed successfully.

     

copy file: sslkey:

The copy file: sslkey: command copies the SSL key to the sslkey: file system. The key can be copied from any supported source URL of the copy command.

 

Command Mode

Global Configuration

 

Command Syntax

copy file: file_name sslkey:

 

Parameter

file_name location or the path of the file or the directory to save the key.

 

Guidelines

The following requirements apply to copying SSL keys:
  • EOS only supports one PEM encoded key per file. If the source file contains multiple PEM encoded keys, the copy fails and displays an error message.
    switch# copy file:tmp/ssl/multi.key sslkey:
    % Error copying file:tmp/ssl/multi.key to sslkey: (Multiple PEM entities in single file not supported)

     

  • The source file must contain a valid PEM encoded RSA key. If the file contains an invalid RSA key, the copy fails and displays an error message.
    switch# copy file:tmp/ssl/bad.key sslkey:
    % Error copying file:tmp/ssl/bad.key to sslkey: (Invalid RSA key)

     

  • EOS does not support password protected keys. If the source file contains a password protected key, the copy fails and displays an error message.
    switch# copy file:/tmp/ssl/pass.key sslkey:
    % Error copying file:tmp/ssl/pass.key to sslkey: (Password protected keys are not supported)

Example

This command copies an SSL key in the file server.key to the sslkey: file system.
switch(config)# copy file:/tmp/ssl/server.key sslkey:
Copy completed successfully.
switch(config)#

delete certificate:

The delete certificate: command deletes a specified certificate from the certificate: file system on the switch.

 

Command Mode

Global Configuration

 

Command Syntax

delete certificate: certificate_name

 

Parameter

certificate_name name of the certificate to delete.

 

Example

This command deletes the server.crt certificate from the switch.
switch(config)# delete certificate:server.crt

delete sslkey:

The delete sslkey: command deletes a SSL key from the sslkey: file system on a switch.

 

Command Mode

Global Configuration

 

Command Syntax

delete sslkey: key_name

 

Parameter

key_name name of the key.

Example

This command deletes the server.key SSL key on the switch.
switch(config)# delete sslkey:server.key

dir certificate:

The dir certificate: command displays the directory output of the certificate: file system on the switch.

 

Command Mode

Global Configuration

 

Command Syntax

dir certificate:

 

Example

This command shows the directory output of certificate: file system on the switch.
switch(config)# dir certificate:
Directory of certificate:/
   -rw- 3319 Apr 10 11:50 server.crt
No space information available

dir sslkey:

The dir sslkey: command displays the directory output of sslkey: file system on the switch.

 

Command Mode

Global Configuration

 

Command Syntax

dir sslkey:

 

Example

This command shows the directory output of sslkey: file system on the switch.
switch(config)# dir sslkey:
Directory of sslkey:/
   -rw- 1675 Apr 10 12:55 server.key
No space information available

reset ssl diffie-hellman parameters

The reset ssl diffie-hellman parameters command resets the Diffie-Hellman parameters file after a system reboot.

 

Command Mode

Global Configuration

 

Command Syntax

reset ssl diffie-hellman parameters

 

Example

This command resets the Diffie-Hellman parameters file.
switch(config)# reset ssl diffie-hellman parameters
switch(config)#

security pki certificate generate

The security pki certificate generate command generates a self-signed certificate or a Certificate Signing Request (CSR) certificate. The CLI displays the generated CSR, and a self-signed certificate saves to the certificate: file system.

Many other parameters can be entered and applied to the certificate as shown in the following examples.

 

Command Mode

Global Configuration

 

Command Syntax

security pki certificate generate {self-signed | signing-request} certificate_name Key key_name

 

Parameters
  • certificate_name - name of the certificate to generate. Options include the following:
    • Self-signed request to generate self-signed certificate.
    • Signing-request request to generate signing-request.
    • digest - Signs the certificate or key with the following cryptographic hash algorithm (sha256, sha384, sha512).
    • key_name - Name of the key to modify.

       

  • parameters - Signing request parameters for a certificate. Option include the following:
    • common-name - Common name to use in the subject.
    • country- Two-letter country code to use in the subject.
    • email - Email address to use in the subject.
    • locality - Locality name to use in the subject.
    • organization - Organization name to use in the subject.
    • organization-unit - Organization Unit Name for use in the subject.
    • state - State to use in the subject.
    • subject-alternative-name - Subject alternative name extension.
    • rotation - Generate a unique rotation ID.

       

  • validity- Validity of the certificate in days. Value ranges from 1 to 30000.

     

Examples
  • This command generates a self-signed certificate or CSR certificate. This example uses an existing private key (test.key) to generate the certificates.
    switch(config)# security pki certificate generate self-signed test.crt key test.key

     

  • This command specifies the digest and the validity, in days, of the certificate or key.
    switch(config)# security pki certificate generate signing-request key test.key digest sha256 validity 365 

     

  • This command adds the certificate parameters such as common-name, country, email, and others.
    switch(config)# security pki certificate generate signing-request key test.key parameters common-name Test [country US ...] 

     

security pki key generate

The security pki key generate command generates a RSA key used to validate a specific certificate.

The key generated can be modified and saved by entering the value of the length in the generate rsa length parameter.

 

Command Mode

Global Configuration

 

Command Syntax

security pki key generate rsa key_name

 

Parameters
  • rsa - Use the Rivest-Shamir-Adleman (RSA) algorithm. Options include the following.
    • 2048 - Use 2048-bit keys.
    • 3072 - Use 3072-bit keys.
    • 4096 - Use 4096-bit keys.

       

  • key_name - The name of the key to generate.

     

Examples
  • This command generates a a 2048-bit long RSA private key,test.key, and saves it to sslkey:test.key.
    switch(config)# security pki key generate rsa 2048 test.key

     

  • This command modifies the generated RSA key length value.
    switch(config)# security pki certificate generate self-signed test.crt key 
    test.key generate rsa 4096
    switch(config)# security pki certificate generate signing-request key test.key 
    generate rsa 2048

show management security ssl certificate

The show management security ssl certificate command displays information about the certificate. Provide the name of the certificate to view more information about the certificate. If you do not provide a name, this command displays information about all of the certificates.

 

Command Mode

EXEC

 

Command Syntax

show management security ssl certificate [certificate_name]

 

Parameter

certificate_name - The name of the certificate (optional).

 

Example

This command displays the server.crt certificate information.
switch# show management security ssl certificate server.crt
Certificate server.crt:
 Version:                    1
 Serial Number:              9
 Issuer:
    Common name:             ca
    Email address:           This email address is being protected from spambots. You need JavaScript enabled to view it.
    Organizational unit:     Myorg Org
    Organization:            Myorg
    Locality:                SC
    State:                   CA
    Country:                 US
 Validity:
    Not before:             Aug 11 21:44:17 2014 GMT
    Not After:              May 14 21:44:17 2069 GMT
 Subject:
    Common name:            server
    Email address:          This email address is being protected from spambots. You need JavaScript enabled to view it.
    Organizational unit:    Org Org
    Organization:           ORg
    Locality:               SC
    State:                  CA
    Country:                US
 Subject public key info:
    Encryption Algorithm:   RSA
    Size:                   2048 bits
    Public exponent:        65537
    Modulus:                e04e3ff8e1c64dbcb141fe96133f998e90a322c671b9f28307bf873
                            2239f69804a77fbb8f146841eb6253b7bb50bf6c66bbf3097ec695b
                            0d7985cfdd939c9913b4ba4f6cb8655b208ed0254a269ecab574987
                            9f54c8c7f0b3a57a7ab826870119083222ad5ee76d40f3fae49d36e
                            b502f8c3f541fa3bae59743cced6e6ca04f6ca6c9268744add79c3a
                            c08af6b451455b4a61071f4c0b3ec3553585312783e9381f65bb0e2
                            ea5ee80085f5216d303cf704372b2fa1aae62756c3762441fcc1c04
                            97ee6190586ed28c0e376f48e53f05a40c7e1f3a65e3c6165bae5df
                            f8178d12dd744ddf5db100b33c46b40e53f0a1c7d49f83488976c5d
                            635a831d5ec96d841

show management security ssl crl

The show management security ssl crl command displays the basic information about the installed Certificate Revocation List (CRLs). To view information of a specific CRL provide the name of the CRL. If you do not provide a name, this command displaysinformation about all of the CRLs.

 

Note: The command only displays basic information and does not display any information on the revocation status of certificates.

 

Command Mode

EXEC

 

Command Syntax

show management security ssl crl

 

Example

This command displays the basic information of the intermediate.crl CRL.
switch# show management security ssl crl intermediate.crl
CRL intermediate.crl:
   CRL Number: 11
   Issuer:
      Common name: intermediate
      Email address: This email address is being protected from spambots. You need JavaScript enabled to view it.
      Organizational unit: mycompany Org
      Organization: mycompany
      State: CA
      Country: US
   Validity:
      Last Update: Jul 19 19:27:34 2016 GMT
      Next Update: Dec 05 19:27:34 2043 GMT

show management security ssl diffie-hellman

The show management security ssl diffie-hellman command displays the Diffie-Hellman parameter information.

 

Command Mode

EXEC

 

Command Syntax

show management security ssl diffie-hellman

 

Example

This command displays the Diffie-Hellman parameter information.
switch# show management security ssl diffie-hellman
Last successful reset on Apr 10 16:18:08 2015
Diffie-Hellman Parameters 1024 bits
 Generator: 2
 Prime:     dc47b5edc0d2b41451432f79f45efab452bba7b1ab118c194d671d6752ed1c550
            664ed8f052ad0fdad623c1d54ae5aee5e728d2bd7a6221636b787a4c08d1fef8c
            6dcd10759d38f8b70b47d1c7972d69b0b295a2ee6ab44cfc7352cb133e85197c8
            9f1fc27aac7e8e02afb4fb01ca1cb05558a7bef505b73a8d06cdfe403576b

show management security ssl key

The show management security ssl key command displays the RSA key information. To view information of a specific key, provide the name of the key in the command. If you do not provide a name, this command displays information about all of the keys.

 

Note: For security reasons, the output displays only the public part of the key.

 

Command Mode

EXEC

 

Command Syntax

show management security ssl key [key_name]

 

Parameter

key_name name of the key (optional).

 

Example

This command displays the server.key key information.
switch# show management security ssl key server.key
Key server.key:    
Encryption Algorithm: RSA
Size:                 2048 bits
Public exponent:      65537
Modulus:              e04e3ff8e1c64dbcb141fe96133f998e90a322c671b9f28307bf873
                      2239f69804a77fbb8f146841eb6253b7bb50bf6c66bbf3097ec695b
                      0d7985cfdd939c9913b4ba4f6cb8655b208ed0254a269ecab574987
                      9f54c8c7f0b3a57a7ab826870119083222ad5ee76d40f3fae49d36e
                      b502f8c3f541fa3bae59743cced6e6ca04f6ca6c9268744add79c3a
                      c08af6b451455b4a61071f4c0b3ec3553585312783e9381f65bb0e2
                      ea5ee80085f5216d303cf704372b2fa1aae62756c3762441fcc1c04
                      97ee6190586ed28c0e376f48e53f05a40c7e1f3a65e3c6165bae5df
                      f8178d12dd744ddf5db100b33c46b40e53f0a1c7d49f83488976c5d
                      635a831d5ec96d841

show management security ssl profile

The show management security ssl profile command displays the SSL profile status information. To display information about a specific SSL profile, provide the name of the profile. If you do not provide a name, this command displays profile status of all the SSL profiles.

If the SSL profile contains errors, the state displays as invalid and lists the errors are listed in the third column.

 

Command Mode

EXEC

 

Command Syntax

show management security ssl profile [profile_name]

 

Parameter

profile_name - Name of the SSL profile (optional).

 

Examples
  • This command displays the SSL profile status of profile server.
    switch# show management security ssl profile server
     Profile      State
    ------------- -----------
     server       valid

     

  • If the certificate server.crt does not match with the key, the following error displays.
    switch# show management security ssl profile server
    Profile       State         Error
    ------------- ------------- ----------------------------------------
    server        invalid       Certificate 'server.crt' does not match
                                with key

     

  • If a trusted certificate ca2.crt does not exist ,the following error displays.
    switch# show management security ssl profile server
    Profile       State         Error
    ------------- ------------- ----------------------------------------
    server        invalid       Certificate 'ca2.crt' does not exist

     

  • If a trusted certificate mycert.crt is not a self-signed root certificate, the following error displays.
    switch# show management security ssl profile server
    Profile       State         Error
    ------------- ------------- ----------------------------------------
    server         invalid      Certificate 'mycert.crt' is trusted and not
                                a root certificate

     

  • Ifthe certificate server.crt expired,the following error displays.
    switch# show management security ssl profile server
    Profile       State         Error
    ------------- ------------- ----------------------------------------
     server       invalid       Certificate 'server.crt' has expired

     

  • If the certificate chain is missing an intermediate certificate, the following error occurs.
    switch# show management security ssl profile server
    Profile        State         Error
    -------------- ------------- ---------------------------------------------
    server         invalid       Profile has invalid certificate chain
                                 Certificate 'intermediate.crt' does not exist

ssl profile

The ssl profile command places the switch in the SSL profile configuration mode. Various SSL profile management configurations are allowed in this mode. For example, this mode allows to configure a SSL profile with a certificate and its corresponding RSA key.

Similarly, other configurations such as trust certificate, chain certificate, crl, tls, cipher-list can be configured to a SSL profile in this mode.

The no form of the command deletes the SSL profile management configuration from running-config.

 

Command Mode

Management Security Mode

SSL Profile Mode

 

Command Syntax

ssl profile profile_name

 

Parameter

profile_name name of the profile.

 

Examples
  • These commands place the switch in SSL profile mode.
    switch# config
    switch(config)# management security
    switch(config-mgmt-security)# ssl profile server
    switch(config-mgmt-sec-ssl-profile-server)#

     

  • These commands configure SSL profile server with a certificate and its corresponding RSA key. The no command deletes the certificate configuration.
    switch# config
    switch(config)# management security
    switch(config-mgmt-security)# ssl profile server
    switch(config-mgmt-sec-ssl-profile-server)# certificate server.crt key server.key
    switch(config-mgmt-sec-ssl-profile-server)# no certificate server.crt key server.key

     

  • These commands configure the trust certificate ca1.crt to an SSL profile. The no command deletes a trusted certificate configuration.
    switch# config
    switch(config)# management security
    switch(config-mgmt-security)# ssl profile server
    switch(config-mgmt-sec-ssl-profile-server)# trust certificate ca1.crt
    switch(config-mgmt-sec-ssl-profile-server)# no trust certificate ca1.crt

     

  • These commands configure the intermediate.crt chain certificate to an SSL profile. The no command deletes a chain certificate configuration.
    switch# config
    switch(config)# management security
    switch(config-mgmt-security)# ssl profile server
    switch(config-mgmt-sec-ssl-profile-server)# certificate server.crt key server.key
    switch(config-mgmt-sec-ssl-profile-server)# chain certificate intermediate.crt
    switch(config-mgmt-sec-ssl-profile-server)# no chain certificate intermediate.crt

     

  • These commands provides Certificate Revocation List (CRL) to a SSL profile to check the revocation status of the certificate chain. The no command deletes the CRL configuration.
    switch# config
    switch(config)# management security
    switch(config-mgmt-security)# ssl profile server
    switch(config-mgmt-sec-ssl-profile-server)# crl intermediate.crl
    switch(config-mgmt-sec-ssl-profile-server)# crl ca.crl
    switch(config-mgmt-sec-ssl-profile-server)# no crl ca.crl

     

  • These commands configure TLSv1.2 to be used in the SSL profile.
    switch# config
    switch(config)# management security
    switch(config-mgmt-security)# ssl profile server
    switch(config-mgmt-sec-ssl-profile-server)# tls versions 1.2

     

  • These commands build a cipher suite list.
    switch# config
    switch(config)# management security
    switch(config-mgmt-security)# ssl profile server
    switch(config-mgmt-sec-ssl-profile-server)# cipher-list AESGCM
    switch(config-mgmt-sec-ssl-profile-server)# cipher-list SHA256:SHA38
    switch(config-mgmt-sec-ssl-profile-server)# cipher-list ECDHE-ECDSA-AES256-GCM-SHA384

     

  • This command check that the certificate has an extended key usage attribute.
    switch(config-mgmt-sec-ssl-profile-client)# certificate requirement extended-key-usage

     

  • These commands check that all the trusted certificates or certificates in the chain have a CA basic constraints set to true.
    switch(config-mgmt-sec-ssl-profile-client)# trust certificate requirement basic-constraints ca true
    switch(config-mgmt-sec-ssl-profile-client)# chain certificate requirement basic-constraints ca true

     

  • This command enables the Federal Information Processing Standards (FIPS) mode for a SSL profile.
    switch(config-mgmt-sec-ssl-profile-client)# fips restrictions

802.1X Port Security

This section explains the basic concepts behind 802.1X port security, including switch roles, how the switches communicate, and the procedure used for authenticating clients.

802.1X Port Security Introduction

802.1X is an IEEE standard protocol that prevents unauthorized devices from accessing the network.

802.1X defines three device roles,
  • Supplicant (client).

     

  • Authenticator (switch).

     

  • Authentication server (RADIUS).

     

Before authentication can succeed, the switch port is in unauthorized mode and blocks all traffic, but after authentication has succeeded, normal data can flow through the switch port.

Port security controls who can send or receive traffic from an individual switch port. An end node cannot send or receive traffic through a port until a RADIUS server authenticates the node.

This security prevents unauthorized individuals from connecting to a switch port to access the network. Only designated valid users on a RADIUS server can use the switch to access the network.

Overview of 802.1X Port Security

802.1X port security controls can send traffic through and receive traffic from the individual switch ports. A supplicant must authenticate using EAPOL packets with the switch before obtaining full access to the port. Arista switches act as an authenticator, passing the messages from 802.1X supplicants through to the RADIUS server and vice versa. 802.1X can operate in three different modes:
  • Single Host Mode - Once the 802.1X supplicant authenticates on the port, the port only allows the traffic from the supplicant's MAC address.

     

  • Multi-Host Mode: Once the 802.1X supplicant authenticates on the port, the port allows any traffic from any source MAC.

     

  • Multi-Host Authenticated Mode - Allows multiple 802.1X supplicants and allows the incoming traffic from all authenticated supplicants MAC addresses through the port.

     

The Single Host and the Multi-Host modes allow only one 802.1X supplicant to authenticate for one port. After successfully authenticating, no other 802.1X supplicant can authenticate unless the current one logs off. However, the Multi-Host Authenticated Mode allows multiple 802.1X supplicants to authenticate and provide access to the network.

In addition to 802.1X authentication, EOS supports MAC-Based Authentication (MBA) and allows devices without 802.1X to access the network. The authenticator uses the MAC address of such devices as username/password in its RADIUS request packets. Depending on the MAC-Based Authentication configuration on the RADIUS server, the server permits or denies authentication to the supplicant. Unlike 802.1X supplicants, a single port allows multiple MBA supplicants. The MBA configuration does not require the 802.1X host modes. MBA supplicants permit or reject unauthenticated traffic based on the host mode.

EOS also supports Dynamic VLAN assignment, which permits the RADIUS server to assign the desired VLAN for the supplicant, using the tunnel attributes with the Access-Accept message. The RADIUS server assigns VLANs to the 802.1X and MBA supplicants. EOS supports only one VLAN per port. When the first host authenticates, the authenticator port assigns the respective VLAN through dynamic VLAN assignment, and subsequently, all other hosts must belong to that VLAN as well.

802.1X features support 802.1Q trunk ports that permit the user to use Port-Based Network Access Control (PNAC) on a port. With this feature, traffic arriving at an 802.1X-enabled port with a VLAN tag authenticates the 802.1X and MBA supplicants.

By default, traffic from any unauthenticated device on an 802.1X-enabled port drops. However, by configuring the Authentication Failure VLAN on the authenticator switch, the 802.1X or MBA supplicant traffic can be put into a specific VLAN, if the supplicant fails to authenticate via the RADIUS server.

 

Note: EOS supports one configurable VLAN for failure events such as failure due to server timeout, server unreachable, server AUTH-FAIL, or Quarantine.

 

Switch Roles for 802.1X Configurations

The 802.1X standard specifies the roles of Supplicant (client), Authenticator, and Authentication Server in a network. Switch Roles for 802.1X Configurations illustrates these roles.

 

Authentication Server- The switch that validates the client and specifies if the client may access services on the switch. The switch supports Authentication Servers running RADIUS.

 

Authenticator - The switch that controls access to the network. In an 802.1X configuration, the switch serves as the Authenticator. As the Authenticator, it moves messages between the client and the Authentication Server. The Authenticator either grants or does not grant network access to the client based on the identity data provided by the client, and the authentication data provided by the Authentication Server.

 

Supplicant/Client - The client provides a username or password data to the Authenticator. The Authenticator sends this data to the Authentication Server. Based on the supplicants information, the Authentication Server determines whether the supplicant can use services given by the Authenticator. The Authentication Server sends this data to the Authenticator, which then provides services to the client, based on the authentication result.

Figure 3. Authenticator, Supplicant, and Authentication Server in an 802.1X configuration

 

Authentication Process

The authentication that occurs between a supplicant, authenticator, and authentication server include the following processes.
  • Either the authenticator (a switch port) or the supplicant starts an authentication message exchange. The switch starts an exchange when it detects a change in the status of a port, or if it gets a packet on the port with a source MAC address that is not included in the MAC address table.

     

  • An authenticator starts the negotiation by sending an EAP-Request/Identity packet. A supplicant starts the negotiation with an EAPOL-Start packet, to which the authenticator answers with a EAP-Request/Identity packet.

     

  • The supplicant answers with an EAP-Response/Identity packet to the authentication server via the authenticator.

     

  • The authentication server responds with an EAP-Request packet to the supplicant via the authenticator.

     

  • The supplicant responds with an EAP-Response.

     

  • The authentication server transmits either an EAP-Success packet or EAP-Reject packet to the supplicant.

     

  • If an EAP-Reject is received, the supplicant will receive an EAP-Reject message and their traffic will not be forwarded.

     

Communication Between the Switches

802.1X port security uses the Extensible Authentication Protocol (EAP), defined in RFC 2284 and the RADIUS authentication protocol For communication between the switches.

The 802.1X standard defines a method for encapsulating and sendingEAP messages over a LAN. This type of encapsulated EAP is known as EAP over LAN (EAPOL). The standard also specifies a method for transferring the EAPOL information between the client or Supplicant, Authenticator, and Authentication Server.

Supplicants and Authenticators pass the EAPOL messages between the Port Access Entity (PAE). The following figure displays the relationship between the Authenticator PAE and the Supplicant PAE.

Figure 4. Authenticator PAE and Supplicant PAE

 

Authenticator PAE - The Authenticator PAE communicates with the Supplicant PAE to receive the Supplicants identifying information. Behaving as a RADIUS client, the Authenticator PAE passes the Supplicants information to the Authentication Server, which decides whether to grant the Supplicant access. If the Supplicant passes authentication, the Authenticator PAE allows it access to the port.

 

Supplicant PAE - The Supplicant PAE provides information about the client to the Authenticator PAE and replies to requests from the Authenticator PAE. The Supplicant PAE may initiate the authentication procedure with the Authenticator PAE, as well as send logoff messages.

Dot1x Dropped Counters

The Dot1x Dropped Counters count the packets dropped by dot1x interfaces. The dropped counter will not represent all the dropped packets in case of high volume dropping, and the CPU queue drop counter will reflect the rest of the dropped packet counter. This is due to the fact that EOS limits the bandwidth for the packets that get sent to the CPU.

The following counters are supported and increment depending on the dot1x interface configuration mode:
  • EAPOL unauthorized port (indicates the dropped packet number due to the unauthorized EAPOL port when Mac Base Authorization is disabled).

     

  • EAPOL unauthorized host ( indicates the dropped packet number due to the unauthorized EAPOL host).

     

  • MBA unauthorized host (counts the dropped packet due to the unauthorized host when Mac Base Authorization is enabled.)

     

Enabling 802.1X Port Control

To enable 802.1X port authentication on the switch, use the following command:

switch(config)# dot1x system-auth-control

 

Port mode can be set to access or trunk port and 802.1X port access entity set to authenticator:

switch(config-if-Et1)# switchport mode access
switch(config-if-Et1)# dot1x pae authenticator

 

Controlled and Uncontrolled Ports

A physical port on the switch used with 802.1X has two virtual access points that include a controlled port and an uncontrolled port. The controlled port grants full access to the network. The uncontrolled port only gives access for EAPOL traffic between the client and the Authentication Server. When a client is authenticated successfully, the controlled port is opened to the client.

Figure 5. Ports Before and After Client Authentication

 

Control Port State

Before authenticating the port, the port is unauthorized. In this state, the 802.1X agent only processes EAPOL packets and drops all other packets. After the port successfully authenticates, the port becomes authorized and allows all packets to pass. The authentication exchange controls the state transition between the supplicant and the authentication server. However, you can control the state by using any one of the following commands:

 

dot1x port-control force-authorized

force-authorized - disables 802.1X authentication and directly put the port to the authorized state. This is the default setting.

 

dot1x port-control force-unauthorized

force-unauthorized - also disables 802.1X authentication and directly put the port to unauthorized state, ignoring all attempts by the client to authenticate.

 

dot1x port-control auto

auto - enables 802.1X authentication and put the port to unauthorized state first. The port state remains in an unauthorized state or transit to authorized state according to authentication result and configuration.

Uncontrolled Port State

The Authenticator only opens one uncontrolled port before authenticating a client. The client and the Authentication Server swap EAPOL frames through the uncontrolled port. No other traffic passes through the controlled port in the unauthorized state.

During authentication, the Supplicant PAE and the Authenticator PAE exchange EAPOL messages, and the Authenticator PAE and the Authentication Server exchange RADIUS messages. If the client successfully authenticates, the controlled port becomes authorized, and traffic from the client can flow through the port normally.

By default, all controlled ports on the switch become authorized and allow all traffic. When initially authenticating, the controlled port on the interface initially sets to the unauthorized state. If a client connected to the port authenticates successfully, the controlled port sets in the authorized state.

Message Exchange During Authentication

The following figure illustrates an exchange of messages between an 802.1X-enabled client, an Authenticator switch, and a RADIUS server operating as an Authentication Server.

Arista switches support MD5-challenge TLS and other EAP-encapsulated authentication types in EAP Request or Response messages. In other words, the switches are transparent to the authentication scheme used.
Figure 6. Message Exchange During Authentication

 

Authenticating Multiple Clients Connected to the Same Port

Arista switches support 802.1X authentication for ports with more than one client connected to them. Figure 7 illustrates a sample configuration where multiple clients are connected to a single 802.1X port. 802.1X authentication may use multi-host mode, or, on selected switches, single-host mode. In both modes, the port authenticates the packets received from any one client, and drops the packets received from other clients, until authentication of the connected client by the RADIUS server.

Single-host Mode

In single-host mode, the 802.1X client has authenticated on the RADIUS server and does not require further authentication. However, the port accepts packets only from the MAC address of the authenticated client.

Multi-Host Mode

In multi-host mode, once the 802.1X client authenticates with the RADIUS server, the port accepts all packets from any connected client, and these packets do not require any authentication.

802.1X MAC-based Authentication

802.1X MAC-based authentication allows programming a set of MAC addresses into the RADIUS server. These MAC addresses (MAC-based authentication supplicants) do not connect to 802.1X profiles but are still allowed access to the network. The authenticator identifies devices that do not support 802.1X and uses the MAC address of these devices as username and password in its RADIUS request packets.

In MAC-based authentication, every supplicant attempting to access the authenticator port individually authenticates, as opposed to authenticating just one supplicant on a given VLAN or port with 802.1X. Different behavior occurs for MAC-based authentication supplicants when an 802.1X supplicant authenticates in single-host and multi-host 802.1X modes.

To enable Mac-based authentication, use the following command:

switch(config)#dot1x mac based authentication

 

 

Note: By adding this command to the existing 802.1X configuration on the port, a typical 802.1X interface configuration with MAC-Based Authentication enabled may look something like this:
switch(config-if-Et1/1)# show active
speed forced 1000full
dot1x pae authenticator
dot1x port-control auto
dot1x mac based authentication

 

Figure 7. Multiple clients connected to a 802.1X-enabled port

 

Mac-Based Authentication Delay

Use the mac based authentication delay command to configure a MAC-based Authentication delay. By default, the delay triggers after 5 seconds.

 

Command Syntax

mac based authentication delay 0-300 seconds

 

Mac-based Authentication Hold-Period

When an AAA server rejects a MAC-based Authentication, a default hold period of 60 seconds occurs before the MAC-based Authentication retries again even if the host continues to send traffic. However, the hold-period can be configured manually using the mac based authentication hold period command.

 

Command Syntax

mac based authentication hold period 0-300 seconds

 

 

Note: Configuring a low value for the hold-period can significantly increase the load on a AAA server when MAC-based Authentication is not enabled for a host.

 

Dot1x Web Authentication FQDN Allowlist

When using dot1x captive portal authentication, supplicants receive the WEB-AUTH-START page to begin redirecting the HTTPS requests to a captive portal as a second step in the authentication process. The Dot1x Web Authentication Fully Qualified Domain Name (FQDN) Allowlist provides a list of FQDN masks that bypass the redirection and allows the supplicant to access URLs on these hosts before completing the second step of the authentication process.

The Dot1x Web Authentication captures the IP address that the supplicant attempts to access and performs a reverse DNS resolution to check if the FQDN matches an entry on the configured Allowlist.

802.1X AAA Unresponsive VLAN

Overview

Devices connected to 802.1X controlled ports must perform authentication before their generic traffic is allowed into the network. During this process, the switch contacts a configured AAA server that determines if the device’s access to the network is accepted or denied. When the AAA server is unresponsive, the default behavior is to deny all authentication attempts. The AAA Unresponsive VLAN feature allows the user to specify different behavior for this case, accepting authentication attempts and assigning devices to the native VLAN or a specified VLAN. As in other failure scenarios, the switch tries to authenticate the supplicant after the quiet period has passed.

Configuring 802.1X AAA Unresponsive VLAN

Configure the aaa unresponsive action traffic allow vlan command to enable the dot1x AAA unresponsive VLAN feature on the switch. When configured, the switch changes the action taken with authentication attempts when the AAA server becomes unresponsive. Unresponsiveness occurs when the AAA communication times out.

 

Example

These commands places the switch in the dot1x configuration mode and enables the dot1x AAA unresponsive VLAN feature on the switch.
switch(config)# dot1x
switch(config-dot1x)# aaa unresponsive action traffic allow vlan

 

Limitations

  • AAA unresponsive VLAN does not act on devices that tried to authenticate using VLAN-tagged frames.

     

  • When AAA unresponsive VLAN is enabled without a VLAN, devices get assigned to the native VLAN – even phones that would otherwise be assigned to the phone VLAN. If phones should be assigned to the phone VLAN when AAA is unavailable, the knob aaa unresponsive phone vlan action allow should be additionally used.

     

802.1X Web Authentication

The 802.1X Web authentication feature provides authentication for a supplicant through a Web page, referred to as a captive portal. Redirection to a captive portal provides support for guest devices or supplicants where 802.1X is not sufficient and an additional Web based authentication is required.

Configuring 802.1X Web Authentication

Use the following global command under the 802.1X node to enable the 802.1X Web authentication:

captive portal url URL][ssl profile profile]

Enabling the 802.1X Web authentication starts the redirection agent (Dot1xWeb) and the internal HTTP redirector. Then, 802.1X acts on the RADIUS web-auth-start VSAs. If specifying a URL, the URL redirects the authentication when AAA does not provide a specific URL. If providing a valid SSL profile, the 802.1X Web internal HTTPS redirector uses the configured certificate and key.

For ACL based Web Authentication, an additional parameter provides more functionality:
switch(config-dot1x)# captive portal access-list ipv4 test-ACL

 

An ACL can be defined locally on the switch and be configured to use for Web Authentication, for cases, when AAA is not able to send ACL with web auth = start.

Here are the details about the radius VSAs.
 
AttributeName Attribute ID Type Value
Arista-WebAuth 6 integer

start = 1

complete = 2

Arista-Captive-Portal 10 string any valid url

 

Show Commands

The show commands that display the state of a host includes the new values for WebAuth stage as well.

 

Example
switch(config)# show dot1x hosts
Interface: Ethernet36
Supplicant MAC     Auth Method     State               VLAN Id
--------------     -----------     -----               -------
00:1c:73:73:f9:38  MAC-BASED-AUTH  WEB-AUTH-START
00:1c:73:73:f9:39  MAC-BASED-AUTH  WEB-AUTH-FAILED

 

Limitations

The following limitations apply to the 802.1X feature.
  • Only one device per port is supported (MAC ACLs are not supported), connected in wired fashion.

     

  • HTTPS redirection is only attempted when the connection is to the default TCP port 443.

     

  • Limitations present in versions lower than RIO RELEASE.
    • HTTPS is not supported.

       

  • Limitations present in versions EOS Release 4.25.0 and 4.25.1:
    • There is no downloadable ACL support - only implicit ACL support is available. This might not suffice if there is a need to allow multiple intranet websites.
    • There is only support of one Captive portal at a time.

       

  • Limitations in version EOS Release 4.25.0:
    • IPv4 Management IP needs to be configured on the management interface. If the management ip address is changed, then captive portal configuration needs to be reconfigured.
    • SVI needs to be configured for the VLAN where the host is going to be after the first phase of authentication - be it EAPOL or MBA.

       

Configuring 802.1X Port Security

Basic steps to implementing 802.1X Port-based Network Access Control and RADIUS accounting on the switch:

  1. A RADIUS server is required on one or more of your network servers or management stations. 802.1X is not supported with the TACACS+ authentication protocol.
     
  2. You must create supplicant accounts on the RADIUS server:
    • The account for a supplicant connected to an authenticator port must have a username and password combination when set to the 802.1X authentication mode.
      • An account for the supplicant connected to an authenticator port and placed in the MAC address-based authentication mode needs use the MAC address of the node as both the username and password.
      • Connected clients to an 802.1X authenticator port will require 802.1X client software.

         

  3. The RADIUS client must be configured by entering the IP addresses and encryption keys of the authentication servers on your network.
     
  4. The port access control settings must be configured on the switch. This includes the following:
    • Specifying the port roles.
      • Configuring 802.1X port parameters.
        • Enabling 802.1X Port-based Network Access Control.

           

    Guidelines
    • Do not set a port that is connected to a RADIUS authentication server to the authenticator role as an authentication server cannot authenticate itself.

       

    • A supplicant connected to an authenticator port set to the 802.1X username and password authentication method must have 802.1X client software.

       

    • To prevent unauthorized individuals from accessing the network through unattended network workstations, end users of 802.1X port-based network access control should always log off when they are finished with a work session.

       

    • The RADIUS client should be configured on the switch before activating port-based access control.

       

Configuring 802.1X Authentication Methods

Configure external client authentication methods for IEEE 802.1X port security. Arista currently supports RADIUS authentication. Use the aaa authentication dot1x command to configure the switch to use a RADIUS server for client authentication.

 

Example

This command configures the switch to use RADIUS authentication.
switch(config)# aaa authentication dot1x default group radius
switch(config)#

 

Configuring Dot1x Dropped Counters

Use the statistics packets dropped command to configure the dot1x dropped counters on the switch in the dot1x configuration mode. By default, EOS turns off the dot1x dropped counters. The no form of the command disables them from the running configuration.

 

Example

These commands places the switch in the dot1x mode and enables the dot1x dropped counters.
switch(config-dot1x)# statistics packets dropped

 

Globally Enabling IEEE 802.1X

To enable IEEE 802.1X port authentication globally on the switch, use the dot1x system-auth-control command.

 

Example

This command enables IEEE 802.1X globally on the switch.
switch(config)# dot1x system-auth-control
switch(config)#

 

Designating Authenticator Ports

To set the port access entity (PAE) type of an Ethernet or management interface to the authenticator, use the dot1x pae authenticator command.

 

Example

These commands configure the PAE type to authenticator on the Ethernet interface 1 to enable IEEE 802.1X on the port.
switch(config)# interface ethernet 1
switch(config-if-Et1)# dot1x pae authenticator
switch(config-if-Et1)#

 

Example

For ports to act as authenticator ports to connected supplicants, those ports must be designated using the dot1x port-control command.

The auto option of the dot1x port-control command designates an authenticator port for immediate use, blocking all traffic that is not authenticated by the AAA server.

 

Example

This command configures Ethernet 1 to immediately begin functioning as an authenticator port.
switch(config)# interface ethernet 1
switch(config-if-Et1)# dot1x port-control auto
switch(config-if-Et1)#

 

The force-authorized option of the dot1x port-control command sets the state of the port to authorized without authentication, allowing traffic to continue uninterrupted.

 

Example

These commands designate Ethernet 1 as an authenticator port that forwards packets without authentication.
switch(config)# interface ethernet 1
switch(config-if-Et1)# dot1x port-controlforce-authorized
switch(config-if-Et1)#

 

To designate a port as an authenticator but prevent it from authorizing any traffic, use the force-unauthorized option of the dot1x port-control command.

 

Example

The force-unauthorized option of the dot1x port-control command places the specified port in the unauthorized state, which will deny any access requests from users of the ports.
switch(config)# interface ethernet 1
switch(config-if-Et1)# dot1x port-controlforce-authorized
switch(config-if-Et1)#

 

Specifying the Authentication Mode for Multiple Clients

By default, Arista switches authenticate in multi-host mode, allowing packets from any source MAC address once 802.1X authentication has taken place. To configure the switch for single-host mode (allowing traffic only from the authenticated clients MAC address), use the dot1x host-mode command.

 

Example

These commands configure Ethernet interface 1 to use single-host mode for 802.1X authentication.
switch(config)# interface Ethernet 1
switch(config-if-Et1)# dot1x host-mode single-host
switch(config-if-Et1)#

 

Configuring Re-authentication

The dot1x reauthentication command enables the authenticator ports to re-authenticate with the default values..

The dot1x timeout reauth-period command allows the customization of the re-authentication period of authenticator ports.

 

Examples
  • These commands configure the configuration mode interface to require re-authentication from clients at regular intervals.
    switch(config)# interface Ethernet 1
    switch(config-if-Eth)# dot1x reauthentication

     

  • These commands configure the Ethernet interface 1 authenticator to require re-authentication from clients every 6 hours (21600 seconds).
    switch(config)# interface Ethernet 1
    switch(config-if-Et1)# dot1x reauthentication
    switch(config-if-Et1)# dot1x timeout reauth-period 21600
    switch(config-if-Et1)#

     

  • These commands deactivate re-authentication on the Ethernet interface 1.
    switch(config)# interface Ethernet 1
    switch(config-if-Et1)# no dot1x reauthentication
    switch(config-if-Et1)#

     

Setting the EAP Request Maximum

The dot1x reauthorization request limit command configures the number of times the switch retransmits an 802.1X Extensible Authentication Protocol (EAP) request packet before ending the conversation and restarting authentication.

 

Example

These commands set the number of times the authenticator sends an EAP request packet to the client before restarting authentication.
switch(config)# interface ethernet 1
switch(config-if-Et1)# dot1x reauthorization request limit 4
switch(config-if-Et1)#

 

The default value is 2.

Disabling Authentication on a Port

To disable authentication on an authenticator port, use the no form of the dot1x port-control command.

 

Example

These commands disable authentication on Ethernet interface 1.
switch(config)# interface ethernet 1
switch(config-if-Et1)# no dot1x port-control
switch(config-if-Et1)#

 

Setting the Quiet Period

If the switch fails to immediately authenticate the client, the dot1x timeout quiet-period command specifies the time the switch waits before trying again. This timer also indicates how long a client that failed authentication is blocked.

 

Example

These commands set the 802.1X quiet period for Ethernet interface 1 to 30 seconds.
switch(config)# interface ethernet 1
switch(config-if-Et1)# dot1x timeout quiet-period 30

 

The default value is 60 seconds.

Setting the Dot1x Timeout Reauth-period

The dot1x timeout reauth-period command specifies the time period in seconds that the configuration mode interface waits before requiring re-authentication from clients.

 

Example

These commands configure the timeout reauth-period to 21600 seconds.
switch(config)# interface Ethernet 1
switch(config-if-Et1)# dot1x reauthentication
switch(config-if-Et1)# dot1x timeout reauth-period 21600

 

The default value is 3600 seconds.

Setting the Transmission Timeout

The authenticator sends an Extensible Authentication Protocol (EAP) request to the supplicant, and the supplicant sends a response that the authenticator forwards to an authentication server. If the authenticator doesn't receive a reply to the EAP request, it waits a specified time before retransmitting the request. To configure the wait time, use the dot1x timeout tx-period command.

 

Example

These commands configure Ethernet interface 1 to wait 30 seconds before retransmitting EAP requests to the supplicant.
switch(config)# interface Ethernet 1
switch(config-if-Et1)# dot1x timeout tx-period 30
switch(config-if-Et1)#

 

The default value is 5 seconds.

Enabling Authentication Failure VLAN

Configure Authentication Failure VLAN on a dot1x-enabled port using the dot1x authentication failure action traffic allowCLI command under the interface-config mode. Set VLAN10 as authentication failure VLAN:

switch(config-if-Et1/1)# dot1x authentication failure action traffic allow vlan 10

 

When configuring a VLAN with no authentication failure VLAN on a dot1x-enabled port, the default action drops any unauthorized traffic on the port. This behavior can also be specified using the following command:

 

Example

switch(config-if-Et1/1)# dot1x authentication failure action traffic drop

 

802.1X Guest VLANs

802.1X provides a guest VLAN that allows access to hosts unable to communicate over EAPoL and then perform actions to become EAPoL capable. Then, the host can move out of the guest VLAN. A typical use case includes situations where hosts perform PXE booting and become capable of responding to EAPoL requests.

Note: You cannot configure Guest VLANs and MBA on the same network.

Example

To configure a guest VLAN on Ethernet6/1 and VLAN 25, use the following commands:

switch(config)#interface Ethernet6/1
switch(config-if-Et6/1)#dot1x
switch(config-dot1x)#eapol unresponsive action traffic allow vlan 25

Disable the feature on an interface and override the global configuration:

switch(config-dot1x)#eapol unresponsive action traffic disable 

Clearing 802.1X Statistics

The clear dot1x statistics command resets the 802.1X counters.

 

Examples
  • This command clears the 802.1X counters on all interfaces.
    switch# clear dot1x statistics all
    switch#

     

  • This command clears the 802.1X counters on Ethernet interface 1.
    switch# clear dot1x statistics interface ethernet 1
    switch#

     

Configuring Dot1x Web Authentication FQDN Allowlist

Use the following command to add a hostname to the captive portal redirection bypass list:

switch(config)#dot1x
switch(config-dot1x)#captive-portal bypass fqdn_wildcard

Repeat the configuration statement to add more FQDNs to the list. The wildcard * can be used once at the start of the FQDN and must be followed by a dot, for example *.myfqdn.com.

Example

Use the following commands to add the FQDN, *.mycompany.com to the FQDN Allowlist:

switch(config)#dot1x
switch(config-dot1x)#captive-portal bypass *.mycompany.com
Clearing Dot1x Captive Portal Resolutions

Use the clear dot1x captive-portal resolutions command to clear all reverse DNS entries and active bypass and redirect decisions.

switch#clear dot1x captive portal resolutions
Displaying Dot1x Web Authentication FQDN Allowlist Information

Use the show captive-portal bypass command to display the active bypass entries:

switch#show captive-portal bypass
Captive portal bypass:
*.eng.mycompany.com matched by 10.0.1.3, 1.0.2.4
web5.it.mycompany.com matched by 10.0.5.7

Use the show captive-portal resolutions command to display all reverse DNS resolution entries in use by the captive portal, including redirected IP addresses.

switch#show dot1x captive-portal resolutions
  Address         Hostnames                       Expiration
--------------- ------------------------- -------------------
 1.0.2.4         www1.eng.mycompany.com    2033-05-17 20:33:20
 10.0.5.7        web4.it.mycompany.com     2033-05-17 20:33:23
                 web5.it.mycompany.com
 10.10.1.3       -                      2033-05-17 20:33:26
 10.20.1.3       (pending)
 80.0.6.3        www1.eng.mycompany.com    2033-05-17 20:33:21

Displaying 802.1X Information

You can display information about 802.1X on the switch and on individual ports.

Displaying 802.1X statistics

Use the show dot1x statistics command to display 802.1X statistics for the specified port or ports.

 

Example
  • This command displays IEEE 802.1X statistics for Ethernet interface 5.
    switch# show dot1x interface ethernet 5 statistics
    Dot1X Authenticator Port Statistics for Ethernet5
    -------------------------------------------------
    RxStart = 0      RxLogoff = 0    RxRespId = 0
    RxResp = 0       RxInvalid = 0   RxTotal = 0
    TxReqId = 0      TxReq = 0       TxTotal = 0
    RxVersion = 0    LastRxSrcMAC = 0000.0000.0000
    switch#

     

  • This command displays the dot1x dropped counters for all the dot1x interfaces.
    switch# show dot1x all statistics
    Dot1X Authenticator Port Statistics for Ethernet51/1
    -------------------------------------------------
    RX start = 1     RX logoff = 0   RX response ID = 1
    RX response = 10         RX invalid = 0  RX total = 12
    TX request ID = 2        TX request = 11         TX total = 13
    RX version = 2   Last RX src MAC = ded6.404b.ec94
    Data packet drop counters:
    EAPOL unauthorized port = 2
    EAPOL unauthorized host = 1
    MBA unauthorized host = 0
    
    Dot1X Authenticator Port Statistics for Ethernet49
    -------------------------------------------------
    RX start = 1     RX logoff = 0   RX response ID = 1
    RX response = 10         RX invalid = 0  RX total = 12
    TX request ID = 2        TX request = 11         TX total = 13
    RX version = 2   Last RX src MAC = ded6.404b.ec94
    Data packet drop counters:
    EAPOL unauthorized port = 2
    EAPOL unauthorized host = 1
    MBA unauthorized host = 0

     

Displaying 802.1X supplicant information

Use the show dot1x hosts command to display information for all the supplicants.

 

Example

This command displays 802.1X supplicant information.
switch# show dot1x hosts
    Interface: Ethernet1/1
    Supplicant MAC       Auth Method      State     VLAN Id
    --------------       -----------      -----     -------
    e2:29:cb:11:2f:4a    EAPOL            SUCCESS   300
    e2:29:cb:11:2f:4b    MAC-BASED-AUTH   SUCCESS   300

 

Displaying MAC Address Tables

Use the show mac address-table command to display the MAC address of the supplicants allowed to pass the traffic through the port.

 

Example

switch# show mac address-table
    Mac Address Table
    ------------------------------------------------------------------
    
    Vlan    Mac Address       Type        Ports      Moves   Last Move
    ----    -----------       ----        -----      -----   ---------
    300     e229.cb11.2f4a    STATIC      Et1/1
    300     e229.cb11.2f4b    STATIC      Et1/1
    Total Mac Addresses for this criterion: 2

 

Displaying Port Security Configuration Information

The show dot1x command shows information about the 802.1X configuration on the specified port or ports.

 

Example

This commands displays IEEE 802.1X configuration information for Ethernet interface 5.
switch# show dot1x interface ethernet 5
Dot1X Information for Ethernet5
--------------------------------------------
PortControl             : auto
QuietPeriod             : 60 seconds
TxPeriod                : 5 seconds
ReauthPeriod            : 3600 seconds
MaxReauthReq            : 2
switch#

 

Displaying the Status of the 802.1X Attributes for each Port

Use the show dotx1 interface interface-id command to display the status of the 802x1 attributes for each port.

 

Example
switch(config-if-Et1/1)# show dot1x interface ethernet1/1
       Dot1X Information for Ethernet1
       --------------------------------------------
       PortControl             : force-authorized
       HostMode                : multi-host
       QuietPeriod             : 60 seconds
       TxPeriod                : 5 seconds
       ReauthPeriod            : 0 seconds
       MaxReauthReq            : 2
       ReauthTimeoutIgnore     : No
       AuthFailVlan            : 10

 

Displaying 802.1X Information for all Ports

Use the show dot1x all brief command to display IEEE 802.1X status for all ports.

 

Example

The following commands display a summary of IEEE 802.1X status.
switch# show dot1x all brief
Interface   Client   Status
----------  -------- -------------
Ethernet5   None     Unauthorized
switch#

 

Displaying VLANS

Use the show vlan command to display dynamically assigned VLANs on the port.

 

Example

switch# show vlan
    VLAN  Name          Status    Ports
    ----- ------------- --------- ----------------------------------
    1     default        active
    2     VLAN0002       active    Et7, Et17, Et18, Et41
    300*  VLAN0300       active    Et1/1, Et6, Et19, Et20, Et29
                                   Et30, Et31, Et32, Et42, Et43, Et44

* indicates a Dynamic VLAN

 

Displaying EAPOL Fallback to MBA Authentication and MBA Timeout Information

Use the show dotx1 interface interface ID details command to display information about the EAPOL fallback to MBA authentication and MBA timeout details.

 

Example
switch(config-if-Et1)# show dot1x interface Ethernet1 details
Dot1X Information for Ethernet1
--------------------------------------------
Port control: auto
Host mode: multi-host authenticated
Quiet period: 60 seconds
TX period: 5 seconds
Maximum reauth requests: 2
Ignore reauth timeout: No
Auth failure VLAN: 101
Unauthorized access VLAN egress: Yes
Unauthorized native VLAN egress: Yes
EAPOL: enabled
MAC-based authentication: disabled
EAPOL authentication failure fallback: MBA, timeout 200 seconds
  
Dot1X Authenticator Client
   
Port status: Authorized
Supplicant MAC  Reauth Period (in seconds)
--------------  --------------------------
0022.0100.0001  120

 

802.1X Port Security Commands

aaa unresponsive action traffic allow vlan

The aaa unresponsive action traffic allow vlan enables the the dot1x AAA unresponsive VLAN feature on the switch.

The no aaa unresponsive action traffic allow vlan command disbales the dot1x AAA unresponsive VLAN feature from the running-config.

 

Command Mode

Dot1x Configuration Mode

 

Command Syntax

aaa unresponsive action traffic allow vlan VLAN-ID

no unresponsive action traffic allow vlan

 

Parameters

  • unresponsive Configure AAA timeout options.
  • action Set action for supplicant when AAA times out.
  • traffic Set action for supplicant traffic when AAA times out.
  • allow Allow traffic when AAA times out.
  • vlan Allow traffic in VLAN when AAA times out.
  • VLAN-ID Identifier for a Virtual LAN. Value ranges from 1 to 4094.

     

Example

These commands places the switch in the dot1x configuration mode and enables the dot1x AAA unresponsive VLAN feature on the switch.
switch(config)# dot1x
switch(config-dot1x)# aaa unresponsive action traffic allow vlan 50

captive portal

The captive portal command enables the 802.1X Web Authentication on the switch.

The no captive portal command removes the 802.1X Web Authentication configuration from the running-config.

 

Command Mode

Dot1x Configuration Mode

 

Command Syntax

captive portal url URL ssl profile profile access-list ipv4 ACL name bypass fqdn_wildcard

no captive portal url URL ssl profile profile access-list ipv4 ACL name bypass fqdn_wildcard

 

Parameters
  • url - Configure captive portal URL.
  • ssl - Configure SSL related option.
  • access-list - Configure access control list.
  • bypass - Configure Fully Qualified Domain Names (FQDN) for the redirection bypass list.

     

Examples
  • This command enables 802.1X Web Authentication on the switch.
    switch(config)# dot1x
    switch(config-dot1x)# captive portal ssl profile test-ssl_profile

     

  • This command enables the ACL based Web authentication.
    switch(config)# dot1x
    switch(config-dot1x)# captive portal access-list ipv4 test-ACL

     

  • This command enables captive portal bypass redirection with the FQDN, www.mycompany.com.
    switch(config)# dot1x
    switch(config-dot1x)# captive portal bypass www.mycompany.com

     

clear dot1x statistics

The clear dot1x statistics command resets the 802.1X counters on the specified interface or all interfaces.

 

Command Mode

Privileged EXEC

 

Command Syntax

clear dot1x statistics INTERFACE_NAME

 

Parameters
INTERFACE_NAME Interface type and number. Options include:
  • all Display information for all interfaces.
  • interface ethernet e_num Ethernet interface specified by e_num.
  • interface loopback l_num Loopback interface specified byl_num.
  • interface management m_num Management interface specified by m_num.
  • interface port-channel p_num Port-Channel Interface specified by p_num.
  • interface vlan v_num VLAN interface specified by v_num.

     

Example

This command resets the 802.1X counters on all interfaces.
switch# clear dot1x statistics all
switch#

dot1x eapol

The dot1x eapol command places the switch into 802.1X Configuration Mode and configures the EAPoL actions for Guest VLAN access. The [no | default] options reverts the configuration to match the global configuration.

Command Mode

Dot1x Configuration Mode

Command Syntax

dot1x eapol unresponsive action traffic allow vlan vlan_id

Parameters

  • eapol - Configure Dot1x EAPOL attributes.
  • unresponsive - Configure unresponsive hosts.
  • action - Configure the action in case of EAPOL unresponsive hosts.
  • traffic - Configure the traffic action in case of EAPOL unresponsive hosts.
  • allow - Allow traffic in case of EAPOL unresponsive hosts.
  • vlan vlan_id - Specify the VLAN to allow traffic in case of EAPOL unresponsive hosts.

Example

To configure a guest VLAN on Ethernet6/1 and VLAN 25, use the following commands:

switch(config)#interface Ethernet6/1
switch(config-if-Et6/1)#dot1x
switch(config-dot1x)#eapol unresponsive action traffic allow vlan 25

dot1x mac based authentication

The dot1x mac based authentication command enables MAC-based authentication on the existing 802.1X authenticator port.

The no dot1x mac based authentication and the default dot1x mac based authentication commands restore the switch default by disabling the corresponding dot1x mac based authentication command for the specific 802.1X authenticator port.

 

Command Mode

Interface-Ethernet Configuration

 

Command Syntax

dot1x mac based authentication

no dot1x mac based authentication

default dot1x mac based authentication

 

Related Command

show dot1x hosts

 

Example

These commands configure MAC-based authentication on Ethernet interface 1.
switch(config)# interface ethernet 1
switch(config-if-Et1)# dot1x mac based authentication
switch(config-if-Et1)#

dot1x mac based authentication delay

The dot1x mac based authentication delay command enables MAC-based authentication delay. By default, the delay is triggered after 5 seconds.

The no dot1x mac based authentication delay and the default dot1x mac based authentication delay commands restore the switch default by disabling the corresponding dot1x mac based authentication delay command.

 

Command Mode

Dot1x Configuration

 

Command Syntax

dot1x mac based authentication delay delay-time seconds

no dot1x mac based authentication delay

default dot1x mac based authentication delay

 

Parameters
  • delay-time Delay in seconds. The value is from 0 to 300.
  • seconds Unit in seconds.

     

Example

These commands configure a MAC-based authentication delay of 30 seconds on a switch.
switch(config)# dot1x
switch(config-dot1x)# mac based authentication delay 30 seconds

dot1x mac based authentication hold period

The dot1x mac based authentication hold period command enables MAC-based authentication hold period. By default, the hold period is 60 seconds.

The no dot1x mac based authentication hold period and the default dot1x mac based authentication hold period commands restore the switch default by disabling the corresponding dot1x mac based authentication hold period command.

 

Command Mode

Dot1x Configuration

 

Command Syntax

dot1x mac based authentication hold period hold period-time seconds

no dot1x mac based authentication hold period

default dot1x mac based authentication hold period

 

Parameters
  • hold period-time Hold period in seconds. The value is from 1 to 300 in seconds.
  • seconds Unit in seconds.

 

Example

These commands configure a MAC-based authentication hold period of 100 seconds on a switch.
switch(config)# dot1x
switch(config-dot1x)# mac based authentication hold period 100 seconds

dot1x pae authenticator

The dot1x pae authenticator command sets the port access entity (PAE) type of the configuration mode interface to authenticator, which enables IEEE 802.1X on the port. EOS disables IEEE 802.1X on all ports by default.

The no dot1x pae authenticator and default dot1x pae authenticator commands restore the switch default by deleting the corresponding dot1x pae authenticator command from running-config.

 

Command Mode

Interface-Ethernet Configuration

Interface-Management Configuration

 

Command Syntax

dot1x pae authenticator

no dot1x pae authenticator

default dot1x pae authenticator

 

Examples
  • These commands configure interface ethernet 2 as a port access entity (PAE) authenticator, enabling IEEE 802.1X on the port.
    switch(config-if-Et1)# interface ethernet 2
    switch(config-if-Et1)# dot1x pae authenticator
    switch(config-if-Et1)#

     

  • These commands disable IEEE 802.1X authentication on interface ethernet 2.
    switch(config-if-Et1)# interface ethernet 2
    switch(config-if-Et1)# no dot1x pae authenticator
    switch(config-if-Et1)#

dot1x reauthentication

The dot1x reauthentication command configures the configuration mode interface to require re-authentication from clients at regular intervals. Use the dot1x timeout reauth-period command to set the interval.

The no dot1x reauthentication and default dot1x reauthentication commands restore the default setting by deleting the corresponding dot1x reauthentication command from running-config.

 

Command Mode

Interface-Ethernet Configuration

Interface-Management Configuration

 

Command Syntax

dot1x reauthentication

no dot1x reauthentication

default dot1x reauthentication

 

Example

These commands configure the interface Ethernet 1 authenticator to require periodic re-authentication from clients.
switch(config)# interface Ethernet 1
switch(config-if-Et1)# dot1x reauthentication
switch(config-if-Et1)#

dot1x reauthorization request limit

The dot1x reauthorization request limit command configures how often the switch retransmits an 802.1X Extensible Authentication Protocol (EAP) request packet before ending the conversation and restarting authentication.

The no dot1x reauthorization request limit and default dot1x reauthorization request limit commands restore the default value of 2 by deleting the corresponding dot1x reauthorization request limit command from running-config.

 

Command Mode

Interface-Ethernet Configuration

Interface-Management Configuration

 

Command Syntax

dot1x reauthorization request limit attempts

no dot1x reauthorization request limit

default dot1x reauthorization request limit

 

Parameter

attempts Maximum number of attempts. Values range from 1 to 10; default value is 2.

 

Examples
  • This command sets the 802.1X EAP-request retransmit limit to 6.
    switch(config)# interface ethernet 1 
    switch(config-if-Et1)# dot1x reauthorization request limit 6
    switch(config-if-Et1)#

     

  • This command restores the default request repetition value of 2.
    switch(config)# interface ethernet 1 
    switch(config-if-Et1)# no dot1x reauthorization request limit
    switch(config-if-Et1)#

     

dot1x system-auth-control

The dot1x system-auth-control command enables 802.1X authentication on the switch.

The no dot1x system-auth-control and default dot1x system-auth-control commands disables 802.1X authentication by removing the dot1x system-auth-control command from running-config.

 

Command Mode

Global Configuration

 

Command Syntax

dot1x system-auth-control

no dot1x system-auth-control

default dot1x system-auth-control

 

Examples
  • This command enables 802.1X authentication on the switch.
    switch(config)# dot1x system-auth-control
    switch(config)#

     

  • This command disables 802.1X authentication on the switch.
    switch(config)# no dot1x system-auth-control
    switch(config)#

dot1x timeout quiet-period

If the switch fails to immediately authenticate the client, the switch waits a specified time configured with thedot1x timeout quiet-period command. This timer also indicates the blocked time for a client with failed authentication.

The no dot1x timeout quiet-period and default dot1x timeout quiet-period commands restore the default quiet period of 60 seconds by removing the corresponding dot1x timeout quiet-period command from running-config.

 

Command Mode

Interface-Ethernet Configuration

Interface-Management Configuration

 

Command Syntax

dot1x timeout quiet-period quiet_time

no dot1x timeout quiet-period

default dot1x timeout quiet-period

 

Parameter

quiet_time Interval in seconds. Values range from 1 to 65535. Default value is 60.

 

Example

These commands set the 802.1X quiet period for Ethernet interface 1 to 30 seconds.
switch(config)# interface Ethernet 1
switch(config-if-Et1)# dot1x timeout quiet-period 30
switch(config-if-Et1)#

dot1x timeout reauth-period

The dot1x timeout reauth-period command specifies the time period that the configuration mode interface waits before requiring re-authentication from clients.

The no dot1x timeout reauth-period and default dot1x timeout reauth-period commands restore the default period of 60 minutes by removing the corresponding dot1x timeout reauth-period command from running-config.

 

Command Mode

Interface-Ethernet Configuration

Interface-Management Configuration

 

Command Syntax

dot1x timeout reauth-period reauth_time

no dot1x timeout reauth-period

default dot1x timeout reauth-period

 

Parameter

reauth_time The number of seconds the interface passes traffic before requiring re-authentication. Values range from 1 to 65535. Default value is 3600.

 

Example

These commands configure the interface Ethernet 1 authenticator to require re-authentication from clients every 6 hours (21600 seconds).
switch(config)# interface Ethernet 1
switch(config-if-Et1)# dot1x reauthentication
switch(config-if-Et1)# dot1x timeout reauth-period 21600
switch(config-if-Et1)#

dot1x timeout tx-period

The authenticator establishes authentication and re-authentication by sending Extensible Authentication Protocol (EAP) requests to the supplicant, and the supplicant sends a reply which the authenticator forwards to an authentication server. If the authenticator does not receive a reply to the EAP request, it waits a specified time before retransmitting the request. The dot1x timeout tx-period command configures the wait time.

The no dot1x timeout tx-period and default dot1x timeout tx-period commands restore the default wait time by removing the corresponding dot1x timeout tx-period command from running-config.

 

Command Mode

Interface-Ethernet Configuration

Interface-Management Configuration

 

Command Syntax

dot1x timeout tx-period tx_time

no dot1x timeout tx-period

default dot1x timeout tx-period

 

Parameter

tx_time Values range from 1 to 65535. Default value is 5.

 

Example

These commands configure interface Ethernet 1 to wait 30 seconds before retransmitting EAP requests to the supplicant.
switch(config)# interface Ethernet 1
switch(config-if-Et1)# dot1x timeout tx-period 30
switch(config-if-Et1)#

dot1x host-mode

When multiple clients are connected to an Ethernet interface providing 802.1X authentication, the port can accept packets from all MAC addresses once the supplicant has been authenticated (multi-host mode), or it can accept only those packets originating from the MAC address of the authenticated client (single-host mode) or ultiple authenticated clients (multi-host authenticated mode) . The dot1x host-mode command specifies the host mode for authentication of multiple clients on the configuration mode interface.

The no dot1x host-mode and default dot1x host-mode commands restore the switch default (multi-host mode) by removing the corresponding dot1x host-mode command for the configuration mode interface.

 

Command Mode

Interface-Ethernet Configuration

 

Command Syntax

dot1x host-mode [multi-host | single-host | multi-host authenticated]

no dot1x host-mode

default dot1x host-mode

 

Parameters
  • multi-host Configures the interface to use multi-host mode (the default).
  • single-host Configures the interface to use single-host mode.
  • multi-host authenticated Configures the interface to use multi-host authenticated mode.

     

Example

These commands configure interface Ethernet 1 to use single-host mode for 802.1X authentication.
switch(config)# interface ethernet 1
switch(config-if-Et1)# dot1x host-mode single-host
switch(config-if-Et1)#

dot1x port-control

The dot1x port-control command configures the configuration mode interface as an authenticator port and specifies whether it will authenticate traffic.

The no dot1x port-control and default dot1x port-control commands configure the port to pass traffic without authorization by removing the corresponding dot1x port-control command from running-config.

 

Command Mode

Interface-Ethernet Configuration

Interface-Management Configuration

 

Command Syntax

dot1x port-control STATE

no dot1x port-control

default dot1x port-control

 

Parameters
STATE Specifies whether the interface will authenticate traffic. The default value is force-authorized. Options include:
  • auto Configures the port to authenticate traffic using Extensible Authentication Protocol messages.
  • force-authorized Configures the port to pass traffic without authentication.
  • force-unauthorized Configures the port to block all traffic regardless of authentication.

     

Examples
  • These commands configure interface Ethernet 1 to pass traffic without authentication. This is the default setting.
    switch(config)# interface Ethernet 1
    switch(config-if-Et1)# dot1x port-control force-authorized
    switch(config-if-Et1)#

     

  • These commands configure interface Ethernet 1 to block all traffic.
    switch(config)# interface Ethernet 1
    switch(config-if-Et1)# dot1x port-control force-unauthorized
    switch(config-if-Et1)#

     

  • These commands configure interface Ethernet 1 to authenticate traffic using EAP messages.
    switch(config)# interface Ethernet 1
    switch(config-if-Et1)# dot1x port-control auto
    switch(config-if-Et1)#

show dot1x all brief

The show dot1x all brief command displays the IEEE 802.1X status for all ports.

 

Command Mode

EXEC

 

Command Syntax

show dot1x all brief

 

Example

This command displays the IEEE 802.1X status.
switch# show dot1x all brief
Interface           Client          Status
-------------------------------------------------
Ethernet5           None            Unauthorized
switch#

show dot1x hosts

The show dot1x hosts command displays 802.1X information for all the supplicants.

 

Command Mode

EXEC

 

Command Syntax

show dot1x hosts [ethernet]

 

Parameter

ethernet e_num Ethernet interface specified by e_num.

 

Examples

  • This command displays 802.1X information for all the supplicants.
    switch# show dot1x hosts
    Legend:
    * - Statically configured VLAN                                                                            
    Port      Supplicant MAC Username           Auth  State         Fallback       VLAN   VLAN Name 
    --------- -------------- —----------------- ----- ------------- -------------- ------ —--------
    Et1/4     36d4.b67b.67c6 user101            EAPOL SUCCESS       NONE            123   DATA
    Et2/4     36d4.b67b.67c7 user102            EAPOL SUCCESS       NONE            124   VLAN0124
    Et1/4     36d4.b67b.68e3 36:d4:b6:7b:68:e3  MBA   SUCCESS       NONE            1*    default

     

  • Use the following command to display 802.1X details for an interface:

    switch# show dot1x hosts interface Ethernet2/4 detail
                                   
    Supplicant: user1 (36d4.b67b.67c8)
    Operational: 
    Supplicant MAC: 36d4.b67b.67c8 
    Supplicant IP: 192.168.1.4 sourceLldp 
    User name: user1 
    Interface: Ethernet2/4 
    Authentication method: EAPOL 
    Supplicant state: SUCCESS 
    Fallback Applied: AUTH-FAIL-VLAN 
    Reauthentication behaviour: DO-NOT-RE-AUTH 
    Reauthentication interval: 0 seconds 
    VLAN ID: 200 (static) 
    VLAN Name: VLAN0200 
    Device type: Phone 
    Accounting-Session-Id: 1x00000005 
    Captive portal:
                    
    AAA Server Returned: 
    Arista-WebAuth: 
    Filter-Id: WEB-AUTH-ACL 
    NAS-Filter-Rule: permit in ip from 11.0.0.0/8 to 12.0.0.0/8 
                     deny in ip from 10.1.0.0/16 to 20.1.0.0/16 
    Session-Timeout: 28800 seconds
    Idle-Timeout: 200 seconds

     

show dot1x statistics

The show dot1x statistics command displays 802.1X statistics for the specified port or ports.

 

Command Mode

EXEC

 

Command Syntax

show dot1x INTERFACE_NAME statistics

 

Parameters
  • INTERFACE_NAME Interface type and number. Options include:
    • all Display information for all interfaces.
    • ethernet e_num Ethernet interface specified by e_num.
    • loopback l_num Loopback interface specified by l_num.
    • management m_num Management interface specified by m_num.
    • port-channel p_num Port-Channel Interface specified by p_num.
    • vlan v_num VLAN interface specified by v_num.

       

  • Output Fields
    • RxStartNumber of EAPOL-Start frames received on the port.
    • TxReqIdNumber of EAP-Request/Identity frames transmitted on the port.
    • RxVersionVersion number of the last EAPOL frame received on the port.
    • RxLogoffNumber of EAPOL-Logoff frames received on the port.
    • RxInvalidNumber of invalid EAPOL frames received on the port.
    • TxReqNumber of transmitted EAP-Request frames that were not EAP-Request/Identity.
    • LastRxSrcMAC The source MAC address in the last EAPOL frame received on the port.
    • RxRespId The number of EAP-Response/Identity frames received on the port.
    • RxTotal The total number of EAPOL frames transmitted on the port.
    • TxTotal The total number of EAPOL frames transmitted on the port.

       

Example

This command displays the 802.1X statistics for interface ethernet 5.
switch# show dot1x interface ethernet 5 statistics
Dot1X Authenticator Port Statistics for Ethernet5
-------------------------------------------------
RxStart = 0      RxLogoff = 0    RxRespId = 0
RxStart= 0       RxInvalid = 0   RxTotal = 0
TxReqId = 0      TxReq = 0       TxTotal = 0
RxVersion = 0    LastRxSrcMAC = 0000.0000.0000
switch#

show dot1x

The show dot1x command displays 802.1X information for the specified interface.

 

Command Mode

EXEC

 

Command Syntax

show dot1x INTERFACE_NAME INFO

 

Parameters
  • INTERFACE_NAME Interface type and number. Options include:
    • all Display information for all interfaces.
    • ethernet e_num Ethernet interface specified by e_num.
    • loopback l_num Loopback interface specified by l_num.
    • management m_num Management interface specified by m_num.
    • port-channel p_num Port-Channel Interface specified by p_num.
    • vlan v_num VLAN interface specified by v_num.

       

  • INFO Type of information the command displays. Values include:
    • no parameter displays summary of the specified interface.
    • detail displays all 802.1X information for the specified interface.

       

Examples
  • This command displays 802.1X summary information for interface ethernet 5.
    switch# show dot1x interface ethernet 5
    Dot1X Information for Ethernet5
    --------------------------------------------
    PortControl             : auto
    QuietPeriod             : 60 seconds
    TxPeriod                : 5 seconds
    ReauthPeriod            : 3600 seconds
    MaxReauthReq            : 2
    switch#

     

  • This command displays detailed 802.1X information for interface ethernet 5.
    switch# show dot1x interface ethernet 5 detail
    Dot1X Information for Ethernet5
    --------------------------------------------
    PortControl             : auto
    QuietPeriod             : 60 seconds
    TxPeriod                : 5 seconds
    ReauthPeriod            : 3600 seconds
    MaxReauthReq            : 2
    
    Dot1X Authenticator Client
    
    Port Status             : Unauthorized
    switch#

     

show dot1x captive-portal bypass

The show dot1x captive-portal bypass command displays information about dot1x captive portal bypass configurations.

 

Command Mode

EXEC

 

Command Syntax

show dot1x captive-portal bypass address [ipv4 | ipv6]

 

Parameters

  • [ipv4 | ipv6] - Display dot1x captive portal bypass information for a specific IP address.

 

Use the following command to display information about dot1x captive portal bypass entries:

switch#show captive-portal bypass 
Captive portal bypass:
*.eng.mycompany.com matched by 10.0.1.3, 1.0.2.4
web5.it.mycompany.com matched by 10.0.5.7

show dot1x captive-portal resolutions

The show dot1x captive-portal resolutions command displays information for all reverse DNS resolution entries in use by the captive portal.

 

Command Mode

EXEC

 

Command Syntax

show dot1x captive-portal resolutions address [ipv4 | ipv6]

 

Parameters

  • [ipv4 | ipv6] - Display dot1x captive portal resolutions information for a specific IP address.

The table displays the following information:

  • Address - Displays the IP address the supplicant attempted to access and used to find the hostname through reverse DNS.
  • Hostnames - Displays the hostnames reported by the DNS server. The entry displays pending if the resolution has not completed, and - if the resolution completed but no hostname found or if the resolution timed out.
  • Expiration - The DNS server provided a valid resolution and provided a time-to-live (TTL) before updating the resolution.

 

Use the following command to display information about dot1x captive portal resolution entries:

switch#show dot1x captive-portal resolutions 
   Address         Hostnames                       Expiration
--------------- ------------------------- -------------------
   1.0.2.4         www1.eng.arista.com    2033-05-17 20:33:20
   10.0.5.7        web4.it.arista.com     2033-05-17 20:33:23
   web5.it.mycompany.com
   10.10.1.3       -                      2033-05-17 20:33:26
   10.20.1.3       (pending)
   80.0.6.3        www1.eng.mycompany.com 2033-05-17 20:33:21

statistics packets dropped

The statistics packets droppedcommand to configure the dot1x dropped counters on the switch in the dot1x configuration mode. By default, EOS disable the dot1x dropped counters. The no form of the command disables the dot1x dropped counters from the running configuration.

The no statistics packets dropped command disables the dot1x dropped counters from the running configuration.

 

Command Mode

Dot1x Configuration

 

Command Syntax

statistics packets dropped

no statistics packets dropped

 

Example

These commands places the switch in the dot1x mode and enables the dot1x dropped counters.
switch(config-dot1x)# statistics packets dropped