Access SD-WAN Edges Using Key-based Authentication
This section details how to enable key-based authentication, add SSH keys, and access Edges more securely. Secure Shell (SSH) key-based authentication is a secure and robust method of accessing VeloCloud Edges. It provides strong, encrypted verification and communication between users and Edges. SSH keys remove the need to enter login credentials manually and automate secure access to Edges.
- Configure privileges for a user to access Edges securely. You must choose the user's basic access level. You can configure the access level when you create a new user and modify it at a later point in time. Ensure that you have the Super User role to modify the access level for a user. See the following topics:
- Add New User <cite>Arista VeloCloud SASE Global Settings Guide</cite>
- API Token <cite>Arista VeloCloud SASE Global Settings Guide</cite>
- Generate a new pair of SSH keys or import an existing SSH key. See Add SSH Key.
- Enable key-based authentication to access Edges. See Enable Secure Edge Access for an Enterprise.
Add SSH Key
Key-based authentication to access Edges generates a pair of SSH keys: Public and Private.
The database stores the public key and shares it with the Edges. Your computer holds the private key, and you use this key along with the SSH username to access Edges. You can generate only one pair of SSH keys at a time. If you need to add a new pair of SSH keys, delete the existing pair and then generate a new one. If a previously generated private key is lost, you cannot recover it from the Orchestrator. You must delete the key and then add a new key to regain access. For details about how to delete SSH keys, see Revoke SSH Keys.
Users can perform the following actions based on their roles. After you add an SSH key, ensure that you enable secure Edge access for the Enterprise and switch the authentication mode from Password-based to Key-based. See Enable Secure Edge Access for an Enterprise.
- All users, except those with Operator Business or Business Specialist account roles, can create and revoke SSH keys for themselves.
- Operator Super users can manage SSH keys of other Operator users, Partner users, and Enterprise users, if the Partner user and Enterprise user have delegated user permissions to the Operator.
- Partner Super users can manage SSH keys of other Partner users and Enterprise users, if the Enterprise user has delegated user permissions to the Partner.
- Enterprise Super users can manage the SSH keys of all the users within that Enterprise.
- Super users can only view and revoke the SSH keys of other users.
- In the Enterprise portal, click the User icon that appears at the top-right side of the window. The User Information panel appears.
- Click Add SSH Key. The Add SSH Key pop-up window appears.
- Select one of the following options to add the SSH key:
- Generate Key: This option generates a new pair of public and private SSH keys. The generated private key is downloaded automatically. By default, the generated SSH key is in a .pem file. If you are using a Windows operating system, ensure that you convert the file format from .pem to .ppk and then import the key. For instructions to convert .pem to .ppk, see Convert Pem to PpK File Using PuTTYgen.
- Import Key: Use this option to paste or enter the public key if you already have a pair of SSH keys.
- In the PassPhrase field, you can enter a unique passphrase to further safeguard the private key stored on your computer.
Note: This optional field is available only if you selected the Generate Key option.
- In the Duration drop-down list, select the number of days after which the SSH key expires.
- Click Add Key.
Next steps:
Ensure you enable secure Edge access for the Enterprise and switch the authentication mode from Password-based to Key-based. See Enable Secure Edge Access for an Enterprise.
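Before pasting a key into the Import Key option, it is worth checking that the line really is a well-formed OpenSSH public key and not the private key from the .pem file (a common paste mistake). The following is an added example written for this page, not Orchestrator or VeloCloud code. It assumes that Import Key expects a standard one-line OpenSSH public key (`<type> <base64> [comment]`); the key algorithms the Orchestrator accepts are not stated on the page, so `ALLOWED_TYPES` is an assumption, and the sample key bytes are a constructed placeholder pattern, not a real key.

```python
"""Check an OpenSSH public key line before pasting it into Import Key.

Added example for this page; not VeloCloud/Orchestrator code. It assumes only
that Import Key expects a one-line OpenSSH public key ('<type> <base64>
[comment]'). ALLOWED_TYPES is an assumption: the page does not say which key
algorithms the Orchestrator accepts.
"""
import base64
import hashlib
import struct

ALLOWED_TYPES = {"ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256"}


def _read_string(blob, offset):
    """Read one SSH wire-format string: big-endian uint32 length, then bytes."""
    if offset + 4 > len(blob):
        raise ValueError("truncated key blob")
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    start, end = offset + 4, offset + 4 + length
    if end > len(blob):
        raise ValueError("truncated key blob")
    return blob[start:end], end


def parse_public_key(line):
    """Return {'type', 'fingerprint', 'comment'} or raise ValueError.

    Rejects private-key material, unknown key types, bad base64, a type prefix
    that disagrees with the encoded blob, and truncated blobs. The fingerprint
    is the SHA256 form that ssh-keygen -lf prints, so it can be compared with
    what the Orchestrator displays for the stored key."""
    text = line.strip()
    if text.startswith("-----BEGIN"):
        raise ValueError("this is a private key; paste the public key instead")
    parts = text.split(None, 2)
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    key_type, b64 = parts[0], parts[1]
    comment = parts[2] if len(parts) == 3 else ""
    if key_type not in ALLOWED_TYPES:
        raise ValueError("unsupported key type %r" % key_type)
    try:
        blob = base64.b64decode(b64, validate=True)
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        raise ValueError("key data is not valid base64") from exc
    wire_type, offset = _read_string(blob, 0)
    if wire_type != key_type.encode("ascii"):
        raise ValueError("type prefix does not match the encoded key blob")
    fields = []
    while offset < len(blob):  # walk every field so truncation is caught
        field, offset = _read_string(blob, offset)
        fields.append(field)
    if key_type == "ssh-ed25519" and (len(fields) != 1 or len(fields[0]) != 32):
        raise ValueError("malformed ed25519 public key")
    digest = hashlib.sha256(blob).digest()
    fingerprint = "SHA256:" + base64.b64encode(digest).decode().rstrip("=")
    return {"type": key_type, "fingerprint": fingerprint, "comment": comment}


def is_valid_public_key(line):
    """Boolean wrapper for scripts that only need accept/reject."""
    try:
        parse_public_key(line)
        return True
    except ValueError:
        return False


def constructed_ed25519_line(comment="alice@laptop", truncate=0):
    """Build a CONSTRUCTED ed25519 public-key line for demonstration only.
    The 32 key bytes are a placeholder pattern, not a real key."""
    pk = bytes(range(32))
    blob = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + pk
    if truncate:
        blob = blob[:-truncate]
    return "ssh-ed25519 %s %s" % (base64.b64encode(blob).decode(), comment)


if __name__ == "__main__":
    for candidate in (
        constructed_ed25519_line(),
        "-----BEGIN OPENSSH PRIVATE KEY-----",
        constructed_ed25519_line(truncate=4),
        "ssh-rsa " + constructed_ed25519_line().split()[1],
    ):
        try:
            print("OK  ", parse_public_key(candidate))
        except ValueError as exc:
            print("FAIL", exc)
```

Run it as a script to see one accepted line and three rejections (private-key header, truncated blob, and a type prefix that does not match the blob). The walk over every wire-format field is what catches a key line that was cut short while copying; a simple prefix check would pass it.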
Revoke SSH Keys
You must have the Super User role to delete the SSH keys of other users.
To revoke your own SSH key:
- Log in to the Orchestrator, and then select the Open New Orchestrator UI option available at the top of the window.
- Select Open New Orchestrator UI in the pop-up window. The UI opens in a new tab.
- In the new Orchestrator UI, select the User icon that appears at the top-right side of the window. The User Information panel appears.
- Select Revoke SSH Key.
To revoke the SSH keys of other users:
- In the Enterprise portal, select Open New Orchestrator UI, which is available at the top of the window.
- Select Open New Orchestrator UI in the pop-up window. The UI opens in a new tab.
- Select .
- From the SSH Key List, select the SSH usernames for which you want to delete the SSH keys.
- Select Revoke.
SSH keys are also revoked in the following cases:
- You change the user role to Operator Business or Business Specialist, because these roles cannot access Edges using key-based authentication.
- You delete a user from the Orchestrator.
Note: When a user is deleted or deactivated in the external SSO provider, the user can no longer access the Orchestrator. However, the user's Secure Edge Access keys remain active until the user is explicitly deleted from the Orchestrator as well. Therefore, you must first delete the user from the IdP before deleting the user from the Orchestrator.
Enable Secure Edge Access for an Enterprise
After adding the SSH key, you must switch the authentication mode from Password-based (the default mode) to Key-based to access Edges using the SSH username and SSH key. When you create a new user, the Orchestrator automatically creates the SSH username.
- In the SD-WAN service of the Enterprise portal, go to .
- Select the Enable Secure Edge Access check box to access Edges using Key-based authentication. After you have activated Secure Edge Access, you cannot deactivate it.
Note: Only Operator users can enable secure Edge access for an Enterprise.
- Select Switch to Key-Based Authentication and confirm your selection.
Note: You must have the Super User role to switch the authentication mode.
Next steps:
Use the SSH keys to securely log in to the Edge's CLI and run the required commands. See Secure Edge CLI Commands.
Secure Edge CLI Commands
| Commands | Description | Access Level = Basic | Access Level = Privileged |
|---|---|---|---|
| Interaction Commands | |||
| help | Displays a list of available commands. | Yes | Yes |
| pagination | Paginates the output. | Yes | Yes |
| clear | Clears the screen. | Yes | Yes |
| EOF | Exits the secure Edge CLI. | Yes | Yes |
| Debug Commands | |||
| edgeinfo | Displays the Edge’s hardware and firmware information. For a sample output of the command, see edgeinfo. | Yes | Yes |
| seainfo | Displays details about the secure Edge access of the user. For a sample output of the command, see seainfo. | Yes | Yes |
| ping, ping6 | Pings a URL or an IP address. | Yes | Yes |
| tcpdump | Displays TCP/IP and other packets being transmitted or received over a network to which the Edge is attached. For a sample output of the command, see tcpdump. | Yes | Yes |
| pcap | Captures the packet data pulled from the network traffic and prints the data to a file. For a sample output of the command, see pcap. | Yes | Yes |
| debug | Runs the debug commands for Edges. Run debug -h to view a list of available commands and options. For a sample output of one of the debug commands, see debug. | Yes | Yes |
| diag | Runs the remote diagnostics commands. Run diag -h to view a list of available commands and options. For a sample output of one of the diag commands, see diag. | Yes | Yes |
| ifstatus | Fetches the status of all interfaces. For a sample output of the command, see ifstatus. | Yes | Yes |
| getwanconfig | Fetches the configuration details of all WAN interfaces. Use the logical names such as "GE3" or "GE4" as arguments to fetch the configuration details of that interface. Do not use the physical names such as "ge3" or "ge4" of the WAN interfaces. For example, run getwanconfig GE3 to view the configuration details of the GE3 WAN interface. Run the ifstatus command to know the interface name mappings. For a sample output of the command, see getwanconfig. | Yes | Yes |
| Configuration Command | |||
| setwanconfig | Configures WAN interfaces (wired interfaces only). Run setwanconfig -h to view configuration options. | Yes | Yes |
| Edge Actions Commands | |||
| deactivate | Deactivates the Edge and reapplies the initial default configuration. | No | Yes |
| restart | Restarts the SD-WAN service. | No | Yes |
| reboot | Reboots the Edge. | No | Yes |
| shutdown | Powers off the Edge. | No | Yes |
| hardreset | Deactivates the Edge, restores the Edge's default configuration, and restores the original software version. | No | Yes |
| edged | Activates or deactivates the Edge processes. | No | Yes |
| restartdhcpserver | Restarts the DHCP server. | No | Yes |
| Linux Shell Command | |||
| shell | Takes you into the Linux shell. Type exit to return to the secure Edge CLI. | No | Yes |
Sample Outputs
This section provides the sample outputs of some of the commands that can be run in a secure Edge CLI.
edgeinfo
o10test_velocloud_net:velocli> edgeinfo
Model:vmware
Serial: VMware-420efa0d2a6ccb35-9b9bee2f04f74b32
Build Version:5.0.0
Build Date: 2021-12-07_20-17-40
Build rev:R500-20211207-MN-8f5954619c
Build Hash: 8f5954619c643360455d8ada8e49def34faa688d
seainfo
o10test_velocloud_net:velocli> seainfo
{
"rootlocked": false,
"seauserinfo": {
"o2super_velocloud_net": {
"expiry": 1641600000000,
"privilege": "BASIC"
}
}
}
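The expiry field in the seainfo output is a Unix timestamp in milliseconds, which is awkward to read at a glance when you are checking whose keys are about to lapse. The following is an added example for this page, not VeloCloud code: it parses the JSON above into a per-user expiry report. It assumes the millisecond reading of expiry (the sample value 1641600000000 is a whole number of seconds times 1000, which supports it), that the JSON shape is exactly the one in the sample, and that rootlocked means the Edge's root login is locked; the second user in the embedded sample is a constructed entry added so that an expired key shows up in the report.

```python
"""Turn the seainfo JSON into an SSH-key expiry report.

Added example for this page, not VeloCloud code. Assumptions: 'expiry' is a
Unix timestamp in milliseconds, the JSON shape matches the page's sample, and
'rootlocked' means the Edge's root login is locked.
"""
import json
from datetime import datetime, timedelta, timezone

# Constructed from the page's sample output; the second user is an added,
# constructed entry so the report also shows an expired key.
SAMPLE_SEAINFO = """{
  "rootlocked": false,
  "seauserinfo": {
    "o2super_velocloud_net": {"expiry": 1641600000000, "privilege": "BASIC"},
    "o3admin_velocloud_net": {"expiry": 1640995200000, "privilege": "PRIVILEGED"}
  }
}"""


def utc(year, month, day, hour=0, minute=0):
    """Build a timezone-aware UTC datetime (used as the 'now' reference)."""
    return datetime(year, month, day, hour, minute, tzinfo=timezone.utc)


def expiry_to_datetime(expiry_ms):
    """Convert the millisecond epoch value to an aware UTC datetime."""
    return datetime.fromtimestamp(expiry_ms / 1000, tz=timezone.utc)


def audit_seainfo(text, now, warn_days=7):
    """Return one row per SSH user, sorted by username: privilege, expiry as
    ISO 8601 UTC, whole days left, and a status of 'expired', 'expiring'
    (fewer than warn_days left) or 'ok'."""
    data = json.loads(text)
    rows = []
    for user, info in sorted(data["seauserinfo"].items()):
        expires = expiry_to_datetime(info["expiry"])
        remaining = expires - now
        if remaining <= timedelta(0):
            status = "expired"
        elif remaining < timedelta(days=warn_days):
            status = "expiring"
        else:
            status = "ok"
        rows.append({
            "user": user,
            "privilege": info["privilege"],
            "expires": expires.isoformat(),
            "days_left": remaining.days,
            "status": status,
        })
    return rows


def root_locked(text):
    """True when the 'rootlocked' flag is set (assumed: root login is locked)."""
    return bool(json.loads(text)["rootlocked"])


if __name__ == "__main__":
    now = utc(2022, 1, 1)
    print("rootlocked:", root_locked(SAMPLE_SEAINFO))
    for row in audit_seainfo(SAMPLE_SEAINFO, now):
        print("%-24s %-11s %s %4d days  %s" % (
            row["user"], row["privilege"], row["expires"],
            row["days_left"], row["status"]))
```

Paste the real seainfo output in place of the constructed sample and pass the current time as `now`; the `warn_days` threshold is where you would tie the report to the Duration value chosen when the key was added.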
tcpdump
o10test_velocloud_net:velocli> tcpdump -nnpi eth0 -c 10
reading from file -, link-type EN10MB (Ethernet)
09:45:12.297381 IP6 fd00:1:1:2::2.2426 > fd00:ff01:0:1::2.2426: UDP, length 21
09:45:12.300520 IP6 fd00:ff01:0:1::2.2426 > fd00:1:1:2::2.2426: UDP, length 21
09:45:12.399077 IP6 fd00:1:1:2::2.2426 > fd00:ff01:0:1::2.2426: UDP, length 21
09:45:12.401382 IP6 fd00:ff01:0:1::2.2426 > fd00:1:1:2::2.2426: UDP, length 21
09:45:12.442927 IP6 fd00:1:1:2::2.2426 > fd00:ff01:0:1::2.2426: UDP, length 83
09:45:12.444745 IP6 fd00:ff01:0:1::2.2426 > fd00:1:1:2::2.2426: UDP, length 83
09:45:12.476765 IP6 fd00:ff01:0:1::2.2426 > fd00:1:1:2::2.2426: UDP, length 64
09:45:12.515696 IP6 fd00:ff02:0:1::2.2426 > fd00:1:1:2::2.2426: UDP, length 21
pcap
o10test_velocloud_net:velocli> pcap -nnpi eth4 -c 10
The capture will be saved to file o10test_velocloud_net_2021-12-09_09-57-50.pcap
o10test_velocloud_net:velocli> tcpdump: listening on eth4, link-type EN10MB (Ethernet), capture size 262144 bytes
10 packets captured
10 packets received by filter
0 packets dropped by kernel
debug
o10test_velocloud_net:velocli> debug --dpdk_ports_dump
| name | port | link | ignore | strip | speed | duplex | autoneg | driver |
|---|---|---|---|---|---|---|---|---|
| ge3 | 0 | 1 | 0 | 1 | 1000 | 1 | 1 | igb |
| ge6 | 4 | 0 | 2 | 1 | 0 | 0 | 1 | ixgbe |
| ge5 | 5 | 0 | 2 | 1 | 0 | 0 | 1 | ixgbe |
| ge4 | 1 | 0 | 2 | 1 | 0 | 0 | 0 | igb |
| sfp2 | 2 | 0 | 2 | 1 | 0 | 0 | 1 | ixgbe |
| sfp1 | 3 | 0 | 2 | 1 | 0 | 0 | 1 | ixgbe |
| net_vhost0 | 6 | 0 | 0 | 1 | 10000 | 1 | 0 | |
| net_vhost1 | 7 | 0 | 0 | 1 | 10000 | 1 | 0 | |
diag
o10test_velocloud_net:velocli> diag ARP_DUMP --count 10
Stale Timeout: 2min | Dead Timeout: 25min | Cleanup Timeout: 240min
GE3
192.168.1.254    7c:12:61:70:2f:d0    ALIVE    1s
LAN-VLAN1
10.10.1.137      b2:84:f7:c1:d3:a5    ALIVE    34s
ifstatus
o10test:velocli> ifstatus
{
"deviceBoardName": "EDGE620-CPU",
"deviceInfo": [],
"edgeActivated": true,
"edgeSerial": "HRPGPK2",
"edgeSoftware": {
"buildNumber": "R500-20210821-DEV-301514018f\n",
"version": "5.0.0\n"
},
"edgedDisabled": false,
"interfaceStatus": {
"GE1": {
"autonegotiation": true,
"duplex": "Unknown! (255)",
"haActiveSerialNumber": "",
"haEnabled": false,
"haStandbySerialNumber": "",
"ifindex": 4,
"internet": false,
"ip": "",
"is_sfp": false,
"isp": "",
"linkDetected": false,
"logical_id": "",
"mac": "18:5a:58:1e:f9:22",
"netmask": "",
"physicalName": "ge1",
"reachabilityIp": "8.8.8.8",
"service": false,
"speed": "Unkn",
"state": "DEAD",
"stats": {
"bpsOfBestPathRx": 0,
"bpsOfBestPathTx": 0
},
"type": "LAN"
},
"GE2": {
"autonegotiation": true,
"duplex": "Unknown! (255)",
"haActiveSerialNumber": "",
"haEnabled": false,
…
…
}
}
}
getwanconfig
o10test_velocloud_net:velocli> getwanconfig GE3
{
"details": {
"autonegotiation": "on",
"driver": "dpdk",
"duplex": "",
"gateway": "169.254.7.9",
"ip": "169.254.7.10",
"is_sfp": false,
"linkDetected": true,
"mac": "00:50:56:8e:46:de",
"netmask": "255.255.255.248",
"password": "",
"proto": "static",
"speed": "",
"username": "",
"v4Disable": false,
"v6Disable": false,
"v6Gateway": "fd00:1:1:1::1",
"v6Ip": "fd00:1:1:1::2",
"v6Prefixlen": 64,
"v6Proto": "static",
"vlanId": ""
},
"status": "OK"
}
