Advanced Login Options

Multi-Factor Authentication (MFA) and One-Time Passwords authenticate all CVP managed devices when you authenticate with CVP. CVP runs CLIs on managed devices by sending eAPI requests over the gRPC connection established by TerminAttr.

  • Under Cluster Management on the settings screen, enable Advanced login options for device provisioning to use MFA and one-time passwords.
  • CVP needs TACACS to perform command authorization and accounting as per EOS configuration.
  • Use the new Device class to make eAPI requests for using this mechanism in Configlet Builder python scripts.
Pre-requisities to install this feature are:
  • Devices must run CVP 2018.2.3 or later releases
  • Managed devices must have TerminAttr version 1.5.0 or later versions
    Note: TerminAttr is included with EOS, but may be a version earlier than v1.5.0. Newer versions are available as an extension (swix)

    Refer to CVP and TerminAttr release notes available at for detailed information on compatible TerminAttr versions with CVP and EOS.

  • Ensure that the eAPI unix domain socket is enabled with management api http-commands and protocol unix-socket configurations in devices running EOS releases prior to 4.20

To enable MFA and One-Time Passwords authentication, enable Advanced login options for device provisioning using the toggle button under Cluster Management on the Settings page. See the figure below.

Figure 1. Advanced Login Options for Device Provisioning Toggle Button