Certificate-Based TerminAttr Authentication

Arista/EOS switches use TerminAttr for streaming network data to CVP in the following network configurations:
  • Firewalls or dynamic NAT is deployed between CloudVision and EOS devices
  • Multi-Factor Authentication (MFA) or One-Time-Passwords (OTPs) are used for authentication
Note: When terminattr authentication is enabled,CVP does not require EAPI-over-HTTPS connections. Any CVP authenticated user is also authenticated with the devices that CVP manages.

Each TerminAttr connection must be authenticated using either shared keys or certificate. The certificate-based TerminAttr authentication provides the following additional security features:

  • Eliminates the shared key from the switch's configuration
  • Uniquely authenticates each TerminAttr connection between the switch and CVP
Note: Third party devices can use only the shared key authentication. The minimum required version of TerminAttr to use this feature is v1.6.1.
The following sections describes configuring devices with certificate-based TerminAttr authentication:

Enabling Certificate-Based TerminAttr Authentication

When on-boarding a device through Zero Touch Provisioning (ZTP) or direct import, the certificate-based TerminAttr authentication uses a temporary token to enroll client certificates from CVP. The SYS_TelemetryBuilderV3 generates the TerminAttr configuration that uses certificate-based TerminAttr authentication.

Note: By default, CVP authenticates TerminAttr connections using shared keys.

Perform the following steps to enable certificate-based TerminAttr authentication:

  1. In CloudVision portal, click the gear icon at the upper right corner of the page.

    The system displays the Settings screen.

  2. Under the Cluster Management pane, enable Device authentication via certificates using the toggle button.
    Figure 1: Enable Device Authentication via Certificates

Switching the Authentication from Certificates to Shared Keys

Perform the following steps for switching the authentication from certificates to shared keys:

  1. Disable the Device authentication via certificates option on the settings page.

    See Enabling Certificate-Based TerminAttr Authentication.

  2. Regenerate the configlets for all devices using SYS_TelemetryV3 builder.

    The generated configlets starts using shared key authentication.

  3. Execute resulting tasks.

Switching the Authentication from Shared Keys to Certificates

Perform the following steps for switching the authentication from shared keys to certificates:

  1. Enable the Device authentication via certificates option on the settings page.

    See Enabling Certificate-Based TerminAttr Authentication

  2. Replace any configlet mapping using the SYS_TelemetryV2 configlet builder with the SYS_TelemetryV3 builder.
  3. Regenerate device configlets.
  4. Execute resulting tasks.

    Devices stop streaming as their certificates are not enrolled.

  5. On-board all currently provisioned devices to restart streaming to CVP.

    See Reboarding Existing Devices.

Reboarding Existing Devices

You must reboard a device when the certificate-based TerminAttr authentication fails due to missing or invalid client certificates.

Perform the following steps to reboard devices:

  1. In CloudVision portal, click the Devices tab.

    The system displays the Inventory screen.

    Figure 2: Inventory Screen
  2. Select Onboard Devices from the Add Device drop-down menu at the upper right corner of the Inventory screen.

    The system displays the Onboard Devices pop-up window.

  3. Click the Existing Device Registration tab at the lower end of the Onboard Devices pop-up window.
    Figure 3: Existing Device Registration Tab
    Note: To view all devices, disable the Show only inactive devices option using the toggle button.
  4. Select the required device.
  5. Click Register n Device(s) where n is the count of selected devices.

    The system refreshes the selected device with new certificates, returns to the last provisioning state, and resumes streaming to CVP.

Re-ZTP On-Boarded Devices

Manual intervention is required to re-ZTP on-boarded devices after enabling the certificate-based TerminAttr authentication. This prevents unauthorized or malicious software from spoofing previously on-boarded devices.

Perform the following steps to re-ZTP devices:

  1. In CloudVision portal, click the Devices tab.

    The system displays the Inventory screen.

  2. Select Re-ZTP Devices from the Add Device drop-down menu at the upper right corner of the Inventory screen.

    The system displays the Re-ZTP Devices pop-up window.

    Figure 4: Re-ZTP Devices Pop-Up Window
    Note: To view all devices, disable the Show only inactive devices option using the toggle button.
  3. Select the required device.
  4. (Optional) Click the time next to Global ZTP Deadline and configure the preferred time to re-ZTP selected devices.
  5. Click Grant ZTP Access to n Device(s) where n is the count of selected devices.

    Devices must complete their re-ZTP before the enrollment window closes.