Certificate-Based TerminAttr Authentication
Arista EOS switches use TerminAttr to stream network data to CVP. Each TerminAttr connection must be authenticated using either shared keys or certificates. Certificate-based TerminAttr authentication provides the following additional security features:
- Eliminates the shared key from the switch's configuration
- Uniquely authenticates each TerminAttr connection between the switch and CVP
Enabling Certificate-Based TerminAttr Authentication
When on-boarding a device through Zero Touch Provisioning (ZTP) or direct import, the certificate-based TerminAttr authentication uses a temporary token to enroll client certificates from CVP. The SYS_TelemetryBuilderV3 generates the TerminAttr configuration that uses certificate-based TerminAttr authentication.
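The following TerminAttr daemon configuration fragments are an added illustration, not taken from the original page or generated by CVP: they contrast the shared-key form (secret present in the running-config) with the token-bootstrap and certificate forms that the text describes. The CVP address, VRF name, key value and certificate file paths are constructed placeholders; only the -cvauth modes (key, token, certs) are the TerminAttr client's own.

```text
! Shared-key authentication: the key is stored in the switch configuration
! and is the same for every device that uses it (constructed values).
daemon TerminAttr
   exec /usr/bin/TerminAttr -cvaddr=192.0.2.10:9910 -cvauth=key,EXAMPLE_SHARED_KEY -cvvrf=MGMT
   no shutdown

! Temporary token used during on-boarding (ZTP or direct import) to enroll
! the client certificate from CVP; the token file path is a placeholder.
daemon TerminAttr
   exec /usr/bin/TerminAttr -cvaddr=192.0.2.10:9910 -cvauth=token,/tmp/token -cvvrf=MGMT
   no shutdown

! Certificate-based authentication after enrollment: no shared secret in the
! configuration; each switch presents its own client certificate and private
! key, so every connection is authenticated individually (paths illustrative).
daemon TerminAttr
   exec /usr/bin/TerminAttr -cvaddr=192.0.2.10:9910 -cvauth=certs,/persist/secure/ssl/terminattr/primary/certs/client.crt,/persist/secure/ssl/terminattr/primary/keys/client.key -cvvrf=MGMT
   no shutdown
```

If the certificate or key file referenced in the certs form is missing or invalid, the TerminAttr connection fails to authenticate and the device must be reboarded as described in the Reboarding Existing Devices section.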
Perform the following steps to enable certificate-based TerminAttr authentication:
Switching the Authentication from Certificates to Shared Keys
Perform the following steps to switch the authentication from certificates to shared keys:
Switching the Authentication from Shared Keys to Certificates
Perform the following steps to switch the authentication from shared keys to certificates:
Reboarding Existing Devices
You must reboard a device when the certificate-based TerminAttr authentication fails due to missing or invalid client certificates.
Perform the following steps to reboard devices:
Re-ZTP On-Boarded Devices
Manual intervention is required to re-ZTP on-boarded devices after certificate-based TerminAttr authentication has been enabled. This prevents unauthorized or malicious software from spoofing previously on-boarded devices.
Perform the following steps to re-ZTP devices: