Access SD-WAN Edges Using Key-Based Authentication

This section discusses details about how to enable key-based authentication, add SSH keys, and access Edges in a more secure way.

The Secure Shell (SSH) key-based authentication is a secure and robust authentication method to access VeloCloud Edges. It provides a strong, encrypted verification and communication process between users and Edges. The use of SSH keys bypasses the need to manually enter login credentials and automates the secure access to Edges.
Note:
  • Both the Edge and the Orchestrator must be using Release 5.0.0 or later for this feature to be available.
  • Users with Operator Business or Business Specialist account roles cannot access Edges using key-based authentication.

Perform the following tasks to access Edges using key-based authentication:

  1. Configure privileges for a user to access Edges in a secure manner.
    You must choose Basic access level for the user. You can configure the access level when you create a new user and choose to modify it at a later point in time. Ensure that you have Superuser role to modify the access level for a user. For additional information, see Add New User.
  2. Generate a new pair of SSH keys or import an existing SSH key.
    See Add SSH Key
  3. Enable key-based authentication to access Edges.
    See Enable Secure Edge Access for an Enterprise Operator.

Add SSH Key

When using key-based authentication to access Edges, a pair of SSH keys are generated: Public and Private.

The public key is stored in the database and is shared with the Edges. The private key is downloaded to your computer, and you can use this key along with the SSH username to access Edges. You can generate only one pair of SSH keys at a time. If you need to add a new pair of SSH keys, you must delete the existing pair and then generate a new pair. If a previously generated private key is lost, you cannot recover it from the Orchestrator. You must delete the key and then add a new key to gain access. For details about how to delete SSH keys, see Revoke SSH Keys.

Based on their roles, users can perform the following actions:
  • All users, except users with Operator Business or Business Specialist account roles, can create and revoke SSH keys for themselves.
  • Operator Super users can manage SSH keys of other Operator users, Partner users, and Enterprise users, if the Partner user and Enterprise user have delegated user permissions to the Operator.
  • Partner Super users can manage SSH keys of other Partner users and Enterprise users, if the Enterprise user has delegated user permissions to the Partner.
  • Enterprise Super users can manage the SSH keys of all the users within that Enterprise.
  • Super users can only view and revoke the SSH keys for other users.
    Note: Enterprise and Partners customers without SD-WAN service access will not be able to configure or view SSH keys related details.

To add a SSH key:

  1. In the Enterprise portal, select the User icon that appears at the top-right side of the Window. The User Information panel appears.
  2. Select Add SSH Key. The Add SSH Key pop-up window appears.
  3. Select one of the following options to add the SSH key:
    • Generate Key: Use this option to generate a new pair of public and private SSH keys. Note that the generated key gets downloaded automatically. The default file format in which the SSH key is generated is .pem. If you are using a Windows operating system, ensure that you convert the file format from .pem to .ppk, and then import the key. For instructions to convert .pem to .ppk, see https://puttygen.com/convert-pem-to-ppk.
    • Import Key: Use this option to paste or enter the public key if you already have a pair of SSH keys.
  4. In the PassPhrase field, you can choose to enter a unique passphrase to further safeguard the private key stored on your computer.
    Note: This is an optional field and is available only if you have selected the Generate Key option.
  5. In the Duration drop-down list, select the number of days by when the SSH key must expire.
  6. Select Add Key.
Ensure that you enable secure Edge access for the Enterprise and switch the authentication mode from Password-based to Key-based. See Enable Secure Edge Access for an Enterprise Operator.

Revoke SSH Keys

Ensure that you have Super User role to delete the SSH keys for other users.

To revoke your SSH key:

  1. In the Orchestrator, select the User icon that appears at the top-right side of the Window. The User Information panel appears.
  2. Select Revoke SSH Key.

For Other Operator Users

To revoke the SSH keys of other Operator users:
  1. In the Operator portal, go to Orchestrator Authentication.
  2. In the SSH Keys area, select the SSH usernames for which you want to delete the SSH keys.
  3. Select Actions > Revoke SSH Key.
    The SSH keys for a user are automatically deleted when:
    • You change the user role to Operator Business or Business Specialist because these roles cannot access Edges using key-based authentication.
    • You delete a user from the Orchestrator.
      Note: When a user is deleted or deactivated from the external SSO providers, the user can no longer access the Orchestrator. But the user's Secure Edge Access keys remain active until the user is explicitly deleted from the Orchestrator as well. Therefore, you must first delete the user from the IdP, before deleting from the Orchestrator.

Enable Secure Edge Access for an Enterprise

After adding the SSH key, you must switch the authentication mode from Password-based, which is the default mode to Key-based to access Edges using the SSH username and SSH key. The SSH username is automatically created when you create a new user.

To enable secure Edge access:

  1. In the SD-WAN service of the Enterprise portal, go to Service Settings > Edge Management .
  2. Select the Enable Secure Edge Access check box to allow the user to access Edges using Key-based authentication. Once you have activated Secure Edge Access, you cannot deactivate it.
    Note: Only Operator users can enable secure Edge access for an Enterprise.
  3. Select Switch to Key-Based Authentication and confirm your selection.
    Note: Ensure that you have Super User role to switch the authentication mode.

Use the SSH keys to securely login to the Edge’s CLI and run the required commands. See Secure Edge CLI Commands.

Secure Edge CLI Commands

Based on the Access Level configured, you can run the following CLI commands:

Note: Run the help <command name> to view a brief description of the command.
Table 1. Secure Edge Commands
Commands Description Access Level = Basic Access Level = Privileged
Interaction Commands
help Displays a list of available commands. Yes Yes
pagination Paginates the output. Yes Yes
clear Clears the screen. Yes Yes
EOF Exits the secure Edge CLI. Yes Yes
Debug Commands
edgeinfo Displays the Edge’s hardware and firmware information. For a sample output of the command, see edgeinfo. Yes Yes
seainfo Displays details about the secure Edge access of the user. For a sample output of the command, see seainfo. Yes Yes
ping, ping6 Pings a URL or an IP address. Yes Yes
tcpdump Displays TCP/IP and other packets being transmitted or received over a network to which the Edge is attached. For a sample output of the command, see tcpdump. Yes Yes
pcap Captures the packet data pulled from the network traffic and prints the data to a file. For a sample output of the command, see pcap. Yes Yes
debug Runs the debug commands for Edges. Run debug-h to view a list of available commands and options. For a sample output of one of the debug commands, see debug --dpdk_ports_dump. Yes Yes
diag Runs the remote diagnostics commands. Run diag -h to view a list of available commands and options. For a sample output of one of the diag commands, see diag ARP_DUMP. Yes Yes
ifstatus Fetches the status of all interfaces. For a sample output of the command, see ifstatus. Yes Yes
getwanconfig Fetches the configuration details of all WAN interfaces. Use the logical names such as "GE3" or "GE4" as arguments to fetch the configuration details of that interface. Do not use the physical names such as "ge3" or "ge4" of the WAN interfaces. For example, run getwanconfig GE3 to view the configuration details of the GE3 WAN interface. Run the ifstatus command to know the interface name mappings. For a sample output of the command, see getwanconfig. Yes Yes
Configuration Command
setwanconfig Configures WAN interfaces (wired interfaces only). Run setwanconfig -h to view configuration options. Yes Yes
Edge Actions Commands
deactivate Deactivates the Edges and reapplies the initial default configuration. No Yes
restart Restarts the SD-WAN service. No Yes
reboot Reboots the Edge. No Yes
shutdown Powers off the Edge. No Yes
hardreset Deactivates the Edges, restores the Edge’s default configuration, and restores original software version. No Yes
edged Activates or deactivates the Edge processes. No Yes
restartdhcpserver Restarts the DHCP server. No Yes
Linux Shell Command
shell Takes you into the Linux shell. Type exit to return to the secure Edge CLI. No Yes

Sample Outputs

This section provides the sample outputs of some of the commands that can be run in a secure Edge CLI.

edgeinfo

o10test_velocloud_net:velocli> edgeinfo Model: vmware Serial: VMware-420efa0d2a6ccb35-9b9bee2f04f74b32 Build Version: 5.0.0 Build Date: 2021-12-07_20-17-40 Build rev: R500-20211207-MN-8f5954619c Build Hash: 8f5954619c643360455d8ada8e49def34faa688d

seainfo

o10test_velocloud_net:velocli> seainfo { "rootlocked": false, "seauserinfo": { "o2super_velocloud_net": { "expiry": 1641600000000, "privilege": "BASIC" } } }

tcpdump

o10test_velocloud_net:velocli> tcpdump -nnpi eth0 -c 10 reading from file -, link-type EN10MB (Ethernet) 09:45:12.297381 IP6 fd00:1:1:2::2.2426 > fd00:ff01:0:1::2.2426: UDP, length 21 09:45:12.300520 IP6 fd00:ff01:0:1::2.2426 > fd00:1:1:2::2.2426: UDP, length 21 09:45:12.399077 IP6 fd00:1:1:2::2.2426 > fd00:ff01:0:1::2.2426: UDP, length 21 09:45:12.401382 IP6 fd00:ff01:0:1::2.2426 > fd00:1:1:2::2.2426: UDP, length 21 09:45:12.442927 IP6 fd00:1:1:2::2.2426 > fd00:ff01:0:1::2.2426: UDP, length 83 09:45:12.444745 IP6 fd00:ff01:0:1::2.2426 > fd00:1:1:2::2.2426: UDP, length 83 09:45:12.476765 IP6 fd00:ff01:0:1::2.2426 > fd00:1:1:2::2.2426: UDP, length 64 09:45:12.515696 IP6 fd00:ff02:0:1::2.2426 > fd00:1:1:2::2.2426: UDP, length 21

pcap

o10test_velocloud_net:velocli> pcap -nnpi eth4 -c 10 The capture will be saved to file o10test_velocloud_net_2021-12-09_09-57-50.pcap o10test_velocloud_net:velocli> tcpdump: listening on eth4, link-type EN10MB (Ethernet), capture size 262144 bytes 10 packets captured 10 packets received by filter 0 packets dropped by kernel

debug

o10test_velocloud_net:velocli> debug --dpdk_ports_dump name port link ignore strip speed duplex autoneg driver ge3 0 1 0 1 1000 1 1 igb ge6 4 0 2 1 0 0 1 ixgbe ge5 5 0 2 1 0 0 1 ixgbe ge4 1 0 2 1 0 0 0 igb sfp2 2 0 2 1 0 0 1 ixgbe sfp1 3 0 2 1 0 0 1 ixgbe net_vhost0 6 0 0 1 10000 1 0 net_vhost1 7 0 0 1 10000 1 0

diag

o10test_velocloud_net:velocli> diag ARP_DUMP --count 10 Stale Timeout: 2min | Dead Timeout: 25min | Cleanup Timeout: 240min GE3 192.168.1.254 7c:12:61:70:2f:d0 ALIVE 1s LAN-VLAN1 10.10.1.137 b2:84:f7:c1:d3:a5 ALIVE 34s

ifstatus

o10test:velocli> ifstatus { "deviceBoardName": "EDGE620-CPU", "deviceInfo": [], "edgeActivated": true, "edgeSerial": "HRPGPK2", "edgeSoftware": { "buildNumber": "R500-20210821-DEV-301514018f\n", "version": "5.0.0\n" }, "edgedDisabled": false, "interfaceStatus": { "GE1": { "autonegotiation": true, "duplex": "Unknown! (255)", "haActiveSerialNumber": "", "haEnabled": false, "haStandbySerialNumber": "", "ifindex": 4, "internet": false, "ip": "", "is_sfp": false, "isp": "", "linkDetected": false, "logical_id": "", "mac": "18:5a:58:1e:f9:22", "netmask": "", "physicalName": "ge1", "reachabilityIp": "8.8.8.8", "service": false, "speed": "Unkn", "state": "DEAD", "stats": { "bpsOfBestPathRx": 0, "bpsOfBestPathTx": 0 }, "type": "LAN" }, "GE2": { "autonegotiation": true, "duplex": "Unknown! (255)", "haActiveSerialNumber": "", "haEnabled": false, … … } ] }

getwanconfig

o10test_velocloud_net:velocli> getwanconfig GE3 { "details": { "autonegotiation": "on", "driver": "dpdk", "duplex": "", "gateway": "169.254.7.9", "ip": "169.254.7.10", "is_sfp": false, "linkDetected": true, "mac": "00:50:56:8e:46:de", "netmask": "255.255.255.248", "password": "", "proto": "static", "speed": "", "username": "", "v4Disable": false, "v6Disable": false, "v6Gateway": "fd00:1:1:1::1", "v6Ip": "fd00:1:1:1::2", "v6Prefixlen": 64, "v6Proto": "static", "vlanId": "" }, "status": "OK" }