
C-03 | AGNI and Wired EAP-TLS 802.1X

Overview

In this lab we enhance the port security for our Raspberry Pi! We will do the following:

  • Update our port profile
  • Configure our switch to communicate over RadSec to AGNI
  • Configure the AGNI EAP-TLS wired policy
  • Verify it all works!

Topology

Lab Topology


Important: Your switches need to be onboarded in AGNI with RadSec before proceeding. Follow the steps in Configuring RadSec on EOS below.

Configuring RadSec on EOS

Arista switches can form a RadSec tunnel to AGNI using TLS (configured on EOS through an SSL profile). RadSec is a protocol that carries RADIUS over TCP and TLS. For mutual authentication, the switch needs a client certificate with its corresponding private key, as well as the AGNI CA certificate. The steps below assume the use of AGNI's internal PKI.

Follow the steps to create, upload and establish the RadSec tunnel.

  1. Generate private key and CSR
  2. Generate client certificate for the Switch in AGNI.
  3. Upload the Certificate to the Switch.
  4. Configure an SSL profile and a RadSec profile

AGNI Login

If you're not already logged into AGNI, navigate to the Arista Launchpad for your lab.

Open Launchpad

Provide your assigned lab/pod email address and password and click Sign In.

Launchpad Login

You will see the various tools tied to your tenant; this includes CVP, AGNI (NAC), and CV-CUE for wireless. Click the AGNI (Beta) tile to begin this lab.

Launchpad Login

Configuration Steps

  1. Generate the key pair

    security pki key generate rsa 2048 switch.key
    
  2. Generate the certificate signing request using the key just created.

    Note: the Common Name must be the switch MAC address, and the DNS name must match the hostname of the switch.

    security pki certificate generate signing-request key switch.key
    
    Certificate Signing Request
    Common Name for use in subject: 2c:dd:e9:fe:cd:68 
    Two-Letter Country Code for use in subject: US 
    State for use in subject: FL 
    Locality Name for use in subject: NFM 
    Organization Name for use in subject: Arista 
    Organization Unit Name for use in subject: acws 
    Email address for use in subject:
    IP addresses (space separated) for use in subject-alternative-name:
    DNS names (space separated) for use in subject-alternative-name: pod00-leaf1a 
    Email addresses (space separated) for use in subject-alternative-name:
    URIs (space separated) for use in subject-alternative-name:
    -----BEGIN CERTIFICATE REQUEST-----
    MIIC0DCCAbgCAQAwYTELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAkZMMQwwCgYDVQQH
    DANORk0xDTALBgNVBAoMBGFjd3MxDDAKBgNVBAsMA2NzZTEaMBgGA1UEAwwRMmM6
    ZGQ6ZTk6ZmY6MzI6YjIwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC1
    UDFDsidF4qhGzIEgNUlcNPtfvAGic/hQelaD9MgvOUbbVUhEg0hcbA/LLcyZQ+f/
    B0f/UK7eyuNhtS3lTYf7A1TqCQ7md8d4opcKbiP7vFg6+dpvAXT8giBlstv790LY
    wEpuCKX4igkLx+jMlNNOP7tKnuX2tuK/EYi20O2a0e4LR77ebBZpztiia9prCyvk
    neNhtAPMeb/O/kUBnmPwpPDy4jtpPhp8I+xX9zo4nRNjVlFcRRNao/N72kIpnmX8
    nnAXIcG/I1bLsgspWIwwiV3MUL3pOKUNqXaKf824/ZJgPAtUA2zgp9JayMbbddOE
    A3dKTwBkGOXihZkVDTnrAgMBAAGgKjAoBgkqhkiG9w0BCQ4xGzAZMBcGA1UdEQQQ
    MA6CDHBvZDAwLWxlYWYxYTANBgkqhkiG9w0BAQsFAAOCAQEAp8pxdX1qJ8uPFrQW
    ZmMmOZ+RM3lEDOJkhNA2aRVonWeejp0bz5qToT8E41RPyLIdQ56Pa+zeGx5occg8
    3nK3aFAu1ARPR1EJ8E04656c9v6zpF9np3juwLJm0uiM16XgUMvEmQd1anRELndn
    r53jlXKAcsKdFMSaW0MqXY6DN8a1PmI3KL0zzOKpwtcRSjvAXFTN8viSPOL/vrRL
    XTqVaa+P1d7PgRBoSi5DFY6U9nwHD42yP0kCbq98wxDrLyTfMV20ymY083XHdKPz
    Y4dI+YfHeK48QLBSLUKB9CrOC0XyhIMtCxBGkJ+umZy3wktZHCCkvDej7NoiNZal
    4uEbIg==
    -----END CERTIFICATE REQUEST-----
    
  3. Copy the certificate signing request, including the lines “-----BEGIN CERTIFICATE REQUEST-----” and “-----END CERTIFICATE REQUEST-----”.

  4. Select your Access Device from the list and select Get Client Certificate.

  5. Select Use CSR (Single Device) and Paste CSR.

    Note 1: CSR can also be uploaded from file by selecting action Upload CSR File
    Note 2: For signing multiple CSRs select Upload Zip with multiple CSRs

    AGNI Switch Certificate

  6. Click Generate Certificate. A certificate pod00-leaf1a.pem will be generated and downloaded. Rename this file to switch.pem.

  7. Go to RadSec Settings in the Navigator, under the Administration section, to download the CA certificate.

  8. Download the RadSec CA certificate (radsec_ca_certificate.pem) by clicking Download Certificate.

    In AGNI, click Configuration → System → RadSec Settings on the left-hand side.

    AGNI Switch Certificate

    Copy the FQDN radsec.beta.agni.arista.io and download the certificate at the bottom.

    AGNI Switch Certificate

  9. Copy certificates to the switch. The switch certificate and the CA certificate need to be copied to the switch flash using SCP. Prerequisite: the switch must accept SCP logins, using a username and password with the network-admin role. Ensure the following settings are configured on the switch:

    aaa authentication login console local
    aaa authorization exec default local
    
  10. Copy the certificates to the switch flash using SCP.

    scp switch.pem radsec_ca_certificate.pem arista@<switch_ip>:/mnt/flash/
    
  11. Log in to your switch using the arista user credentials and verify the certificates are present in flash.

    dir
    
  12. Copy the certificates to the certificate store.

    copy flash:switch.pem certificate:switch.pem
    copy flash:radsec_ca_certificate.pem certificate:radsec_ca_certificate.pem
    dir certificate:
    
  13. Verify the certificate validity.

    show management security ssl profile agni-server
    
        Profile     State
        ----------- -----
        agni-server valid
    
Reminder on logging in and creating a workspace

CloudVision Login

If you're not already logged into CloudVision (CVaaS), navigate to the Arista CVaaS for your lab.

Open CVaaS

Create a Workspace

We are going to create a workspace to propose changes to the Network Infrastructure. A workspace acts as a sandbox where you can stage your configuration changes before deploying them.

What is a Workspace?

To make a comparison, a workspace is like a configuration session in EOS or a branch in Git!

Click Provisioning on the left side, then choose Studios.

Campus Studios

Click Create a Workspace, give it any name you would like and click Create.

Create Workspace

Update Port Profile

Here we will update our existing Raspberry Pi port profile to enable 802.1X.

Single Workspace

You and your fellow student will work together to create the port profile for your campus fabric in a single workspace.

  1. From the Studios home page, disable the Active Studios toggle to display all available CloudVision Studios (which when enabled will only show used/active Studios).

    The toggle may already be in the disabled position.

    Campus Studios

  2. Let's update the Wired-RasPi port profile for our Raspberry Pi and enable 802.1X. Click the arrow on the right and enable the following:

    Wired-RasPi

    | Key                      | Value   |
    |--------------------------|---------|
    | 802.1X                   | Enabled |
    | MAC Based Authentication | Yes     |

  3. Our port profile changes have been staged. Click Review Workspace.

  4. We can see that the only studio changed is the Access Interface Configuration, and the ports assigned to the profile show as updated.

  5. Go ahead and Submit the Workspace when you are ready.

  6. Click View Change Control

  7. Review the Change Control and select Review and Approve

  8. Toggle the Execute Immediately button and select Approve and Execute

  9. The port is now enabled for 802.1X, let's now get your switch talking back to AGNI.

Enable RadSec

In this lab you will be configuring RadSec on your lab switches by adding the RadSec configuration to the switches via the Static Configuration Studio.

  1. Click on the Provisioning menu option, then choose Studios.
  2. Let's open the Static Configuration Studio.

Campus Studio

  1. Select your respective switch
  2. In the Device Container window, click on + Configlet followed by Configlet Library.

Campus Studio

  1. Select the configlet named for your switch (it should be named radsec) and click Assign to add the configlet to the switch.

Campus Studio

  1. Click Review Workspace to review all the changes proposed to the CloudVision Studio.

  2. Review the workspace details, showing the summary of modified studios, the build status, and the proposed configuration changes for each device. When ready, click Submit Workspace.

    Campus Studio

    What does this configuration do?

    The numbered notes below explain what each part of the configlet does.

    !
    management security
        ssl profile agni-server
            certificate pod00-leaf1a.crt key agni-private.key
            trust certificate radsec_ca_certificate.pem
    !
    radius-server host radsec.beta.agni.arista.io tls ssl-profile agni-server
    !
    aaa group server radius agni-server-group
        server radsec.beta.agni.arista.io tls
    !
    aaa authentication dot1x default group agni-server-group
    aaa accounting dot1x default start-stop group agni-server-group
    !
    
    1. ssl profile agni-server: creates the SSL profile used for the RadSec TLS session.
    2. certificate pod00-leaf1a.crt key agni-private.key: the switch certificate and private key. The certificate was generated on EOS, signed by AGNI, and installed in the certificate store.
    3. trust certificate radsec_ca_certificate.pem: the trusted CA certificate downloaded from AGNI and installed in the EOS certificate store.
    4. radius-server host radsec.beta.agni.arista.io tls ssl-profile agni-server: enables RadSec on the device, using our SSL profile for the TLS connection.
    5. aaa group server radius agni-server-group: creates the AAA RADIUS server group; we use it to enforce client authentication via dot1x later in this lab.
  3. Click View Change Control and review the Change Control, hit Review and Approve when ready.

    Campus Studio

  4. Select Execute immediately and click Approve and Execute

    Campus Studio

  5. The change control will execute and apply all the RadSec configuration changes to the device. This will enable RadSec connectivity between the switch and AGNI.

    Tip: Automating Certificates

    The switch and AGNI certs were generated, signed, and installed using automation beforehand, specifically Ansible, leveraging both the switch eAPI and the AGNI API. You can read more on how this role works at EOS AGNI Radsec (GitHub): https://github.com/carl-baillargeon/eos_agni_radsec/tree/main

    Campus Studio

  6. See Configuring RadSec on EOS above for additional information.


Create Wired EAP-TLS Network and Segment

  1. Click on Access Devices > Devices to confirm the RadSec connection is up.

    Campus Studio

  2. In this section we will create a Network and Segment in CloudVision AGNI to utilize a certificate based TLS authentication method on a wired connection with a Raspberry Pi.

  3. Click on Networks and select + Add Network

    Campus Studio

  4. Before configuring the network, find the Access Device Group field and click + to create a new device group.

    Access Device Group Settings

    | Field                   | Student 1   | Student 2   |
    |-------------------------|-------------|-------------|
    | Name                    | WIRED-A     | WIRED-A     |
    | Description             | WIRED-A     | WIRED-A     |
    | Available Devices (+ Add) | pod##-leaf1 | pod##-leaf1 |

  5. Fill in and select the following fields on the Add Network page.

    Network Settings

    | Field                         | Student 1                      | Student 2                      |
    |-------------------------------|--------------------------------|--------------------------------|
    | Name                          | ATD-##-WIRED                   | ATD-##-WIRED                   |
    | Connection Type               | Wired                          | Wired                          |
    | Access Device Group           | WIRED-A                        | WIRED-A                        |
    | Status                        | Enabled                        | Enabled                        |
    | Authentication type           | Client Certificate (EAP-TLS)   | Client Certificate (EAP-TLS)   |
    | Fallback to MAC Authentication | Enabled                       | Enabled                        |
    | MAC Authentication Type       | Allow Registered Clients Only  | Allow Registered Clients Only  |
    | Onboarding                    | Enabled                        | Enabled                        |
    | Authorized User Groups        | Arista                         | Arista                         |

    Campus Studio

  6. When done, click on Add Network at the bottom of the screen.

  7. Next, click on Segments and then + Add Segment.

    Campus Studio

  8. Configure the network segment with the following settings:

    Segment Settings

    | Field        | Student 1                                                      | Student 2                                                      |
    |--------------|----------------------------------------------------------------|----------------------------------------------------------------|
    | Name         | ATD-##-WIRED                                                   | ATD-##-WIRED                                                   |
    | Description  | ATD-##-WIRED                                                   | ATD-##-WIRED                                                   |
    | Condition #1 | Network:Name is ATD-##-WIRED                                   | Network:Name is ATD-##-WIRED                                   |
    | Condition #2 | Network:Authentication Type is Client Certificate (EAP-TLS)    | Network:Authentication Type is Client Certificate (EAP-TLS)    |
    | Action #1    | Allow Access                                                   | Allow Access                                                   |

    Campus Studio

  9. Finally, select Add Segment at the bottom of the page.

  10. You should now be able to expand and review your segment.

    Campus Studio

  11. Next, click on Sessions to check whether your ATD Raspberry Pi has authenticated over its wired connection.

    Campus Studio

    Client Certificate

    The Client Certificate has already been applied to the Raspberry Pi.

Validate and Verify Wired EAP-TLS Device

AGNI

  1. Once the device is connected you will be able to view the status of the connection and additional session details if you click on the Eye to the right of the device.
  2. AGNI will then display more in depth session information regarding the device and connection.

CloudVision Endpoint Overview

Open the Endpoint Overview and search for a device in your pod. sFlow will be enabled, so you should be able to see more information about authentication, traffic flows, and

EOS CLI

You can also validate the session on the switch by issuing the following commands in the switch CLI:

show dot1x host
show dot1x host mac d83a.dd98.6183 detail
pod00-leaf1a#show dot1x host
Port      Supplicant MAC Auth  State                   Fallback               VLAN
--------- -------------- ----- ----------------------- ---------------------- ----
Et2       d83a.dd98.6183 EAPOL SUCCESS                 NONE

pod00-leaf1a#show dot1x host mac d83a.dd98.6183 detail
Operational:
Supplicant MAC: d83a.dd98.6183
User name: aristaatd01@outlook.com
Interface: Ethernet2
Authentication method: EAPOL
Supplicant state: SUCCESS
Fallback applied: NONE
Calling-Station-Id: D8-3A-DD-98-61-83
Reauthentication behaviour: DO-NOT-RE-AUTH
Reauthentication interval: 0 seconds
VLAN ID:
Accounting-Session-Id: 1x00000004
Captive portal:
AAA Server Returned:
Arista-WebAuth:
Class: Rcnlkerh9ci3s72u197e0|C4151a596-baab-444b-a4fd-ad40946d8b5f
Filter-Id:
Framed-IP-Address: 192.168.101.21 sourceArp
NAS-Filter-Rule:
Service-Type: None
Session-Timeout: 86400 seconds
Termination-Action: RADIUS-REQUEST
Tunnel-Private-GroupId:
Arista-PeriodicIdentity:
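As an added example (not part of the original lab), the following Python parses output in the shape of the `show dot1x host mac <mac> detail` command above and flags sessions that did not actually complete EAP-TLS, for instance a host admitted only through the MAC-authentication fallback that the network enables. The sample output is constructed to resemble the lab's, and the field names and values are assumed from what the page shows.

```python
import re

# Constructed sample modelled on the lab's output; not captured from the lab switch.
SAMPLE_OUTPUT = """\
Operational:
Supplicant MAC: d83a.dd98.6183
User name: student@example.com
Interface: Ethernet2
Authentication method: EAPOL
Supplicant state: SUCCESS
Fallback applied: NONE
Calling-Station-Id: D8-3A-DD-98-61-83
VLAN ID:
AAA Server Returned:
Framed-IP-Address: 192.168.101.21 sourceArp
Session-Timeout: 86400 seconds
"""

def normalize_mac(mac):
    """Reduce 'd83a.dd98.6183' or 'D8-3A-DD-98-61-83' to 'd83add986183' for comparison."""
    return re.sub(r"[^0-9a-f]", "", mac.lower())

def parse_dot1x_detail(text):
    """Return {field: value} from the 'key: value' lines; headers and empty fields map to ''."""
    fields = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, _, value = line.partition(":")
        fields[key.strip()] = value.strip()
    return fields

def check_session(fields):
    """Return findings; an empty list means the host passed EAP-TLS as the lab policy expects."""
    findings = []
    if fields.get("Supplicant state") != "SUCCESS":
        findings.append("supplicant state is %r, not SUCCESS" % fields.get("Supplicant state"))
    if fields.get("Authentication method") != "EAPOL":
        findings.append("method is %r, not EAPOL (EAP-TLS)" % fields.get("Authentication method"))
    # Fallback to MAC authentication is enabled on the network, so a host that only
    # passed MAC auth (fallback != NONE) never proved possession of a certificate.
    if fields.get("Fallback applied", "NONE") != "NONE":
        findings.append("fallback applied: %s" % fields["Fallback applied"])
    if normalize_mac(fields.get("Supplicant MAC", "")) != normalize_mac(fields.get("Calling-Station-Id", "")):
        findings.append("Supplicant MAC and Calling-Station-Id disagree")
    timeout = fields.get("Session-Timeout", "").split()
    if not timeout or not timeout[0].isdigit():
        findings.append("AAA server returned no Session-Timeout")
    return findings
```

Paste the real output of `show dot1x host mac <mac> detail` into `parse_dot1x_detail` and an empty list from `check_session` means the Pi authenticated with its certificate rather than by MAC fallback.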

🎉 CONGRATS! You have completed the Security labs! 🎉