AAA Servers (Datacenter Blueprint)
AAA Servers Overview
AAA servers are used with interface policies. AAA servers include the following details:
| Parameter | Description |
|---|---|
| Label | To identify the AAA server |
| Server Type |
|
| Hostname | |
| Auth Ports | |
| Accounting Port | optional |
From the blueprint, navigate to Staged > Catalog > AAA Servers to go to the AAA servers catalog. You can create, clone, edit, and delete AAA servers.
Create AAA Server
Edit AAA Server
Delete AAA Server
Configure AAA RADIUS Server
AAA RADIUS servers are configured outside of the software. The example below shows the files to configure for FreeRADIUS.
/etc/freeradius/clients.conf -- has credentials for each switch
client Arista-7280SR-48C6-1 {
shortname = Arista-7280SR-48C6-1
ipaddr = 172.20.191.10
secret = testing123
nastype = other
}/etc/freeradius/users -- has users and MAC addresses to authenticate. Tunnel-Private-Group-Id shows a dynamic VLAN ID, which is optional.
leaf1-server1 ClearText-Password := "password"
"52:54:00:37:d5:e1" Cleartext-Password := "52:54:00:37:d5:e1"
Tunnel-Type = VLAN,
Tunnel-Medium-Type = IEEE-802,
Tunnel-Private-Group-Id = "50"This example shows a simple credential; when you configure you may use any EAP method that both the client and RADIUS server support.
Configure Client Supplicant
Client supplicant is configured outside of the software. The following is an example for wpa_supplicant.
/etc/wpa_supplicant/aos_wpa_supplicant.conf
# Ansible managed
ctrl_interface=/var/run/wpa_supplicant
# Default version is 0 - ensure we're using modern protocols.
eapol_version=2
# Don't scan for wifi.
ap_scan=0
# Hosts will be configured to authenticate with usernames that match their
# Slicer DUT name, configured in radius_server playbook.
network={
key_mgmt=IEEE8021X
eap=TTLS MD5
identity="leaf1-server1"
anonymous_identity="leaf1-server1"
password="password"
phase1="auth=MD5"
phase2="auth=PAP password=password"
eapol_flags=0
}