AMLS-NM-000430 - The Arista Multilayer Switch must employ AAA service to centrally manage authentication settings - aaa policy on-failure
The use of authentication servers or other centralized management servers for providing centralized authentication services is required for network device management. Maintaining local administrator accounts for daily usage on each network device without centralized management is not scalable or feasible. Without centralized management, it is likely that credentials for some network devices will be forgotten, leading to delays in administration, which itself leads to delays in remediating production problems and in addressing compromises in a timely fashion.
Configure AAA services via a remote AAA server for all nonlocal accounts. Configuration: aaa group server [radius/tacacs] [name] [radius/tacacs]-server host [IP Address] vrf [name] key [key] aaa authentication login default group [group name] [radius/tacacs] [local] aaa authentication login console [group] [group name/radius/tacacs+] [local] aaa authentication dot1x default group [group] [radius] aaa authentication policy on-success log aaa authentication policy on-failure log aaa authorization console aaa authorization exec default [radius/tacacs] local aaa authorization commands all default local aaa accounting exec default start-stop logging aaa accounting system default start-stop logging aaa accounting commands all default start-stop logging no aaa root Example RBAC roles: role administrator 10 permit command .* role operator 10 permit command show running-config [all|detail] sanitized 20 deny command >|>>|extension|\||session|do|delete|copy|rmdir|mkdir|python-shell|bash|platform|scp|append|redirect|tee|more|less|who|show run.* 25 deny command bash 30 deny mode config command (no |default ) (username|role|aaa|tcpdump|schedule|event.*) 40 permit command .* 30 deny mode config command (no |default ) (username|role|aaa|tcpdump|schedule|event.*) 40 permit command .*