EFA users are validated with Unix authentication or LDAP and managed with Role-based Access Control (RBAC).
In addition, at installation time, starting with EFA 2.5.0, all EFA users of services such as MySQL and RabbitMQ are assigned random passwords that are stored in EFA configuration files. This satisfies the requirement to enforce the change of default passwords, and no two EFA installations share identical passwords.
For more information, see EFA RBAC Policy Enforcement and Assign and View EFA Roles.
Defining an authentication preference lets users configure multiple modes of authentication at once and check all of the configured modes at the same time.
Operational or maintenance tasks are propagated to SLX devices through OAuth2 and JWT access tokens. TLS is used for connections with SLX devices. The OpenStack ML2 plugin also uses TLS and OAuth2 tokens. When EFA is installed in secure mode, traffic to northbound interfaces uses TLS. For more information about secure mode, see the "EFA Installation Modes" topic in the Extreme Fabric Automation Deployment Guide, 3.1.0.
EFA is always installed in secure mode.
For CLI users, the auth preference configuration is available under efa auth authentication preference.
KVM:~$ efa auth authentication preference
Available Commands:
  add      Add the authentication preference
  update   Update the authentication preference
  delete   Delete the authentication preference
  show     show authentication preference
Show authentication preference:
KVM:~$ efa auth authentication preference show
+-----------+------------+------------+
| Auth Type | Identifier | Preference |
+-----------+------------+------------+
| HOST      | HOST       | 1          |
+-----------+------------+------------+
Add authentication preference:
KVM:~$ efa auth authentication preference add --authType=LOCAL --identifier=LOCAL --preference=3
Successfully updated the auth preference.
+-----------+------------+------------+
| Auth Type | Identifier | Preference |
+-----------+------------+------------+
| LOCAL     | LOCAL      | 3          |
+-----------+------------+------------+
Show authentication preference:
KVM:~$ efa auth authentication preference show
+-----------+------------+------------+
| Auth Type | Identifier | Preference |
+-----------+------------+------------+
| HOST      | HOST       | 1          |
+-----------+------------+------------+
| LOCAL     | LOCAL      | 3          |
+-----------+------------+------------+
Update authentication preference:
KVM:~$ efa auth authentication preference update --authType=LOCAL --identifier=LOCAL --preference=2
Successfully updated the auth preference.
+-----------+------------+------------+
| Auth Type | Identifier | Preference |
+-----------+------------+------------+
| LOCAL     | LOCAL      | 2          |
+-----------+------------+------------+
KVM:~$ efa auth authentication preference delete --authType=LOCAL --identifier=LOCAL
Add authentication preference for TACACS authentication:
efa auth authentication preference add --authType=TACACS --identifier=10.37.135.12 --preference=3
Successfully added the auth preference.
+-----------+--------------+------------+
| Auth Type | Identifier   | Preference |
+-----------+--------------+------------+
| TACACS    | 10.37.135.12 | 3          |
+-----------+--------------+------------+
efa auth authentication preference add --authType=LDAP --identifier=kvm12.com --preference=4
Successfully added the auth preference.
Add authentication preference for LDAP authentication:
efa auth authentication preference add --authType=LDAP --identifier=kvm12.com --preference=4
Successfully added the auth preference.
+-----------+------------+------------+
| Auth Type | Identifier | Preference |
+-----------+------------+------------+
| LDAP      | kvm12.com  | 4          |
+-----------+------------+------------+
Show authentication preference:
efa auth authentication preference show
+-----------+--------------+------------+
| Auth Type | Identifier   | Preference |
+-----------+--------------+------------+
| HOST      | HOST         | 1          |
+-----------+--------------+------------+
| LOCAL     | LOCAL        | 2          |
+-----------+--------------+------------+
| TACACS    | 10.37.135.12 | 3          |
+-----------+--------------+------------+
| LDAP      | kvm12.com    | 4          |
+-----------+--------------+------------+
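Added example (not part of the Extreme documentation or of EFA itself): a Python check that parses the table printed by efa auth authentication preference show and reports any drift from an approved baseline, so that an unexpected authentication source or a reordered preference is noticed. The function names and the baseline are assumptions for illustration; the sample table is the last show output on this page.

```python
# Added example: audit authentication preferences against an approved baseline.
# SAMPLE_SHOW_OUTPUT is copied from this page; function names and baseline are hypothetical.
SAMPLE_SHOW_OUTPUT = """\
+-----------+--------------+------------+
| Auth Type | Identifier   | Preference |
+-----------+--------------+------------+
| HOST      | HOST         | 1          |
+-----------+--------------+------------+
| LOCAL     | LOCAL        | 2          |
+-----------+--------------+------------+
| TACACS    | 10.37.135.12 | 3          |
+-----------+--------------+------------+
| LDAP      | kvm12.com    | 4          |
+-----------+--------------+------------+
"""

def parse_preferences(text):
    """Return [(auth_type, identifier, preference), ...] sorted by preference number."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("|"):
            continue  # border lines, prompts and status messages
        cells = [c.strip() for c in line.strip("|").split("|")]
        if len(cells) != 3 or not cells[2].isdigit():
            continue  # header row or malformed row
        rows.append((cells[0], cells[1], int(cells[2])))
    return sorted(rows, key=lambda r: r[2])

def audit(current, baseline):
    """Compare parsed rows with the approved baseline and return a list of findings."""
    findings = []
    cur = {(t, i): p for t, i, p in current}
    base = {(t, i): p for t, i, p in baseline}
    for key in sorted(cur.keys() - base.keys()):
        findings.append(f"unapproved source {key[0]}/{key[1]} at preference {cur[key]}")
    for key in sorted(base.keys() - cur.keys()):
        findings.append(f"approved source {key[0]}/{key[1]} is missing")
    for key in sorted(cur.keys() & base.keys()):
        if cur[key] != base[key]:
            findings.append(f"{key[0]}/{key[1]} preference changed {base[key]} -> {cur[key]}")
    return findings

if __name__ == "__main__":
    baseline = [("HOST", "HOST", 1), ("LOCAL", "LOCAL", 2), ("LDAP", "kvm12.com", 4)]
    for finding in audit(parse_preferences(SAMPLE_SHOW_OUTPUT), baseline):
        print(finding)
```

In practice the text would come from the captured output of the show command, and the baseline from the approved configuration record.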
After EFA is deployed, the installer has the role of SystemAdmin and has complete access to EFA functionality. For installation on TPVM, this user has the user name 'extreme'. By default, no other host OS users can access EFA unless the SystemAdmin assigns the appropriate roles. RBAC occurs on EFA and API.