EFA User Authentication and Authorization

EFA users are validated with Unix authentication or LDAP and managed with Role-based Access Control (RBAC).

In addition, at installation time, starting with EFA 2.5.0, all EFA users of services such as MySQL and RabbitMQ are assigned random passwords that are stored in EFA configuration files. This satisfies the requirement to enforce the change of default passwords, and no two EFA installations share identical passwords.

For more information, see EFA RBAC Policy Enforcement and Assign and View EFA Roles.

Authentication

EFA validates users and their credentials with the following mechanisms:
  • Unix authentication (local and remote) on the host where EFA is installed. Host credentials are the default validation method if LDAP validation fails.
  • External LDAP server: Users configured in LDAP use their LDAP credentials to log in to EFA.
  • Authentication support:
    1. Unix authentication
    2. Local users -- Users created in EFA and stored in the database
    3. External authentication
      1. LDAP
      2. TACACS

    With this structure, all modes of authentication can be checked at the same time. Define the authentication preference to configure multiple modes of authentication at once.

[Figure: LDAP authentication example]

Operational or maintenance tasks are propagated to SLX devices through OAuth2 and JWT access tokens. TLS is used for connections with SLX devices. The OpenStack ML2 plugin also uses TLS and OAuth2 tokens. When EFA is installed in secure mode, traffic to northbound interfaces uses TLS. For more information about secure mode, see the "EFA Installation Modes" topic in the Extreme Fabric Automation Deployment Guide, 3.1.0.

EFA is always installed in secure mode.

Authentication Policy CLI configuration

For CLI users, the auth preference configuration is available under efa auth authentication preference.

KVM:~$ efa auth authentication preference

Available Commands:
  add         Add the authentication preference
  update      Update the authentication preference
  delete      Delete the authentication preference
  show        show authentication preference

Show authentication preference:

KVM:~$ efa auth authentication preference show
+-----------+------------+------------+
| Auth Type | Identifier | Preference |
+-----------+------------+------------+
| HOST      | HOST       | 1          |
+-----------+------------+------------+

Add authentication preference:

KVM:~$ efa auth authentication preference add --authType=LOCAL --identifier=LOCAL --preference=3
Successfully updated the auth preference.

+-----------+------------+------------+
| Auth Type | Identifier | Preference |
+-----------+------------+------------+
| LOCAL     | LOCAL      | 3          |
+-----------+------------+------------+

Show authentication preference:

KVM:~$ efa auth authentication preference show
+-----------+------------+------------+
| Auth Type | Identifier | Preference |
+-----------+------------+------------+
| HOST      | HOST       | 1          |
+-----------+------------+------------+
| LOCAL     | LOCAL      | 3          |
+-----------+------------+------------+

Update authentication preference:

KVM:~$ efa auth authentication preference update --authType=LOCAL --identifier=LOCAL --preference=2
Successfully updated the auth preference.

+-----------+------------+------------+
| Auth Type | Identifier | Preference |
+-----------+------------+------------+
| LOCAL     | LOCAL      | 2          |
+-----------+------------+------------+

Delete authentication preference:

KVM:~$ efa auth authentication preference delete --authType=LOCAL --identifier=LOCAL

Add authentication preference for TACACS authentication:

efa auth authentication preference add --authType=TACACS --identifier=10.37.135.12 --preference=3
Successfully added the auth preference.

+-----------+--------------+------------+
| Auth Type | Identifier   | Preference |
+-----------+--------------+------------+
| TACACS    | 10.37.135.12 | 3          |
+-----------+--------------+------------+

Add authentication preference for LDAP authentication:

efa auth authentication preference add --authType=LDAP --identifier=kvm12.com --preference=4
Successfully added the auth preference.

+-----------+------------+------------+
| Auth Type | Identifier | Preference |
+-----------+------------+------------+
| LDAP      | kvm12.com  | 4          |
+-----------+------------+------------+

Show authentication preference:

efa auth authentication preference show
+-----------+--------------+------------+
| Auth Type | Identifier   | Preference |
+-----------+--------------+------------+
| HOST      | HOST         | 1          |
+-----------+--------------+------------+
| LOCAL     | LOCAL        | 2          |
+-----------+--------------+------------+
| TACACS    | 10.37.135.12 | 3          |
+-----------+--------------+------------+
| LDAP      | kvm12.com    | 4          |
+-----------+--------------+------------+
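As an added example (not EFA's own code), the following Python models the preference-ordered authentication chain described under Authentication and replays the add, update, delete and show sequence from the CLI session above. The credential stores, passwords, the always-rejecting TACACS server and the rule that the lowest preference number is consulted first are assumptions made for this model.

```python
from typing import Callable, Dict, List, Optional, Tuple

Backend = Callable[[str, str], bool]  # (user, password) -> accepted?

class AuthPreferenceChain:
    def __init__(self) -> None:
        self.prefs: Dict[Tuple[str, str], int] = {}  # (authType, identifier) -> preference
        self.backends: Dict[Tuple[str, str], Backend] = {}

    def add(self, auth_type: str, ident: str, pref: int, backend: Backend) -> None:
        key = (auth_type, ident)
        if key in self.prefs:
            raise ValueError(f"{auth_type}/{ident} exists; use update")
        self.prefs[key], self.backends[key] = pref, backend

    def update(self, auth_type: str, ident: str, pref: int) -> None:
        if (auth_type, ident) not in self.prefs:
            raise KeyError((auth_type, ident))
        self.prefs[(auth_type, ident)] = pref

    def delete(self, auth_type: str, ident: str) -> None:
        del self.prefs[(auth_type, ident)], self.backends[(auth_type, ident)]

    def order(self) -> List[Tuple[str, str]]:
        # Assumed ordering: the lowest preference number is consulted first.
        return sorted(self.prefs, key=self.prefs.__getitem__)

    def authenticate(self, user: str, password: str) -> Optional[str]:
        # Walk the chain in preference order; the first backend that accepts
        # wins. None means every configured source rejected the credentials.
        for auth_type, ident in self.order():
            if self.backends[(auth_type, ident)](user, password):
                return f"{auth_type}/{ident}"
        return None

# Constructed credential stores standing in for the HOST, LOCAL and LDAP sources.
HOST_USERS, LOCAL_USERS, LDAP_USERS = {"extreme": "host-pw"}, {"ops": "local-pw"}, {"alice": "ldap-pw"}

def store_lookup(store: Dict[str, str]) -> Backend:
    return lambda user, password: store.get(user) == password

def build_chain() -> AuthPreferenceChain:
    """Replays the page's CLI sequence; TACACS models a server that rejects everyone."""
    chain = AuthPreferenceChain()
    chain.add("HOST", "HOST", 1, store_lookup(HOST_USERS))
    chain.add("LOCAL", "LOCAL", 3, store_lookup(LOCAL_USERS))
    chain.update("LOCAL", "LOCAL", 2)
    chain.add("TACACS", "10.37.135.12", 3, lambda user, password: False)
    chain.add("LDAP", "kvm12.com", 4, store_lookup(LDAP_USERS))
    return chain
```

Returning the accepting source rather than a bare boolean is what lets a login audit record which backend validated each session.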

Authorization

After EFA is deployed, the installer has the role of SystemAdmin and has complete access to EFA functionality. For installation on TPVM, this user has the user name 'extreme'. By default, no other host OS users can access EFA unless the SystemAdmin assigns the appropriate roles. RBAC is enforced in both EFA and its API.