Credentials and Profiles

You must have switch access credentials to install and upgrade software on a switch. These user authentication credentials are stored in NetQ as access profiles. The profiles must be applied to a switch before you can upgrade or install software.

Access Profiles

Authentication credentials are stored in access profiles, which can be assigned to individual switches. You can create credentials with either basic (SSH username/password) or SSH (public/private key) authentication. This section describes how to create, edit, and delete access profiles. After you create a profile, attach it to individual switches so that you can perform upgrades on those switches.

By default, NVIDIA supplies an access profile called Netq-Default. You must create a new access profile or update the default profile with unique credentials to perform upgrades and other lifecycle management tasks. You cannot delete the default profile.

Create Access Profiles

  1. Expand the Menu and select Manage switches.

  2. On the Access Profiles card, select Add profile.

  3. Enter a name for the profile, then select the authentication method you want to use: SSH or Basic.

If you select SSH:

The SSH user must have sudoer permission to configure switches when using the SSH key method. To provide sudo access to the SSH user on a switch, create a file in the /etc/sudoers.d/ directory with the following content. Replace <USER> with the SSH access profile username:

    "<USER>" ALL=(ALL) NOPASSWD: ALL

  1. Create a pair of SSH private and public keys on the NetQ appliance:

    ssh-keygen -t rsa -C "<USER>"

When prompted, press the Enter/Return key.

  2. Copy the SSH public key to each switch that you want to upgrade using one of the following methods:

    • Manually copy the SSH public key to the /home/<USER>/.ssh/authorized_keys file on each switch, or
    • Run ssh-copy-id USER@<switch_ip> on the server where you generated the SSH key pair for each switch

  3. Copy the SSH private key into the entry field.

For security, your private key is stored in an encrypted format, and only provided to internal processes while encrypted.

  4. (Optional) To verify that the new profile is listed among available profiles, select View profiles from the Access Profiles card.

  5. (Optional) Attach the profile to a switch so that you can perform upgrades.

If you select Basic:

  1. Enter a username and password.

  2. Click Create, then confirm.

  3. (Optional) To verify that the new profile is listed among available profiles, select View profiles from the Access Profiles card.

  4. (Optional) Attach the profile to a switch so that you can perform upgrades.

To configure basic authentication, run:

cumulus@netq-server:~$ netq lcm add credentials profile_name NEWPROFILE username cumulus password cumulus

Specify a unique name for the configuration after profile_name.

The default credentials for Cumulus Linux have changed from cumulus/CumulusLinux! to cumulus/cumulus for releases 4.2 and later. For details, read Cumulus Linux User Accounts.

To configure SSH authentication using a public/private key:

You must have sudoer permission to properly configure switches when using the SSH key method.

  1. If the keys do not yet exist, create a pair of SSH private and public keys on the NetQ appliance.

    ssh-keygen -t rsa -C "<USER>"
    

When prompted, hit the enter/return key.

  2. Copy the SSH public key to each switch that you want to upgrade using one of the following methods:

    • Manually copy the SSH public key to the /home/<USER>/.ssh/authorized_keys file on each switch, or
    • Run ssh-copy-id USER@<switch_ip> on the server where you generated the SSH key pair for each switch

  3. Add these credentials to the switch. Specify a unique name for the configuration after profile_name.

    cumulus@netq-server:~$ netq lcm add credentials profile_name NEWPROFILE username <USERNAME> ssh-key PUBLIC_SSH_KEY
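
The sudoers rule that the SSH key method requires can be installed on a switch as a drop-in file as follows. This is an added example, not NVIDIA's code: it validates the username, avoids a file name that sudo would silently skip, and checks the syntax before the rule goes live. The function name install_netq_sudoers and the netq-lcm- file prefix are hypothetical, and the function assumes it runs as root on the switch.

```shell
# Added example: install the NOPASSWD rule from this page as a sudoers drop-in.
# install_netq_sudoers and the "netq-lcm-" file prefix are hypothetical names.
# Usage (as root on the switch): install_netq_sudoers <USER>
install_netq_sudoers() {
  user=$1
  dir=${2:-/etc/sudoers.d}
  # Accept only a plain account name so nothing else can reach the sudoers line.
  case $user in
    ''|-*|*[!A-Za-z0-9._-]*) echo "refusing username: $user" >&2; return 1 ;;
  esac
  # sudo skips files in sudoers.d whose name contains "." or ends in "~",
  # so the file name must not copy a dotted username such as netq.svc.
  dest=$dir/netq-lcm-$(printf '%s' "$user" | tr . _)
  tmp=$dest.tmp                      # the "." keeps sudo from reading the draft
  ( umask 337; printf '%s ALL=(ALL) NOPASSWD: ALL\n' "$user" > "$tmp" ) || return 1
  # Check the syntax before the rule goes live; a broken drop-in can disable sudo.
  if command -v visudo >/dev/null 2>&1 && ! visudo -cf "$tmp" >/dev/null 2>&1; then
    rm -f "$tmp"
    return 1
  fi
  # Mode 0440 is what sudo expects for sudoers files; print the installed path.
  chmod 0440 "$tmp" && mv "$tmp" "$dest" && printf '%s\n' "$dest"
}
```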
    

Edit Access Profiles

  1. Expand the Menu and select Manage switches.

  2. On the Access Profiles card, select View profiles.

  3. Select the profile you’d like to edit. Then select Edit above the table.

  4. Make your changes, then click Update.

The syntax for editing access profiles is:

cumulus@netq-server:~$ netq lcm edit credentials 
    profile_id <text-switch-profile-id> 
    [profile_name <text-switch-profile-name>] 
    [auth-type <text-switch-auth-type>] 
    [username <text-switch-username>] 
    [password <text-switch-password> | ssh-key <text-ssh-key>]

Run netq lcm show credentials to obtain the profile ID. See the command line reference for further details.

To configure SSH authentication using a public/private key (requires sudoer permission):

  1. If the new keys do not yet exist, create a pair of SSH private and public keys:

    ssh-keygen -t rsa -C "<USER>"
    
  2. Copy the SSH public key to each switch that you want to upgrade using one of the following methods:

    • Manually copy the SSH public key to the /home/<USER>/.ssh/authorized_keys file on each switch, or
    • Run ssh-copy-id USER@<switch_ip> on the server where you generated the SSH key pair for each switch

  3. Add these new credentials to the switch:

    cumulus@netq-server:~$ netq lcm edit credentials profile_id <text-switch-profile-id> ssh-key PUBLIC_SSH_KEY
    

Delete Access Profiles

You cannot delete a profile that is currently attached to a switch. You must attach a different profile to the switch first. Note that you cannot delete the Netq-Default profile (but you can edit it).

  1. On the Access Profiles card, select View profiles.

  2. From the list of profiles, select Delete in the profile’s row.

The delete icon only appears next to custom profiles that are not attached to a switch.

  3. Select Remove.

To delete a profile using the NetQ CLI:

  1. Run netq lcm show credentials. Identify the profiles you’d like to delete and copy their identifiers from the Profile ID column. The following example deletes the n-1000 profile:
cumulus@netq-server:~$ netq lcm show credentials
Profile ID           Profile Name             Type             SSH Key        Username         Password         Number of switches                   Last Changed
-------------------- ------------------------ ---------------- -------------- ---------------- ---------------- ------------------------------------ -------------------------
credential_profile_d Netq-Default             BASIC                           cumulus          **************   11                                   Fri Feb  3 18:20:33 2023
9e875bd2e6784617b304
c20090ce28ff2bb46a4b
9bf23cda98f1bdf91128
5c9
credential_profile_3 n-1000                   BASIC                           admin            **************   0                                    Fri Feb  3 21:49:10 2023
eddab251bddea9653df7
cd1be0fc123c5d7a42f8
18b68134e42858e54a9c
289
  2. Run netq lcm del credentials profile_ids <text-credential-profile-ids>:
cumulus@netq-server:~$ netq lcm del credentials profile_ids credential_profile_3eddab251bddea9653df7cd1be0fc123c5d7a42f818b68134e42858e54a9c289
  3. Verify that the profile is deleted with netq lcm show credentials.
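
In the table above, each Profile ID wraps across several rows, so it has to be reassembled before it can be passed to netq lcm del credentials. The script below is an added example, not part of NetQ: it rebuilds the full IDs from the table and lists the profiles this section allows you to delete. The function names are hypothetical, and the parser assumes the column layout shown in the example output.

```shell
# Added example: rebuild the wrapped Profile ID values in the table printed by
# `netq lcm show credentials`. Function names are hypothetical, not NetQ commands.

# Sample table built to the column widths shown on this page; the two
# profiles and their IDs are the ones in the page's example output.
sample_output() {
  d='------------------------------------------------'  # longer than any column
  fmt='%-20s %-24s %-16s %-14s %-16s %-16s %-36s %s\n'
  printf "$fmt" 'Profile ID' 'Profile Name' Type 'SSH Key' Username Password \
    'Number of switches' 'Last Changed'
  printf '%.20s %.24s %.16s %.14s %.16s %.16s %.36s %.25s\n' \
    "$d" "$d" "$d" "$d" "$d" "$d" "$d" "$d"
  printf "$fmt" credential_profile_d Netq-Default BASIC '' cumulus \
    '**************' 11 'Fri Feb  3 18:20:33 2023'
  printf '%s\n' 9e875bd2e6784617b304 c20090ce28ff2bb46a4b 9bf23cda98f1bdf91128 5c9
  printf "$fmt" credential_profile_3 n-1000 BASIC '' admin \
    '**************' 0 'Fri Feb  3 21:49:10 2023'
  printf '%s\n' eddab251bddea9653df7 cd1be0fc123c5d7a42f8 18b68134e42858e54a9c 289
}

# Print one TAB-separated row per profile: full ID, name, type, username, switch count.
parse_profiles() {
  awk '
    function col(i,  s) { s = substr($0, start[i], len[i]); gsub(/^ +| +$/, "", s); return s }
    !ncol && /^-+( +-+)+ *$/ {           # the ruler row fixes the column offsets
      s = $0; off = 0
      while (match(s, /-+/)) {
        ncol++; start[ncol] = off + RSTART; len[ncol] = RLENGTH
        off += RSTART + RLENGTH - 1; s = substr(s, RSTART + RLENGTH)
      }
      next
    }
    !ncol || /^ *$/ { next }             # prompt, header and blank lines
    col(3) == "" {                       # no Type value: a wrapped fragment
      id[n] = id[n] col(1); name[n] = name[n] col(2); next
    }
    { n++; id[n] = col(1); name[n] = col(2); type[n] = col(3); user[n] = col(5); cnt[n] = col(7) }
    END { for (i = 1; i <= n; i++) print id[i] "\t" name[i] "\t" type[i] "\t" user[i] "\t" cnt[i] }
  '
}

# IDs that can be passed to `netq lcm del credentials profile_ids`: per this page,
# a profile attached to a switch and the Netq-Default profile cannot be deleted.
deletable_profile_ids() {
  parse_profiles | awk -F '\t' '$5 == 0 && $2 != "Netq-Default" { print $1 }'
}

sample_output | deletable_profile_ids
```

On a NetQ server, pipe the live table into the same function: netq lcm show credentials | deletable_profile_ids.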

View Access Profiles

You can view the type of credentials used to access your switches in the NetQ UI. You can view the details of the credentials using the NetQ CLI.

  1. Open the LCM dashboard.

  2. On the Access Profiles card, select View profiles.

To view a list of access profiles and their associated credentials, run netq lcm show credentials.

If you use an SSH key for the credentials, the public key appears in the command output.

If you use a username and password for the credentials, the username appears in the command output with the password masked.

Attach an Access Profile to a Switch

NetQ uses access profiles to store user authentication credentials. After creating an access profile from your credentials, you can attach a profile to one or multiple switches.

  1. Expand the Menu and select Manage switches. On the Switches card, select Manage.

  2. The table displays a list of switches. The Access type column specifies whether the type of authentication is basic or SSH. The Profile name column displays the access profile that is assigned to the switch.

Select the switches to which you’d like to assign access profiles, then select Manage access profile above the table.

  3. Select the profile from the list, then click Apply. If the profile you want to use isn’t listed, select Add new profile and follow the steps to create an access profile.

  4. Select Ok on the confirmation dialog. The updated access profiles are now reflected in the Profile name column.

The command syntax to attach a profile to a switch is:

netq lcm attach credentials 
    profile_id <text-switch-profile-id> 
    hostnames <text-switch-hostnames>
  1. Run netq lcm show credentials to display a list of access profiles. Note the profile ID that you’d like to assign to a switch.

  2. Run netq lcm show switches to display a list of switches. Note the hostname of the switch(es) you’d like to attach a profile to.

  3. Next, attach the credentials to the switch:

netq lcm attach credentials profile_id credential_profile_3eddab251bddea9653df7cd1be0fc123c5d7a42f818b68134e42858e54a9c289 hostnames tor-1,tor-2
Attached profile to switch(es).
  4. Run netq lcm show switches and verify the change in the credential profile column.

Reassign or Detach an Access Profile

Detaching a profile from a switch restores it to the default access profile, Netq-Default.

  1. On the Switches card, click Manage.

  2. From the table of switches, locate the switch whose access profile you’d like to manage. Hover over the access type column and select Manage access.

  3. To assign a different access profile to the switch, select it from the list. To detach the access profile, select Detach.

After you detach the profile from the switch, NetQ reassigns it to the Netq-Default profile.

The syntax for the detach command is netq lcm detach credentials hostname <text-switch-hostname>.

  1. To obtain a list of hostnames, run netq lcm show switches.

  2. Detach the access profile and specify the hostname. The following example detaches spine-1 from its assigned access profile:

cumulus@switch:~$ netq lcm detach credentials hostname spine-1
Detached profile from switch.
  3. Run netq lcm show switches and verify the change in the credential profile column.