Address multiple comments.

aristanetworks · Jul 9, 2024 · 9556189 · 9556189
1 parent e0891c1
commit 9556189
Show file tree

Hide file tree

Showing 12 changed files with 177 additions and 148 deletions.
diff --git a/...ta/avd/molecule/eos_cli_config_gen/documentation/devices/ethernet-interfaces.md b/...ta/avd/molecule/eos_cli_config_gen/documentation/devices/ethernet-interfaces.md
@@ -1025,6 +1025,7 @@ interface Ethernet70
    switchport
    dot1x aaa unresponsive phone action apply cached-results timeout 10 hours else traffic allow
    dot1x aaa unresponsive action traffic allow vlan 10
+   dot1x aaa unresponsive eap response success
    dot1x mac based access-list
 ```
 

diff --git a/...llections/arista/avd/molecule/eos_cli_config_gen/intended/configs/ethernet-interfaces.cfg b/...llections/arista/avd/molecule/eos_cli_config_gen/intended/configs/ethernet-interfaces.cfg
@@ -677,6 +677,7 @@ interface Ethernet70
    switchport
    dot1x aaa unresponsive phone action apply cached-results timeout 10 hours else traffic allow
    dot1x aaa unresponsive action traffic allow vlan 10
+   dot1x aaa unresponsive eap response success
    dot1x mac based access-list
 !
 interface Management1

diff --git a/ansible_collections/arista/avd/molecule/eos_cli_config_gen/inventory/host_vars/dot1x.yml b/ansible_collections/arista/avd/molecule/eos_cli_config_gen/inventory/host_vars/dot1x.yml
@@ -24,10 +24,9 @@ dot1x:
         apply_alternate: true
       recovery_action_reauthenticate: true
     accounting_update_interval: 6
-  mac_based_auth:
-    radius:
-      delimiter: colon
-      mac_string_letter_case: lowercase
+  mac_based_auth_radius:
+    delimiter: colon
+    mac_string_letter_case: lowercase
   captive_portal:
     enabled: true
     url: http://portal-nacm08/captiveredirect/

diff --git a/ansible_collections/arista/avd/roles/eos_cli_config_gen/docs/tables/dot1x.md b/ansible_collections/arista/avd/roles/eos_cli_config_gen/docs/tables/dot1x.md
@@ -15,10 +15,9 @@
     | [<samp>&nbsp;&nbsp;mac_based_authentication</samp>](## "dot1x.mac_based_authentication") | Dictionary |  |  |  |  |
     | [<samp>&nbsp;&nbsp;&nbsp;&nbsp;delay</samp>](## "dot1x.mac_based_authentication.delay") | Integer |  |  | Min: 0<br>Max: 300 |  |
     | [<samp>&nbsp;&nbsp;&nbsp;&nbsp;hold_period</samp>](## "dot1x.mac_based_authentication.hold_period") | Integer |  |  | Min: 1<br>Max: 300 |  |
-    | [<samp>&nbsp;&nbsp;mac_based_auth</samp>](## "dot1x.mac_based_auth") | Dictionary |  |  |  | Dot1x mac based auth. |
-    | [<samp>&nbsp;&nbsp;&nbsp;&nbsp;radius</samp>](## "dot1x.mac_based_auth.radius") | Dictionary |  |  |  | RADIUS parameters. |
-    | [<samp>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;delimiter</samp>](## "dot1x.mac_based_auth.radius.delimiter") | String |  |  | Valid Values:<br>- <code>colon</code><br>- <code>hyphen</code><br>- <code>none</code><br>- <code>period</code> | Delimiter to use in MAC address string. |
-    | [<samp>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;mac_string_letter_case</samp>](## "dot1x.mac_based_auth.radius.mac_string_letter_case") | String |  |  | Valid Values:<br>- <code>lowercase</code><br>- <code>uppercase</code> | MAC address string in lowercase/uppercase. |
+    | [<samp>&nbsp;&nbsp;mac_based_auth_radius</samp>](## "dot1x.mac_based_auth_radius") | Dictionary |  |  |  | Dot1x mac based RADIUS auth. |
+    | [<samp>&nbsp;&nbsp;&nbsp;&nbsp;delimiter</samp>](## "dot1x.mac_based_auth_radius.delimiter") | String |  |  | Valid Values:<br>- <code>colon</code><br>- <code>hyphen</code><br>- <code>none</code><br>- <code>period</code> | Delimiter to use in MAC address string. |
+    | [<samp>&nbsp;&nbsp;&nbsp;&nbsp;mac_string_letter_case</samp>](## "dot1x.mac_based_auth_radius.mac_string_letter_case") | String |  |  | Valid Values:<br>- <code>lowercase</code><br>- <code>uppercase</code> | MAC address string in lowercase/uppercase. |
     | [<samp>&nbsp;&nbsp;radius_av_pair</samp>](## "dot1x.radius_av_pair") | Dictionary |  |  |  |  |
     | [<samp>&nbsp;&nbsp;&nbsp;&nbsp;service_type</samp>](## "dot1x.radius_av_pair.service_type") | Boolean |  |  |  |  |
     | [<samp>&nbsp;&nbsp;&nbsp;&nbsp;framed_mtu</samp>](## "dot1x.radius_av_pair.framed_mtu") | Integer |  |  | Min: 68<br>Max: 9236 |  |
@@ -71,17 +70,14 @@
         delay: <int; 0-300>
         hold_period: <int; 1-300>
 
-      # Dot1x mac based auth.
-      mac_based_auth:
+      # Dot1x mac based RADIUS auth.
+      mac_based_auth_radius:
 
-        # RADIUS parameters.
-        radius:
+        # Delimiter to use in MAC address string.
+        delimiter: <str; "colon" | "hyphen" | "none" | "period">
 
-          # Delimiter to use in MAC address string.
-          delimiter: <str; "colon" | "hyphen" | "none" | "period">
-
-          # MAC address string in lowercase/uppercase.
-          mac_string_letter_case: <str; "lowercase" | "uppercase">
+        # MAC address string in lowercase/uppercase.
+        mac_string_letter_case: <str; "lowercase" | "uppercase">
       radius_av_pair:
         service_type: <bool>
         framed_mtu: <int; 68-9236>

diff --git a/...lections/arista/avd/roles/eos_cli_config_gen/docs/tables/ethernet-interfaces.md b/...lections/arista/avd/roles/eos_cli_config_gen/docs/tables/ethernet-interfaces.md
@@ -284,15 +284,16 @@
     | [<samp>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;timeout</samp>](## "ethernet_interfaces.[].dot1x.eapol.authentication_failure_fallback_mba.timeout") | Integer |  |  | Min: 0<br>Max: 65535 |  |
     | [<samp>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;aaa</samp>](## "ethernet_interfaces.[].dot1x.aaa") | Dictionary |  |  |  |  |
     | [<samp>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;unresponsive</samp>](## "ethernet_interfaces.[].dot1x.aaa.unresponsive") | Dictionary |  |  |  | Configure AAA timeout options. |
-    | [<samp>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;eap_response</samp>](## "ethernet_interfaces.[].dot1x.aaa.unresponsive.eap_response") | String |  |  | Valid Values:<br>- <code>success</code><br>- <code>disabled</code> | EAP response to send. |
-    | [<samp>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;action</samp>](## "ethernet_interfaces.[].dot1x.aaa.unresponsive.action") | Dictionary |  |  |  | Set action for supplicant when AAA times out. |
+    | [<samp>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;eap_response</samp>](## "ethernet_interfaces.[].dot1x.aaa.unresponsive.eap_response") | String |  |  | Valid Values:<br>- <code>success</code><br>- <code>disabled</code> | EAP response to send. EOS default is `success`. |
+    | [<samp>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;action</samp>](## "ethernet_interfaces.[].dot1x.aaa.unresponsive.action") | Dictionary |  |  |  |  |
     | [<samp>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;apply_cached_results</samp>](## "ethernet_interfaces.[].dot1x.aaa.unresponsive.action.apply_cached_results") | Boolean |  |  |  | Use results from a previous AAA response. |
     | [<samp>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;cached_results_timeout</samp>](## "ethernet_interfaces.[].dot1x.aaa.unresponsive.action.cached_results_timeout") | Dictionary |  |  |  |  |
     | [<samp>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;time_duration</samp>](## "ethernet_interfaces.[].dot1x.aaa.unresponsive.action.cached_results_timeout.time_duration") | Integer |  |  | Min: 1 | Enable caching for a specific duration -<br><1-10000>      duration in days<br><1-14400000>   duration in minutes<br><1-240000>     duration in hours<br><1-864000000>  duration in seconds |
     | [<samp>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;time_duration_unit</samp>](## "ethernet_interfaces.[].dot1x.aaa.unresponsive.action.cached_results_timeout.time_duration_unit") | String | Required |  | Valid Values:<br>- <code>days</code><br>- <code>hours</code><br>- <code>minutes</code><br>- <code>seconds</code> |  |
     | [<samp>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;apply_alternate</samp>](## "ethernet_interfaces.[].dot1x.aaa.unresponsive.action.apply_alternate") | Boolean |  |  |  | Apply alternate action if primary action fails.<br>eg. aaa unresponsive action apply cached-results else traffic allow |
     | [<samp>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;traffic_allow</samp>](## "ethernet_interfaces.[].dot1x.aaa.unresponsive.action.traffic_allow") | Boolean |  |  |  | Set action for supplicant traffic when AAA times out. |
     | [<samp>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;traffic_allow_vlan</samp>](## "ethernet_interfaces.[].dot1x.aaa.unresponsive.action.traffic_allow_vlan") | Integer |  |  | Min: 1<br>Max: 4094 |  |
+    | [<samp>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;traffic_allow_access_list</samp>](## "ethernet_interfaces.[].dot1x.aaa.unresponsive.action.traffic_allow_access_list") | String |  |  |  | Name of standard access-list to apply when AAA times out. |
     | [<samp>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;phone_action</samp>](## "ethernet_interfaces.[].dot1x.aaa.unresponsive.phone_action") | Dictionary |  |  |  | Set action for supplicant when AAA times out. |
     | [<samp>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;apply_cached_results</samp>](## "ethernet_interfaces.[].dot1x.aaa.unresponsive.phone_action.apply_cached_results") | Boolean |  |  |  | Use results from a previous AAA response. |
     | [<samp>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;cached_results_timeout</samp>](## "ethernet_interfaces.[].dot1x.aaa.unresponsive.phone_action.cached_results_timeout") | Dictionary |  |  |  |  |
@@ -928,10 +929,8 @@
             # Configure AAA timeout options.
             unresponsive:
 
-              # EAP response to send.
+              # EAP response to send. EOS default is `success`.
               eap_response: <str; "success" | "disabled">
-
-              # Set action for supplicant when AAA times out.
               action:
 
                 # Use results from a previous AAA response.
@@ -954,6 +953,9 @@
                 traffic_allow: <bool>
                 traffic_allow_vlan: <int; 1-4094>
 
+                # Name of standard access-list to apply when AAA times out.
+                traffic_allow_access_list: <str>
+
               # Set action for supplicant when AAA times out.
               phone_action:
 

diff --git a/python-avd/pyavd/_eos_cli_config_gen/j2templates/eos/dot1x.j2 b/python-avd/pyavd/_eos_cli_config_gen/j2templates/eos/dot1x.j2
@@ -20,7 +20,7 @@ dot1x dynamic-authorization
 {%     endif %}
 {%     if dot1x.mac_based_authentication is arista.avd.defined or dot1x.radius_av_pair is arista.avd.defined or
          dot1x.aaa.unresponsive is arista.avd.defined or dot1x.captive_portal is arista.avd.defined
-         or dot1x.supplicant is arista.avd.defined %}
+         or dot1x.supplicant is arista.avd.defined  or dot1x.mac_based_auth_radius is arista.avd.defined %}
 dot1x
 {%         for profile in dot1x.supplicant.profiles | arista.avd.natural_sort("name") %}
    supplicant profile {{ profile.name }}
@@ -99,8 +99,8 @@ dot1x
    radius av-pair framed-mtu {{ dot1x.radius_av_pair.framed_mtu }}
 {%             endif %}
 {%         endif %}
-{%         if dot1x.mac_based_auth.radius.delimiter is arista.avd.defined and dot1x.mac_based_auth.radius.mac_string_letter_case is arista.avd.defined %}
-   mac-based-auth radius av-pair user-name delimiter {{ dot1x.mac_based_auth.radius.delimiter }} {{ dot1x.mac_based_auth.radius.mac_string_letter_case }}
+{%         if dot1x.mac_based_auth_radius.delimiter is arista.avd.defined and dot1x.mac_based_auth_radius.mac_string_letter_case is arista.avd.defined %}
+   mac-based-auth radius av-pair user-name delimiter {{ dot1x.mac_based_auth_radius.delimiter }} {{ dot1x.mac_based_auth_radius.mac_string_letter_case }}
 {%         endif %}
 {%         if dot1x.supplicant.disconnect_cached_results_timeout is arista.avd.defined %}
    supplicant disconnect cached-results timeout {{ dot1x.supplicant.disconnect_cached_results_timeout }} seconds

diff --git a/python-avd/pyavd/_eos_cli_config_gen/j2templates/eos/ethernet-interfaces.j2 b/python-avd/pyavd/_eos_cli_config_gen/j2templates/eos/ethernet-interfaces.j2
@@ -234,7 +234,8 @@ interface {{ ethernet_interface.name }}
 {%                         set aaa_action_config = action.config %}
 {%                         if ethernet_interface.dot1x.aaa.unresponsive[action.name].apply_cached_results is arista.avd.defined(true) or
                               ethernet_interface.dot1x.aaa.unresponsive[action.name].traffic_allow is arista.avd.defined(true) or
-                              ethernet_interface.dot1x.aaa.unresponsive[action.name].traffic_allow_vlan is arista.avd.defined %}
+                              ethernet_interface.dot1x.aaa.unresponsive[action.name].traffic_allow_vlan is arista.avd.defined or
+                              ethernet_interface.dot1x.aaa.unresponsive[action.name].traffic_allow_access_list is arista.avd.defined %}
 {%                             if ethernet_interface.dot1x.aaa.unresponsive[action.name].apply_cached_results is arista.avd.defined(true) %}
 {%                                 set action_apply_config = "apply cached-results" %}
 {%                                 if ethernet_interface.dot1x.aaa.unresponsive[action.name].cached_results_timeout.time_duration is arista.avd.defined and ethernet_interface.dot1x.aaa.unresponsive[action.name].cached_results_timeout.time_duration_unit is arista.avd.defined %}
@@ -245,6 +246,8 @@ interface {{ ethernet_interface.name }}
 {%                                 set traffic = "traffic allow" %}
 {%                             elif ethernet_interface.dot1x.aaa.unresponsive[action.name].traffic_allow_vlan is arista.avd.defined %}
 {%                                 set traffic = "traffic allow vlan " ~ ethernet_interface.dot1x.aaa.unresponsive[action.name].traffic_allow_vlan %}
+{%                             elif ethernet_interface.dot1x.aaa.unresponsive[action.name].traffic_allow_access_list is arista.avd.defined %}
+{%                                 set traffic = "traffic allow access-list " ~ ethernet_interface.dot1x.aaa.unresponsive[action.name].traffic_allow_access_list %}
 {%                             endif %}
 {%                             if ethernet_interface.dot1x.aaa.unresponsive[action.name].apply_alternate is arista.avd.defined(true) and action_apply_config is arista.avd.defined and traffic is arista.avd.defined %}
 {%                                 set aaa_action_config = aaa_action_config ~ " " ~ action_apply_config ~ " else " ~ traffic %}
@@ -258,8 +261,8 @@ interface {{ ethernet_interface.name }}
 {%                     endif %}
 {%                 endfor %}
 {%             endif %}
-{%             if dot1x.aaa.unresponsive.eap_response is arista.avd.defined %}
-   {{ aaa_config }} eap response {{ dot1x.aaa.unresponsive.eap_response }}
+{%             if ethernet_interface.dot1x.aaa.unresponsive.eap_response is arista.avd.defined %}
+   {{ aaa_config }} eap response {{ ethernet_interface.dot1x.aaa.unresponsive.eap_response }}
 {%             endif %}
 {%         endif %}
 {%         if ethernet_interface.dot1x.reauthentication is arista.avd.defined(true) %}

diff --git a/python-avd/pyavd/_eos_cli_config_gen/schema/eos_cli_config_gen.jsonschema.json b/python-avd/pyavd/_eos_cli_config_gen/schema/eos_cli_config_gen.jsonschema.json
@@ -2264,47 +2264,36 @@
           },
           "title": "MAC Based Authentication"
         },
-        "mac_based_auth": {
+        "mac_based_auth_radius": {
           "type": "object",
-          "description": "Dot1x mac based auth.",
+          "description": "Dot1x mac based RADIUS auth.",
           "properties": {
-            "radius": {
-              "type": "object",
-              "description": "RADIUS parameters.",
-              "properties": {
-                "delimiter": {
-                  "type": "string",
-                  "description": "Delimiter to use in MAC address string.",
-                  "enum": [
-                    "colon",
-                    "hyphen",
-                    "none",
-                    "period"
-                  ],
-                  "title": "Delimiter"
-                },
-                "mac_string_letter_case": {
-                  "type": "string",
-                  "description": "MAC address string in lowercase/uppercase.",
-                  "enum": [
-                    "lowercase",
-                    "uppercase"
-                  ],
-                  "title": "MAC String Letter Case"
-                }
-              },
-              "additionalProperties": false,
-              "patternProperties": {
-                "^_.+$": {}
-              },
-              "title": "Radius"
+            "delimiter": {
+              "type": "string",
+              "description": "Delimiter to use in MAC address string.",
+              "enum": [
+                "colon",
+                "hyphen",
+                "none",
+                "period"
+              ],
+              "title": "Delimiter"
+            },
+            "mac_string_letter_case": {
+              "type": "string",
+              "description": "MAC address string in lowercase/uppercase.",
+              "enum": [
+                "lowercase",
+                "uppercase"
+              ],
+              "title": "MAC String Letter Case"
             }
           },
           "additionalProperties": false,
           "patternProperties": {
             "^_.+$": {}
           },
-          "title": "MAC Based Auth"
+          "title": "MAC Based Auth Radius"
         },
         "radius_av_pair": {
           "type": "object",
@@ -4767,7 +4756,7 @@
                     "properties": {
                       "eap_response": {
                         "type": "string",
-                        "description": "EAP response to send.",
+                        "description": "EAP response to send. EOS default is `success`.",
                         "enum": [
                           "success",
                           "disabled"
@@ -4776,7 +4765,6 @@
                       },
                       "action": {
                         "type": "object",
-                        "description": "Set action for supplicant when AAA times out.",
                         "properties": {
                           "apply_cached_results": {
                             "type": "boolean",
@@ -4827,6 +4815,11 @@
                             "minimum": 1,
                             "maximum": 4094,
                             "title": "Traffic Allow VLAN"
+                          },
+                          "traffic_allow_access_list": {
+                            "type": "string",
+                            "description": "Name of standard access-list to apply when AAA times out.",
+                            "title": "Traffic Allow Access List"
                           }
                         },
                         "additionalProperties": false,