Breaking the how to in to two documents

sushantjrao · sushantjrao · commit 863f3252df37 · 2024-11-13T22:41:46.000+05:30
diff --git a/articles/operator-nexus/TOC.yml b/articles/operator-nexus/TOC.yml
@@ -193,6 +193,8 @@
             href: howto-upgrade-nexus-fabric.md
           - name: How to setup break glass access
             href: howto-setup-break-glass-access-.md
+          - name: How to use-break-glass-access.md
+            href: howto-use-break-glass-access.md
           - name: How to enable-Micro-BFD on CE and PE devices.md
             href: howto-enable-micro-bfd.md
     - name: Cluster
diff --git a/articles/operator-nexus/howto-setup-break-glass-access-.md b/articles/operator-nexus/howto-setup-break-glass-access-.md
@@ -21,13 +21,30 @@ For Network Fabric environments, the current break-glass model, known as Method
 
 - **Enhanced security**: Unauthorized access attempts are logged for audit and investigation purposes.
 
-## Prerequisites for upgrading or installing runtime version 4.0.0
+## FIDO2 token 
 
-With the installation or upgrade to Runtime Fabric version 4.0.0, **MethodDV2.0** is enabled by default, enhancing security for BreakGlass access on on-premises network devices. Follow these steps to ensure secure and effective access control.
+In the Method D v2.0 model, break-glass users are issued a FIDO2 token to create and upload a public key linked to their Entra identity. This provides secure SSH access to Fabric devices. Entra RBAC manages authorization, allowing administrators to assign appropriate access levels to users or teams.
 
-### Step 1: Register NexusIdentity Resource Provider
+For offline accessibility, usernames, public keys, and permissions are pre-provisioned on all Fabric devices, allowing break-glass SSH login without requiring an active Azure connection.
 
-Customers must register the **Microsoft.NexusIdentity** user resource provider on their subscription.
+Each FIDO2 token serves as a physical USB device, typically with a fingerprint reader, offering unphishable, multi-factor authentication through user presence and PIN verification.
+
+## Method D v2.0 setup and operations
+
+This guide is divided into two sections 
+
+1.	**MethodDV2 infrastructure setup** - Mandatory for both existing and new NF deployments running Runtime Fabric version 4.0.0. 
+
+2. [**Using MethodDV2 breakglass access**](howto-use-break-glass-access.md))
+
+
+### MethodDV2 infrastructure setup
+
+This guide provides an overview of the mandatory infrastructure setup for both existng and new environments using NF Runtime version 4.0.0.
+
+#### Step 1: Register NexusIdentity Resource Provider
+
+Register the **Microsoft.NexusIdentity** resource provider. 
 
 1. Register the resource provider:
 
@@ -43,121 +60,50 @@ Customers must register the **Microsoft.NexusIdentity** user resource provider o
 
    The registration status should display as **"Registered"**.
 
-### Step 2: Assign necessary permissions for Network Fabric access
+#### Step 2: Assign necessary permissions for Network Fabric access
 
-As part of the **Secure Future Initiative (SFI)**, **On-Behalf-Of (OBO) tokens** are now required to grant access to customer resources. This token provides **reader permissions** to Microsoft’s 1P service for the Network Fabric instance, allowing access to NNF built-in roles assigned to BreakGlass users. Assign the following permissions to the end-user for Create, Read, Update, and Delete (CRUD) operations on Network Fabric (NF) resources.
+As part of the **Secure Future Initiative (SFI)**, **On-Behalf-Of (OBO) tokens** are now required to grant access to customer resources. This token grants NexusIdentity permissions scoped at the subscription, resource group, or network fabric level to enable **read access** to Network Fabric role assignments. The following role permissions should be assigned to end users or groups responsible for NF create, NF upgrade, and NF delete operations. These permissions can be granted temporarily, limited to the duration required to perform these operations.
 
-#### Required permissions
+##### Required permissions
 
-1. `Microsoft.NexusIdentity/identitySets/read`
-2. `Microsoft.NexusIdentity/identitySets/write`
-3. `Microsoft.NexusIdentity/identitySets/delete`
+1. Microsoft.NexusIdentity/identitySets/read
+2. Microsoft.NexusIdentity/identitySets/write
+3. Microsoft.NexusIdentity/identitySets/delete
 
-#### Configure Azure RBAC for NexusIdentityRP
+
+##### Configure Azure RBAC for Network Fabric Runtime version 4.0.0
 
 1. Under **Privileged Administrator Roles**, select **Azure RBAC Administrator** as the built-in role and click **Next**.
 
    :::image type="content" source="media/breakglass-role-assignment.png" alt-text="Screenshot of adding role-assignment":::
 
-2. In the **Members** tab, add **NexusIdentityRP** with the following details:
-
-   - **Object ID:** `71949d44-2def-42f7-b10b-993a3f952347`
-
-   - **Type:** `App`
+2. In the **Members** tab, add the identity of the user or security group responsible for performing NF create, update, and delete operations.
    
    :::image type="content" source="media/breakglass-add-member-nexusidenitityrp.png" alt-text="Screenshot of adding member to role assignment":::
 
 3. In the **Conditions** tab, select "Allow users to only assign selected roles to selected principals (fewer privileges).
 
    :::image type="content" source="media/breakglass-conditions-roles-assignment.png" alt-text="Screenshot of adding member to role assignment":::
 
-3. Edit Conditions then assign:
+   -  Select Constrain roles and principals and click Configure, 
 
-   - **Role:** Reader
+   - Select the following parameters:
 
-   - **Principal:** NexusIdentityRP
+      **Role:** Reader
+      
+      **Principal:** NexusIdentityRP
 
 :::image type="content" source="media/breakglass-constrain-roles-principals.png" alt-text="Screenshot of adding roles and principals":::
 
-4. Click **Save** to finalize the configuration.
-
-### Deployment scenario permissions
-
-- **New deployment scenarios:** Grant constrained delegated permissions at the **resource group scope**.
-
-- **Existing deployment scenarios:** Grant constrained delegated permissions at the **Network Fabric scope**.
-
->[!NOTE] These steps are required for creating, deleting, or upgrading Network Fabric to runtime version 4.0.0, even if MethodDV2.0 is not utilized. Failure to complete these steps will cause CRUD operations to fail.
-
-#### Additional Prerequisites for Method DV2.0
-
-To use Method DV2.0, complete the following setup steps on the end-user machine:
-
-1. **Python requirement**  
-
-   Ensure that Python version 3.11 is installed on the end-user machine.
-
-2. **Azure CLI requirement**  
-
-   - If Azure CLI is not installed, download and install the latest 64-bit MSI installer.
-
-   - If Azure CLI is already installed, upgrade to version 2.61 or higher.
-
-   > [!NOTE]
-   > Only the 64-bit Azure CLI installer is supported, as certain Python packages required by Method DV2.0 are incompatible with the 32-bit version.
-
-## Setting Up Method D v2.0 for break-glass access
-
-### Step 1: Configure FIDO-2 token and register the public key in Microsoft Entra
-
-To set up secure access, users need a FIDO-2 hardware token, which provides unphishable multi-factor authentication using both a fingerprint and a personal PIN.
-
-1. **Connect the FIDO-2 token**: Insert the FIDO-2 token into your computer.
-
-2. **Run the AZ CLI command**: Log in to your Azure account and execute the following command:
-
-   ```Azure CLI
-   az nexusidentity gen-keys
-   ```
-   This command, available from Azure CLI 2.65.0, detects the attached hardware token, prompts for a fingerprint scan and PIN, and stores the public key in your Entra account.
-
-> [!NOTE] 
-> Re-run this command anytime you need to refresh your break-glass credentials.
-
-### Step 2: Assign break-lgass permissions to a Network Fabric instance
-
-With assistance from Microsoft, customer administrators can assign one of two roles scoped to a specific Network Fabric instance:
-
-- **Nexus Network Fabric Service reader**: Allows users to view configuration but restricts access to modification commands.
-
-- **Nexus Network Fabric Service writer**: Provides permission to modify the running configuration.
-
-These roles match permissions provided under the TelcoRO and TelcoRW accounts in Method D v1.5.
-
-After assigning read or write access, usernames and public keys are synced across all devices within the instance. This sync occurs within a four-hour window or can be triggered immediately by running a Nexus Network Fabric reconcile operation.
-
-### Day-to-day break-glass access workflow
-
-To log into a Fabric device:
-
-1. **Connect FIDO-2 token**: Ensure the FIDO-2 token is plugged into your computer.
-
-2. **Log In with SSH**: Use one of the following methods:
-
-   - **Direct SSH access with jump host**:
-
-     ```bash
-     ssh -J JumpBoxUsername@JumpBoxIp EntraUsername@FabricDeviceIP
-     ```
+4. Click Review + Assign to finalize the configuration.
 
-> [!NOTE] 
-> This command authenticates first on the jump server, then on the Fabric device.
+5. Activate role
 
-   - **Indirect access using SSH-agent forwarding**:
+   - To activate the role, select **Role Based Access Control Administrator** from Eligible assignments tab.
 
-     First, connect to the jump server and then SSH into the Fabric device. SSH-agent forwarding relays authentication requests to your local machine, using the token to complete the process.
+>[!NOTE:] 
+>Ensure that **Role Based Access Control Administrator** is sucessfully activated.
 
-3. **Authenticate**: During authentication, you’ll be prompted to verify via fingerprint and PIN, ensuring robust security.
+## Next Steps
 
-> [!Fallback] 
-> Method D v1.5 remains available as a fallback for emergency access if Method D v2.0 is temporarily unavailable.
+[How to use break-glass access](howto-use-break-glass-access.md)
diff --git a/articles/operator-nexus/howto-use-break-glass-access.md b/articles/operator-nexus/howto-use-break-glass-access.md
@@ -0,0 +1,127 @@
+---
+title:  How to use Method D v2.0 secure break-glass access
+description: Process of using Method D v2.0 Breakglass access
+author: sushantjrao 
+ms.author: sushrao
+ms.service: azure-operator-nexus
+ms.topic: how-to
+ms.date: 11/04/2024
+ms.custom: template-how-to, devx-track-azurecli
+---
+
+# Method D v2.0 Breakglass Access
+Breakglass access using Method D v2.0 is a streamlined approach for administrators to grant secure, emergency access to critical network fabric devices. This guide will walk you through setting up and using Breakglass access, including generating SSH keys, granting permissions, and accessing network fabric devices.
+
+# How to Use Method D v2.0 Breakglass Access
+
+Breakglass access using Method D v2.0 is a streamlined approach for administrators to grant secure, emergency access to critical network fabric devices. This guide will walk you through setting up and using Breakglass access, including generating SSH keys, granting permissions, and accessing network fabric devices.
+
+---
+
+## 1. Generating SSH Keys Using the Nexusidentity az CLI
+
+To start with Breakglass IAM configuration, you’ll need to set up SSH keys using the Nexusidentity CLI. Make sure you have the following prerequisites installed and updated.
+
+### Prerequisites
+
+- **Windows Computer** with PowerShell
+- **OpenSSH**: Version 9.4 or higher
+- **Python**: Version 3.11 or higher (64-bit)
+- **AZ CLI**: Version 2.61 or higher (64-bit)
+- **Nexusidentity Extension**: This extension must be added to AZ CLI.
+
+### Steps to Install Nexusidentity Extension and Generate SSH Keys
+
+1. **Open PowerShell**:
+
+>[!Note:] 
+>Use non-admin mode for this process.
+
+2. **Update AZ CLI**:
+
+   - Run the following command to update Azure CLI to the latest version:
+
+     ```Azure CLI
+     az upgrade
+     ```
+
+3. **Install Nexusidentity extension**:
+
+   - To add the Nexusidentity extension
+
+     ```Azure CLI
+     az extension add --name nexusidentity
+     ```
+
+4. **Generate SSH Keys with Nexusidentity**:
+
+   a. Download the [Yubico Key Manager](https://www.yubico.com/support/download/yubikey-manager) to reset your YubiKey for initial setup.
+   
+   b. Attach your **YubiKey** to your computer.
+
+   c. Log in to Azure with:
+
+      ```Azure CLI
+      az login
+      ```
+
+   d. Run the following command to generate SSH keys:
+
+      ```Azure CLI
+      az nexusidentity gen-keys
+      ```
+
+   e. During this process:
+
+      - If prompted to overwrite keys, press **Enter**.
+
+      - Select the **Security Key** in the popup window and follow the prompts.
+
+      - Enter your **YubiKey PIN** and touch the device when prompted.
+
+      - If prompted to enter a passphrase, press **Enter**.
+   
+   f. After successful key generation, you should see:
+
+      ```
+      Successfully uploaded public key to Microsoft Entra Id account {user.mail}
+      ```
+
+## Granting break-glass permissions to an Entra user on a Network Fabric
+
+To enable Breakglass access for an Entra user on a network fabric, assign the appropriate roles to the user. Below are the role options and their permissions:
+
+- **Nexus Network Fabric Service Reader**:
+
+  - Allows the user to execute show commands on fabric devices.
+
+  - Does not permit access to configuration mode.
+
+- **Nexus Network Fabric Service Writer**:
+
+  - Allows show commands as well as commands to modify the running configuration.
+
+Once these roles are assigned, the corresponding username and public SSH key will be automatically provisioned across all devices within the designated fabric instance.
+
+> [Note:] Breakglass user accounts are reconciled every 4 hours. For immediate reconciliation, open a support ticket with the network fabric support team.
+
+## 3. Using break-glass access
+
+Once permissions are granted, users can access network fabric devices with their FIDO-2 hardware token (e.g., YubiKey). Follow the steps below to use Breakglass access.
+
+1. **Prepare for access**:
+
+   - Make sure your **FIDO-2 hardware token** is plugged into your computer.
+
+2. **Use SSH with the `-J` option**:
+
+   - The `-J` option enables you to log in through a jump server and access a fabric device directly. This involves authentication through both the jump server and the fabric device using SSH keys.
+
+   Use the following command format to access a fabric device:
+
+   ```bash
+   ssh -J JumpBoxUsername@JumpBoxIp EntraUsername@FabricDeviceIP
+   ```
+
+>[!Note:]
+>This command establishes a secure connection, using the jump server as an intermediary for authentication.
