Sample SecureStack Configuration for 802.1x, EAP, RFC3580, and MUA

Updated 5 years ago
Article ID: 10283 

SecureStack C3, all firmware
SecureStack C2, firmware 4.00.24 and higher
SecureStack B3, all firmware
SecureStack B2, firmware 3.01.16 and higher
SecureStack A2, firmware 1.03.17 and higher 

Sample configuration 

Here is a sample SecureStack configuration which activates RADIUS server access for the dot1x/eapol protocols (basic 802.1x authentication), and then layers vlanauthorization (RFC3580 VLAN Assignment) and multiauth (Multi-User Authentication, MUA) on top of that.

set dot1x enable [globally enable 802.1x for server support]
set dot1x auth-config authcontrolled-portcontrol forced-auth fe.1.48 [assumed authentication on the server and ISL ports]
set eapol enable [globally enable EAP for supplicant support]
set eapol auth-mode forced-auth fe.1.48 [assumed authentication on the server and ISL ports]
set ip address mask gateway [assign a switch host IP address]
#multiauth [multi (vs strict) mode is enabled by default]
set multiauth port mode auth-reqd fe.1.1 [force the supplicant ports to authenticate]
set multiauth port mode force-auth fe.1.48 [assumed authentication on the server and ISL ports]
set radius enable [globally enable radius for server support]
set radius server 1 1812 :60d37a4d84c19a3c29672b16f71665479d0fd9b152c5f54c0227070b
set vlanauthorization enable [globally enable RFC3580 VLAN assignment]
set vlanauthorization enable fe.1.1 [specifically enable RFC3580 for supplicant ports]

A common point of confusion with multiauth is that users are not forced to authenticate by default (though they may initiate authentication themselves by sending an EAPOL Start frame). With this non-Strict multiauth configuration, users are required to 802.1x-authenticate to obtain a possible Policy/VLAN reassignment, but fall back to their default port Role/VLAN if authentication fails.

An exception to the 'set multiauth port mode force-auth fe.1.48' command is when RADIUS Snooping is in use; in that case use multiauth auth-opt (e.g. 'set multiauth port mode auth-opt fe.1.48') on the Snooping ports, as advised in 11759.
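As an added example (not from the article or from the switch vendor), the following Python check parses a SecureStack-style command list like the one above and flags the two mistakes the article's notes point at: server/ISL ports whose forced-auth setting is not applied consistently in dot1x, eapol and multiauth, and supplicant ports set to auth-reqd without per-port vlanauthorization, so the RFC3580 VLAN reassignment would never take effect. The sample configuration, the RADIUS server address and the shared secret are constructed placeholders; auth-opt (RADIUS Snooping) ports are not examined.

```python
import re

# Constructed sample modelled on the article; RADIUS address/secret are placeholders.
SAMPLE_CONFIG = """\
set dot1x enable
set dot1x auth-config authcontrolled-portcontrol forced-auth fe.1.48
set eapol enable
set eapol auth-mode forced-auth fe.1.48
set multiauth port mode auth-reqd fe.1.1
set multiauth port mode force-auth fe.1.48
set radius enable
set radius server 1 192.0.2.10 1812 EXAMPLE-SHARED-SECRET
set vlanauthorization enable
set vlanauthorization enable fe.1.1
"""

# (regex, fact): group 1 of a matching line is recorded under that fact.
PATTERNS = [
    (r"set (dot1x|eapol|radius|vlanauthorization) enable", "global"),
    (r"set dot1x auth-config authcontrolled-portcontrol forced-auth (\S+)", "dot1x_forced"),
    (r"set eapol auth-mode forced-auth (\S+)", "eapol_forced"),
    (r"set multiauth port mode force-auth (\S+)", "ma_force"),
    (r"set multiauth port mode auth-reqd (\S+)", "ma_reqd"),
    (r"set vlanauthorization enable (\S+)", "vlanauth_port"),
]
FORCED = ("ma_force", "dot1x_forced", "eapol_forced")

def parse(config):
    facts = {name: set() for _, name in PATTERNS}
    for line in config.splitlines():
        for pattern, name in PATTERNS:
            m = re.fullmatch(pattern, line.strip())
            if m:
                facts[name].add(m.group(1))
                break
    return facts

def check(config):
    f, findings = parse(config), []
    for feature in ("dot1x", "eapol", "radius", "vlanauthorization"):
        if feature not in f["global"]:
            findings.append(f"{feature} is not globally enabled")
    # Server/ISL ports: the article sets forced-auth in dot1x, eapol and multiauth alike.
    for port in sorted(set().union(*(f[k] for k in FORCED))):
        if missing := [k for k in FORCED if port not in f[k]]:
            findings.append(f"{port}: forced-auth missing in {', '.join(missing)}")
    # Supplicant ports need per-port vlanauthorization for the RFC3580 VLAN reassignment.
    for port in sorted(f["ma_reqd"] - f["vlanauth_port"]):
        findings.append(f"{port}: auth-reqd but vlanauthorization not enabled on the port")
    return findings
```

Running `check(SAMPLE_CONFIG)` returns an empty list; dropping the eapol forced-auth line or the per-port vlanauthorization line produces a finding naming the affected port.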

See also: 5532, 7312, 11537, and 12499.

FAQ User, Official Rep

Posted 5 years ago
