Sample SecureStack Configuration for 802.1x, EAP, RFC3580, and MUA

Updated 5 years ago
Article ID: 10283 

Products
SecureStack C3, all firmware
SecureStack C2, firmware 4.00.24 and higher
SecureStack B3, all firmware
SecureStack B2, firmware 3.01.16 and higher
SecureStack A2, firmware 1.03.17 and higher 

Goals
Sample configuration 

Solution
Here is a sample SecureStack configuration which enables RADIUS server access for the dot1x/eapol protocols (basic 802.1x authentication), and then adds vlanauthorization (RFC3580 VLAN Assignment) and multiauth (Multi-User Authentication, MUA) on top of that.

#eapol
set dot1x enable [globally enable 802.1x for server support]
set dot1x auth-config authcontrolled-portcontrol forced-auth fe.1.48 [assumed authentication on the server and ISL ports]
set eapol enable [globally enable EAP for supplicant support]
set eapol auth-mode forced-auth fe.1.48 [assumed authentication on the server and ISL ports]
!
#ip
set ip address 10.20.1.2 mask 255.255.255.0 gateway 10.20.1.254 [assign a switch host IP address]
!
#multiauth [multi (vs strict) mode is enabled by default]
set multiauth port mode auth-reqd fe.1.1 [force the supplicant ports to authenticate]
set multiauth port mode force-auth fe.1.48 [assumed authentication on the server and ISL ports]
!
#radius
set radius enable [globally enable radius for server support]
set radius server 1 10.20.1.5 1812 :60d37a4d84c19a3c29672b16f71665479d0fd9b152c5f54c0227070b
!
#vlanauthorization
set vlanauthorization enable [globally enable RFC3580 VLAN assignment]
set vlanauthorization enable fe.1.1 [specifically enable RFC3580 for supplicant ports]

A common issue with the use of multiauth is that users are by default not forced to authenticate (though they may optionally initiate authentication themselves via an EAPOL Start frame). With this non-Strict multiauth configuration, users must 802.1x-authenticate to receive a possible Policy/VLAN reassignment, but will fall back to their default port Role/VLAN if authentication fails.
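The following Python script is an added example, not part of the article or of the SecureStack firmware. It parses a saved 'set ...' configuration (inline bracketed comments stripped, as in the sample above) and flags the gap the paragraph describes: a port with RFC3580 VLAN assignment enabled whose multiauth port mode is not auth-reqd, so users there are not forced to authenticate. The sample configuration is constructed from the article, with a port fe.1.2 added deliberately to show the finding; only the multiauth modes named on this page (auth-reqd, auth-opt, force-auth) are recognized.

```python
import re

# Constructed sample based on the article's configuration; fe.1.2 is
# deliberately given vlanauthorization without a multiauth auth-reqd mode.
SAMPLE_CONFIG = """\
set dot1x enable [globally enable 802.1x for server support]
set dot1x auth-config authcontrolled-portcontrol forced-auth fe.1.48
set eapol enable
set eapol auth-mode forced-auth fe.1.48
set multiauth port mode auth-reqd fe.1.1 [force the supplicant ports]
set multiauth port mode force-auth fe.1.48
set radius enable
set vlanauthorization enable
set vlanauthorization enable fe.1.1
set vlanauthorization enable fe.1.2
"""

PORT = r"([a-z]+\.\d+\.\d+)"  # SecureStack port names such as fe.1.48
MODES = r"(auth-reqd|auth-opt|force-auth)"  # modes mentioned in the article


def parse_config(text):
    """Return (globally enabled features, multiauth mode per port, RFC3580 ports)."""
    globals_on, modes, vlanauth_ports = set(), {}, set()
    for raw in text.splitlines():
        line = raw.split("[")[0].strip()  # drop the article-style [comments]
        m = re.fullmatch(r"set (dot1x|eapol|radius|vlanauthorization) enable", line)
        if m:
            globals_on.add(m.group(1))
            continue
        m = re.fullmatch(r"set multiauth port mode " + MODES + " " + PORT, line)
        if m:
            modes[m.group(2)] = m.group(1)
            continue
        m = re.fullmatch(r"set vlanauthorization enable " + PORT, line)
        if m:
            vlanauth_ports.add(m.group(1))
    return globals_on, modes, vlanauth_ports


def audit(text):
    """List configuration gaps relative to the article's sample."""
    globals_on, modes, vlanauth_ports = parse_config(text)
    findings = []
    for feat in ("dot1x", "eapol", "radius", "vlanauthorization"):
        if feat not in globals_on:
            findings.append(f"global {feat} not enabled")
    for port in sorted(vlanauth_ports):
        mode = modes.get(port)
        if mode != "auth-reqd":  # default multi mode does not force users
            findings.append(f"{port}: RFC3580 enabled but multiauth mode is "
                            f"{mode or 'default (not forced)'}")
    return findings
```

Running audit(SAMPLE_CONFIG) reports only fe.1.2, since fe.1.1 is auth-reqd and fe.1.48 has no vlanauthorization line.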

An exception to the use of the 'set multiauth port mode force-auth fe.1.48' command is when RADIUS Snooping is being used, in which case use multiauth auth-opt (e.g. 'set multiauth port mode auth-opt fe.1.48') for the Snooping ports, as advised in 11759.

See also: 5532, 7312, 11537, and 12499.
FAQ User, Official Rep
Posted 5 years ago