Sample SecureStack Configuration for 802.1x, EAP, RFC3580, and MUA

FAQ_User — Thu, 05 Sep 2013 06:04:00 GMT

Article ID: 10283

Products
SecureStack C3, all firmware
SecureStack C2, firmware 4.00.24 and higher
SecureStack B3, all firmware
SecureStack B2, firmware 3.01.16 and higher
SecureStack A2, firmware 1.03.17 and higher

Goals
Sample configuration

Solution
Here is a sample SecureStack configuration which activates Radius Server access to use the dot1x/eapol protocols (basic 802.1x authentication), and then adds vlanauthorization (RFC3580 VLAN Assignment) and multiauth (Multi-User Authentication, MUA) on top of that.

#eapol
set dot1x enable [globally enable 802.1x for server support]
set dot1x auth-config authcontrolled-portcontrol forced-auth fe.1.48 [assumed authentication on the server and ISL ports]
set eapol enable [globally enable EAP for supplicant support]
set eapol auth-mode forced-auth fe.1.48 [assumed authentication on the server and ISL ports]
!
#ip
set ip address 10.20.1.2 mask 255.255.255.0 gateway 10.20.1.254 [assign a switch host IP address]
!
#multiauth [multi (vs strict) mode is enabled by default]
set multiauth port mode auth-reqd fe.1.1 [force the supplicant ports to authenticate]
set multiauth port mode force-auth fe.1.48 [assumed authentication on the server and ISL ports]
!
#radius
set radius enable [globally enable radius for server support]
set radius server 1 10.20.1.5 1812 :60d37a4d84c19a3c29672b16f71665479d0fd9b152c5f54c0227070b
!
#vlanauthorization
set vlanauthorization enable [globally enable RFC3580 VLAN assignment]
set vlanauthorization enable fe.1.1 [specifically enable RFC3580 for supplicant ports]
A common issue with use of multiauth is that users are by default not forced to authenticate (though they may optionally initiate authentication via an EAPOL Start frame). With this non-Strict multiauth configuration, users are required to 802.1x-authenticate for a possible Policy/VLAN reassignment, but will fall back to their default port Role/VLAN if authentication fails.

An exception to the use of the 'set multiauth port mode force-auth fe.1.48' command is if RADIUS Snooping is being used, in which case use "multiauth auth-opt" (e.g. 'set multiauth port mode auth-opt fe.1.48') for Snooping ports as advised in 11759.

See also: 5532, 7312, 11537, and 12499.

topic Sample SecureStack Configuration for 802.1x, EAP, RFC3580, and MUA in FAQs

Sample SecureStack Configuration for 802.1x, EAP, RFC3580, and MUA