Add dot1x and wpa_supplicant for 802.1X authentication

- Configure dot1x on access switch host-facing ports (Et3/Et4) with
  RADIUS dynamic VLAN assignment
- Switch host-facing port-channels to access mode (from trunk) to
  align with dot1x dynamic VLAN behavior
- Add wpa_supplicant configs and binds for all hosts
- Remove VLAN subinterfaces from hosts, assign IPs directly to bond0
  (untagged traffic for dot1x access ports)

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-04-01 08:58:07 +00:00
parent 0f97e3add8
commit 35fdaba993
9 changed files with 131 additions and 20 deletions


@@ -14,6 +14,15 @@ management api gnmi
! admin/admin for ssh access
username admin privilege 15 role network-admin secret sha512 $6$xQktFrbdeqEhVzLM$.1wOJB25nw2fqYaSXDu6y4mo6AP9hngMCFe2vGDl84hWoz00Q.4unoEBqspNI0HEoRz.OZhdBHqQv12KABf0B0
!
! RADIUS server
radius-server host 172.16.0.200 key arista123
!
! AAA for dot1x
aaa authentication dot1x default group radius
!
! Enable 802.1X globally
dot1x system-auth-control
!
! VLANs
vlan 40
name test-l2-vxlan
@@ -45,15 +54,21 @@ interface Port-Channel10
interface Ethernet3
description host1
channel-group 1 mode active
dot1x pae authenticator
dot1x port-control auto
dot1x host-mode single-host
!
interface Ethernet4
description host1
channel-group 1 mode active
dot1x pae authenticator
dot1x port-control auto
dot1x host-mode single-host
!
interface Port-Channel1
description host1
switchport mode trunk
switchport trunk allowed vlan 40
switchport mode access
switchport access vlan 40
port-channel lacp fallback timeout 5
port-channel lacp fallback individual
spanning-tree portfast
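Review bot: The RADIUS shared secret on the `radius-server host 172.16.0.200 key arista123` line is a short dictionary word stored in cleartext, and the identical value is repeated in the other three switch configs at L68, L111 and L154, so the one secret that authenticates every RADIUS reply (including the dynamic VLAN attribute) now lives in version control next to the admin password hash. Use a long random per-switch value and keep it out of the repo (template it in at deploy time, or at least store it as an encrypted `key 7` value rather than plaintext). The hunk enables authentication but no accounting; adding `aaa accounting dot1x default start-stop group radius` next to the existing `aaa authentication dot1x` line gives the RADIUS server start/stop records, which is the simplest way to see which host was authorized into which VLAN. I can't confirm from this hunk that EOS honours `dot1x pae authenticator` on LACP member interfaces (Ethernet3/4 sit in channel-group 1 with `lacp fallback individual`), so verify with `show dot1x interface Ethernet3` on the target release rather than relying on the config being accepted.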


@@ -14,6 +14,15 @@ management api gnmi
! admin/admin for ssh access
username admin privilege 15 role network-admin secret sha512 $6$xQktFrbdeqEhVzLM$.1wOJB25nw2fqYaSXDu6y4mo6AP9hngMCFe2vGDl84hWoz00Q.4unoEBqspNI0HEoRz.OZhdBHqQv12KABf0B0
!
! RADIUS server
radius-server host 172.16.0.200 key arista123
!
! AAA for dot1x
aaa authentication dot1x default group radius
!
! Enable 802.1X globally
dot1x system-auth-control
!
! VLANs
vlan 34
name vrf-gold-subnet
@@ -45,15 +54,21 @@ interface Port-Channel10
interface Ethernet3
description host2
channel-group 1 mode active
dot1x pae authenticator
dot1x port-control auto
dot1x host-mode single-host
!
interface Ethernet4
description host2
channel-group 1 mode active
dot1x pae authenticator
dot1x port-control auto
dot1x host-mode single-host
!
interface Port-Channel1
description host2
switchport mode trunk
switchport trunk allowed vlan 34
switchport mode access
switchport access vlan 34
port-channel lacp fallback timeout 5
port-channel lacp fallback individual
spanning-tree portfast


@@ -14,6 +14,15 @@ management api gnmi
! admin/admin for ssh access
username admin privilege 15 role network-admin secret sha512 $6$xQktFrbdeqEhVzLM$.1wOJB25nw2fqYaSXDu6y4mo6AP9hngMCFe2vGDl84hWoz00Q.4unoEBqspNI0HEoRz.OZhdBHqQv12KABf0B0
!
! RADIUS server
radius-server host 172.16.0.200 key arista123
!
! AAA for dot1x
aaa authentication dot1x default group radius
!
! Enable 802.1X globally
dot1x system-auth-control
!
! VLANs
vlan 40
name test-l2-vxlan
@@ -45,15 +54,21 @@ interface Port-Channel10
interface Ethernet3
description host3
channel-group 1 mode active
dot1x pae authenticator
dot1x port-control auto
dot1x host-mode single-host
!
interface Ethernet4
description host3
channel-group 1 mode active
dot1x pae authenticator
dot1x port-control auto
dot1x host-mode single-host
!
interface Port-Channel1
description host3
switchport mode trunk
switchport trunk allowed vlan 40
switchport mode access
switchport access vlan 40
port-channel lacp fallback timeout 5
port-channel lacp fallback individual
spanning-tree portfast


@@ -14,6 +14,15 @@ management api gnmi
! admin/admin for ssh access
username admin privilege 15 role network-admin secret sha512 $6$xQktFrbdeqEhVzLM$.1wOJB25nw2fqYaSXDu6y4mo6AP9hngMCFe2vGDl84hWoz00Q.4unoEBqspNI0HEoRz.OZhdBHqQv12KABf0B0
!
! RADIUS server
radius-server host 172.16.0.200 key arista123
!
! AAA for dot1x
aaa authentication dot1x default group radius
!
! Enable 802.1X globally
dot1x system-auth-control
!
! VLANs
vlan 78
name vrf-gold-subnet
@@ -45,15 +54,21 @@ interface Port-Channel10
interface Ethernet3
description host4
channel-group 1 mode active
dot1x pae authenticator
dot1x port-control auto
dot1x host-mode single-host
!
interface Ethernet4
description host4
channel-group 1 mode active
dot1x pae authenticator
dot1x port-control auto
dot1x host-mode single-host
!
interface Port-Channel1
description host4
switchport mode trunk
switchport trunk allowed vlan 78
switchport mode access
switchport access vlan 78
port-channel lacp fallback timeout 5
port-channel lacp fallback individual
spanning-tree portfast


@@ -94,6 +94,8 @@ topology:
image: ghcr.io/hellt/network-multitool
cap-add:
- NET_ADMIN
binds:
- hosts/freeradius/wpa_supplicant_host1.conf:/etc/wpa_supplicant/wpa_supplicant.conf
exec:
- ip link add bond0 type bond mode 802.3ad
- ip link set dev bond0 type bond xmit_hash_policy layer3+4
@@ -105,9 +107,10 @@ topology:
- ip link set dev eth2 up
- ip link set dev bond0 type bond lacp_rate fast
- ip link set dev bond0 up
- ip link add link bond0 name bond0.40 type vlan id 40
- ip link set bond0.40 up
- ip addr add 10.40.40.101/24 dev bond0.40
- ip addr add 10.40.40.101/24 dev bond0
- apk add --no-cache wpa_supplicant
- wpa_supplicant -i eth1 -c /etc/wpa_supplicant/wpa_supplicant.conf -D wired -B
- wpa_supplicant -i eth2 -c /etc/wpa_supplicant/wpa_supplicant.conf -D wired -B
host2:
kind: linux
@@ -115,6 +118,8 @@ topology:
image: ghcr.io/hellt/network-multitool
cap-add:
- NET_ADMIN
binds:
- hosts/freeradius/wpa_supplicant_host2.conf:/etc/wpa_supplicant/wpa_supplicant.conf
exec:
- ip link add bond0 type bond mode 802.3ad
- ip link set dev bond0 type bond xmit_hash_policy layer3+4
@@ -126,10 +131,11 @@ topology:
- ip link set dev eth2 up
- ip link set dev bond0 type bond lacp_rate fast
- ip link set dev bond0 up
- ip link add link bond0 name bond0.34 type vlan id 34
- ip link set bond0.34 up
- ip addr add 10.34.34.102/24 dev bond0.34
- ip addr add 10.34.34.102/24 dev bond0
- ip route add 10.78.78.0/24 via 10.34.34.1
- apk add --no-cache wpa_supplicant
- wpa_supplicant -i eth1 -c /etc/wpa_supplicant/wpa_supplicant.conf -D wired -B
- wpa_supplicant -i eth2 -c /etc/wpa_supplicant/wpa_supplicant.conf -D wired -B
host3:
kind: linux
@@ -137,6 +143,8 @@ topology:
image: ghcr.io/hellt/network-multitool
cap-add:
- NET_ADMIN
binds:
- hosts/freeradius/wpa_supplicant_host3.conf:/etc/wpa_supplicant/wpa_supplicant.conf
exec:
- ip link add bond0 type bond mode 802.3ad
- ip link set dev bond0 type bond xmit_hash_policy layer3+4
@@ -148,9 +156,10 @@ topology:
- ip link set dev eth2 up
- ip link set dev bond0 type bond lacp_rate fast
- ip link set dev bond0 up
- ip link add link bond0 name bond0.40 type vlan id 40
- ip link set bond0.40 up
- ip addr add 10.40.40.103/24 dev bond0.40
- ip addr add 10.40.40.103/24 dev bond0
- apk add --no-cache wpa_supplicant
- wpa_supplicant -i eth1 -c /etc/wpa_supplicant/wpa_supplicant.conf -D wired -B
- wpa_supplicant -i eth2 -c /etc/wpa_supplicant/wpa_supplicant.conf -D wired -B
host4:
kind: linux
@@ -160,6 +169,7 @@ topology:
- NET_ADMIN
binds:
- hosts/host4_interfaces:/etc/network/interfaces
- hosts/freeradius/wpa_supplicant_host4.conf:/etc/wpa_supplicant/wpa_supplicant.conf
exec:
- ip link add bond0 type bond mode 802.3ad
- ip link set dev bond0 type bond xmit_hash_policy layer3+4
@@ -171,10 +181,11 @@ topology:
- ip link set dev eth2 up
- ip link set dev bond0 type bond lacp_rate fast
- ip link set dev bond0 up
- ip link add link bond0 name bond0.78 type vlan id 78
- ip link set bond0.78 up
- ip addr add 10.78.78.104/24 dev bond0.78
- ip addr add 10.78.78.104/24 dev bond0
- ip route add 10.34.34.0/24 via 10.78.78.1
- apk add --no-cache wpa_supplicant
- wpa_supplicant -i eth1 -c /etc/wpa_supplicant/wpa_supplicant.conf -D wired -B
- wpa_supplicant -i eth2 -c /etc/wpa_supplicant/wpa_supplicant.conf -D wired -B
# FreeRADIUS server for dynamic VLAN assignment
freeradius:
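Review bot: Both `wpa_supplicant -i eth1 ... -D wired -B` and the eth2 line daemonize with no log destination, so a failed EAP exchange (bad password, RADIUS unreachable, method rejected) leaves the host silently off the network with nothing to inspect; adding `-s` (syslog) or `-f /var/log/wpa_supplicant.log` to each invocation, or `-d` during bring-up, makes the authentication outcome visible. The same applies to the host2, host3 and host4 exec lists at L233-L234, L255-L256 and L277-L278. The `apk add --no-cache wpa_supplicant` step makes every deploy depend on package-repository reachability from inside the lab container, and the two supplicant commands after it are meaningless if it fails; I can't tell from this file whether containerlab aborts on a failing exec, so baking the package into the image (or checking for the binary first) would be more robust. Note also that the bind-mounted `wpa_supplicant_hostN.conf` files carry cleartext credentials and the container sees whatever mode the file has on the host.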


@@ -0,0 +1,10 @@
ctrl_interface=/var/run/wpa_supplicant
eapol_version=2
ap_scan=0
network={
key_mgmt=IEEE8021X
eap=MD5
identity="host1_user"
password="host1pass"
}
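Review bot: `eap=MD5` performs no server authentication and the EAP-MD5 exchange is a single challenge/response derived from the password, so the supplicant will complete authentication against any authenticator that answers and the credential is only as strong as `host1pass`; this is fine for a throwaway lab but should be stated in the file, e.g. `# EAP-MD5: no server authentication, lab use only; use EAP-TLS or PEAP/MSCHAPv2 for anything beyond this lab`. The same applies to the host2, host3 and host4 files at L306, L319 and L332. The `password="host1pass"` line is a cleartext credential committed to VCS and bind-mounted as-is; keep the file at mode 0600 on the host or inject the value at deploy time rather than storing it in the repository.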


@@ -0,0 +1,10 @@
ctrl_interface=/var/run/wpa_supplicant
eapol_version=2
ap_scan=0
network={
key_mgmt=IEEE8021X
eap=MD5
identity="host2_user"
password="host2pass"
}


@@ -0,0 +1,10 @@
ctrl_interface=/var/run/wpa_supplicant
eapol_version=2
ap_scan=0
network={
key_mgmt=IEEE8021X
eap=MD5
identity="host3_user"
password="host3pass"
}


@@ -0,0 +1,10 @@
ctrl_interface=/var/run/wpa_supplicant
eapol_version=2
ap_scan=0
network={
key_mgmt=IEEE8021X
eap=MD5
identity="host4_user"
password="host4pass"
}