diff --git a/configs/access1.cfg b/configs/access1.cfg index 2c5a20f..37593f5 100644 --- a/configs/access1.cfg +++ b/configs/access1.cfg @@ -14,6 +14,15 @@ management api gnmi ! admin/admin for ssh access username admin privilege 15 role network-admin secret sha512 $6$xQktFrbdeqEhVzLM$.1wOJB25nw2fqYaSXDu6y4mo6AP9hngMCFe2vGDl84hWoz00Q.4unoEBqspNI0HEoRz.OZhdBHqQv12KABf0B0 ! +! RADIUS server +radius-server host 172.16.0.200 key arista123 +! +! AAA for dot1x +aaa authentication dot1x default group radius +! +! Enable 802.1X globally +dot1x system-auth-control +! ! VLANs vlan 40 name test-l2-vxlan @@ -45,15 +54,21 @@ interface Port-Channel10 interface Ethernet3 description host1 channel-group 1 mode active + dot1x pae authenticator + dot1x port-control auto + dot1x host-mode single-host ! interface Ethernet4 description host1 channel-group 1 mode active + dot1x pae authenticator + dot1x port-control auto + dot1x host-mode single-host ! interface Port-Channel1 description host1 - switchport mode trunk - switchport trunk allowed vlan 40 + switchport mode access + switchport access vlan 40 port-channel lacp fallback timeout 5 port-channel lacp fallback individual spanning-tree portfast diff --git a/configs/access2.cfg b/configs/access2.cfg index 0437f31..af8425c 100644 --- a/configs/access2.cfg +++ b/configs/access2.cfg @@ -14,6 +14,15 @@ management api gnmi ! admin/admin for ssh access username admin privilege 15 role network-admin secret sha512 $6$xQktFrbdeqEhVzLM$.1wOJB25nw2fqYaSXDu6y4mo6AP9hngMCFe2vGDl84hWoz00Q.4unoEBqspNI0HEoRz.OZhdBHqQv12KABf0B0 ! +! RADIUS server +radius-server host 172.16.0.200 key arista123 +! +! AAA for dot1x +aaa authentication dot1x default group radius +! +! Enable 802.1X globally +dot1x system-auth-control +! ! VLANs vlan 34 name vrf-gold-subnet 
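Review bot: `radius-server host 172.16.0.200 key arista123` commits a short, guessable RADIUS shared secret in cleartext, and that secret is the only thing protecting the RADIUS exchange (the password hiding and any Message-Authenticator are derived from it), so anyone on the path to 172.16.0.200 who also has the repo can forge Access-Accept/Reject for every port this switch authenticates. Generate a long random secret per deployment and keep it out of version control (template it or inject it at deploy time), and put a comment above the line such as `! lab-only secret; replace the RADIUS secret before any non-lab use`. Also worth stating in that comment: `aaa authentication dot1x default group radius` names a single server with no other method, so if 172.16.0.200 is unreachable every 802.1X port presumably stays unauthorized (fail-closed) — acceptable for a lab, but it should be a documented choice rather than a surprise.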
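Review bot: `dot1x port-control auto` is added to Ethernet3/4 while Port-Channel1 keeps `port-channel lacp fallback individual` with `timeout 5` (context lines), and nothing in the hunk documents how the two interact: by the 802.1X model an unauthorized member passes only EAPOL, so whether the host's LACPDUs reach the switch before the supplicant finishes — and therefore whether the bundle forms or the 5-second fallback fires — depends on EOS behaviour this commit does not pin down. Verify it on the device and record the result above the member interfaces, e.g. `! 802.1X on LAG members: confirm LACP/fallback behaviour while a member is still unauthorized`. No `dot1x reauthentication` or timeout settings are configured either, so presumably a host that authenticates once stays authorized until link-down regardless of later RADIUS changes; if that is intended for the lab, say so in the same comment. The Port-Channel1 and Ethernet4 stanzas continue outside the hunk.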
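Review bot: the identical cleartext secret `arista123` is reused here for access2 (and, from the rest of the diff, for every switch), so one shared value covers all NAS devices and a leak of any single config exposes the RADIUS trust for the whole lab. Use a distinct, randomly generated secret per switch — FreeRADIUS can key them per client address in `clients.conf` — and leave a comment in place of the literal, e.g. `! per-device RADIUS secret, substituted at deploy time; never commit the real value`. The single-server, single-method `aaa authentication dot1x default group radius` line also deserves a one-line note that loss of the server leaves all authenticator ports closed.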
@@ -45,15 +54,21 @@ interface Port-Channel10 interface Ethernet3 description host2 channel-group 1 mode active + dot1x pae authenticator + dot1x port-control auto + dot1x host-mode single-host ! interface Ethernet4 description host2 channel-group 1 mode active + dot1x pae authenticator + dot1x port-control auto + dot1x host-mode single-host ! interface Port-Channel1 description host2 - switchport mode trunk - switchport trunk allowed vlan 34 + switchport mode access + switchport access vlan 34 port-channel lacp fallback timeout 5 port-channel lacp fallback individual spanning-tree portfast diff --git a/configs/access3.cfg b/configs/access3.cfg index a6c4d4f..64a793f 100644 --- a/configs/access3.cfg +++ b/configs/access3.cfg @@ -14,6 +14,15 @@ management api gnmi ! admin/admin for ssh access username admin privilege 15 role network-admin secret sha512 $6$xQktFrbdeqEhVzLM$.1wOJB25nw2fqYaSXDu6y4mo6AP9hngMCFe2vGDl84hWoz00Q.4unoEBqspNI0HEoRz.OZhdBHqQv12KABf0B0 ! +! RADIUS server +radius-server host 172.16.0.200 key arista123 +! +! AAA for dot1x +aaa authentication dot1x default group radius +! +! Enable 802.1X globally +dot1x system-auth-control +! ! VLANs vlan 40 name test-l2-vxlan @@ -45,15 +54,21 @@ interface Port-Channel10 interface Ethernet3 description host3 channel-group 1 mode active + dot1x pae authenticator + dot1x port-control auto + dot1x host-mode single-host ! interface Ethernet4 description host3 channel-group 1 mode active + dot1x pae authenticator + dot1x port-control auto + dot1x host-mode single-host ! interface Port-Channel1 description host3 - switchport mode trunk - switchport trunk allowed vlan 40 + switchport mode access + switchport access vlan 40 port-channel lacp fallback timeout 5 port-channel lacp fallback individual spanning-tree portfast diff --git a/configs/access4.cfg b/configs/access4.cfg index bde8efe..9743972 100644 --- a/configs/access4.cfg +++ b/configs/access4.cfg 
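Review bot: the new authenticator settings on Ethernet3/4 configure no re-authentication (`dot1x reauthentication` / reauth-period are absent), so presumably a session that passes once remains authorized until the link drops, even if the user is later removed on the RADIUS side. For a lab this may be fine, but it should be written down, and the same comment should cover the interaction with the unchanged `port-channel lacp fallback individual` on Port-Channel1: both members authenticate independently, and whether LACPDUs cross a not-yet-authorized member is EOS-specific and not established by this hunk. Suggested comment above the members: `! members authenticate independently; no reauth configured; verify LACP passes before authorization on this EOS release`. The Port-Channel1 stanza continues past the end of the hunk.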
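Review bot: `radius-server host 172.16.0.200 key arista123` on access3 is the third copy of the same weak cleartext secret; a shared secret this short offers little resistance to offline guessing if the RADIUS traffic is captured, and committing it means the repository history now holds it permanently. Replace it with a per-device random secret injected at deploy time and mark the line, e.g. `! RADIUS secret placeholder - lab only, rotate before reuse`. Consider also documenting that `aaa authentication dot1x default group radius` has no fallback method, so an unreachable server leaves every 802.1X port unauthorized.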
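Review bot: `dot1x host-mode single-host` on both LAG members of access3 is not explained anywhere in the hunk, and its implication matters here: each member is a separate authenticator port, so the host must authenticate twice and the bond's single MAC must be what is seen on both — a one-line comment such as `! single-host: exactly one authenticated MAC per member; bond0 presents the same MAC on both` would make the intent explicit. As with the other switches, the new `dot1x port-control auto` sits next to the unchanged `port-channel lacp fallback individual` on Port-Channel1, and the hunk does not establish whether LACPDUs are accepted on an unauthorized member; confirm on the device and note the result. The Port-Channel1 stanza continues outside the hunk.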
@@ -14,6 +14,15 @@ management api gnmi ! admin/admin for ssh access username admin privilege 15 role network-admin secret sha512 $6$xQktFrbdeqEhVzLM$.1wOJB25nw2fqYaSXDu6y4mo6AP9hngMCFe2vGDl84hWoz00Q.4unoEBqspNI0HEoRz.OZhdBHqQv12KABf0B0 ! +! RADIUS server +radius-server host 172.16.0.200 key arista123 +! +! AAA for dot1x +aaa authentication dot1x default group radius +! +! Enable 802.1X globally +dot1x system-auth-control +! ! VLANs vlan 78 name vrf-gold-subnet @@ -45,15 +54,21 @@ interface Port-Channel10 interface Ethernet3 description host4 channel-group 1 mode active + dot1x pae authenticator + dot1x port-control auto + dot1x host-mode single-host ! interface Ethernet4 description host4 channel-group 1 mode active + dot1x pae authenticator + dot1x port-control auto + dot1x host-mode single-host ! interface Port-Channel1 description host4 - switchport mode trunk - switchport trunk allowed vlan 78 + switchport mode access + switchport access vlan 78 port-channel lacp fallback timeout 5 port-channel lacp fallback individual spanning-tree portfast diff --git a/evpn-lab.clab.yml b/evpn-lab.clab.yml index add2749..540e1e2 100644 --- a/evpn-lab.clab.yml +++ b/evpn-lab.clab.yml @@ -94,6 +94,8 @@ topology: image: ghcr.io/hellt/network-multitool cap-add: - NET_ADMIN + binds: + - hosts/freeradius/wpa_supplicant_host1.conf:/etc/wpa_supplicant/wpa_supplicant.conf exec: - ip link add bond0 type bond mode 802.3ad - ip link set dev bond0 type bond xmit_hash_policy layer3+4 
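Review bot: `radius-server host 172.16.0.200 key arista123` on access4 repeats the same cleartext, dictionary-grade shared secret already used by the other three switches; because the RADIUS packet integrity and password hiding rest entirely on this value, a captured exchange is cheaply crackable and a forged Access-Accept is within reach of anyone who reads the repo. Generate a long random secret per switch at deploy time instead of committing one, and replace the literal with a clearly marked placeholder plus `! lab-only RADIUS secret; never reuse outside the lab`. A note that `aaa authentication dot1x default group radius` has no alternative method (server down means all ports closed) belongs in the same comment.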
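Review bot: the authenticator lines added to Ethernet3/4 on access4 carry no reauthentication or timeout settings, and no comment explains the interplay with the unchanged `port-channel lacp fallback individual` / `timeout 5` on Port-Channel1; since an unauthorized 802.1X port passes only EAPOL by design, whether the host's LACPDUs are seen before authentication — and thus whether fallback to individual can fire — is EOS-specific and not settled by this hunk. Verify on the device and document, e.g. `! 802.1X on LAG members: no reauth; confirm LACP/fallback behaviour while unauthorized`. The Port-Channel1 stanza continues beyond the end of the hunk.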
@@ -105,9 +107,10 @@ topology: - ip link set dev eth2 up - ip link set dev bond0 type bond lacp_rate fast - ip link set dev bond0 up - - ip link add link bond0 name bond0.40 type vlan id 40 - - ip link set bond0.40 up - - ip addr add 10.40.40.101/24 dev bond0.40 + - ip addr add 10.40.40.101/24 dev bond0 + - apk add --no-cache wpa_supplicant + - wpa_supplicant -i eth1 -c /etc/wpa_supplicant/wpa_supplicant.conf -D wired -B + - wpa_supplicant -i eth2 -c /etc/wpa_supplicant/wpa_supplicant.conf -D wired -B host2: kind: linux @@ -115,6 +118,8 @@ topology: image: ghcr.io/hellt/network-multitool cap-add: - NET_ADMIN + binds: + - hosts/freeradius/wpa_supplicant_host2.conf:/etc/wpa_supplicant/wpa_supplicant.conf exec: - ip link add bond0 type bond mode 802.3ad - ip link set dev bond0 type bond xmit_hash_policy layer3+4 @@ -126,10 +131,11 @@ topology: - ip link set dev eth2 up - ip link set dev bond0 type bond lacp_rate fast - ip link set dev bond0 up - - ip link add link bond0 name bond0.34 type vlan id 34 - - ip link set bond0.34 up - - ip addr add 10.34.34.102/24 dev bond0.34 + - ip addr add 10.34.34.102/24 dev bond0 - ip route add 10.78.78.0/24 via 10.34.34.1 + - apk add --no-cache wpa_supplicant + - wpa_supplicant -i eth1 -c /etc/wpa_supplicant/wpa_supplicant.conf -D wired -B + - wpa_supplicant -i eth2 -c /etc/wpa_supplicant/wpa_supplicant.conf -D wired -B host3: kind: linux @@ -137,6 +143,8 @@ topology: image: ghcr.io/hellt/network-multitool cap-add: - NET_ADMIN + binds: + - hosts/freeradius/wpa_supplicant_host3.conf:/etc/wpa_supplicant/wpa_supplicant.conf exec: - ip link add bond0 type bond mode 802.3ad - ip link set dev bond0 type bond xmit_hash_policy layer3+4 
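Review bot: `apk add --no-cache wpa_supplicant` runs at every lab deploy, fetching an unpinned package from the network into the host1 container, so the supplicant that then handles the EAP credentials is whatever the mirror serves that day. Bake it into the image or at least pin it (`apk add --no-cache wpa_supplicant=<version>`) so the lab is reproducible and nothing is downloaded at run time. Separately, `ip addr add 10.40.40.101/24 dev bond0` now precedes the two `wpa_supplicant ... -B` lines, so the address is configured on an interface that presumably cannot pass traffic until both members complete 802.1X; harmless, but a comment `# bond0 carries traffic only after both members authenticate` would save the next reader from chasing a phantom connectivity bug.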
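Review bot: host2's `apk add --no-cache wpa_supplicant` has the same run-time, unpinned package fetch as host1, and in addition the static route `ip route add 10.78.78.0/24 via 10.34.34.1` is installed before the supplicants are even started, so any connectivity test immediately after deploy will fail until 802.1X completes on both members. Pin or pre-install the package in the image, and add `# route is usable only once both members have authenticated` above the route line so the ordering is explicit. The two `wpa_supplicant -i eth1/eth2 ... -B` lines share one config file, which is fine since the control socket is per-interface under `/var/run/wpa_supplicant`.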
@@ -148,9 +156,10 @@ topology: - ip link set dev eth2 up - ip link set dev bond0 type bond lacp_rate fast - ip link set dev bond0 up - - ip link add link bond0 name bond0.40 type vlan id 40 - - ip link set bond0.40 up - - ip addr add 10.40.40.103/24 dev bond0.40 + - ip addr add 10.40.40.103/24 dev bond0 + - apk add --no-cache wpa_supplicant + - wpa_supplicant -i eth1 -c /etc/wpa_supplicant/wpa_supplicant.conf -D wired -B + - wpa_supplicant -i eth2 -c /etc/wpa_supplicant/wpa_supplicant.conf -D wired -B host4: kind: linux @@ -160,6 +169,7 @@ topology: - NET_ADMIN binds: - hosts/host4_interfaces:/etc/network/interfaces + - hosts/freeradius/wpa_supplicant_host4.conf:/etc/wpa_supplicant/wpa_supplicant.conf exec: - ip link add bond0 type bond mode 802.3ad - ip link set dev bond0 type bond xmit_hash_policy layer3+4 @@ -171,10 +181,11 @@ topology: - ip link set dev eth2 up - ip link set dev bond0 type bond lacp_rate fast - ip link set dev bond0 up - - ip link add link bond0 name bond0.78 type vlan id 78 - - ip link set bond0.78 up - - ip addr add 10.78.78.104/24 dev bond0.78 + - ip addr add 10.78.78.104/24 dev bond0 - ip route add 10.34.34.0/24 via 10.78.78.1 + - apk add --no-cache wpa_supplicant + - wpa_supplicant -i eth1 -c /etc/wpa_supplicant/wpa_supplicant.conf -D wired -B + - wpa_supplicant -i eth2 -c /etc/wpa_supplicant/wpa_supplicant.conf -D wired -B # FreeRADIUS server for dynamic VLAN assignment freeradius: diff --git a/hosts/freeradius/wpa_supplicant_host1.conf b/hosts/freeradius/wpa_supplicant_host1.conf new file mode 100644 index 0000000..5832aee --- /dev/null +++ b/hosts/freeradius/wpa_supplicant_host1.conf @@ -0,0 +1,10 @@ +ctrl_interface=/var/run/wpa_supplicant +eapol_version=2 +ap_scan=0 + +network={ + key_mgmt=IEEE8021X + eap=MD5 + identity="host1_user" + password="host1pass" +} diff --git a/hosts/freeradius/wpa_supplicant_host2.conf b/hosts/freeradius/wpa_supplicant_host2.conf new file mode 100644 index 0000000..6874e8d --- /dev/null 
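Review bot: host3 repeats the run-time `apk add --no-cache wpa_supplicant` with no version pin, so each deploy pulls an arbitrary supplicant build from the network before handing it the EAP credentials; pre-install it in the image or pin the version. The address `ip addr add 10.40.40.103/24 dev bond0` is assigned before either supplicant is launched, which works but deserves a comment such as `# start supplicants last; bond0 forwards only after 802.1X succeeds on eth1 and eth2`, since nothing here waits for authentication to finish.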
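Review bot: host4's exec list installs `wpa_supplicant` from the network at deploy time without a pinned version, the same reproducibility and supply-chain gap as the other hosts; fix it once by baking the package into the image used by all four nodes. The `ip route add 10.34.34.0/24 via 10.78.78.1` line runs before the supplicants start, so as with host2 the route is dead until 802.1X completes; a comment `# route becomes usable only after both members authenticate` would make that expected.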
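Review bot: `eap=MD5` gives the supplicant no way to authenticate the switch or the RADIUS server, so host1 will answer an MD5-Challenge from any authenticator that appears on eth1/eth2, and a captured response can be cracked offline against `password="host1pass"` — which is itself a cleartext credential now committed to the repo (EAP-MD5 also requires the server side to hold the cleartext password and derives no keying material). For anything beyond a throwaway lab, move to PEAP or EAP-TTLS with `ca_cert=` set, or to EAP-TLS; at minimum add a header comment `# lab-only: EAP-MD5 has no server authentication and the password is cleartext; do not reuse this credential`. Note too that the file lives under `hosts/freeradius/` although it is the supplicant (client) side — a `hosts/supplicant/` path would keep client secrets separate from server configuration.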
+++ b/hosts/freeradius/wpa_supplicant_host2.conf @@ -0,0 +1,10 @@ +ctrl_interface=/var/run/wpa_supplicant +eapol_version=2 +ap_scan=0 + +network={ + key_mgmt=IEEE8021X + eap=MD5 + identity="host2_user" + password="host2pass" +} diff --git a/hosts/freeradius/wpa_supplicant_host3.conf b/hosts/freeradius/wpa_supplicant_host3.conf new file mode 100644 index 0000000..eba082d --- /dev/null +++ b/hosts/freeradius/wpa_supplicant_host3.conf @@ -0,0 +1,10 @@ +ctrl_interface=/var/run/wpa_supplicant +eapol_version=2 +ap_scan=0 + +network={ + key_mgmt=IEEE8021X + eap=MD5 + identity="host3_user" + password="host3pass" +} diff --git a/hosts/freeradius/wpa_supplicant_host4.conf b/hosts/freeradius/wpa_supplicant_host4.conf new file mode 100644 index 0000000..0ad51f5 --- /dev/null +++ b/hosts/freeradius/wpa_supplicant_host4.conf @@ -0,0 +1,10 @@ +ctrl_interface=/var/run/wpa_supplicant +eapol_version=2 +ap_scan=0 + +network={ + key_mgmt=IEEE8021X + eap=MD5 + identity="host4_user" + password="host4pass" +}
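Review bot: with `eap=MD5` host2's supplicant never verifies who it is talking to, so `password="host2pass"` can be harvested by any device that sends an EAP MD5-Challenge on eth1/eth2 and then brute-forced offline; the password is also a weak, predictable cleartext value committed to version control. Prefer a TLS-tunnelled method (PEAP/EAP-TTLS with `ca_cert=`) or EAP-TLS, and until then prefix the file with `# lab-only credentials; EAP-MD5 provides no server authentication and no key derivation`.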
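Review bot: host3's config has the same exposure as the others — `eap=MD5` with `password="host3pass"` means a rogue authenticator on either member can collect a crackable challenge/response, and the cleartext password sits in the repo for anyone to read. If EAP-MD5 is kept for lab simplicity, say so explicitly at the top of the file, e.g. `# lab-only: EAP-MD5, cleartext password, no server authentication`, and plan the move to PEAP/EAP-TTLS/EAP-TLS with a CA certificate so the supplicant validates the server.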
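Review bot: host4's `eap=MD5` / `password="host4pass"` combination completes a set of four trivially guessable cleartext credentials in the repository, each usable from either LAG member and each recoverable offline from a single observed MD5-Challenge exchange because the supplicant does not authenticate the server. Add a header comment `# lab-only credential; EAP-MD5 offers no server authentication - replace with PEAP/EAP-TLS before reuse` and treat these files as secrets to be generated at deploy time rather than committed.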