Add dot1x and wpa_supplicant for 802.1X authentication
- Configure dot1x on access switch host-facing ports (Et3/Et4) with RADIUS dynamic VLAN assignment - Switch host-facing port-channels to access mode (from trunk) to align with dot1x dynamic VLAN behavior - Add wpa_supplicant configs and binds for all hosts - Remove VLAN subinterfaces from hosts, assign IPs directly to bond0 (untagged traffic for dot1x access ports) Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
@@ -14,6 +14,15 @@ management api gnmi
|
||||
! admin/admin for ssh access
|
||||
username admin privilege 15 role network-admin secret sha512 $6$xQktFrbdeqEhVzLM$.1wOJB25nw2fqYaSXDu6y4mo6AP9hngMCFe2vGDl84hWoz00Q.4unoEBqspNI0HEoRz.OZhdBHqQv12KABf0B0
|
||||
!
|
||||
! RADIUS server
|
||||
radius-server host 172.16.0.200 key arista123
|
||||
!
|
||||
! AAA for dot1x
|
||||
aaa authentication dot1x default group radius
|
||||
!
|
||||
! Enable 802.1X globally
|
||||
dot1x system-auth-control
|
||||
!
|
||||
! VLANs
|
||||
vlan 40
|
||||
name test-l2-vxlan
|
||||
@@ -45,15 +54,21 @@ interface Port-Channel10
|
||||
interface Ethernet3
|
||||
description host1
|
||||
channel-group 1 mode active
|
||||
dot1x pae authenticator
|
||||
dot1x port-control auto
|
||||
dot1x host-mode single-host
|
||||
!
|
||||
interface Ethernet4
|
||||
description host1
|
||||
channel-group 1 mode active
|
||||
dot1x pae authenticator
|
||||
dot1x port-control auto
|
||||
dot1x host-mode single-host
|
||||
!
|
||||
interface Port-Channel1
|
||||
description host1
|
||||
switchport mode trunk
|
||||
switchport trunk allowed vlan 40
|
||||
switchport mode access
|
||||
switchport access vlan 40
|
||||
port-channel lacp fallback timeout 5
|
||||
port-channel lacp fallback individual
|
||||
spanning-tree portfast
|
||||
|
||||
@@ -14,6 +14,15 @@ management api gnmi
|
||||
! admin/admin for ssh access
|
||||
username admin privilege 15 role network-admin secret sha512 $6$xQktFrbdeqEhVzLM$.1wOJB25nw2fqYaSXDu6y4mo6AP9hngMCFe2vGDl84hWoz00Q.4unoEBqspNI0HEoRz.OZhdBHqQv12KABf0B0
|
||||
!
|
||||
! RADIUS server
|
||||
radius-server host 172.16.0.200 key arista123
|
||||
!
|
||||
! AAA for dot1x
|
||||
aaa authentication dot1x default group radius
|
||||
!
|
||||
! Enable 802.1X globally
|
||||
dot1x system-auth-control
|
||||
!
|
||||
! VLANs
|
||||
vlan 34
|
||||
name vrf-gold-subnet
|
||||
@@ -45,15 +54,21 @@ interface Port-Channel10
|
||||
interface Ethernet3
|
||||
description host2
|
||||
channel-group 1 mode active
|
||||
dot1x pae authenticator
|
||||
dot1x port-control auto
|
||||
dot1x host-mode single-host
|
||||
!
|
||||
interface Ethernet4
|
||||
description host2
|
||||
channel-group 1 mode active
|
||||
dot1x pae authenticator
|
||||
dot1x port-control auto
|
||||
dot1x host-mode single-host
|
||||
!
|
||||
interface Port-Channel1
|
||||
description host2
|
||||
switchport mode trunk
|
||||
switchport trunk allowed vlan 34
|
||||
switchport mode access
|
||||
switchport access vlan 34
|
||||
port-channel lacp fallback timeout 5
|
||||
port-channel lacp fallback individual
|
||||
spanning-tree portfast
|
||||
|
||||
@@ -14,6 +14,15 @@ management api gnmi
|
||||
! admin/admin for ssh access
|
||||
username admin privilege 15 role network-admin secret sha512 $6$xQktFrbdeqEhVzLM$.1wOJB25nw2fqYaSXDu6y4mo6AP9hngMCFe2vGDl84hWoz00Q.4unoEBqspNI0HEoRz.OZhdBHqQv12KABf0B0
|
||||
!
|
||||
! RADIUS server
|
||||
radius-server host 172.16.0.200 key arista123
|
||||
!
|
||||
! AAA for dot1x
|
||||
aaa authentication dot1x default group radius
|
||||
!
|
||||
! Enable 802.1X globally
|
||||
dot1x system-auth-control
|
||||
!
|
||||
! VLANs
|
||||
vlan 40
|
||||
name test-l2-vxlan
|
||||
@@ -45,15 +54,21 @@ interface Port-Channel10
|
||||
interface Ethernet3
|
||||
description host3
|
||||
channel-group 1 mode active
|
||||
dot1x pae authenticator
|
||||
dot1x port-control auto
|
||||
dot1x host-mode single-host
|
||||
!
|
||||
interface Ethernet4
|
||||
description host3
|
||||
channel-group 1 mode active
|
||||
dot1x pae authenticator
|
||||
dot1x port-control auto
|
||||
dot1x host-mode single-host
|
||||
!
|
||||
interface Port-Channel1
|
||||
description host3
|
||||
switchport mode trunk
|
||||
switchport trunk allowed vlan 40
|
||||
switchport mode access
|
||||
switchport access vlan 40
|
||||
port-channel lacp fallback timeout 5
|
||||
port-channel lacp fallback individual
|
||||
spanning-tree portfast
|
||||
|
||||
@@ -14,6 +14,15 @@ management api gnmi
|
||||
! admin/admin for ssh access
|
||||
username admin privilege 15 role network-admin secret sha512 $6$xQktFrbdeqEhVzLM$.1wOJB25nw2fqYaSXDu6y4mo6AP9hngMCFe2vGDl84hWoz00Q.4unoEBqspNI0HEoRz.OZhdBHqQv12KABf0B0
|
||||
!
|
||||
! RADIUS server
|
||||
radius-server host 172.16.0.200 key arista123
|
||||
!
|
||||
! AAA for dot1x
|
||||
aaa authentication dot1x default group radius
|
||||
!
|
||||
! Enable 802.1X globally
|
||||
dot1x system-auth-control
|
||||
!
|
||||
! VLANs
|
||||
vlan 78
|
||||
name vrf-gold-subnet
|
||||
@@ -45,15 +54,21 @@ interface Port-Channel10
|
||||
interface Ethernet3
|
||||
description host4
|
||||
channel-group 1 mode active
|
||||
dot1x pae authenticator
|
||||
dot1x port-control auto
|
||||
dot1x host-mode single-host
|
||||
!
|
||||
interface Ethernet4
|
||||
description host4
|
||||
channel-group 1 mode active
|
||||
dot1x pae authenticator
|
||||
dot1x port-control auto
|
||||
dot1x host-mode single-host
|
||||
!
|
||||
interface Port-Channel1
|
||||
description host4
|
||||
switchport mode trunk
|
||||
switchport trunk allowed vlan 78
|
||||
switchport mode access
|
||||
switchport access vlan 78
|
||||
port-channel lacp fallback timeout 5
|
||||
port-channel lacp fallback individual
|
||||
spanning-tree portfast
|
||||
|
||||
Reference in New Issue
Block a user