Add dot1x and wpa_supplicant for 802.1X authentication

- Configure dot1x on access switch host-facing ports (Et3/Et4) with
  RADIUS dynamic VLAN assignment
- Switch host-facing port-channels to access mode (from trunk) to
  align with dot1x dynamic VLAN behavior
- Add wpa_supplicant configs and binds for all hosts
- Remove VLAN subinterfaces from hosts, assign IPs directly to bond0
  (untagged traffic for dot1x access ports)

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

configs/access3.cfg

@@ -14,6 +14,15 @@ management api gnmi
 ! admin/admin for ssh access
 username admin privilege 15 role network-admin secret sha512 $6$xQktFrbdeqEhVzLM$.1wOJB25nw2fqYaSXDu6y4mo6AP9hngMCFe2vGDl84hWoz00Q.4unoEBqspNI0HEoRz.OZhdBHqQv12KABf0B0
 !
+! RADIUS server
+radius-server host 172.16.0.200 key arista123
+!
+! AAA for dot1x
+aaa authentication dot1x default group radius
+!
+! Enable 802.1X globally
+dot1x system-auth-control
+!
 ! VLANs
 vlan 40
    name test-l2-vxlan
@@ -45,15 +54,21 @@ interface Port-Channel10
 interface Ethernet3
    description host3
    channel-group 1 mode active
+   dot1x pae authenticator
+   dot1x port-control auto
+   dot1x host-mode single-host
 !
 interface Ethernet4
    description host3
    channel-group 1 mode active
+   dot1x pae authenticator
+   dot1x port-control auto
+   dot1x host-mode single-host
 !
 interface Port-Channel1
    description host3
-   switchport mode trunk
-   switchport trunk allowed vlan 40
+   switchport mode access
+   switchport access vlan 40
    port-channel lacp fallback timeout 5
    port-channel lacp fallback individual
    spanning-tree portfast