Add dot1x and wpa_supplicant for 802.1X authentication

- Configure dot1x on access switch host-facing ports (Et3/Et4) with RADIUS dynamic VLAN assignment - Switch host-facing port-channels to access mode (from trunk) to align with dot1x dynamic VLAN behavior - Add wpa_supplicant configs and binds for all hosts - Remove VLAN subinterfaces from hosts, assign IPs directly to bond0 (untagged traffic for dot1x access ports) Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-04-01 08:58:07 +00:00
parent 0f97e3add8
commit 35fdaba993
9 changed files with 131 additions and 20 deletions
--- a/evpn-lab.clab.yml
+++ b/evpn-lab.clab.yml
@@ -94,6 +94,8 @@ topology:
            image: ghcr.io/hellt/network-multitool
            cap-add:
                - NET_ADMIN
+            binds:
+                - hosts/freeradius/wpa_supplicant_host1.conf:/etc/wpa_supplicant/wpa_supplicant.conf
            exec:
                - ip link add bond0 type bond mode 802.3ad
                - ip link set dev bond0 type bond xmit_hash_policy layer3+4
@@ -105,9 +107,10 @@ topology:
                - ip link set dev eth2 up
                - ip link set dev bond0 type bond lacp_rate fast
                - ip link set dev bond0 up
-                - ip link add link bond0 name bond0.40 type vlan id 40
-                - ip link set bond0.40 up
-                - ip addr add 10.40.40.101/24 dev bond0.40
+                - ip addr add 10.40.40.101/24 dev bond0
+                - apk add --no-cache wpa_supplicant
+                - wpa_supplicant -i eth1 -c /etc/wpa_supplicant/wpa_supplicant.conf -D wired -B
+                - wpa_supplicant -i eth2 -c /etc/wpa_supplicant/wpa_supplicant.conf -D wired -B

        host2:
            kind: linux
@@ -115,6 +118,8 @@ topology:
            image: ghcr.io/hellt/network-multitool
            cap-add:
                - NET_ADMIN
+            binds:
+                - hosts/freeradius/wpa_supplicant_host2.conf:/etc/wpa_supplicant/wpa_supplicant.conf
            exec:
                - ip link add bond0 type bond mode 802.3ad
                - ip link set dev bond0 type bond xmit_hash_policy layer3+4
@@ -126,10 +131,11 @@ topology:
                - ip link set dev eth2 up
                - ip link set dev bond0 type bond lacp_rate fast
                - ip link set dev bond0 up
-                - ip link add link bond0 name bond0.34 type vlan id 34
-                - ip link set bond0.34 up
-                - ip addr add 10.34.34.102/24 dev bond0.34
+                - ip addr add 10.34.34.102/24 dev bond0
                - ip route add 10.78.78.0/24 via 10.34.34.1
+                - apk add --no-cache wpa_supplicant
+                - wpa_supplicant -i eth1 -c /etc/wpa_supplicant/wpa_supplicant.conf -D wired -B
+                - wpa_supplicant -i eth2 -c /etc/wpa_supplicant/wpa_supplicant.conf -D wired -B

        host3:
            kind: linux
@@ -137,6 +143,8 @@ topology:
            image: ghcr.io/hellt/network-multitool
            cap-add:
                - NET_ADMIN
+            binds:
+                - hosts/freeradius/wpa_supplicant_host3.conf:/etc/wpa_supplicant/wpa_supplicant.conf
            exec:
                - ip link add bond0 type bond mode 802.3ad
                - ip link set dev bond0 type bond xmit_hash_policy layer3+4
@@ -148,9 +156,10 @@ topology:
                - ip link set dev eth2 up
                - ip link set dev bond0 type bond lacp_rate fast
                - ip link set dev bond0 up
-                - ip link add link bond0 name bond0.40 type vlan id 40
-                - ip link set bond0.40 up
-                - ip addr add 10.40.40.103/24 dev bond0.40
+                - ip addr add 10.40.40.103/24 dev bond0
+                - apk add --no-cache wpa_supplicant
+                - wpa_supplicant -i eth1 -c /etc/wpa_supplicant/wpa_supplicant.conf -D wired -B
+                - wpa_supplicant -i eth2 -c /etc/wpa_supplicant/wpa_supplicant.conf -D wired -B

        host4:
            kind: linux
@@ -160,6 +169,7 @@ topology:
                - NET_ADMIN
            binds:
                - hosts/host4_interfaces:/etc/network/interfaces
+                - hosts/freeradius/wpa_supplicant_host4.conf:/etc/wpa_supplicant/wpa_supplicant.conf
            exec:
                - ip link add bond0 type bond mode 802.3ad
                - ip link set dev bond0 type bond xmit_hash_policy layer3+4
@@ -171,10 +181,11 @@ topology:
                - ip link set dev eth2 up
                - ip link set dev bond0 type bond lacp_rate fast
                - ip link set dev bond0 up
-                - ip link add link bond0 name bond0.78 type vlan id 78
-                - ip link set bond0.78 up
-                - ip addr add 10.78.78.104/24 dev bond0.78
+                - ip addr add 10.78.78.104/24 dev bond0
                - ip route add 10.34.34.0/24 via 10.78.78.1
+                - apk add --no-cache wpa_supplicant
+                - wpa_supplicant -i eth1 -c /etc/wpa_supplicant/wpa_supplicant.conf -D wired -B
+                - wpa_supplicant -i eth2 -c /etc/wpa_supplicant/wpa_supplicant.conf -D wired -B

        # FreeRADIUS server for dynamic VLAN assignment
        freeradius: