Add dot1x and wpa_supplicant for 802.1X authentication

- Configure dot1x on access switch host-facing ports (Et3/Et4) with
  RADIUS dynamic VLAN assignment
- Switch host-facing port-channels to access mode (from trunk) to
  align with dot1x dynamic VLAN behavior
- Add wpa_supplicant configs and binds for all hosts
- Remove VLAN subinterfaces from hosts, assign IPs directly to bond0
  (untagged traffic for dot1x access ports)

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

configs/access1.cfg

@@ -14,6 +14,15 @@ management api gnmi
 ! admin/admin for ssh access
 username admin privilege 15 role network-admin secret sha512 $6$xQktFrbdeqEhVzLM$.1wOJB25nw2fqYaSXDu6y4mo6AP9hngMCFe2vGDl84hWoz00Q.4unoEBqspNI0HEoRz.OZhdBHqQv12KABf0B0
 !
+! RADIUS server
+radius-server host 172.16.0.200 key arista123
+!
+! AAA for dot1x
+aaa authentication dot1x default group radius
+!
+! Enable 802.1X globally
+dot1x system-auth-control
+!
 ! VLANs
 vlan 40
    name test-l2-vxlan
@@ -45,15 +54,21 @@ interface Port-Channel10
 interface Ethernet3
    description host1
    channel-group 1 mode active
+   dot1x pae authenticator
+   dot1x port-control auto
+   dot1x host-mode single-host
 !
 interface Ethernet4
    description host1
    channel-group 1 mode active
+   dot1x pae authenticator
+   dot1x port-control auto
+   dot1x host-mode single-host
 !
 interface Port-Channel1
    description host1
-   switchport mode trunk
+   switchport mode access
-   switchport trunk allowed vlan 40
+   switchport access vlan 40
    port-channel lacp fallback timeout 5
    port-channel lacp fallback individual
    spanning-tree portfast

configs/access2.cfg

@@ -14,6 +14,15 @@ management api gnmi
 ! admin/admin for ssh access
 username admin privilege 15 role network-admin secret sha512 $6$xQktFrbdeqEhVzLM$.1wOJB25nw2fqYaSXDu6y4mo6AP9hngMCFe2vGDl84hWoz00Q.4unoEBqspNI0HEoRz.OZhdBHqQv12KABf0B0
 !
+! RADIUS server
+radius-server host 172.16.0.200 key arista123
+!
+! AAA for dot1x
+aaa authentication dot1x default group radius
+!
+! Enable 802.1X globally
+dot1x system-auth-control
+!
 ! VLANs
 vlan 34
    name vrf-gold-subnet
@@ -45,15 +54,21 @@ interface Port-Channel10
 interface Ethernet3
    description host2
    channel-group 1 mode active
+   dot1x pae authenticator
+   dot1x port-control auto
+   dot1x host-mode single-host
 !
 interface Ethernet4
    description host2
    channel-group 1 mode active
+   dot1x pae authenticator
+   dot1x port-control auto
+   dot1x host-mode single-host
 !
 interface Port-Channel1
    description host2
-   switchport mode trunk
+   switchport mode access
-   switchport trunk allowed vlan 34
+   switchport access vlan 34
    port-channel lacp fallback timeout 5
    port-channel lacp fallback individual
    spanning-tree portfast

configs/access3.cfg

@@ -14,6 +14,15 @@ management api gnmi
 ! admin/admin for ssh access
 username admin privilege 15 role network-admin secret sha512 $6$xQktFrbdeqEhVzLM$.1wOJB25nw2fqYaSXDu6y4mo6AP9hngMCFe2vGDl84hWoz00Q.4unoEBqspNI0HEoRz.OZhdBHqQv12KABf0B0
 !
+! RADIUS server
+radius-server host 172.16.0.200 key arista123
+!
+! AAA for dot1x
+aaa authentication dot1x default group radius
+!
+! Enable 802.1X globally
+dot1x system-auth-control
+!
 ! VLANs
 vlan 40
    name test-l2-vxlan
@@ -45,15 +54,21 @@ interface Port-Channel10
 interface Ethernet3
    description host3
    channel-group 1 mode active
+   dot1x pae authenticator
+   dot1x port-control auto
+   dot1x host-mode single-host
 !
 interface Ethernet4
    description host3
    channel-group 1 mode active
+   dot1x pae authenticator
+   dot1x port-control auto
+   dot1x host-mode single-host
 !
 interface Port-Channel1
    description host3
-   switchport mode trunk
+   switchport mode access
-   switchport trunk allowed vlan 40
+   switchport access vlan 40
    port-channel lacp fallback timeout 5
    port-channel lacp fallback individual
    spanning-tree portfast

configs/access4.cfg

@@ -14,6 +14,15 @@ management api gnmi
 ! admin/admin for ssh access
 username admin privilege 15 role network-admin secret sha512 $6$xQktFrbdeqEhVzLM$.1wOJB25nw2fqYaSXDu6y4mo6AP9hngMCFe2vGDl84hWoz00Q.4unoEBqspNI0HEoRz.OZhdBHqQv12KABf0B0
 !
+! RADIUS server
+radius-server host 172.16.0.200 key arista123
+!
+! AAA for dot1x
+aaa authentication dot1x default group radius
+!
+! Enable 802.1X globally
+dot1x system-auth-control
+!
 ! VLANs
 vlan 78
    name vrf-gold-subnet
@@ -45,15 +54,21 @@ interface Port-Channel10
 interface Ethernet3
    description host4
    channel-group 1 mode active
+   dot1x pae authenticator
+   dot1x port-control auto
+   dot1x host-mode single-host
 !
 interface Ethernet4
    description host4
    channel-group 1 mode active
+   dot1x pae authenticator
+   dot1x port-control auto
+   dot1x host-mode single-host
 !
 interface Port-Channel1
    description host4
-   switchport mode trunk
+   switchport mode access
-   switchport trunk allowed vlan 78
+   switchport access vlan 78
    port-channel lacp fallback timeout 5
    port-channel lacp fallback individual
    spanning-tree portfast

evpn-lab.clab.yml

@@ -94,6 +94,8 @@ topology:
             image: ghcr.io/hellt/network-multitool
             cap-add:
                 - NET_ADMIN
+            binds:
+                - hosts/freeradius/wpa_supplicant_host1.conf:/etc/wpa_supplicant/wpa_supplicant.conf
             exec:
                 - ip link add bond0 type bond mode 802.3ad
                 - ip link set dev bond0 type bond xmit_hash_policy layer3+4
@@ -105,9 +107,10 @@ topology:
                 - ip link set dev eth2 up
                 - ip link set dev bond0 type bond lacp_rate fast
                 - ip link set dev bond0 up
-                - ip link add link bond0 name bond0.40 type vlan id 40
+                - ip addr add 10.40.40.101/24 dev bond0
-                - ip link set bond0.40 up
+                - apk add --no-cache wpa_supplicant
-                - ip addr add 10.40.40.101/24 dev bond0.40
+                - wpa_supplicant -i eth1 -c /etc/wpa_supplicant/wpa_supplicant.conf -D wired -B
+                - wpa_supplicant -i eth2 -c /etc/wpa_supplicant/wpa_supplicant.conf -D wired -B
 
         host2:
             kind: linux
@@ -115,6 +118,8 @@ topology:
             image: ghcr.io/hellt/network-multitool
             cap-add:
                 - NET_ADMIN
+            binds:
+                - hosts/freeradius/wpa_supplicant_host2.conf:/etc/wpa_supplicant/wpa_supplicant.conf
             exec:
                 - ip link add bond0 type bond mode 802.3ad
                 - ip link set dev bond0 type bond xmit_hash_policy layer3+4
@@ -126,10 +131,11 @@ topology:
                 - ip link set dev eth2 up
                 - ip link set dev bond0 type bond lacp_rate fast
                 - ip link set dev bond0 up
-                - ip link add link bond0 name bond0.34 type vlan id 34
+                - ip addr add 10.34.34.102/24 dev bond0
-                - ip link set bond0.34 up
-                - ip addr add 10.34.34.102/24 dev bond0.34
                 - ip route add 10.78.78.0/24 via 10.34.34.1
+                - apk add --no-cache wpa_supplicant
+                - wpa_supplicant -i eth1 -c /etc/wpa_supplicant/wpa_supplicant.conf -D wired -B
+                - wpa_supplicant -i eth2 -c /etc/wpa_supplicant/wpa_supplicant.conf -D wired -B
 
         host3:
             kind: linux
@@ -137,6 +143,8 @@ topology:
             image: ghcr.io/hellt/network-multitool
             cap-add:
                 - NET_ADMIN
+            binds:
+                - hosts/freeradius/wpa_supplicant_host3.conf:/etc/wpa_supplicant/wpa_supplicant.conf
             exec:
                 - ip link add bond0 type bond mode 802.3ad
                 - ip link set dev bond0 type bond xmit_hash_policy layer3+4
@@ -148,9 +156,10 @@ topology:
                 - ip link set dev eth2 up
                 - ip link set dev bond0 type bond lacp_rate fast
                 - ip link set dev bond0 up
-                - ip link add link bond0 name bond0.40 type vlan id 40
+                - ip addr add 10.40.40.103/24 dev bond0
-                - ip link set bond0.40 up
+                - apk add --no-cache wpa_supplicant
-                - ip addr add 10.40.40.103/24 dev bond0.40
+                - wpa_supplicant -i eth1 -c /etc/wpa_supplicant/wpa_supplicant.conf -D wired -B
+                - wpa_supplicant -i eth2 -c /etc/wpa_supplicant/wpa_supplicant.conf -D wired -B
 
         host4:
             kind: linux
@@ -160,6 +169,7 @@ topology:
                 - NET_ADMIN
             binds:
                 - hosts/host4_interfaces:/etc/network/interfaces
+                - hosts/freeradius/wpa_supplicant_host4.conf:/etc/wpa_supplicant/wpa_supplicant.conf
             exec:
                 - ip link add bond0 type bond mode 802.3ad
                 - ip link set dev bond0 type bond xmit_hash_policy layer3+4
@@ -171,10 +181,11 @@ topology:
                 - ip link set dev eth2 up
                 - ip link set dev bond0 type bond lacp_rate fast
                 - ip link set dev bond0 up
-                - ip link add link bond0 name bond0.78 type vlan id 78
+                - ip addr add 10.78.78.104/24 dev bond0
-                - ip link set bond0.78 up
-                - ip addr add 10.78.78.104/24 dev bond0.78
                 - ip route add 10.34.34.0/24 via 10.78.78.1
+                - apk add --no-cache wpa_supplicant
+                - wpa_supplicant -i eth1 -c /etc/wpa_supplicant/wpa_supplicant.conf -D wired -B
+                - wpa_supplicant -i eth2 -c /etc/wpa_supplicant/wpa_supplicant.conf -D wired -B
 
         # FreeRADIUS server for dynamic VLAN assignment
         freeradius:

hosts/freeradius/wpa_supplicant_host1.conf

@@ -0,0 +1,10 @@
+ctrl_interface=/var/run/wpa_supplicant
+eapol_version=2
+ap_scan=0
+
+network={
+    key_mgmt=IEEE8021X
+    eap=MD5
+    identity="host1_user"
+    password="host1pass"
+}

hosts/freeradius/wpa_supplicant_host2.conf

@@ -0,0 +1,10 @@
+ctrl_interface=/var/run/wpa_supplicant
+eapol_version=2
+ap_scan=0
+
+network={
+    key_mgmt=IEEE8021X
+    eap=MD5
+    identity="host2_user"
+    password="host2pass"
+}

hosts/freeradius/wpa_supplicant_host3.conf

@@ -0,0 +1,10 @@
+ctrl_interface=/var/run/wpa_supplicant
+eapol_version=2
+ap_scan=0
+
+network={
+    key_mgmt=IEEE8021X
+    eap=MD5
+    identity="host3_user"
+    password="host3pass"
+}

hosts/freeradius/wpa_supplicant_host4.conf

@@ -0,0 +1,10 @@
+ctrl_interface=/var/run/wpa_supplicant
+eapol_version=2
+ap_scan=0
+
+network={
+    key_mgmt=IEEE8021X
+    eap=MD5
+    identity="host4_user"
+    password="host4pass"
+}