Posted on March 26, 2021 3:21 am
 |  Asked by Robert Bryan

Use case: Mixed network environment. Some campuses use Cisco, some Arista switches. Some devices attached to mini-switches, attached to either an Arista or Cisco access port.

We want to see the result of a RADIUS authentication attempt, but we do not want to block based on that result. In a Cisco environment, devices connected to a mini switch can be authorized on a per device basis, and using the ‘authentication open’ command means we can see the result of the authentication attempt, even though we allow all devices on.

In an Arista environment, we do not have the same behavior, because there is no equivalent for ‘authentication open’. We can allow all devices, and we can block devices that do not authenticate, even when connected to a mini switch. But what we cannot do is allow all devices with an open auth command, allowing us to see the results of an authentication attempt for each device.

Posted by Lalitha Prasuna
Answered on March 26, 2021 3:24 am

Hi Robert,

You can achieve this use case by implementing MAC-based authentication for supplicants and configuring the Auth Fail policy on the RADIUS server to Continue rather than Reject when authentication fails.

This way, you will have authentication attempt requests for each client/workstation on the RADIUS server and will allow all the devices irrespective of the result of authentication.


Interface level commands:

  dot1x pae authenticator
  dot1x port-control auto
  dot1x mac based authentication
  dot1x reauthentication

Global commands:

  dot1x system-auth-control
  radius-server host <radius server IP> key <key>


More of MBA:


Hope this helps! Feel free to reach out to us at support@arista if there are more queries. 


Warm Regards

Lalitha Prasuna
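
An added example, not part of the answer above and not Arista code: a small Python audit that checks a saved switch configuration for the global and interface-level commands listed in the answer, so that ports missing part of the setup stand out before the RADIUS results are relied on. The sample configuration, the interface names, the RADIUS address and key, and the assumption that interface commands are indented under an `interface` line are all constructed for illustration.

```python
import re
# Commands copied from the answer above.
REQUIRED_INTERFACE = ["dot1x pae authenticator", "dot1x port-control auto",
                      "dot1x mac based authentication", "dot1x reauthentication"]
REQUIRED_GLOBAL = ["dot1x system-auth-control"]

# Constructed sample config; the address and key are placeholders.
SAMPLE = """\
dot1x system-auth-control
radius-server host 192.0.2.10 key EXAMPLE-KEY
interface Ethernet1
   dot1x pae authenticator
   dot1x port-control auto
   dot1x mac based authentication
   dot1x reauthentication
interface Ethernet2
   dot1x pae authenticator
   dot1x port-control auto
"""

def parse_config(text):
    """Split a config into global lines and per-interface command lists."""
    global_lines, interfaces, current = [], {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue
        if raw[0].isspace():  # indented: belongs to the current stanza
            if current is not None:
                interfaces[current].append(line)
            continue
        m = re.match(r"interface\s+(\S+)", line)
        current = m.group(1) if m else None
        if m:
            interfaces[current] = []
        else:
            global_lines.append(line)
    return global_lines, interfaces

def audit(text, ports):
    """Return {scope: [missing commands]} for 'global' and each named port."""
    global_lines, interfaces = parse_config(text)
    findings = {"global": [c for c in REQUIRED_GLOBAL if c not in global_lines]}
    if not any(l.startswith("radius-server host ") for l in global_lines):
        findings["global"].append("radius-server host")
    for port in ports:
        have = interfaces.get(port, [])
        findings[port] = [c for c in REQUIRED_INTERFACE if c not in have]
    return {k: v for k, v in findings.items() if v}
```

Calling `audit(SAMPLE, ["Ethernet1", "Ethernet2", "Ethernet3"])` reports the two commands missing on Ethernet2 and all four on Ethernet3, which has no stanza in the sample.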

