• Tag : 802.1x


802.1X with device certificates

We have several types of switches (7050, 7010, 7020) and have the requirement for 802.1X authentication with device certificates, not MAC based. Is it possible? I have found only information about MAC based auth or RADIUS for login. Our not working config until now:

    interface Ethernet47
       switchport access vlan 10
       dot1x pae authenticator
       dot1x authentication failure action traffic allow vlan 11
       dot1x reauthentication
       dot1x port-control auto
       dot1x reauthorization request limit 3

In the log files always:

    %DOT1X-3-SUPPLICANT_FAILED_AUTHENTICATION_AFVLAN: Supplicant with identity host/FQDN MAC xxxx.xxxx.xxxx and dynamic VLAN 10 failed authentication on port Ethernet47. The supplicant will be put in...

Troubleshooting RADIUS Authentication/Authorization Issues

Introduction: Arista Access Points offer several authentication methods for client connectivity, including the use of external authentication servers to support WPA2-Enterprise. This article outlines Dashboard configuration to use a RADIUS server for WPA2-Enterprise authentication, RADIUS server requirements and basic troubleshooting of RADIUS authentication.

Prerequisites: All Arista APs must be added as RADIUS clients on the RADIUS server. It is recommended that a static IP assignment or a DHCP fixed IP assignment should be used on the APs. Corresponding user authentication policies must be in place on the RADIUS server.

Feature Description: WPA2-Enterprise with 802.1x authentication can be used to authenticate...

MAC based authentication vlan assignment

Hi, I’m setting up a network where we want to use MAC auth on the edge ports (i.e. only specific MACs will be allowed access to the network) and I want to be able to assign the MAC address to a specific vlan. In another vendor I’ve done the same sort of thing using a mac-based vlan with a RADIUS back end – the RADIUS server returns the vlan that the mac should be associated with. Is this possible in Arista’s implementation of .1x? I can’t find any documentation on doing this. Any help appreciated.

7010T 802.1x Authentication Requests using Management Interface in Separate VRF

I would like to source all dot1x authentication requests for ports in the default/root VRF in a 7010T-48 Arista switch using the Management interface, which is part of a separate VRF named Mgmt. If I source a ping using the command “ping vrf Mgmt ” it is reachable 100% of the time, but authentication requests never make it to the RADIUS server. If I move the Management interface back to the default/root VRF (basically remove the command “vrf forwarding Mgmt” from the management interface), then dot1x requests make it to the RADIUS server. Does anyone know if this is a...

