• Tag : Radius


RADIUS dynamic-authorization over TLS

Description RADIUS protocol specifies the existence of Dynamic-Authorization messages which provides a mechanism to change the attributes of an authentication, authorization, and accounting (AAA) session after it is authenticated. These messages are of two types – Change of Authorization (CoA) messages and Disconnect (DM) messages. These can be sent by the RADIUS server to the switch for various purposes like disconnecting a session, changing roles and permissions of a session etc. These messages are initiated by the RADIUS server to be sent to the switch and the switch replies with a response in contrast to normal authentication and accounting messages...
Continue reading →


RADIUS over TLS provides secure and reliable transport for RADIUS clients. RADIUS over TLS allows RADIUS authentication and accounting data to be passed safely reliably across insecure networks such as the internet. Description RADIUS is mainly used to authenticate remote users utilizing a central database. It functions as a client server protocol, where the radius server maintains a database for users and passwords which is used to authenticate remote users. Conventional RADIUS access requests over UDP are mostly plaintext and eavesdroppers can easily gain access to valuable information travelling over the internet. RADIUS over TLS uses the TCP/IP protocol to...
Continue reading →

Arista equivalent of “authentication open”?

Use case: Mixed network environment. Some campuses use Cisco, some Arista switches. Some devices attached to mini-switches, attached to either an Arista or Cisco access port. We want to see the result of a RADIUS authentication attempt, but we do not want to block based on that result. In a cisco environment, devices connected to a mini switch can be authorized on a per device basis, and using the ‘authentication open’ command means we can see the result of the authentication attempt, even though we allow all devices on. In an Arista environment, we do not have the same behavior,...
Continue reading →

Troubleshooting RADIUS Authentication/Authorization Issues

Introduction Arista Access Points offer several authentication methods for client connectivity, including the use of external authentication servers to support WPA2-Enterprise. This article outlines Dashboard configuration to use a RADIUS server for WPA2-Enterprise authentication, RADIUS server requirements and basic troubleshooting of RADIUS authentication. Prerequisites All Arista APs must be added as RADIUS clients on the RADIUS server. It is recommended that a static IP assignment or a DHCP fixed IP assignment should be used on the APs. Corresponding user authentication policies must be in place on the RADIUS server. Feature Description WPA2-Enterprise with 802.1x authentication can be used to authenticate...
Continue reading →

Dynamic VLAN Support Using RADIUS and Google Integration

Introduction Dynamic VLAN assignment helps you to quickly on-board a new device by allowing it to connect to a single SSID irrespective of the VLAN it has access to. Users can get access to their respective VLANs by connecting to a single corporate SSID. With dynamic VLAN assignment RADIUS server maps these users to their respective VLANs at the back end. The APs need to be connected to a trunk port that carries all the VLANs. There are two methods to assign Dynamic VLANs: RADIUS Google OU Solution RADIUS Based Assignment To achieve this, the following tasks must be performed:...
Continue reading →

Role-Based Access Control for RADIUS MAC Authentication

Description With the 8.8.1 release, RADIUS MAC Authentication can be configured to assign roles to clients both before and after authentication. This allows for better integration of Arista Wi-Fi with third-party RADIUS servers, especially for scenarios that use central web authentication via an external captive portal with RADIUS (e.g., for the onboarding of guest users or employee-owned devices). An example workflow using roles is shown in the figure below. When the client first connects to the SSID, the Wi-Fi access point (AP) sends an Access Request containing the client’s MAC address to the RADIUS server. The RADIUS server responds with...
Continue reading →

MAC based authentication vlan assignment

Hi, I’m setting up a network where we want to use MAC auth on the edge ports (i.e. only specific MACs will be allowed access to the network) and I want to be able to assign the MAC address to a specific vlan. In another vendor I’ve done the same sort of thing using a mac-based vlan with a RADIUS back end – the RADIUS server returns the vlan that the mac should be associated with. Is this possible in Arista’s implementation of .1x? I can’t find any documentation on doing this. Any help appreciated.

7010T 802.1x Authentication Requests using Management Interface in Separate VRF

I would like to source all dot1x authentication requests for ports in the default/root vrf in a 7010T-48 Arista switch using the Management interface which is part of a separate VRF named Mgmt. If I source a ping using the command “ping vrf Mgmt ” it is reachable 100% of the time, but authentication requests never make it to the radius server. If I move the Management interface back to the default/root VRF (basically remove the command “vrf forwarding Mgmt” from the management interface”, then dot1x requests make it to the Radius server. Does anyone know if this is a...
Continue reading →

Use FreeRadius for authentication

Has anyone used FreeRadius for authentication into your Arista devices? I am trying to find out how to configure freeradius for arista so that I can configure my switches to use it.

RADIUS Dictionary for Arista Networks

Introduction Each dictionary file contains a list of RADIUS attributes and values, which the server uses to map between descriptive names and on-the-wire data. The names have no meaning outside of the RADIUS server itself, and are never exchanged between server and clients. Arista APs support standard IETF attributes and also the ones mentioned below as vendor specific attributes (VSAs). Solution Vendor ID: 16901 Vendor Name: Arista The following format has been used below: AttributeName (AttributeNumber,AttributeType) The following vendor specific attributes are supported by Arista APs: Mojo-download (5,integer) Mojo-upload (6,integer) Mojo-User-Role (7,string) The following vendor specific attributes are supported by...
Continue reading →

RADIUS Disconnect and COA Support on Arista Access Points

Introduction This document lists the requirements for the Arista AP to support RADIUS DISCONNECT or Change of Authorization (COA). A CoA message is used to change attributes and the data filters associated with a user session. The APs support CoA messages from the Authentication, Authorization, and Accounting (AAA) server to change data filters associated with a subscriber session. The RADIUS DISCONNECT message is used to disconnect user sessions. The DISCONNECT request message contains the attributes necessary to identify the user session. Use Case The document is useful in scenarios where dynamic authorization is implemented with RADIUS. Example: MAC Based Authentication...
Continue reading →

Why Can’t I Always See Wireless Client Usernames?

Introduction This article explains why Arista APs may not be able to identify a wireless client username in certain scenarios. Solution When you add a VLAN to be monitored by an Arista AP/Sensor and connect the device to a trunk port, it will become a part of the broadcast domain for all the VLANs that it is monitoring. It will act like a device connected to each VLAN. With Wired 802.1x exchange, the only part where the communication is in plain text: EAPOL START (Client to switch) – Optional EAPOL Identity Request (Switch to Client) EAPOL Identity Response (Client to...
Continue reading →

How to Configure and Assign User Access Roles via RADIUS / NPS

Introduction This article describes how to authenticate users and assign different access roles via RADIUS server (NPS) integration with on-premises Wireless Manager. Prerequisites Administrative access to on-premises Wireless Manager. RADIUS server with Administrator privileges Configured correct shared secret and RADIUS client on the RADIUS server Solution Configure ‘Superuser’ Access Role Log in to NPS with Administrator credentials. Under NPS expand Policies and click Network Policies folder. On the Overview tab, enter the appropriate information. Go to Conditions tab, add Windows Domain Admin group. Go to Constraints tab and enable Authentication Method (PAP) as Wireless Manager communicates with the RADIUS server...
Continue reading →

Introduction to Managing EOS Devices – Setting up Management

Note: This article is part of the Introduction to Managing EOS Devices series: https://eos.arista.com/introduction-to-managing-eos-devices/      1) Setting Up Management The following management tools are available on Arista EOS for all platforms: VRF-aware management Telnet and SSH Syslog and Console Logging SNMP Versions 1 and 3 NTP DNS Local and remote user control (AAA) TACACS+, RADIUS sFlow XMPP eAPI   Note: in the following configuration examples, the commands in square brackets are optional: [optional]   1.1) VRF Aware Management As of release 4.10.1, EOS supports the ability to constrain management functions to a VRF. This enables the user to separate management based functions...
Continue reading →


Get every new post on this blog delivered to your Inbox.

Join other followers: