Security

last person joined: 9 hours ago 

Enterprise security using ClearPass Policy Management, ClearPass Security Exchange, IntroSpect, VIA, 360 Security Exchange, Extensions and Policy Enforcement Firewall (PEF).
Expand all | Collapse all

802.1X on Arista Campus Switches

Jump to Best Answer
This thread has been viewed 11 times
  • 1.  802.1X on Arista Campus Switches

    Posted Feb 06, 2020 03:36 PM

    Hello,

     

    I'm working with a customer who's deploying some Arista campus switches but I'm struggling to get 802.1X VLAN based enforcements working on them.

     

    Model is: DCS-7050SX-64-F

    Firmware is: 4.22.1F

     

    I've configured a standard wired dot1x service in ClearPass and I can see that the request hits successfully. Other configuration on the Arista is pretty standard to Cisco:

     

    radius-server host 172.16.10.41 key 7 xxxxxxxxxxxxxxxxxx
    !
    aaa group server radius CLEARPASS-GROUP
       server 172.16.10.xx
    !
    aaa authentication dot1x default group CLEARPASS-GROUP
    aaa accounting system default start-stop group CLEARPASS-GROUP
    !
    dot1x system-auth-control
    !

    Here's the interface config:

     

    interface Ethernet2
       dot1x pae authenticator
       dot1x reauthentication
       dot1x port-control auto
       dot1x mac based authentication
       dot1x timeout tx-period 10
       dot1x reauthorization request limit 1
    !

    In ClearPass I'm doing simple VLAN enforcement (sending VLAN 101) using the standard VLAN template:

     

    arista_vlan_Capture.PNG

    I've confirmed VLAN 101 is in place on the switch;

     

    vlan 101
       name Corp
    !
    interface Vlan101
       ip address 172.16.101.1/24
       ip helper-address 172.16.10.xx
       ip helper-address 172.16.11.xx
    !

    The 802.1X process appears to proceed successfully but I'm getting errors on the switch when passing VLAN 101:

     

    Console output:

     

    Feb  6 20:28:28 Arista-Lab-SW1 Dot1x: %DOT1X-3-SUPPLICANT_FAILED_AUTHORIZATION: Supplicant with identity VMLAB\\Ryan, MAC f0:de:f1:7b:46:52 and dynamic VLAN None successfully authenticated but failed authorization on port Ethernet2.

    Show dot1x hosts:

     

    Arista-Lab-SW1(config-if-Et2)#show dot1x hosts
    Interface: Ethernet2
    Supplicant MAC          Auth Method         State                   VLAN Id
    --------------          -----------         -----                   -------
    f0:de:f1:7b:46:52       EAPOL               FAILED-DYN-VLAN

    Show vlan dynamic:

     

    Arista-Lab-SW1#show vlan dynamic
    Dynamic VLAN source       VLANS
    dot1x                     NONE
    mlag                      NONE

    Clearly the Arista switch is not happy with the values I'm sending. I guess my questions are:

     

    1) Is any config missing?

    2) Does anything additional need to be done on the Arista to allow it to accept dynamic vlans?

    3) Does anyone have tips on getting CoA working?

     

    Thanks in advance!

    -Ryan



  • 2.  RE: 802.1X on Arista Campus Switches
    Best Answer

    Posted Feb 06, 2020 09:28 PM

    The problem as they say is in between the keyboard and the chair. Apparently 802.1X is unsupported on this model switch. Oops.

     

    I'll update this post again once I have one of the 720XP's in my possession.



  • 3.  RE: 802.1X on Arista Campus Switches

    Posted Sep 23, 2021 10:34 PM
    Do you have an update for this?

    ------------------------------
    Ryan Hadley
    ------------------------------



  • 4.  RE: 802.1X on Arista Campus Switches

    Posted Sep 23, 2021 10:34 PM
    Any updates on this?

    ------------------------------
    Ryan Hadley
    ------------------------------