Security

Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

802.1X on Arista Campus Switches

  • 1.  802.1X on Arista Campus Switches

    Posted Feb 06, 2020 03:36 PM

    Hello,

    I'm working with a customer who's deploying some Arista campus switches, but I'm struggling to get 802.1X VLAN-based enforcement working on them.

    Model is: DCS-7050SX-64-F

    Firmware is: 4.22.1F

    I've configured a standard wired dot1x service in ClearPass and I can see that the request hits successfully. Other configuration on the Arista is pretty standard, similar to Cisco:

    radius-server host 172.16.10.41 key 7 xxxxxxxxxxxxxxxxxx
    !
    aaa group server radius CLEARPASS-GROUP
       server 172.16.10.xx
    !
    aaa authentication dot1x default group CLEARPASS-GROUP
    aaa accounting system default start-stop group CLEARPASS-GROUP
    !
    dot1x system-auth-control
    !

    Here's the interface config:

    interface Ethernet2
       dot1x pae authenticator
       dot1x reauthentication
       dot1x port-control auto
       dot1x mac based authentication
       dot1x timeout tx-period 10
       dot1x reauthorization request limit 1
    !

    In ClearPass I'm doing simple VLAN enforcement (sending VLAN 101) using the standard VLAN template:

    [Screenshot: arista_vlan_Capture.PNG]

    I've confirmed VLAN 101 is in place on the switch:

    vlan 101
       name Corp
    !
    interface Vlan101
       ip address 172.16.101.1/24
       ip helper-address 172.16.10.xx
       ip helper-address 172.16.11.xx
    !

    The 802.1X process appears to proceed successfully, but I'm getting errors on the switch when passing VLAN 101:

    Console output:

    Feb  6 20:28:28 Arista-Lab-SW1 Dot1x: %DOT1X-3-SUPPLICANT_FAILED_AUTHORIZATION: Supplicant with identity VMLAB\\Ryan, MAC f0:de:f1:7b:46:52 and dynamic VLAN None successfully authenticated but failed authorization on port Ethernet2.

    Show dot1x hosts:

    Arista-Lab-SW1(config-if-Et2)#show dot1x hosts
    Interface: Ethernet2
    Supplicant MAC          Auth Method         State                   VLAN Id
    --------------          -----------         -----                   -------
    f0:de:f1:7b:46:52       EAPOL               FAILED-DYN-VLAN

    Show vlan dynamic:

    Arista-Lab-SW1#show vlan dynamic
    Dynamic VLAN source       VLANS
    dot1x                     NONE
    mlag                      NONE

    Clearly the Arista switch is not happy with the values I'm sending. I guess my questions are:

    1) Is any config missing?

    2) Does anything additional need to be done on the Arista to allow it to accept dynamic vlans?

    3) Does anyone have tips on getting CoA working?

    Thanks in advance!

    -Ryan
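As an added example (not from the original post, ClearPass or Arista), the three RFC 3580 tunnel attributes that a ClearPass VLAN enforcement profile places in the Access-Accept, encoded and then parsed the way a NAS has to parse them to derive a dynamic VLAN, including the RFC 2868 tag-octet rule that decides whether the leading byte of Tunnel-Private-Group-ID is a tag or part of the VLAN string. The function names are my own and all byte strings are constructed.

```python
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN = 13       # RFC 3580: Tunnel-Type = VLAN
TUNNEL_MEDIUM_IEEE802 = 6   # RFC 3580: Tunnel-Medium-Type = IEEE-802

def encode_vlan_avps(vlan_id, tag=0):
    """Build the three AVPs a VLAN enforcement profile sends (RFC 2868 tagged
    form: 1-byte tag, then a 3-byte integer or the VLAN id as a string)."""
    if not 0 <= tag <= 0x1F:
        raise ValueError("tag must be 0x00..0x1F")
    avps = b""
    for attr_type, value in ((TUNNEL_TYPE, TUNNEL_TYPE_VLAN),
                             (TUNNEL_MEDIUM_TYPE, TUNNEL_MEDIUM_IEEE802)):
        body = bytes([tag]) + value.to_bytes(3, "big")
        avps += bytes([attr_type, 2 + len(body)]) + body
    body = bytes([tag]) + str(vlan_id).encode("ascii")
    return avps + bytes([TUNNEL_PRIVATE_GROUP_ID, 2 + len(body)]) + body

def parse_avps(data):
    """Yield (type, value) pairs from a run of RADIUS AVPs; reject bad lengths."""
    i = 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated AVP header")
        attr_type, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("bad AVP length")
        yield attr_type, data[i + 2:i + length]
        i += length

def dynamic_vlan(data):
    """Return the VLAN a NAS derives from the AVPs, or None when the tunnel
    attributes are missing or inconsistent (the switch log's 'dynamic VLAN None')."""
    found = {}
    for attr_type, value in parse_avps(data):
        if attr_type in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            if len(value) != 4:
                return None
            found[attr_type] = int.from_bytes(value[1:], "big")
        elif attr_type == TUNNEL_PRIVATE_GROUP_ID:
            # RFC 2868: a leading octet <= 0x1F is a tag; a larger one (e.g. the
            # ASCII digit '1') is already the first character of the string.
            vlan = value[1:] if value and value[0] <= 0x1F else value
            found[attr_type] = vlan.decode("ascii", "replace")
    if (found.get(TUNNEL_TYPE) != TUNNEL_TYPE_VLAN
            or found.get(TUNNEL_MEDIUM_TYPE) != TUNNEL_MEDIUM_IEEE802):
        return None
    group = found.get(TUNNEL_PRIVATE_GROUP_ID, "")
    return int(group) if group.isdigit() and 1 <= int(group) <= 4094 else None
```

Running dynamic_vlan over the attributes of a captured Access-Accept shows whether the server actually sent a VLAN the NAS can parse, which separates a server-side enforcement problem from a switch that does not implement dynamic VLANs at all.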



  • 2.  RE: 802.1X on Arista Campus Switches
    Best Answer

    Posted Feb 06, 2020 09:28 PM

    The problem, as they say, is between the keyboard and the chair. Apparently 802.1X is unsupported on this model switch. Oops.

    I'll update this post again once I have one of the 720XPs in my possession.



  • 3.  RE: 802.1X on Arista Campus Switches

    EMPLOYEE
    Posted Sep 23, 2021 10:34 PM
    Do you have an update for this?

    ------------------------------
    Ryan Hadley
    ------------------------------



  • 4.  RE: 802.1X on Arista Campus Switches

    EMPLOYEE
    Posted Sep 23, 2021 10:34 PM
    Any updates on this?

    ------------------------------
    Ryan Hadley
    ------------------------------