Hello Everyone,
Objective of this post is to educate community members about the security enhancement feature "Per Port Radius Server Group" introduced as part of AOS-CX 10.12 Release.
- Prior to the 10.12 release, the RADIUS server group for 802.1X/MAC authentication could only be assigned globally, so the same group applied to every port on the switch:
switch(config)# aaa authentication port-access mac-auth
switch(config-macauth)# radius server-group <GROUP-NAME>
switch(config-macauth)# exit
switch(config)# aaa authentication port-access dot1x authenticator
switch(config-dot1x-auth)# radius server-group <GROUP-NAME>
switch(config-dot1x-auth)# exit
- With this enhancement, the RADIUS server group can also be configured at the interface level:
switch(config)# interface 1/1/1
switch(config-if)# aaa authentication port-access mac-auth
switch(config-if-macauth)# radius server-group <GROUP-NAME>
switch(config-if-macauth)# exit
switch(config-if)# aaa authentication port-access dot1x authenticator
switch(config-if-dot1x-auth)# radius server-group <GROUP-NAME>
switch(config-if-dot1x-auth)# exit
- When per port RADIUS group is configured for authentication, the authentication requests for all the clients on that port are sent to the configured per-port RADIUS server group.
- 802.1X/MAC-auth falls back to the system-level RADIUS server group configuration when the RADIUS server group assignment is removed from the port.
- When the RADIUS server group for dot1x/MAC-auth is updated on a port, clients already authenticated on that port using the previous group only pick up the new group at their next re-authentication cycle.
- The use case this feature helps solve is described in this YouTube video: https://www.youtube.com/watch?v=BfyEzEeVPuc
- Supported platforms: 4100i, 6000, 6100, 6200, 6300, 6400, 8325, 8360, 8100, 10000
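An end-to-end walkthrough of the steps above, as an added example that is not part of the original post: the server addresses, shared keys, group names and port number are constructed, and the `config-sg` prompt and the `no radius server-group` form used to remove the per-port assignment are assumed.

```text
! Added example, not from the original post; addresses, keys and names are constructed.
! 1. Define two RADIUS servers and place each in its own server group.
switch(config)# radius-server host 10.10.1.10 key plaintext ExampleKey1
switch(config)# radius-server host 10.10.2.10 key plaintext ExampleKey2
switch(config)# aaa group server radius CORP-RADIUS
switch(config-sg)# server 10.10.1.10
switch(config-sg)# exit
switch(config)# aaa group server radius LAB-RADIUS
switch(config-sg)# server 10.10.2.10
switch(config-sg)# exit
! 2. System-level default: every port authenticates 802.1X clients against CORP-RADIUS.
switch(config)# aaa authentication port-access dot1x authenticator
switch(config-dot1x-auth)# radius server-group CORP-RADIUS
switch(config-dot1x-auth)# exit
! 3. Per-port override: clients on the lab-facing port 1/1/24 are sent to LAB-RADIUS
!    instead, while all other ports keep using CORP-RADIUS.
switch(config)# interface 1/1/24
switch(config-if)# aaa authentication port-access dot1x authenticator
switch(config-if-dot1x-auth)# radius server-group LAB-RADIUS
switch(config-if-dot1x-auth)# exit
switch(config-if)# exit
! 4. Removing the per-port assignment makes 1/1/24 fall back to CORP-RADIUS;
!    clients already authenticated via LAB-RADIUS switch over at their next re-authentication.
switch(config)# interface 1/1/24
switch(config-if)# aaa authentication port-access dot1x authenticator
switch(config-if-dot1x-auth)# no radius server-group
switch(config-if-dot1x-auth)# exit
switch(config-if)# exit
! 5. Verify which group, if any, is bound at the port level.
switch# show running-config interface 1/1/24
```

Keeping a dedicated group for ports that face less trusted segments (labs, contractor areas) limits the blast radius if that RADIUS server or its shared key is compromised, since corporate ports never send their requests there.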
Additional Resource:
------------------------------
Shobana
Aruba
------------------------------