802.1X on Arista Campus Switches

Hello,

 

I'm working with a customer who's deploying some Arista campus switches, but I'm struggling to get 802.1X VLAN-based enforcement working on them.

 

Model is: DCS-7050SX-64-F

Firmware is: 4.22.1F

 

I've configured a standard wired dot1x service in ClearPass and I can see that the request hits successfully. Other configuration on the Arista is pretty standard to Cisco:

 

radius-server host 172.16.10.41 key 7 xxxxxxxxxxxxxxxxxx
!
aaa group server radius CLEARPASS-GROUP
   server 172.16.10.xx
!
aaa authentication dot1x default group CLEARPASS-GROUP
aaa accounting system default start-stop group CLEARPASS-GROUP
!
dot1x system-auth-control
!

Here's the interface config:

 

interface Ethernet2
   dot1x pae authenticator
   dot1x reauthentication
   dot1x port-control auto
   dot1x mac based authentication
   dot1x timeout tx-period 10
   dot1x reauthorization request limit 1
!

In ClearPass I'm doing simple VLAN enforcement (sending VLAN 101) using the standard VLAN template:

 

arista_vlan_Capture.PNG

I've confirmed VLAN 101 is in place on the switch:

 

vlan 101
   name Corp
!
interface Vlan101
   ip address 172.16.101.1/24
   ip helper-address 172.16.10.xx
   ip helper-address 172.16.11.xx
!

The 802.1X process appears to proceed successfully but I'm getting errors on the switch when passing VLAN 101:

 

Console output:

 

Feb  6 20:28:28 Arista-Lab-SW1 Dot1x: %DOT1X-3-SUPPLICANT_FAILED_AUTHORIZATION: Supplicant with identity VMLAB\\Ryan, MAC f0:de:f1:7b:46:52 and dynamic VLAN None successfully authenticated but failed authorization on port Ethernet2.

Show dot1x hosts:

 

Arista-Lab-SW1(config-if-Et2)#show dot1x hosts
Interface: Ethernet2
Supplicant MAC          Auth Method         State                   VLAN Id
--------------          -----------         -----                   -------
f0:de:f1:7b:46:52       EAPOL               FAILED-DYN-VLAN

Show vlan dynamic:

 

Arista-Lab-SW1#show vlan dynamic
Dynamic VLAN source       VLANS
dot1x                     NONE
mlag                      NONE

Clearly the Arista switch is not happy with the values I'm sending. I guess my questions are:

 

1) Is any config missing?

2) Does anything additional need to be done on the Arista to allow it to accept dynamic VLANs?

3) Does anyone have tips on getting CoA working?

 

Thanks in advance!

-Ryan
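
A triage sketch for the output quoted in the post above, added here as an example; it is not part of the original thread or of any Arista or ClearPass tooling. It correlates the DOT1X-3-SUPPLICANT_FAILED_AUTHORIZATION console line with the `show dot1x hosts` table; the function names and the second syslog line are constructed for illustration.

```python
import re

MAC = r"(?:[0-9a-f]{2}:){5}[0-9a-f]{2}"
FAILED_AUTHZ = re.compile(
    r"%DOT1X-3-SUPPLICANT_FAILED_AUTHORIZATION: Supplicant with identity (?P<identity>.+?), "
    rf"MAC (?P<mac>{MAC}) and dynamic VLAN (?P<vlan>\S+) successfully authenticated "
    r"but failed authorization on port (?P<port>\S+?)\.?$", re.IGNORECASE)
HOST_ROW = re.compile(
    rf"^(?P<mac>{MAC})\s+(?P<method>\S+)\s+(?P<state>\S+)(?:\s+(?P<vlan>\d+))?\s*$", re.IGNORECASE)

# Sample input: first syslog line and the table are copied from the post;
# the second syslog line is constructed and must be ignored by the parser.
SAMPLE_SYSLOG = r"""Feb  6 20:28:28 Arista-Lab-SW1 Dot1x: %DOT1X-3-SUPPLICANT_FAILED_AUTHORIZATION: Supplicant with identity VMLAB\\Ryan, MAC f0:de:f1:7b:46:52 and dynamic VLAN None successfully authenticated but failed authorization on port Ethernet2.
Feb  6 20:28:30 Arista-Lab-SW1 Example: constructed unrelated line"""
SAMPLE_HOSTS = """Interface: Ethernet2
Supplicant MAC          Auth Method         State                   VLAN Id
--------------          -----------         -----                   -------
f0:de:f1:7b:46:52       EAPOL               FAILED-DYN-VLAN
"""

def parse_failed_authz(syslog_text):
    """Return one dict per 'authenticated but failed authorization' event."""
    events = []
    for line in syslog_text.splitlines():
        m = FAILED_AUTHZ.search(line.strip())
        if m:
            ev = m.groupdict()
            ev["mac"] = ev["mac"].lower()
            # The switch logs 'None' when it holds no dynamic VLAN for the session.
            ev["vlan"] = int(ev["vlan"]) if ev["vlan"].isdigit() else None
            events.append(ev)
    return events

def parse_dot1x_hosts(show_output):
    """Map supplicant MAC -> (interface, state, vlan) from 'show dot1x hosts'."""
    hosts, interface = {}, None
    for line in show_output.splitlines():
        if line.startswith("Interface:"):
            interface = line.split(":", 1)[1].strip()
        elif (m := HOST_ROW.match(line.strip())):
            hosts[m["mac"].lower()] = (interface, m["state"], m["vlan"])
    return hosts

def triage(syslog_text, show_output):
    """Join log events to table rows and flag dynamic-VLAN failures."""
    hosts = parse_dot1x_hosts(show_output)
    findings = []
    for ev in parse_failed_authz(syslog_text):
        _, state, _ = hosts.get(ev["mac"], (None, None, None))
        # The log says authentication succeeded, so the place to look is
        # authorization (VLAN assignment on the switch), not credentials.
        rejected = ev["vlan"] is None and state == "FAILED-DYN-VLAN"
        findings.append({**ev, "table_state": state, "dynamic_vlan_rejected": rejected})
    return findings
```
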


Accepted Solutions

Re: 802.1X on Arista Campus Switches

The problem, as they say, is in between the keyboard and the chair. Apparently 802.1X is unsupported on this model switch. Oops.

 

I'll update this post again once I have one of the 720XPs in my possession.


