Hello,
I'm working with a customer who's deploying some Arista campus switches but I'm struggling to get 802.1X VLAN-based enforcement working on them.
Model is: DCS-7050SX-64-F
Firmware is: 4.22.1F
I've configured a standard wired dot1x service in ClearPass and I can see that the request hits successfully. Other configuration on the Arista is pretty standard to Cisco:
radius-server host 172.16.10.41 key 7 xxxxxxxxxxxxxxxxxx
!
aaa group server radius CLEARPASS-GROUP
   server 172.16.10.xx
!
aaa authentication dot1x default group CLEARPASS-GROUP
aaa accounting system default start-stop group CLEARPASS-GROUP
!
dot1x system-auth-control
!
Here's the interface config:
interface Ethernet2
   dot1x pae authenticator
   dot1x reauthentication
   dot1x port-control auto
   dot1x mac based authentication
   dot1x timeout tx-period 10
   dot1x reauthorization request limit 1
!
In ClearPass I'm doing simple VLAN enforcement (sending VLAN 101) using the standard VLAN template:
I've confirmed VLAN 101 is in place on the switch:
vlan 101
   name Corp
!
interface Vlan101
   ip address 172.16.101.1/24
   ip helper-address 172.16.10.xx
   ip helper-address 172.16.11.xx
!
The 802.1X process appears to proceed successfully but I'm getting errors on the switch when passing VLAN 101:
Console output:
Feb 6 20:28:28 Arista-Lab-SW1 Dot1x: %DOT1X-3-SUPPLICANT_FAILED_AUTHORIZATION: Supplicant with identity VMLAB\\Ryan, MAC f0:de:f1:7b:46:52 and dynamic VLAN None successfully authenticated but failed authorization on port Ethernet2.
Show dot1x hosts:
Arista-Lab-SW1(config-if-Et2)#show dot1x hosts
Interface: Ethernet2
Supplicant MAC      Auth Method   State             VLAN Id
--------------      -----------   -----             -------
f0:de:f1:7b:46:52   EAPOL         FAILED-DYN-VLAN
Show vlan dynamic:
Arista-Lab-SW1#show vlan dynamic
Dynamic VLAN source   VLANS
dot1x                 NONE
mlag                  NONE
Clearly the Arista switch is not happy with the values I'm sending. I guess my questions are:
1) Is any config missing?
2) Does anything additional need to be done on the Arista to allow it to accept dynamic VLANs?
3) Does anyone have tips on getting CoA working?
Thanks in advance!
-Ryan
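
Added example, not part of the original post: when a switch logs "dynamic VLAN None" after a successful authentication, one check is whether the Access-Accept really carried the three RFC 3580 VLAN attributes in the expected encoding. The Python below validates a captured attribute block; it assumes the enforcement profile uses the RFC 3580 tunnel attributes, and the byte strings and function names are constructed for illustration.

```python
# RFC 2865/2868 attribute types used for RFC 3580 VLAN assignment
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
VLAN, IEEE_802 = 13, 6  # values RFC 3580 requires for the first two

def attr(atype, value):
    """Encode one RADIUS attribute: type, length, value."""
    return bytes([atype, len(value) + 2]) + value

def parse_attributes(data):
    """Split a RADIUS attribute block into (type, value) pairs."""
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError(f"malformed attribute at offset {i}")
        attrs.append((data[i], data[i + 2:i + data[i + 1]]))
        i += data[i + 1]
    return attrs

def check_dynamic_vlan(data):
    """Return (vlan_id or None, list of problems) for an Access-Accept."""
    found, problems, vlan = {}, [], None
    for atype, value in parse_attributes(data):
        found.setdefault(atype, value)  # first occurrence wins
    # Tunnel-Type and Tunnel-Medium-Type: 1 tag byte + 3-byte integer
    for atype, name, want in ((TUNNEL_TYPE, "Tunnel-Type", VLAN),
                              (TUNNEL_MEDIUM_TYPE, "Tunnel-Medium-Type", IEEE_802)):
        value = found.get(atype)
        if value is None:
            problems.append(f"{name} missing")
        elif len(value) != 4 or int.from_bytes(value[1:], "big") != want:
            problems.append(f"{name} is not {want}")
    group = found.get(TUNNEL_PRIVATE_GROUP_ID)
    if group is None:
        problems.append("Tunnel-Private-Group-ID missing")
    else:
        # A first byte up to 0x1F is treated as an RFC 2868 tag, not VLAN text
        tagged = bool(group) and group[0] <= 0x1F
        text = (group[1:] if tagged else group).decode("ascii", "replace")
        if text.isdigit() and 1 <= int(text) <= 4094:
            vlan = int(text)
        else:
            problems.append(f"Tunnel-Private-Group-ID {text!r} is not a numeric VLAN ID")
    return vlan, problems

# Constructed samples: a complete set, one missing the medium type, one tagged
GOOD = attr(64, b"\x00\x00\x00\x0d") + attr(65, b"\x00\x00\x00\x06") + attr(81, b"101")
NO_MEDIUM = attr(64, b"\x00\x00\x00\x0d") + attr(81, b"101")
TAGGED = attr(64, b"\x01\x00\x00\x0d") + attr(65, b"\x01\x00\x00\x06") + attr(81, b"\x01" + b"101")
```

The attribute bytes can be taken from a packet capture of the Access-Accept or from the RADIUS server's request detail view and passed to check_dynamic_vlan().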