RADIUS MAC authentication

In our environment we use FreeRADIUS with MAC (MAB) authentication. The switches to be implemented are 6360. Does anyone have an example of a configuration for dot1x with MAC authentication on an Alcatel 6360 switch?

Thank you all.

Hello,

You can look for the "UPAM Architecture Guide" here on spacewalkers. It provides examples for wired/wireless using OmniVista.

If you don't use OmniVista, here's a CLI example that you will need to tailor to your needs. It is doing 802.1x authentication with fallback to MAC authentication in case of no supplicant. It maps to a UNP and it also dynamically enables the VLAN through MVRP. There are different UNPs which map to different VLANs depending on the returned filter-id attribute. The Restricted UNP is a least-privilege UNP in case authentication fails or the returned filter-ID is not defined on the switch. And you can add microsegmentation policies to the UNP if you so wish.

 

! DA-UNP:
unp dynamic-vlan-configuration
unp profile "L2_Service"
unp profile "L3_Service"
unp profile "Restricted"
unp profile "L2_Service" map vlan 300
unp profile "L3_Service" map vlan 101
unp profile "Restricted" map vlan 1000
unp port-template my_template aaa-profile "UPAM" default-profile "Restricted" ap-mode admin-state enable
unp port-template my_template 802.1x-authentication
unp port-template my_template 802.1x-authentication pass-alternate "Restricted"
unp port-template my_template mac-authentication
unp port-template my_template mac-authentication pass-alternate "Restricted"
unp port 1/1/1 port-type bridge
unp port 1/1/1 port-template my_template

! AAA:
aaa radius-server "UPAMRadiusServer" host X hash-key "" hash-salt "" retransmit 2 timeout 5 auth-port 1812 acct-port 1813 vrf-name default

aaa mac inactivity-logout enable interval 0
aaa profile "UPAM"
aaa profile "UPAM" device-authentication mac "UPAMRadiusServer"
aaa profile "UPAM" accounting mac "UPAMRadiusServer"
aaa profile "UPAM" mac inactivity-logout enable interval 0
aaa profile "UPAM" mac interim-interval 600 trust-radius enable
aaa profile "UPAM" device-authentication 802.1x "UPAMRadiusServer"
aaa profile "UPAM" accounting 802.1x "UPAMRadiusServer"
aaa profile "UPAM" 802.1x interim-interval 600 trust-radius enable

! MVRP:
mvrp linkagg 32 enable
mvrp linkagg 32 restrict-vlan-advertisement vlan 10
mvrp enable
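
Added example, not part of the reply above and not Alcatel-Lucent or FreeRADIUS code: a small Python check that compares the Filter-Id values a FreeRADIUS users file returns with the UNP profiles defined on the switch, so that devices which would silently end up in the Restricted UNP are found before rollout. The users-file entries, the MAC address format and the "Printers" profile are constructed for illustration, and profile names are assumed to match by exact string.

```python
import re
# UNP lines copied from the CLI example in the answer above.
SWITCH_CONFIG = '''
unp profile "L2_Service" map vlan 300
unp profile "L3_Service" map vlan 101
unp profile "Restricted" map vlan 1000
unp port-template my_template aaa-profile "UPAM" default-profile "Restricted" ap-mode admin-state enable
unp port-template my_template mac-authentication pass-alternate "Restricted"
'''
# Constructed FreeRADIUS "users" entries: the MACs, their format and the
# "Printers" profile are made up for this example.
RADIUS_USERS = '''
001122334455 Cleartext-Password := "001122334455"
    Filter-Id = "L2_Service"
ccddeeff0011 Cleartext-Password := "ccddeeff0011"
    Filter-Id = "Printers"
'''

def parse_switch(config):
    """Return ({profile: vlan or None}, {profiles named by port templates})."""
    profiles, referenced = {}, set()
    for line in map(str.strip, config.splitlines()):
        m = re.match(r'unp profile "([^"]+)"(?: map vlan (\d+))?$', line)
        if m:
            # A bare "unp profile" line must not erase a VLAN already seen.
            profiles[m[1]] = int(m[2]) if m[2] else profiles.get(m[1])
        elif line.startswith("unp port-template"):
            referenced.update(re.findall(r'(?:default-profile|pass-alternate) "([^"]+)"', line))
    return profiles, referenced

def parse_filter_ids(users):
    """Return {username: Filter-Id} from FreeRADIUS users-file text."""
    result, current = {}, None
    for line in users.splitlines():
        if line and not line[0].isspace() and not line.startswith("#"):
            current = line.split()[0]  # an unindented line starts a new entry
        m = re.search(r'Filter-Id\s*[:+]?=\s*"([^"]+)"', line)
        if m and current:
            result[current] = m.group(1)
    return result

def audit(config, users):
    """List mismatches between RADIUS replies and the switch's UNP profiles."""
    profiles, referenced = parse_switch(config)
    findings = [f'port template references undefined profile "{p}"' for p in sorted(referenced - set(profiles))]
    findings += [f'profile "{p}" has no VLAN mapping' for p in sorted(profiles) if profiles[p] is None]
    findings += [f'{u}: Filter-Id "{f}" is not defined on the switch'
                 for u, f in sorted(parse_filter_ids(users).items()) if f not in profiles]
    return findings
```

Calling `audit(SWITCH_CONFIG, RADIUS_USERS)` returns one finding, for the device whose Filter-Id names the undefined "Printers" profile.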