Versions Compared

Comment: added link to campus design feature setup (6-part blog series) in Related Information

...

  • 802.1X is supported on Broadcom-based switches (except the Hurricane2 switch). Tomahawk, Tomahawk2, and Trident3 switches must be running in nonatomic mode.
  • The protocol is supported on physical interfaces only (bridged/access and routed interfaces), such as swp1 or swp2s0; these interfaces cannot be part of a bond. 802.1X is not supported on eth0.
  • Cumulus Linux 3.7.2 and later includes VRF support.
  • You can configure 802.1X interfaces for bridges in both VLAN-aware mode and traditional mode using the following features:
    • Parking VLAN
    • Dynamic VLAN
    • MAB (MAC-based authentication bypass)
  • MAB, parking VLAN and dynamic VLAN all require a bridge access port.
  • In traditional bridge mode, parking VLANs and dynamic VLANs both require the destination bridge to have a parking VLAN ID or dynamic VLAN ID tagged subinterface, respectively.
  • Enabling or disabling the 802.1X capability on ports results in hostapd reloading. However, existing authorized sessions do not get reset.
  • Changing any of the following restarts hostapd, which forces existing, authorized users to re-authenticate:
    • The RADIUS server IP address, shared secret, authentication port or accounting port
    • Parking VLAN ID
    • MAB activation delay
    • EAP reauthentication period
    • Removing all 802.1X interfaces

      Note

      Changing the interface dot1x, dot1x mab, or dot1x parking-vlan settings does not reset existing authorized user ports.

  • You can configure up to three RADIUS servers for failover purposes.
  • Cumulus Networks performed tests with only a few wpa_supplicant (Debian), Windows 10 and Windows 7 supplicants.
  • RADIUS authentication is supported with FreeRADIUS and Cisco ACS.
  • Supported authentication methods are simple login/password, PEAP/MSCHAPv2 (Windows 7) and EAP-TLS (Debian).
  • There is no support for Mako template-based configurations.
  • Cumulus Linux 3.7.4 and later includes support for Multi Domain Authentication (MDA), where 802.1X is extended to allow authorization of multiple devices (a data and a voice device) on a single port and assign different VLANs to the devices based on authorization:
    • MDA is enabled by default; however, you need to assign a tagged VLAN for voice devices (see Configure 802.1X Interfaces for a VLAN-aware Bridge).

    • A maximum of four authorized devices (MAB + EAPOL) per port are supported.

    • The 802.1X enabled port must be a trunk port to allow tagged voice traffic from a phone; you cannot enable 802.1X on an access port.
    • Only one untagged VLAN and one tagged VLAN are supported on the 802.1X enabled ports.
    • Multiple MAB (non-voice) devices on a port are supported for VLAN-aware bridges only. Authorization of multiple MAB devices for different VLANs is not supported.

    • The MAB timer is not required (see Configure MAC Authentication Bypass).
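The restart rules and configuration limits listed above, turned into a change-preview check. This is an added example, not Cumulus Networks' code or NCLU syntax: the dictionary keys and the constructed before/after configurations are assumptions of the example, and the check only encodes what this page documents.

```python
"""Preview whether a pending 802.1X change on Cumulus Linux 3.7.x forces re-authentication.

Added example, not Cumulus Networks' code. The configuration keys are an assumption
of this example; they are not NCLU syntax.
"""

# Changing any of these restarts hostapd and forces authorized users to re-authenticate.
RESTART_KEYS = {"radius_servers", "parking_vlan", "mab_activation_delay", "eap_reauth_period"}
# Changing these only reloads hostapd; existing authorized sessions are kept.
RELOAD_ONLY_KEYS = {"dot1x_interfaces", "mab_interfaces", "parking_vlan_interfaces"}


def validate(cfg):
    """Return the documented limits that cfg violates (an empty list means it is within limits)."""
    problems = []
    if len(cfg.get("radius_servers", [])) > 3:
        problems.append("at most three RADIUS servers can be configured")
    if len(cfg.get("das_clients", [])) > 4:
        problems.append("at most four DAS clients can be authorized to send CoA")
    stations = cfg.get("max_number_stations", 4)  # documented default is 4
    if not 0 <= stations <= 255:
        problems.append("max-number-stations must be between 0 and 255")
    return problems


def change_impact(old, new):
    """Classify each changed key as 'restart' (re-auth forced) or 'reload_only' (sessions kept)."""
    restart, reload_only = [], []
    for key in sorted(set(old) | set(new)):
        if old.get(key) == new.get(key):
            continue
        if key in RESTART_KEYS:
            restart.append(key)
        elif key in RELOAD_ONLY_KEYS:
            # Removing every 802.1X interface is the one interface change that restarts hostapd.
            if key == "dot1x_interfaces" and old.get(key) and not new.get(key):
                restart.append("removing all 802.1X interfaces")
            else:
                reload_only.append(key)
    return {"restarts_hostapd": bool(restart), "restart": restart, "reload_only": reload_only}


if __name__ == "__main__":
    # Constructed sample: the RADIUS secret is rotated and swp5 is added in one commit.
    before = {"radius_servers": [("127.0.0.1", "testing123", 1812, 1813)],
              "dot1x_interfaces": ["swp1", "swp2", "swp3", "swp4"], "max_number_stations": 4}
    after = dict(before, radius_servers=[("127.0.0.1", "rotated-secret", 1812, 1813)],
                 dot1x_interfaces=before["dot1x_interfaces"] + ["swp5"])
    print(validate(after))
    print(change_impact(before, after))  # the secret change alone forces re-authentication
```

Running it on the constructed sample reports that the secret rotation restarts hostapd while the added port would only have reloaded it, which is the kind of preview worth doing before a commit during business hours.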

...

  1. Create a simple interface bridge configuration on the switch and add the switch ports that are members of the bridge. You can use glob syntax to add a range of interfaces. The MAB and parking VLAN configurations require interfaces to be bridge access ports. The VLAN-aware bridge must be named bridge and there can be only one VLAN-aware bridge on a switch.

    cumulus@switch:~$ net add bridge bridge ports swp1-4
  2. Configure the settings for the 802.1X RADIUS server, including its IP address and shared secret:

    cumulus@switch:~$ net add dot1x radius server-ip 127.0.0.1
    cumulus@switch:~$ net add dot1x radius shared-secret testing123

    In Cumulus Linux 3.7.2 and later, you can specify a VRF for outgoing RADIUS accounting and authorization packets. The following example specifies a VRF called blue:

    cumulus@switch:~$ net add dot1x radius server-ip 127.0.0.1 vrf blue
    cumulus@switch:~$ net add dot1x radius shared-secret mysecret
  3. Enable 802.1X on interfaces.

    cumulus@switch:~$ net add interface swp1-4 dot1x
    cumulus@switch:~$ net pending
    cumulus@switch:~$ net commit

    In Cumulus Linux 3.7.4 and later, to assign a tagged VLAN for voice devices and assign different VLANs to the devices based on authorization, run these commands:

    cumulus@switch:~$ net add interface swp1-4 dot1x voice-enable
    cumulus@switch:~$ net add interface swp1-4 dot1x voice-enable vlan 200
    cumulus@switch:~$ net pending
    cumulus@switch:~$ net commit

...

Note
  • In Cumulus Linux 3.7.3 and earlier, MAB supports one authenticated MAC address per port only. After a source MAC address is authenticated, the port exits MAB mode. Cumulus Linux 3.7.4 and later provides support for Multi Domain Authentication (MDA), where 802.1X is extended to allow authorization of multiple devices on a single port and assign different VLANs to the devices based on authorization.
  • You must configure MAB on both the RADIUS server and the RADIUS client.
  • When using a VLAN-aware bridge, the switch port must be part of a bridge named bridge.

...

To configure MAB in Cumulus Linux 3.7.4 and later, enable a bridge port for MAB. The MAB activation delay is not used. For example:

...

Configure MAC Addresses per Port

In Cumulus Linux 3.7.4 and later, you can specify the maximum number of authenticated MAC addresses allowed on a port with the net add dot1x max-number-stations <value> command. You can specify any number between 0 and 255. The default value is 4.

...

cumulus@switch:~$ net add dot1x radius das-port default
cumulus@switch:~$ net add dot1x radius das-client-ip 10.0.2.228 vrf blue das-client-secret mysecret123
cumulus@switch:~$ net commit

In Cumulus Linux 3.7.4 and later, you can configure up to four DAS clients to be authorized to send CoA commands. For example:

...

cumulus@switch:~$ sudo tc -s filter show dev swpXX parent 1:
cumulus@switch:~$ sudo tc -s filter show dev swpXX parent ffff:

Related Information

Campus design feature set-up (6-part blog series)