How to configure 802.1x based Netlogin with Radius on EXOS

Objective
To configure 802.1x based Netlogin with a Windows Radius server
Environment
  • EXOS
  • Summit
  • BlackDiamond
  • Windows Server 2013
Procedure
In this example, users will be authenticated and allowed to talk in the default VLAN. Type the following commands on an EXOS switch with default configuration that has IP connectivity to the RADIUS server. Note: If you plan to use Policy and NAC for 802.1x or MAC authentication, use the below article:
Netlogin Configuration:
  • create vlan nt_login
  • configure netlogin vlan nt_login
  • enable netlogin dot1x
  • enable netlogin ports <ports> dot1x
Switch RADIUS configuration:
  • configure radius netlogin primary server <radius server IP> client-ip <source IP for radius request from switch>
  • configure radius netlogin primary shared-secret <secret>
  • enable radius netlogin
Windows Server 2013 NPS configuration:
  1. The RADIUS client in the NPS server is used to allow devices to send RADIUS authentication requests to the server. Make sure you use the same shared secret configured on the switch. The RADIUS client IP needs to encompass the switch client IP configured earlier.
  2. In the NPS settings window click on Policies. Create a Network Policy to allow Dot1x authentication connections that use MS-CHAP v2 and MS-CHAP, and also allow the PEAP and EAP-MSCHAPv2 EAP methods. Make sure to edit your PEAP settings to select the certificate to use.
              Note: A Certificate Authority will need to be created to issue the server certificate that encrypts your logins.
  3. Add the group that your Dot1x users are in to the NPS policy.
Additional notes
If you would like to move the authenticated port to another VLAN, you will need to send the Extreme VSA in the RADIUS Access-Accept.

Move port to VLAN "auth" untagged:
This will authenticate a user through PEAP MS-CHAP v2 and send a VSA to move the user to VLAN "auth" as untagged.

Note: the VSA attribute value is Uauth (U = untagged, auth = VLAN name).

Move port to VLAN "auth" tagged:
This will authenticate a user through PEAP MS-CHAP v2 and send a VSA to move the user to VLAN "auth" as tagged.

Note: the VSA attribute value is Tauth (T = tagged, auth = VLAN name).
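As an added example (not from the article or Extreme's own code), the following Python builds the Uauth/Tauth value described above and packs it into the RFC 2865 Vendor-Specific attribute (type 26, Extreme enterprise number 1916) that carries it in the Access-Accept, with a decoder that checks the length fields. The vendor-type number 211 for the Extended-VLAN sub-attribute is an assumption; confirm it against your RADIUS server's Extreme dictionary.

```python
import re
import struct

# Constants from RFC 2865 and the IANA enterprise-number registry.
VENDOR_SPECIFIC = 26          # RADIUS attribute type "Vendor-Specific"
EXTREME_VENDOR_ID = 1916      # Extreme Networks enterprise number
# Vendor-type number for the Extended-VLAN string attribute. Assumed here;
# confirm it against your RADIUS server's Extreme dictionary before use.
EXTREME_NETLOGIN_EXTENDED_VLAN = 211

# One-letter tag flag followed by the VLAN name, as shown in the article.
_VLAN_VALUE = re.compile(r"^([UT])([A-Za-z0-9_\-]{1,32})$")


def netlogin_vlan_value(vlan: str, tagged: bool) -> str:
    """Build the VSA string: 'T' + name for tagged, 'U' + name for untagged."""
    value = ("T" if tagged else "U") + vlan
    if not _VLAN_VALUE.match(value):
        raise ValueError(f"invalid VLAN name for NetLogin VSA: {vlan!r}")
    return value


def parse_netlogin_vlan_value(value: str) -> tuple[bool, str]:
    """Reverse of netlogin_vlan_value; returns (tagged, vlan_name)."""
    m = _VLAN_VALUE.match(value)
    if not m:
        raise ValueError(f"malformed NetLogin VLAN value: {value!r}")
    return m.group(1) == "T", m.group(2)


def encode_vsa(vendor_type: int, value: str) -> bytes:
    """Pack an RFC 2865 Vendor-Specific attribute carrying a string sub-attribute."""
    data = value.encode("ascii")
    vendor_length = 2 + len(data)          # vendor-type + vendor-length + data
    length = 6 + vendor_length             # type + length + 4-byte vendor id
    if length > 255:
        raise ValueError("attribute exceeds the 255-byte RADIUS limit")
    return struct.pack("!BBIBB", VENDOR_SPECIFIC, length,
                       EXTREME_VENDOR_ID, vendor_type, vendor_length) + data


def decode_vsa(raw: bytes) -> tuple[int, int, str]:
    """Unpack one Vendor-Specific attribute; returns (vendor_id, vendor_type, value)."""
    if len(raw) < 8 or raw[0] != VENDOR_SPECIFIC or raw[1] != len(raw):
        raise ValueError("not a well-formed Vendor-Specific attribute")
    vendor_id, vendor_type, vendor_length = struct.unpack("!IBB", raw[2:8])
    if vendor_length != len(raw) - 6:
        raise ValueError("vendor-length does not match attribute length")
    return vendor_id, vendor_type, raw[8:].decode("ascii")
```

Capturing the Access-Accept with a packet sniffer and running decode_vsa over the type-26 attribute is a quick way to confirm NPS is sending the value the switch expects.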
