• Introduction
• Verify the RadSec connection status between switch and AGNI
• Configure AGNI as RadSec server on the switch for 802.1X
• Enable 802.1X globally
• Configure interface to use MAC-Based Authentication 
• Configure a Wired Network in AGNI
• Register clients in AGNI
• Verify MBA works
• Troubleshooting

Introduction

This article will guide readers on configuring MAC-Based Authentication [MBA] for wired client devices using Arista Switches and AGNI.

Before we configure MBA, RadSec tunnel must be UP between Switch and AGNI. Please check the article for configuration: Configuring RadSec profile in EOS.  

After the configuration is complete, these are the major steps:

1. Verify the RadSec connection status between switch and AGNI.
2. Configure AGNI as RadSec server on the switch for 802.1x
3. Enable 802.1x globally.
4. Configure interface to use MAC-Based Authentication. 
5. Configure a Wired Network in AGNI.
6. Register clients in AGNI. 
7. Verify MBA works

Verify the RadSec connection status between switch and AGNI

For verification, navigate to AGNI’s UI: CONFIGURATION > ACCESS DEVICES > DEVICES. 

Below, it can be confirmed that the RadSec tunnel is UP for the switch. Here the Green Circle icon means that RadSec is up and running. 

Configure AGNI as RadSec server on the switch for 802.1X

Set the newly created RADIUS group - AGNI for 802.1x authentication and accounting. Note that the AGNI - server group has been previously configured. Sample below:

radius-server host radsec.beta.agni.arista.io tls ssl-profile agni-server

!

aaa group server radius AGNI

   server radsec.beta.agni.arista.io tls

!

aaa authentication dot1x default group AGNI

aaa accounting dot1x default start-stop group AGNI

Verify the RADIUS configuration as shown below:

Arista(config)#show dot1x radius

RADIUS Server        Status              Time

-------------------  ------------ -----------

Radsec.beta.agni.ari active               n/a

The following steps are used for dynamic-authorization which is optional for now. Dynamic Authorization packets such as CoA use UDP 3799. This port needs to configured in EOS. But, It is also the default port: 

Arista(config)#radius-server dynamic-authorization port 3799

Configure the switch to use the same SSL-Profile for dynamic authorization:

Arista(config)#radius-server dynamic-authorization tls ssl-profile agni-server

Enable 802.1X globally

Now that the AAA and RADIUS has been configured on the switch, use the following command to enable 802.1X.

Arista(config)#dot1x system-auth-control

Arista(config)#dot1x protocol lldp bypass

Arista(config)#dot1x dynamic-authorization

Configure interface to use MAC-Based Authentication 

After enabling 802.1x globally, use the following configuration to enable MBA authentication. Jump into the interface, for example Et17:

Arista(config)#interface Ethernet17

Set 802.1X interface Port Access Entity type as Authenticator:

Arista(config-if-Et17)#dot1x pae authenticator

Set port control state to automatic:

Arista(config-if-Et17)#dot1x port-control auto

Set the Host mode for authentication on this interface. Below, Multi-Host is being configured instead of Single-Host. However, each host has to authenticate individually. Please check the TOIs on Arista's public website for more information on different setups.

Arista(config-if-Et17)#dot1x host-mode multi-host authenticated

Finally, configure MAC authentication method for this interface.

Arista(config-if-Et17)#dot1x mac based authentication

Verify the 802.1x configuration on the interface as shown below:

Arista(config)#show dot1x interface ethernet 17

Dot1X Information for Ethernet17

--------------------------------------------

Port control: auto

Forced phone authorization: disabled

EAPOL: enabled

Host mode: multi-host authenticated

MAC-based authentication: enabled

MAC-based authentication host mode: Unconfigured

MAC-based authentication always: disabled

Quiet period: 60 seconds

TX period: 5 seconds

Maximum reauth requests: 2

Ignore reauth timeout: No

Auth failure VLAN: Unconfigured

Unauthorized access VLAN egress: No

Unauthorized native VLAN egress: No

EAPOL authentication failure fallback: Unconfigured

Configure a Wired Network in AGNI

Now that the switch is ready and configured, a network needs to be configured in AGNI which will be used by the switch for authentication requests. 

Verify that the RadSec status is UP in AGNI.Navigate to AGNI: Configuration > Devices:

Create a Device Groups, this will be useful later when creating network.  Navigate to AGNI: Configuration > Device Groups. Click Add Access Device Group as shown below:

Provide a Name and Description for the Network. Select the Switch from the Second Table by clicking the Add button. 

User can double-check, by navigation to the Assigned Devices tab. The devices will be listed. 

After the device group has been created, navigate to  AGNI: Access Control > Networks.

In the screenshot below, Name has been provided. Wired has been selected as connection type. Previously created group 720p has been selected as Access Device Group. The network has been enabled.

The authentication method has been configured to MAC Authentication. Further, it has been configured to allow Registered Clients only. Click Add Network. 

The newly created network will be listed. Please note the Page, Tab and the  filter which affects items on the list.

Register clients in AGNI

Assuming that the client device that is being authenticated, will not be able to self-register, admins have option to add the devices manually. Printers, scanners,IP cameras, VOIP phones, etc can be such examples. Please note that this one of many ways that it can be done. 

Navigate to the AGNI: Clients > Clients Group and click on Add Client or Import Clients as show below:

Once the Client Groups has been created, it will be listed as seen below:

Add a client to the newly created group as shown below:

Once clients have been added to the group the are listed as seen below:

Verify MBA works

At last, users can go ahead an plug the client to Et17. Following command can be used to check the authentication status. 

Arista(config)#show dot1x hosts

Port      Supplicant MAC Auth  State                   Fallback               VLAN

--------- -------------- ----- ----------------------- ---------------------- ----

Et17      6416.7f11.df46 MBA   SUCCESS                 NONE

Et17      000c.293a.22e3 MBA   SUCCESS                 NONE

Troubleshooting

AGNI provides admins with all session logs that can be useful for troubleshooting. This can be accessed by navigating to Sessions page in AGNI: Monitoring > Sessions. The list can be filtered based on type of authentication. 

Click on the Eye icon at the far right to see more details about the clients. Once you are in the Session Details page, click on Show Logs button. 

The logs seen below can also be downloaded.