- NACVIEW IP server address: NACVIEW_SERV
- IP switch address: SW_IP
- Switch name: SW_NAME
- RADIUS communication key: RADIUS_KEY
- RADIUS profile name: RADIUS_PROFILE
- TACACS+ communication key: TACACS_KEY
- CoA password: COA_SECRET
- Redirection address after authentication: REDIRECT_URL
- SNMP v2c community string: SNMP_SECRET
- SNMP v3 passwords: SNMP_AUTH, SNMP_PRIV
- SNMP user: SNMP_USER
- SNMP group: SNMP_GROUP
- SNMP view: SNMP_VIEW
- The interface group names: AUTHORIZED_DOT1X, AUTHORIZED_DOT1X_MAC, AUTHORIZED_MAC, AUTHORIZED_CP
- The full names of the interfaces (start and end) group: START_RANGE, END_RANGE
- The interface member's full name of the interface group: MEMBER_INTERFACE
- VLAN for VoIP: VOICE_VLAN
- VLAN for data: DATA_VLAN
- Guest VLAN (no authorization): GUEST_VLAN
- VLAN for failed authorizations: REJECT_VLAN
- Configuration file name (.txt or .cfg): CONF_FILE

RADIUS server and authentication profile:

```
cli
configure
edit access
set radius-server NACVIEW_SERV port 1812 secret RADIUS_KEY
set radius-server NACVIEW_SERV source-address SW_IP
edit profile RADIUS_PROFILE
set authentication-order radius
set radius authentication-server NACVIEW_SERV
set radius accounting-server NACVIEW_SERV
set accounting order radius
set accounting accounting-stop-on-access-deny
set accounting accounting-stop-on-failure
set accounting send-acct-status-on-config-change
set accounting update-interval 480
exit
exit
set protocols dot1x authenticator authentication-profile-name RADIUS_PROFILE
commit
exit
```
RADIUS Change of Authorization (CoA), so that NACVIEW can disconnect or re-authorize a session:

```
cli
configure
edit access
set radius-server NACVIEW_SERV dynamic-request-port 3799
set profile RADIUS_PROFILE accounting coa-immediate-update
exit
edit system
set accounting destination radius server NACVIEW_SERV dynamic-request-port 3799
set accounting destination radius server NACVIEW_SERV secret COA_SECRET
set accounting destination radius server NACVIEW_SERV source-address SW_IP
exit
commit
exit
```
802.1X authentication on a single port:

```
cli
configure
set interfaces ge-0/0/1 unit 0 family ethernet-switching interface-mode access
edit protocols dot1x
set authenticator interface ge-0/0/1 supplicant multiple
set authenticator interface ge-0/0/1 reauthentication 300
set authenticator interface ge-0/0/1 server-fail use-cache
exit
commit
exit
```
MAC address authentication (MAC RADIUS) only on a single port:

```
cli
configure
set interfaces ge-0/0/1 unit 0 family ethernet-switching interface-mode access
edit protocols dot1x
set authenticator interface ge-0/0/1 mac-radius restrict
set authenticator interface ge-0/0/1 mac-radius flap-on-disconnect
set authenticator interface ge-0/0/1 server-fail use-cache
exit
commit
exit
```

To use the PAP protocol for MAC address authentication, add the following command (inside `edit protocols dot1x`):

```
set authenticator interface ge-0/0/1 mac-radius authentication-protocol pap
```
802.1X with MAC RADIUS fallback on a single port (802.1X is tried first; a device without a supplicant is authenticated by its MAC address):

```
cli
configure
set interfaces ge-0/0/1 unit 0 family ethernet-switching interface-mode access
edit protocols dot1x
set authenticator interface ge-0/0/1 supplicant multiple
set authenticator interface ge-0/0/1 reauthentication 300
set authenticator interface ge-0/0/1 server-fail use-cache
set authenticator interface ge-0/0/1 mac-radius flap-on-disconnect
exit
commit
exit
```

To use the PAP protocol for MAC address authentication, add the following command (inside `edit protocols dot1x`):

```
set authenticator interface ge-0/0/1 mac-radius authentication-protocol pap
```
Enable the LLDP and LLDP-MED protocols (they should be on by default):

```
set protocols lldp interface all
set protocols lldp-med interface all
```

Configure the voice VLAN:

```
set switch-options voip interface access-ports vlan VOICE_VLAN
set switch-options voip interface access-ports forwarding-class assured-forwarding
```

Port configuration for a VoIP phone plus a computer:

```
set interfaces ge-0/0/0 unit 0 family ethernet-switching interface-mode access
set interfaces ge-0/0/0 unit 0 family ethernet-switching vlan members DATA_VLAN
set protocols dot1x authenticator interface ge-0/0/0 supplicant multiple
set protocols dot1x authenticator interface ge-0/0/0 mac-radius flap-on-disconnect
set protocols dot1x authenticator interface ge-0/0/0 reauthentication 3600
```

Note: `mac-radius flap-on-disconnect` resets the whole port, so it is not recommended on ports with multiple supplicants (the phone would lose its session whenever the computer disconnects).
The following WEB Auth (captive portal) configuration applies to NACVIEW local accounts only:

```
cli
configure
set system services web-management http
set system services web-management https system-generated-certificate
edit services captive-portal
set secure-authentication https
set interface ge-0/0/3 supplicant multiple
set authentication-profile-name RADIUS_PROFILE
set custom-options post-authentication-url REDIRECT_URL
exit
commit
exit
```
Each of the above authorization modes can also be assigned to a group of ports. To do this, create an interface range with the command:

```
set interfaces interface-range AUTHORIZED_DOT1X member-range START_RANGE to END_RANGE
```

and, for single interfaces, also with the following:

```
set interfaces interface-range AUTHORIZED_DOT1X member MEMBER_INTERFACE
```

Next, configure the basic port settings for the group:

```
set interfaces interface-range AUTHORIZED_DOT1X unit 0 family ethernet-switching interface-mode access
```

Then proceed as for a single interface, replacing the interface name with the name of the interface range:

```
set protocols dot1x authenticator interface AUTHORIZED_DOT1X supplicant multiple
set protocols dot1x authenticator interface AUTHORIZED_DOT1X reauthentication 300
set protocols dot1x authenticator interface AUTHORIZED_DOT1X server-fail use-cache
```

The remaining groups are configured in the same way. 802.1X with MAC RADIUS fallback:

```
set interfaces interface-range AUTHORIZED_DOT1X_MAC member-range START_RANGE to END_RANGE
set interfaces interface-range AUTHORIZED_DOT1X_MAC unit 0 family ethernet-switching interface-mode access
set protocols dot1x authenticator interface AUTHORIZED_DOT1X_MAC supplicant multiple
set protocols dot1x authenticator interface AUTHORIZED_DOT1X_MAC reauthentication 300
set protocols dot1x authenticator interface AUTHORIZED_DOT1X_MAC server-fail use-cache
set protocols dot1x authenticator interface AUTHORIZED_DOT1X_MAC mac-radius flap-on-disconnect
```

MAC RADIUS only:

```
set interfaces interface-range AUTHORIZED_MAC member-range START_RANGE to END_RANGE
set interfaces interface-range AUTHORIZED_MAC unit 0 family ethernet-switching interface-mode access
set protocols dot1x authenticator interface AUTHORIZED_MAC mac-radius restrict
set protocols dot1x authenticator interface AUTHORIZED_MAC mac-radius flap-on-disconnect
set protocols dot1x authenticator interface AUTHORIZED_MAC server-fail use-cache
```

Captive portal (WEB Auth):

```
set interfaces interface-range AUTHORIZED_CP member-range START_RANGE to END_RANGE
set interfaces interface-range AUTHORIZED_CP unit 0 family ethernet-switching interface-mode access
set system services web-management http
set system services web-management https system-generated-certificate
edit services captive-portal
set secure-authentication https
set interface AUTHORIZED_CP supplicant multiple
set authentication-profile-name RADIUS_PROFILE
set custom-options post-authentication-url REDIRECT_URL
exit
```
To place end devices that do not respond to 802.1X (no supplicant) into GUEST_VLAN when no other authentication method is configured on the port, add to the port's (or interface range's) dot1x configuration:

```
set protocols dot1x authenticator interface ge-0/0/1 guest-vlan GUEST_VLAN
```

To place devices that failed authentication into REJECT_VLAN:

```
set protocols dot1x authenticator interface ge-0/0/1 server-reject-vlan REJECT_VLAN
```

GUEST_VLAN and REJECT_VLAN should be secured with appropriate access control lists and/or a firewall so that they cannot reach sensitive resources in the corporate network.
SNMP v3 (used by NACVIEW to read the switch; authentication and privacy are both required):

```
cli
configure
set snmp name SW_NAME
set snmp engine-id use-mac-address
set snmp view SNMP_VIEW oid .1 include
edit snmp v3
set usm local-engine user SNMP_USER authentication-sha authentication-password SNMP_AUTH
set usm local-engine user SNMP_USER privacy-aes128 privacy-password SNMP_PRIV
set vacm security-to-group security-model usm security-name SNMP_USER group SNMP_GROUP
set vacm access group SNMP_GROUP default-context-prefix security-model usm security-level privacy notify-view SNMP_VIEW read-view SNMP_VIEW write-view SNMP_VIEW
exit
commit
exit
```
SNMP v2c (read-only community plus traps to NACVIEW; use the SNMP_SECRET community, not the default `public`):

```
cli
configure
edit snmp
set name SW_NAME
set community SNMP_SECRET authorization read-only
set trap-group nacview version v2 targets NACVIEW_SERV
exit
commit
exit
```
Syslog forwarding to NACVIEW:

```
cli
configure
set system syslog host NACVIEW_SERV source-address SW_IP
set system syslog host NACVIEW_SERV any any
commit
exit
```
TACACS+ administrator authentication and command accounting against NACVIEW:

```
cli
configure
set system tacplus-server NACVIEW_SERV secret TACACS_KEY source-address SW_IP
set system authentication-order tacplus password
set system accounting events login
set system accounting events interactive-commands
set system accounting destination tacplus
set system login user remote class super-user
commit
exit
```
Saving the configuration to a file:

```
cli
configure
save CONF_FILE
exit
```

Loading the configuration from a file (replaces the running candidate configuration with the file's contents):

```
cli
configure
load override CONF_FILE
commit
exit
```

Loading the configuration from a file (merges the file into the existing configuration):

```
cli
configure
load merge CONF_FILE
commit
exit
```

Copying the configuration file to the TFTP server:

```
start shell
tftp NACVIEW_SERV
put CONF_FILE
quit
```

Copying the configuration file from the TFTP server:

```
start shell
tftp NACVIEW_SERV
get CONF_FILE
quit
```
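The set commands above are a template with UPPER_CASE placeholders (NACVIEW_SERV, RADIUS_KEY, SNMP_SECRET, ...) that must be filled in before the file is loaded with `load override` or `load merge`. The following added example (not part of the original page or of NACVIEW) renders such a template and refuses to emit a file that still contains an unfilled placeholder, then lints the result for the weak settings this page warns about: the default `public` community, a read-write community, plaintext HTTP management and a short RADIUS secret. The template excerpt and the values are constructed for the example.

```python
import re

# Constructed excerpt of the page's set-command template (a few lines only).
TEMPLATE = """\
set access radius-server NACVIEW_SERV port 1812 secret RADIUS_KEY
set access radius-server NACVIEW_SERV source-address SW_IP
set access radius-server NACVIEW_SERV dynamic-request-port 3799
set snmp community SNMP_SECRET authorization read-only
set system services web-management https system-generated-certificate
set system syslog host NACVIEW_SERV source-address SW_IP
"""

# Placeholders on this page are UPPER_CASE words containing an underscore.
PLACEHOLDER = re.compile(r"\b[A-Z][A-Z0-9]*(?:_[A-Z0-9]+)+\b")

# Lines a reviewer should reject before the file is loaded on a switch.
WEAK = [
    (re.compile(r"^set snmp community (public|private)\b"), "default SNMP community"),
    (re.compile(r"^set snmp community \S+ authorization read-write"), "read-write SNMP community"),
    (re.compile(r"^set system services web-management http$"), "plaintext HTTP management"),
    (re.compile(r"^set access radius-server \S+(?: \S+)* secret \S{1,11}$"), "short RADIUS secret"),
]


def render(template: str, values: dict) -> str:
    """Fill the placeholders; refuse to emit a file that still contains one."""
    out = template
    for name, value in values.items():
        # Whole-word replacement so SW_IP cannot match inside a longer name.
        out = re.sub(r"\b" + re.escape(name) + r"\b", lambda _m, v=value: v, out)
    left = sorted(set(PLACEHOLDER.findall(out)))
    if left:
        raise ValueError("unfilled placeholders: " + ", ".join(left))
    return out


def lint(config: str) -> list:
    """Return (line_number, message) for every weak setting in a rendered file."""
    findings = []
    for num, line in enumerate(config.splitlines(), start=1):
        for pattern, message in WEAK:
            if pattern.search(line.strip()):
                findings.append((num, message))
    return findings


if __name__ == "__main__":
    values = {"NACVIEW_SERV": "192.0.2.10", "SW_IP": "192.0.2.20",
              "RADIUS_KEY": "example-radius-secret-1", "SNMP_SECRET": "nacview-ro-example"}
    print(lint(render(TEMPLATE, values)))  # [] for these constructed values
```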