For the purposes of this document, the following network infrastructure values are assumed:
- NACVIEW IP server address: NACVIEW_SERV
- IP switch address: SW_IP
- Switch name: SW_NAME
- RADIUS communication key: RADIUS_KEY
- RADIUS profile name: RADIUS_PROFILE
- CoA password: COA_SECRET
- Redirection address after authentication: REDIRECT_URL
- SNMP v2c password: SNMP_SECRET
- SNMP v3 passwords: SNMP_AUTH, SNMP_PRIV
- SNMP user: SNMP_USER
- SNMP group: SNMP_GROUP
- SNMP view: SNMP_VIEW
- The interface group names: AUTHORIZED_DOT1X, AUTHORIZED_DOT1X_MAC, AUTHORIZED_MAC, AUTHORIZED_CP
- The first and last interface of an interface range: START_RANGE, END_RANGE
- A single member interface of an interface group: MEMBER_INTERFACE
- Guest VLAN (no authorization): GUEST_VLAN
- VLAN for failed authorizations: REJECT_VLAN
- Configuration file name (.txt or .cfg): CONF_FILE
RADIUS server and authentication profile:
cli
configure
edit access
set radius-server NACVIEW_SERV port 1812 secret RADIUS_KEY
set radius-server NACVIEW_SERV source-address SW_IP
edit profile RADIUS_PROFILE
set authentication-order radius
set radius authentication-server NACVIEW_SERV
set radius accounting-server NACVIEW_SERV
set accounting order radius accounting-stop-on-access-deny accounting-stop-on-failure send-acct-status-on-config-change
set accounting update-interval 480
exit
exit
set protocols dot1x authenticator authentication-profile-name RADIUS_PROFILE
commit
CoA (Change of Authorization) requests from NACVIEW:
cli
configure
edit access
set radius-server NACVIEW_SERV dynamic-request-port 3799
set profile RADIUS_PROFILE accounting coa-immediate-update
exit
edit system
set accounting destination radius server NACVIEW_SERV dynamic-request-port 3799
set accounting destination radius server NACVIEW_SERV secret COA_SECRET
set accounting destination radius server NACVIEW_SERV source-address SW_IP
exit
commit
exit
802.1X authentication on a single interface:
cli
configure
set interfaces ge-0/0/1 unit 0 family ethernet-switching port-mode access
edit protocols dot1x
set authenticator interface ge-0/0/1 supplicant multiple reauthentication 300 server-fail use-cache
exit
commit
exit
MAC address authentication (MAC-RADIUS) on a single interface:
cli
configure
edit protocols dot1x
set authenticator interface ge-0/0/1 mac-radius restrict flap-on-disconnect
set authenticator interface ge-0/0/1 server-fail use-cache
exit
commit
exit
To use the PAP protocol for MAC address authentication, add the following command in the same context: set authenticator interface ge-0/0/1 mac-radius authentication-protocol pap
802.1X and MAC address authentication (dot1x first, then mac-radius) on a single interface:
cli
configure
edit protocols dot1x
set authenticator interface ge-0/0/1 authentication-order [dot1x mac-radius] supplicant multiple reauthentication 300 server-fail use-cache
set authenticator interface ge-0/0/1 mac-radius flap-on-disconnect
exit
commit
exit
To use the PAP protocol for MAC address authentication, add the following command in the same context: set authenticator interface ge-0/0/1 mac-radius authentication-protocol pap
The WEB Auth (captive portal) configuration below applies to NACVIEW local accounts only.
cli
configure
set system services web-management http
set system services web-management https system-generated-certificate
edit services captive portal
set secure-authentication https
set interface ge-0/0/3 supplicant multiple
set authentication-profile-name RADIUS_PROFILE
set custom-options post-authentication-url REDIRECT_URL
exit
commit
exit
Each of the above authorization modes can also be assigned to a group of ports. To do this, create a port group with the command:
set interfaces interface-range AUTHORIZED_DOT1X member-range START_RANGE to END_RANGE
or add individual interfaces to it with:
set interfaces interface-range AUTHORIZED_DOT1X member MEMBER_INTERFACE
Next, configure the basic port settings for the group:
set interfaces interface-range AUTHORIZED_DOT1X unit 0 family ethernet-switching port-mode access
Then proceed as for a single interface, replacing the interface name with the name of the interface group:
set protocols dot1x authenticator interface AUTHORIZED_DOT1X supplicant multiple reauthentication 300 server-fail use-cache
The remaining groups are configured in the same way:
set interfaces interface-range AUTHORIZED_DOT1X_MAC member-range START_RANGE to END_RANGE
set interfaces interface-range AUTHORIZED_DOT1X_MAC unit 0 family ethernet-switching port-mode access
set protocols dot1x authenticator interface AUTHORIZED_DOT1X_MAC authentication-order [dot1x mac-radius] supplicant multiple reauthentication 300 server-fail use-cache
set protocols dot1x authenticator interface AUTHORIZED_DOT1X_MAC mac-radius flap-on-disconnect
set interfaces interface-range AUTHORIZED_MAC member-range START_RANGE to END_RANGE
set interfaces interface-range AUTHORIZED_MAC unit 0 family ethernet-switching port-mode access
set protocols dot1x authenticator interface AUTHORIZED_MAC mac-radius restrict flap-on-disconnect
set protocols dot1x authenticator interface AUTHORIZED_MAC server-fail use-cache
set interfaces interface-range AUTHORIZED_CP member-range START_RANGE to END_RANGE
set interfaces interface-range AUTHORIZED_CP unit 0 family ethernet-switching port-mode access
set system services web-management http
set system services web-management https system-generated-certificate
edit services captive portal
set secure-authentication https
set interface AUTHORIZED_CP supplicant multiple
set authentication-profile-name RADIUS_PROFILE
set custom-options post-authentication-url REDIRECT_URL
exit
commit
The following options can be appended to the set authenticator interface ... command of the 802.1X modes above:
Place end devices that cannot authenticate via 802.1X (and for which no other authentication method is configured on the port) in GUEST_VLAN: guest-vlan GUEST_VLAN
Place devices whose authentication was rejected in REJECT_VLAN: server-reject-vlan REJECT_VLAN
Allow end devices that identify themselves via LLDP-MED to bypass authentication: lldp-med-bypass
GUEST_VLAN and REJECT_VLAN should be protected with appropriate access control lists and/or a firewall so that they cannot reach sensitive resources in the corporate network.
SNMP v3 (authentication and privacy):
cli
configure
set snmp name SW_NAME
set snmp engine-id use-mac-address
set snmp view SNMP_VIEW oid .1 include
edit snmp v3
set usm local-engine user SNMP_USER authentication-sha authentication-password SNMP_AUTH
set usm local-engine user SNMP_USER privacy-des privacy-password SNMP_PRIV
set vacm security-to-group security-model usm security-name SNMP_USER group SNMP_GROUP
set vacm access group SNMP_GROUP default-context-prefix security-model usm security-level privacy notify-view SNMP_VIEW read-view SNMP_VIEW write-view SNMP_VIEW
exit
commit
exit
Junos also supports privacy-aes128 as the SNMPv3 privacy protocol; use it instead of privacy-des where the NACVIEW server supports AES.
SNMP v2c (read-only community and traps):
cli
configure
edit snmp
set name SW_NAME
set community SNMP_SECRET authorization read-only
set trap-group nacview version v2 targets NACVIEW_SERV
exit
commit
exit
Syslog forwarding to NACVIEW:
cli
configure
set system syslog host NACVIEW_SERV any any
commit
exit
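As an added check, not part of this document or of the NACVIEW product, the following Python script audits a switch's 'show configuration | display set' output against the settings configured above (RADIUS secret, source address and CoA port, per-port 802.1X options, read-only SNMP v2c community, SNMPv3 at security-level privacy, and syslog forwarding). The sample configuration is constructed and deliberately contains deviations so that the findings list is not empty.

```python
"""Audit a Junos 'display set' configuration for the NACVIEW settings in this
document. Added example (not NACVIEW or Juniper code); sample is constructed."""
from collections import defaultdict

# Constructed sample of 'show configuration | display set' output (placeholders kept)
SAMPLE_CONFIG = """
set access radius-server NACVIEW_SERV secret RADIUS_KEY
set access radius-server NACVIEW_SERV source-address SW_IP
set protocols dot1x authenticator interface ge-0/0/1 supplicant multiple
set protocols dot1x authenticator interface ge-0/0/1 reauthentication 300
set protocols dot1x authenticator interface ge-0/0/1 server-fail use-cache
set protocols dot1x authenticator interface ge-0/0/2 server-fail permit
set snmp community SNMP_SECRET authorization read-write
set snmp v3 vacm access group SNMP_GROUP default-context-prefix security-model usm security-level authentication read-view SNMP_VIEW
set system syslog host NACVIEW_SERV any any
"""

def audit_nacview_config(text, nac_server="NACVIEW_SERV"):
    """Return a list of findings; an empty list means every check passed."""
    # Tokenise every 'set ...' line, dropping the leading 'set'
    stmts = [ln.split()[1:] for ln in text.splitlines() if ln.strip().startswith("set ")]
    joined = [" ".join(s) for s in stmts]
    findings = []
    # RADIUS server: shared secret, source address and the CoA port (3799)
    for needed in ("secret", "source-address", "dynamic-request-port 3799"):
        if not any(j.startswith(f"access radius-server {nac_server} {needed}") for j in joined):
            findings.append(f"radius-server {nac_server}: missing '{needed}'")
    # Per-port 802.1X options this document relies on
    per_if = defaultdict(set)
    for s in stmts:
        if s[:4] == ["protocols", "dot1x", "authenticator", "interface"] and len(s) > 5:
            per_if[s[4]].add(" ".join(s[5:]))
    for ifname, opts in sorted(per_if.items()):
        if "supplicant multiple" not in opts:
            findings.append(f"{ifname}: supplicant mode is not 'multiple'")
        if not any(o.startswith("reauthentication ") for o in opts):
            findings.append(f"{ifname}: no reauthentication interval")
        if "server-fail use-cache" not in opts:
            findings.append(f"{ifname}: server-fail is not 'use-cache'")
    # SNMP: v2c communities read-only, v3 access at security-level privacy
    for s in stmts:
        if s[:2] == ["snmp", "community"] and "read-only" not in s:
            findings.append(f"snmp community {s[2]}: not read-only")
    for j in joined:
        if j.startswith("snmp v3 vacm access group") and "security-level privacy" not in j:
            findings.append("snmp v3 vacm access: security-level is not 'privacy'")
    # Syslog forwarding to the NACVIEW server
    if not any(j.startswith(f"system syslog host {nac_server} ") for j in joined):
        findings.append(f"syslog: no host entry for {nac_server}")
    return findings
```

Run it on the real output of show configuration | display set; every finding is a deviation from the configuration shown in this document.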
Saving the configuration to a file:
cli
configure
save CONF_FILE
exit
Loading the configuration from a file (replacing the current configuration with the file's contents):
cli
configure
load override CONF_FILE
commit
exit
Loading the configuration from a file (merging it into the current configuration):
cli
configure
load merge CONF_FILE
commit
exit
Copying the configuration file to the TFTP server:
start shell
tftp NACVIEW_SERV
put CONF_FILE
quit
Copying the configuration file from the TFTP server:
start shell
tftp NACVIEW_SERV
get CONF_FILE
quit