
Configure RADIUS authentication with WiFi and ICX 7150

david_levine
New Contributor III

Hi,

Does anyone have a good reference on configuring 802.1x for both WiFi and port security (on ICX 7150)? Using Ruckus Cloud, it looks pretty simple to add the RADIUS server and get authentication going for a SSID, but I am pretty sure there is more to it than just that :). And reading through the FastIron Security Config Guide, it looks like physical port security can get pretty complicated...

We are looking to use Windows server with the NPS role as a RADIUS server.

Looking to keep it simple to start - but any references / resources or tips would be greatly appreciated!

Cheers,

~D

1 ACCEPTED SOLUTION

netwizz
Contributor III

David:

We run many hundreds of these switches in production with 802.1x, data VLANs, Voice VLANs, Wireless VLANs, etc.

Here is a typical config.  I am still actually tweaking it to do TACACS, fall back to RADIUS, then Local, but it is more or less our working Layer-2 ICX config, and it has full 802.1x support, which is working flawlessly in production with ISE.  I have not tested this with ClearPass, but if the policies are correct, I am certain it would work.

ver 08.0.90kT211
!
stack unit 1
  module 1 icx7150-c12-poe-port-management-module
  module 2 icx7150-2-copper-port-2g-module
  module 3 icx7150-2-sfp-plus-port-20g-module
!
!
!
!
!
vlan 1 name DEFAULT-VLAN by port
 no untagged ethe 1/1/1 to 1/1/12
!
vlan 250 name PCI-Compliance by port
 tagged ethe 1/2/1
!
vlan 123 name Data by port
 untagged ethe 1/2/1 to 1/2/2
!
vlan 301 name Voice by port
 tagged ethe 1/1/1 to 1/1/12 ethe 1/2/1 to 1/2/2
!
vlan 400 name Aruba-Mgmt by port
 tagged ethe 1/2/1
!
vlan 401 name AnSSID by port
 tagged ethe 1/2/1
!
!
!
!
!
!
!
!
!
!
authentication
  auth-default-vlan 123
  re-authentication
  dot1x enable
  dot1x enable ethe 1/1/1 to 1/1/12
  dot1x port-control auto ethe 1/1/1 to 1/1/12
  mac-authentication enable
  mac-authentication enable ethe 1/1/1 to 1/1/12
!
!
aaa authentication web-server default tacacs+ local
aaa authentication enable default local
aaa authentication dot1x default radius
aaa authentication login default tacacs+ local
aaa authentication login privilege-mode
aaa authorization coa enable
aaa accounting commands 0 default start-stop tacacs+
aaa accounting exec default start-stop tacacs+
aaa accounting system default start-stop tacacs+
console timeout 30
enable aaa console
enable acl-per-port-per-vlan
hostname TEST
ip address 10.1.126.11 255.255.248.0
ip dns domain-list XXXX.xx.gov
ip dns server-address 10.1.123.50 10.1.123.51
no ip dhcp-client auto-update enable
no ip dhcp-client enable
ip default-gateway 10.1.124.1
!
logging host 10.1.132.250
logging console
logging persistence
no telnet server
username XXXXwan password .....
!
!
radius-server host 172.31.112.52 auth-port 1812 acct-port 1813 default key 2 $YT1nb2LEK5VVlp8OA== dot1x mac-auth
tacacs-server host 172.31.112.52
tacacs-server key 2 $YT1nb25VVKRClp8OA==
cdp run
fdp run
snmp-server contact Network Security Operations
snmp-server host 10.1.123.250 version v3 priv XXXXwan
snmp-server group XXXXv3 v3 priv access 99 read all write all
snmp-server user XXXXwan XXXXv3 v3 access 99 encrypted auth sha badb61e7ebc559c61e2ab1c6a8403cecb3ded8da priv encrypted aes badb61e7ebc559c61e2a61c6a8403cec
!
!
clock summer-time
clock timezone us Eastern
!
!
ntp
 server 10.123.1.1
!
!
web access-group 99
no web-management http
web-management https
banner motd ^
------------------------------------------------------------------------
^
ICX Test Switch
^
This system is solely for the use of authorized XXXX personnel.
The information contained herein is the property of XXXX and subject to
non-disclosure, security, and confidentiality requirements.
XXXX will monitor system usage for unauthorized activities.
Any user accessing this system expressly consents to such monitoring.
^
Asset NO-TAG
^
------------------------------------------------------------------------
^
!
ssh access-group 99
!
!
sz registrar
!
!
interface ethernet 1/1/1
 trust dscp
!
interface ethernet 1/1/2
 trust dscp
!
interface ethernet 1/1/3
 trust dscp
!
interface ethernet 1/1/4
 trust dscp
!
interface ethernet 1/1/5
 trust dscp
!
interface ethernet 1/1/6
 trust dscp
!
interface ethernet 1/1/7
 trust dscp
!
interface ethernet 1/1/8
 trust dscp
!
interface ethernet 1/1/9
 trust dscp
!
interface ethernet 1/1/10
 trust dscp
!
interface ethernet 1/1/11
 trust dscp
!
interface ethernet 1/1/12
 trust dscp
!
interface ethernet 1/2/1
 trust dscp
!
interface ethernet 1/2/2
 trust dscp
!
interface ethernet 1/3/1
 speed-duplex 1000-full
!
interface ethernet 1/3/2
 speed-duplex 1000-full
!
!
!
ip access-list standard 99
 sequence 10 permit host 10.1.10.190
 sequence 20 permit host 10.1.10.191
 sequence 30 permit host 10.1.120.250
 sequence 40 permit host 10.1.123.2
 sequence 50 permit host 10.1.123.3
 sequence 60 permit host 10.1.123.4
 sequence 70 permit host 10.1.123.5
 sequence 80 permit host 10.1.123.6
 sequence 90 permit 10.1.15.0 0.0.0.255
 sequence 100 permit 192.168.56.0 0.0.7.255
!
!
!
lldp med network-policy application voice tagged vlan 301 priority 5 dscp 46 ports ethe 1/1/1 to 1/1/12
!
!
ip ssh  authentication-retries 2
ip ssh  timeout 30
ip ssh  idle-time 30
ip ssh  scp disable
ip ssh  encryption disable-aes-cbc
!
!
!
!
!
end


4 REPLIES

Orlando_Elias
RUCKUS Team Member

Hello David, 

Having dot1x security on the access ports of your ICX7150 can be done by following these steps:

1. state the RADIUS server IP address, ports, and authentication type (dot1x, macauth, webauth)

https://docs.commscope.com/bundle/fastiron-08070-securityguide/page/GUID-F3B15898-A375-48A7-876E-334...

2. enter the authentication configuration mode and

2.1. enable dot1x for specific ports

2.2. set basic authentication parameters like authentication default VLAN, restricted VLAN (if used), re-authentication timers, etc.

https://docs.commscope.com/bundle/fastiron-08070-securityguide/page/GUID-261DD83D-AA94-443F-AA68-82B...

3. enable aaa authentication for dot1x through RADIUS

! aaa authentication dot1x default radius

Those should be the most simple steps to have it up and running.
We can always go deeper if we wanted 🙂
Please let me know if it leaves you with some concerns.

--

Orlando Elias
Ruckus TAC

With regards,
--
Orlando Elias
Technical Support
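The three steps above map one-to-one onto lines in netwizz's accepted config (the `radius-server host ... dot1x mac-auth` line, the `authentication` block, and `aaa authentication dot1x default radius`). As an added example for this thread (my own code, not Ruckus/CommScope code and not from either poster), here is a small Python audit that parses FastIron running-config text (what `show running-config` prints, pasted into a string) and checks those three steps, plus whether every dot1x-enabled port also carries `dot1x port-control auto`. The two sample configs are constructed from the posted lines with the encrypted RADIUS key replaced by a placeholder; the check names, and the rule that port-control must cover every dot1x port, are assumptions of this audit rather than FastIron requirements.

```python
"""Audit a FastIron (Ruckus ICX) running config for the 802.1X pieces this thread
lists: RADIUS host, authentication block, dot1x aaa method. Added example, not Ruckus code."""
import re
from collections import namedtuple

# Constructed sample 1: the 802.1X-relevant lines of the posted config, key replaced by a placeholder.
COMPLETE_CONFIG = """\
vlan 123 name Data by port
 untagged ethe 1/2/1 to 1/2/2
!
authentication
  auth-default-vlan 123
  dot1x enable
  dot1x enable ethe 1/1/1 to 1/1/12
  dot1x port-control auto ethe 1/1/1 to 1/1/12
!
aaa authentication dot1x default radius
radius-server host 172.31.112.52 auth-port 1812 acct-port 1813 default key 2 $KEY-PLACEHOLDER dot1x mac-auth
end
"""

# Constructed sample 2: half-finished config. dot1x on 12 ports but port-control auto on 4,
# VLAN 999 never defined, and the aaa dot1x line missing.
PARTIAL_CONFIG = """\
authentication
  auth-default-vlan 999
  dot1x enable
  dot1x enable ethe 1/1/1 to 1/1/12
  dot1x port-control auto ethe 1/1/1 to 1/1/4
!
radius-server host 172.31.112.52 auth-port 1812 acct-port 1813 default key 2 $KEY-PLACEHOLDER dot1x
end
"""

PORT_RE = re.compile(r"ethe(?:rnet)?\s+(\d+)/(\d+)/(\d+)(?:\s+to\s+(\d+)/(\d+)/(\d+))?")
Finding = namedtuple("Finding", "ok check detail")


def expand_ports(text):
    """Expand 'ethe 1/1/1 to 1/1/12 ethe 1/2/1' into a set of 'unit/slot/port' ids."""
    ports = set()
    for m in PORT_RE.finditer(text):
        unit, slot, first = int(m[1]), int(m[2]), int(m[3])
        last = int(m[6]) if m[4] else first
        if m[4] and (int(m[4]), int(m[5])) != (unit, slot):
            raise ValueError(f"range spanning units/slots not supported: {m[0]}")
        ports.update(f"{unit}/{slot}/{p}" for p in range(first, last + 1))
    return ports


def parse_blocks(config):
    """Split a running config into (top-level command, [indented sub-commands]) pairs."""
    blocks = []
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.strip() in ("!", "end"):
            continue  # separators and the trailing 'end' carry no configuration
        if line[0].isspace() and blocks:
            blocks[-1][1].append(line.strip())
        else:
            blocks.append((line, []))
    return blocks


def audit_dot1x(config):
    """Check the thread's three steps plus port-control coverage; returns a list of Finding."""
    blocks = parse_blocks(config)
    top = [cmd for cmd, _ in blocks]
    findings = []
    # Step 1: a RADIUS host tagged for dot1x (the posted config uses 'dot1x mac-auth').
    hosts = [c for c in top if c.startswith("radius-server host ")]
    dot1x_hosts = [c for c in hosts if re.search(r"\bdot1x\b", c)]
    findings.append(Finding(bool(dot1x_hosts), "radius-server host for dot1x",
                            f"{len(hosts)} host line(s), {len(dot1x_hosts)} tagged dot1x"))
    # Step 2: the authentication block, dot1x on ports, and a default VLAN that exists.
    auth = next((sub for cmd, sub in blocks if cmd == "authentication"), None)
    if auth is None:
        findings.append(Finding(False, "authentication block", "missing"))
        return findings
    enabled, controlled, default_vlan = set(), set(), None
    for sub in auth:
        if sub.startswith("dot1x enable ethe"):
            enabled |= expand_ports(sub)
        elif sub.startswith("dot1x port-control auto "):
            controlled |= expand_ports(sub)
        elif sub.startswith("auth-default-vlan "):
            default_vlan = sub.split()[1]
    findings.append(Finding("dot1x enable" in auth and bool(enabled),
                            "dot1x enabled globally and on ports", f"{len(enabled)} port(s)"))
    # Assumption of this audit (mirrors the posted config): every dot1x port also has 'port-control auto'.
    gap = sorted(enabled - controlled, key=lambda p: tuple(map(int, p.split("/"))))
    findings.append(Finding(not gap, "port-control auto on every dot1x port",
                            f"missing on {gap}" if gap else "all covered"))
    vlan_ok = default_vlan is not None and any(re.match(rf"vlan {default_vlan}\b", c) for c in top)
    findings.append(Finding(vlan_ok, "auth-default-vlan is a defined VLAN", f"vlan {default_vlan}"))
    # Step 3: dot1x requests are sent to RADIUS.
    aaa = "aaa authentication dot1x default radius"
    findings.append(Finding(aaa in top, aaa, "present" if aaa in top else "missing"))
    return findings


def failures(config):
    """Names of the failed checks, for scripting against 'show running-config' output."""
    return [f.check for f in audit_dot1x(config) if not f.ok]
```

Run it against your own `show running-config` text and read the FAIL lines; `failures(COMPLETE_CONFIG)` is empty while `failures(PARTIAL_CONFIG)` names the three gaps. One thing worth knowing for the NPS case David described: the posted config also has `aaa authorization coa enable`, which only matters with a RADIUS server that sends RFC 5176 Change-of-Authorization; Windows NPS does not, so that line is not part of the minimum for an NPS deployment.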

hashim_bharooc1
RUCKUS Team Member

Hi David,
Hope you are doing great.

We do not have any other official guides.  If you look through the authentication section you will see examples as well.

Hope this helps.

Thanks

Hashim

david_levine
New Contributor III

Thanks for sharing. This is helpful to see. 

I am thinking that these configs on the ICX switches are different (so to speak) than when setting up the same for an SSID, and that there is much more to learn on building the policy configs on the RADIUS server 🙂