This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
RUCKUS Self Help |   ASK the Pack
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

What is best resource for steps to implement 802.1x on ICX7450 and SmartZone WLAN

jeff_tillison
New Contributor II

‎10-15-2019 05:38 AM

Goal --> implement 802.1x configuration on  ICX Switches/WLAN to support 802.1x Authentication for SmartZone WLAN users.

Currently, users are directed to WebAuth Page where login credentials are Authenticated by RADIUS.

Need to ensure proper configurations are applied and VLANs are available on ICXs/WLAN for initial login and Authenticated user connections
9 REPLIES 9

scott_farrand_f
New Contributor III

‎10-15-2019 10:41 AM


Have you already configured 802.1x with vlan assignment on your WLAN?  Or are you trying to figure out how to set this up across your entire environment?


0 Kudos

jeff_tillison
New Contributor II
In response to scott_farrand_f

‎10-15-2019 12:59 PM

1 - I have not  yet applied 802.1x vlans - everything is still in default vlan...

2 - Yes.  Hoping to find info on necessary ICX configuration for 802.1x and VLANs AND the applicable configuration for SmartZone WLAN config

netwizz
Contributor III

‎10-15-2019 10:46 AM

Never got 802.1x to work though it is probably the Microsoft NPS that is the problem.

I have actual RADIUS login working like a champ.

Here was more or less my test configuration, so you can start where I left off about around a year ago if it is of any help.  If you get it to work, please let us know.


ver 08.0.80caT211
!
stack unit 1
  module 1 icx7150-c12-poe-port-management-module
  module 2 icx7150-2-copper-port-2g-module
  module 3 icx7150-2-sfp-plus-port-20g-module
!
!
no global-stp
!
!
!
vlan 1 name DEFAULT-VLAN by port
 no untagged ethe 1/1/2 to 1/1/12
 no spanning-tree
!
vlan 123 name Data by port
 tagged ethe 1/2/2 ethe 1/3/1 to 1/3/2
 untagged ethe 1/1/1 ethe 1/2/1
 no spanning-tree
!
vlan 401 name voice by port
 tagged ethe 1/1/1 to 1/1/2 ethe 1/1/4 to 1/1/12 ethe 1/2/1 to 1/2/2 ethe 1/3/1 to 1/3/2
 no spanning-tree
!
!
vlan 666 name Restricted-Data by port
 no spanning-tree
!
!
!
!
!
!
!
!
!
!
authentication
  auth-default-vlan 123
  restricted-vlan 666
  dot1x enable
  dot1x enable ethe 1/1/2 to 1/1/12
  dot1x port-control auto ethe 1/1/2 to 1/1/12
!
!
aaa authentication web-server default local
aaa authentication enable default local
aaa authentication dot1x default radius
aaa authentication login default local
aaa authentication login privilege-mode
console timeout 30
enable aaa console
hostname TESTSW02
ip address 10.1.13.15 255.255.255.0
ip dns domain-list test.testdomain.state.us
ip dns server-address 10.1.5.40 10.1.5.41
no ip dhcp-client auto-update enable
no ip dhcp-client enable
ip default-gateway 10.1.13.1
!
logging host 10.1.2.3
logging console
logging persistence
mirror-port ethernet 1/1/1
!
no telnet server
username testwan password .....
radius-server host 10.1.120.221 auth-port 1812 acct-port 1813 default key 2 $b24zbw== dot1x
cdp run
fdp run
snmp-server contact Network Operations Center
snmp-server host 10.1.2.3 version v3 priv testwan
snmp-server group testv3 v3 priv access 99 read all write all
snmp-server user testwan testv3 v3 access 99 encrypted auth sha 6974065afb9f99927806e01c6ae2175104870138 priv encrypted aes 6974065bfb9f99927806e01c6ae21751
!
!
clock summer-time
clock timezone us Eastern
!
!
ntp
 server 10.220.1.1
!
!
web access-group 99
no web-management http
web-management https
banner motd ^C
------------------------------------------------------------------------^C
^C
Temporary Infrastructure Test Switch^C
^C
This system is solely for the use of authorized test personnel.^C
The information contained herein is the property of test and subject to^C
non-disclosure, security, and confidentiality requirements.^C
test will monitor system usage for unauthorized activities.^C
Any user accessing this system expressly consents to such monitoring.^C
^C
Asset xxxxxxxx^C
^C
------------------------------------------------------------------------^C
^C
!
ssh access-group 99
!
!
!
interface ethernet 1/1/1
 trust dscp
!
interface ethernet 1/1/2
 trust dscp
!
interface ethernet 1/1/3
 trust dscp
!
interface ethernet 1/1/4
 trust dscp
!
interface ethernet 1/1/5
 trust dscp
!
interface ethernet 1/1/6
 trust dscp
!
interface ethernet 1/1/7
 trust dscp
!
interface ethernet 1/1/8
 trust dscp
!
interface ethernet 1/1/9
 trust dscp
!
interface ethernet 1/1/10
 trust dscp
!
interface ethernet 1/1/11
 trust dscp
!
interface ethernet 1/1/12
 trust dscp
!
interface ethernet 1/2/1
 mon ethernet 1/1/1 both
 trust dscp
!
interface ethernet 1/2/2
 trust dscp
!
interface ethernet 1/3/1
 speed-duplex 1000-full
 trust dscp
!
interface ethernet 1/3/2
 speed-duplex 1000-full
 trust dscp
!
!
!
ip access-list standard 99
 sequence 10 permit host 10.1.4.5
 sequence 20 permit host 10.6.7.8
 sequence 30 permit host 10.9.10.11
!
sflow destination 10.1.2.3 2055
!
lldp run
!
!
ip ssh  authentication-retries 2
ip ssh  timeout 30
ip ssh  idle-time 30
ip ssh  scp disable
ip ssh  encryption disable-aes-cbc
!
!
!
end



jeff_tillison
New Contributor II
In response to netwizz

‎10-15-2019 12:55 PM

Thanks for input and providing your example.  If progress is made, I will reciprocate.
0 Kudos
Copyright © 2024 Khoros, LLC