802.1X
The nv unset
commands remove the configuration you set with the equivalent nv set
commands. This guide only describes an nv unset
command if it differs from the nv set
command.
nv set interface <interface> dot1x auth-fail-vlan
Enables or disables auth-fail VLAN on the specified interface. You can specify enabled
or disabled
.
When you enable auth-fail VLAN, if a non-authorized supplicant tries to communicate with the switch, you can route traffic from that device to a different VLAN and associate that VLAN with one of the switch ports to which the supplicant attaches. Cumulus Linux assigns the auth-fail VLAN by manipulating the PVID of the interface.
Command Syntax
Syntax | Description |
---|---|
<interface-id> | The interface you want to configure. |
Version History
Introduced in Cumulus Linux 5.7.0
Example
cumulus@switch:~$ nv set interface swp1 dot1x auth-fail-vlan enabled
nv set interface <interface> dot1x eap
Enables or disables 802.1X on the specified interfaces. You can specify enabled
or disabled
.
The IEEE 802.1X protocol provides a way to authenticate a client (called a supplicant) over wired media. It also provides access for individual MAC addresses on a switch (called the authenticator) after an authentication server authenticates the MAC addresses. The authentication server is typically a RADIUS server.
Command Syntax
Syntax | Description |
---|---|
<interface-id> | The interface you want to configure. |
Version History
Introduced in Cumulus Linux 5.7.0
Example
cumulus@switch:~$ nv set interface swp1,swp2,swp3 dot1x eap enabled
nv set interface <interface> dot1x host-mode
Configures the 802.1X host mode. You can specify:
- Multi host authenticated mode (
multi-host-authenticated
), where RADIUS must authorize each supplicant to send traffic through the 802.1X interface. This is the default mode. - Multi host mode ()
multi-host
), where the interface remains closed for all traffic until RADIUS authorizes the first supplicant. After authorization, any host can send and receive traffic through the 802.1X interface as long as the supplicant remains authorized.
Command Syntax
Syntax | Description |
---|---|
<interface-id> | The interface you want to configure. |
Version History
Introduced in Cumulus Linux 5.8.0
Example
cumulus@switch:~$ nv set interface swp1 dot1x host-mode multi-host
nv set interface <interface> dot1x mba
Enables or disables MBA for 802.1 X on the specified interface. You can specify enabled
or disabled
.
MBA enables bridged interfaces to allow devices to bypass authentication based on their MAC address. This is useful for devices that do not support EAP, such as printers or phones.
You must configure MBA on both the RADIUS server and the RADIUS client (the Cumulus Linux switch).
Command Syntax
Syntax | Description |
---|---|
<interface-id> | The interface you want to configure. |
Version History
Introduced in Cumulus Linux 5.7.0
Example
cumulus@switch:~$ nv set interface swp1 dot1x mba enabled
nv set system dot1x auth-fail-vlan
Configures auth-fail VLAN. You can specify a value between 1 and 4094.
If a non-authorized supplicant tries to communicate with the switch, you can route traffic from that device to a different VLAN and associate that VLAN with one of the switch ports to which the supplicant attaches. Cumulus Linux assigns the auth-fail VLAN by manipulating the PVID of the interface.
Version History
Introduced in Cumulus Linux 5.7.0
Example
cumulus@switch:~$ nv set system dot1x auth-fail-vlan 777
nv set system dot1x dynamic-vlan
Configures dynamic VLAN assignment globally, where VLAN attributes from the RADIUS server apply to the bridge. You can specify required
, disabled
, or optional
.
If you specify required
, when VLAN attributes do not exist in the access response packet from the RADIUS server, the user is not authorized and has no connectivity. If the RADIUS server returns VLAN attributes but the user has an incorrect password, the user goes in the auth-fail VLAN (if you enable auth-fail VLAN).
A common requirement for campus networks is to assign dynamic VLANs to specific users in combination with IEEE 802.1x. After authenticating a supplicant, the user is assigned a VLAN based on the RADIUS configuration. Cumulus Linux assigns the dynamic VLAN by manipulating the PVID of the interface.
Version History
Introduced in Cumulus Linux 5.7.0
Example
cumulus@switch:~$ nv set system dot1x dynamic-vlan required
nv set system dot1x max-stations
Configures the maximum number of authenticated MAC addresses allowed on an interface. You can specify any number between 0 and 255. The default value is 6.
Version History
Introduced in Cumulus Linux 5.7.0
Example
cumulus@switch:~$ nv set system dot1x max-stations 10
nv set system dot1x radius client-src-ip
Configures the fixed IP address for the RADIUS client to receive requests.
Version History
Introduced in Cumulus Linux 5.7.0
Example
cumulus@switch:~$ nv set system dot1x radius client-src-ip 10.10.10.6
nv set system dot1x radius server <server-id>
Configures the IP address of the 802.1X RADIUS server.
Command Syntax
Syntax | Description |
---|---|
<server-id> | The IP address of the 802.1X RADIUS server. |
Version History
Introduced in Cumulus Linux 5.7.0
Example
cumulus@switch:~$ nv set system dot1x radius server 10.10.10.1
nv set system dot1x radius server <server-id> accounting-port
Configures the 802.1X RADIUS accounting port. You can specify a value between 1 and 65535. The default value is 1813.
Command Syntax
Syntax | Description |
---|---|
<server-id> | The IP address of the 802.1X RADIUS server. |
Version History
Introduced in Cumulus Linux 5.7.0
Example
cumulus@switch:~$ nv set system dot1x radius server 10.10.10.1 accounting-port 2812
nv set system dot1x radius server <server-id> authentication-port
Configures the 802.1X RADIUS authentication port. You can specify a value between 1 and 65535. The default value is 1812.
Command Syntax
Syntax | Description |
---|---|
<server-id> | The IP address of the 802.1X RADIUS server. |
Version History
Introduced in Cumulus Linux 5.7.0
Example
cumulus@switch:~$ nv set system dot1x radius server 10.10.10.1 authentication-port 2813
nv set system dot1x radius server <server-id> priority
Configures the 802.1X RADIUS server priority. You can specify a value between 1 and 3. The default setting is 1.
Command Syntax
Syntax | Description |
---|---|
<server-id> | The IP address of the 802.1X RADIUS server. |
Version History
Introduced in Cumulus Linux 5.7.0
Example
cumulus@switch:~$ nv set system dot1x radius server 10.10.10.1 priority 2
nv set system dot1x radius server <server-id> shared-secret
Configures the 802.1X RADIUS shared secret for authentication.
Command Syntax
Syntax | Description |
---|---|
<server-id> | The IP address of the 802.1X RADIUS server. |
Version History
Introduced in Cumulus Linux 5.7.0
Example
cumulus@switch:~$ nv set system dot1x radius server 10.10.10.1 shared-secret mysecret
nv set system dot1x radius server <server-id> vrf
Configures the VRF for outgoing RADIUS accounting and authorization packets.
Command Syntax
Syntax | Description |
---|---|
<server-id> | The IP address of the 802.1X RADIUS server. |
Version History
Introduced in Cumulus Linux 5.7.0
Example
cumulus@switch:~$ nv set system dot1x radius server 10.10.10.1 vrf BLUE
nv set system dot1x reauthentication-interval
Configures the reauthentication interval for EAP. You can set a value between 0 and 86640. The default value is 0 (disabled).
This setting only applies to EAP-based authentication; it does not apply to MBA.
Version History
Introduced in Cumulus Linux 5.7.0
Example
cumulus@switch:~$ nv set system dot1x reauthentication-interval 40