802.1X

The nv unset commands remove the configuration you set with the equivalent nv set commands. This guide only describes an nv unset command if it differs from the nv set command.

nv set interface <interface> dot1x auth-fail-vlan

Enables or disables auth-fail VLAN on the specified interface. You can specify enabled or disabled. When you enable auth-fail VLAN, if a non-authorized supplicant tries to communicate with the switch, you can route traffic from that device to a different VLAN and associate that VLAN with one of the switch ports to which the supplicant attaches. Cumulus Linux assigns the auth-fail VLAN by manipulating the PVID of the interface.

Command Syntax

SyntaxDescription
<interface-id>The interface you want to configure.

Version History

Introduced in Cumulus Linux 5.7.0

Example

cumulus@switch:~$ nv set interface swp1 dot1x auth-fail-vlan enabled

nv set interface <interface> dot1x eap

Enables or disables 802.1X on the specified interfaces. You can specify enabled or disabled.

The IEEE 802.1X protocol provides a way to authenticate a client (called a supplicant) over wired media. It also provides access for individual MAC addresses on a switch (called the authenticator) after an authentication server authenticates the MAC addresses. The authentication server is typically a RADIUS server.

Command Syntax

SyntaxDescription
<interface-id>The interface you want to configure.

Version History

Introduced in Cumulus Linux 5.7.0

Example

cumulus@switch:~$ nv set interface swp1,swp2,swp3 dot1x eap enabled

nv set interface <interface> dot1x host-mode

Configures the 802.1X host mode. You can specify:

  • Multi host authenticated mode (multi-host-authenticated), where RADIUS must authorize each supplicant to send traffic through the 802.1X interface. This is the default mode.
  • Multi host mode ()multi-host), where the interface remains closed for all traffic until RADIUS authorizes the first supplicant. After authorization, any host can send and receive traffic through the 802.1X interface as long as the supplicant remains authorized.

Command Syntax

SyntaxDescription
<interface-id>The interface you want to configure.

Version History

Introduced in Cumulus Linux 5.8.0

Example

cumulus@switch:~$ nv set interface swp1 dot1x host-mode multi-host

nv set interface <interface> dot1x mba

Enables or disables MBA for 802.1 X on the specified interface. You can specify enabled or disabled.

MBA enables bridged interfaces to allow devices to bypass authentication based on their MAC address. This is useful for devices that do not support EAP, such as printers or phones.

You must configure MBA on both the RADIUS server and the RADIUS client (the Cumulus Linux switch).

Command Syntax

SyntaxDescription
<interface-id>The interface you want to configure.

Version History

Introduced in Cumulus Linux 5.7.0

Example

cumulus@switch:~$ nv set interface swp1 dot1x mba enabled 

nv set system dot1x auth-fail-vlan

Configures auth-fail VLAN. You can specify a value between 1 and 4094.

If a non-authorized supplicant tries to communicate with the switch, you can route traffic from that device to a different VLAN and associate that VLAN with one of the switch ports to which the supplicant attaches. Cumulus Linux assigns the auth-fail VLAN by manipulating the PVID of the interface.

Version History

Introduced in Cumulus Linux 5.7.0

Example

cumulus@switch:~$ nv set system dot1x auth-fail-vlan 777 

nv set system dot1x dynamic-vlan

Configures dynamic VLAN assignment globally, where VLAN attributes from the RADIUS server apply to the bridge. You can specify required, disabled, or optional.

If you specify required, when VLAN attributes do not exist in the access response packet from the RADIUS server, the user is not authorized and has no connectivity. If the RADIUS server returns VLAN attributes but the user has an incorrect password, the user goes in the auth-fail VLAN (if you enable auth-fail VLAN).

A common requirement for campus networks is to assign dynamic VLANs to specific users in combination with IEEE 802.1x. After authenticating a supplicant, the user is assigned a VLAN based on the RADIUS configuration. Cumulus Linux assigns the dynamic VLAN by manipulating the PVID of the interface.

Version History

Introduced in Cumulus Linux 5.7.0

Example

cumulus@switch:~$ nv set system dot1x dynamic-vlan required

nv set system dot1x max-stations

Configures the maximum number of authenticated MAC addresses allowed on an interface. You can specify any number between 0 and 255. The default value is 6.

Version History

Introduced in Cumulus Linux 5.7.0

Example

cumulus@switch:~$ nv set system dot1x max-stations 10

nv set system dot1x radius client-src-ip

Configures the fixed IP address for the RADIUS client to receive requests.

Version History

Introduced in Cumulus Linux 5.7.0

Example

cumulus@switch:~$ nv set system dot1x radius client-src-ip 10.10.10.6

nv set system dot1x radius server <server-id>

Configures the IP address of the 802.1X RADIUS server.

Command Syntax

SyntaxDescription
<server-id>The IP address of the 802.1X RADIUS server.

Version History

Introduced in Cumulus Linux 5.7.0

Example

cumulus@switch:~$ nv set system dot1x radius server 10.10.10.1

nv set system dot1x radius server <server-id> accounting-port

Configures the 802.1X RADIUS accounting port. You can specify a value between 1 and 65535. The default value is 1813.

Command Syntax

SyntaxDescription
<server-id>The IP address of the 802.1X RADIUS server.

Version History

Introduced in Cumulus Linux 5.7.0

Example

cumulus@switch:~$ nv set system dot1x radius server 10.10.10.1 accounting-port 2812

nv set system dot1x radius server <server-id> authentication-port

Configures the 802.1X RADIUS authentication port. You can specify a value between 1 and 65535. The default value is 1812.

Command Syntax

SyntaxDescription
<server-id>The IP address of the 802.1X RADIUS server.

Version History

Introduced in Cumulus Linux 5.7.0

Example

cumulus@switch:~$ nv set system dot1x radius server 10.10.10.1 authentication-port 2813

nv set system dot1x radius server <server-id> priority

Configures the 802.1X RADIUS server priority. You can specify a value between 1 and 3. The default setting is 1.

Command Syntax

SyntaxDescription
<server-id>The IP address of the 802.1X RADIUS server.

Version History

Introduced in Cumulus Linux 5.7.0

Example

cumulus@switch:~$ nv set system dot1x radius server 10.10.10.1 priority 2

nv set system dot1x radius server <server-id> shared-secret

Configures the 802.1X RADIUS shared secret for authentication.

Command Syntax

SyntaxDescription
<server-id>The IP address of the 802.1X RADIUS server.

Version History

Introduced in Cumulus Linux 5.7.0

Example

cumulus@switch:~$ nv set system dot1x radius server 10.10.10.1 shared-secret mysecret

nv set system dot1x radius server <server-id> vrf

Configures the VRF for outgoing RADIUS accounting and authorization packets.

Command Syntax

SyntaxDescription
<server-id>The IP address of the 802.1X RADIUS server.

Version History

Introduced in Cumulus Linux 5.7.0

Example

cumulus@switch:~$ nv set system dot1x radius server 10.10.10.1 vrf BLUE

nv set system dot1x reauthentication-interval

Configures the reauthentication interval for EAP. You can set a value between 0 and 86640. The default value is 0 (disabled).

This setting only applies to EAP-based authentication; it does not apply to MBA.

Version History

Introduced in Cumulus Linux 5.7.0

Example

cumulus@switch:~$ nv set system dot1x reauthentication-interval 40