Configure Ethernet devices to work with Portnox Cloud

In this collection of documents, you will find specific instructions for configuring Ethernet-based NAS (network access server) devices, such as switches, to access the Portnox™ Cloud RADIUS servers and provide AAA services.

Important: The instructions for setting up third-party devices may change when the manufacturers update their firmware or release new models. To get the most accurate and current configuration guidance, please refer to the documentation provided by the manufacturer.

If your manufacturer or device is not listed in the left-hand side menu, here are general instructions on how to configure most Ethernet switches for 802.1X with Portnox Cloud RADIUS servers. Most switches are configured using command-line commands rather than a graphical user interface.

  1. Configure the Portnox Cloud RADIUS servers.

    You can configure one or two Cloud RADIUS servers, as well as a local RADIUS proxy.

    For information on how to configure Cloud RADIUS servers, see the following topic: Create cloud RADIUS servers.

    For information on how to configure a local RADIUS proxy, see the following topics: Set up a local RADIUS server using a virtual machine and Run the local RADIUS server in a container.

    Note down the following information for the RADIUS server(s) that you configured: IP address, authentication port, authorization port, and shared secret.

  2. Create or edit a group so that it supports wired access.

    This step is necessary so that Portnox Cloud can manage network access. If you skip this step, you will not be able to authenticate, even if you configure your switch properly.

    For information on how to configure Cloud groups, see the following topic: Create a group.

  3. Add Portnox Cloud RADIUS servers to the switch configuration.

    To complete this step, you will need the specific IP addresses, port numbers, and secret keys that you noted down in step 1. You can add just one server (for example, the US server only) or both of them (US and EU), but this may be limited by the choice you made when you created your Portnox tenant.

    In this step, you can also add the local RADIUS proxy, which will be used to authenticate current clients in case of an Internet outage. Add it using its local IP address and the port numbers and secret key that you noted down in step 1.

    Commands used by different switches to add RADIUS servers could look like this (we’re providing these forms so it’s easier for you to search in your vendor’s documentation; items in the form name_name are placeholders for your own values):

    • radius-server name address ipv4 ip_address auth-port auth_port
      acct-port acct_port key secret_key
    • radius-server host ip_address auth-port auth_port
      acct-port acct_port key secret_key
    • radius-server host ip_address auth-port auth_port
      acct-port acct_port key 0 secret_key
    • radius-server host ip_address auth-port auth_port
      acct-port acct_port default key secret_key
    • set radius-server ip_address port auth_port
      secret secret_key
  4. Configure RADIUS authentication on the switch and optionally MAC address bypass (MAB) authentication.

    The process to configure RADIUS authentication is specific to your switch, but it usually includes commands to globally enable 802.1X authentication, 802.1X accounting, and optionally MAC address bypass authentication. It also usually includes the definition of the VLANs that devices are assigned to when they successfully authenticate or fail authentication.

    MAC address bypass authentication is needed only if you must authenticate some of your devices, for example, IoT devices, using only their MAC addresses.

    Commands used by different switches to enable 802.1X authentication and accounting could look like this:

    • dot1x enable
    • aaa authentication port-access eap-radius
    • aaa authentication dot1x default group group_name
    • aaa accounting dot1x default start-stop radius
    • set protocols dot1x authenticator auth_group servers_group
  5. Configure the switch ports/interfaces for RADIUS authentication and optionally MAC address authentication.

    In this step, you decide which ports or interfaces on your switch should be used for client devices. You can set these ports/interfaces to authenticate devices using RADIUS and/or using MAC addresses. Usually, you are able to provide a range of ports to configure at the same time or configure ports one by one as needed.

    Commands used by different switches to configure interfaces/ports could look like this:

    • interface interface_name
      authentication port-control auto
      mab
    • interface interface_name
      aaa authentication port-access auth-precedence dot1x mac-auth
      aaa authentication port-access dot1x authenticator
      enable
      aaa authentication port-access mac-auth
      enable
    • interface range interface_range
      dot1x authentication
      dot1x port-control auto
      dot1x mac-auth-bypass
    • aaa port-access authenticator port_range
      aaa port-access mac-based port_range
  6. Configure the critical authentication process on the switch.

    Many modern switch models offer functionality called critical auth VLAN, critical authentication, fallback VLAN, authserver timeout VLAN, auth service-unavailable VLAN, 802.1X authentication escape, or similar. All these features do the same thing: if for any reason your switch cannot reach the Portnox Cloud servers, current and new devices are automatically assigned to a VLAN of your choice, for example, one that allows them access to the Internet but keeps your sensitive networks isolated.

    Note: While this is not a necessary step, we strongly encourage you to see if your switch supports such functionality. This will prevent your clients from being completely denied access to the network in case of an external outage.

    Commands used by different switches to enable a critical VLAN could look like this:

    • interface interface_name
      authentication event server dead action authorize vlan vlan_number
    • aaa port-access interface_name critical-auth-data-vlan vlan_number
    • interface range interface_range dot1x critical-vlan vlan_number
    • set interface interface_name server-fail vlan_number
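    The following is an added example, not taken from this page or from any vendor's documentation, that brings steps 3 to 6 together in one switch configuration. It uses Cisco IOS-style syntax (the first command form in each list above); the server names, interface range, VLAN numbers and the placeholder IP addresses and secrets are assumptions that you replace with the values you noted down in step 1.

```text
! Step 3: define the Cloud RADIUS servers (and the optional local proxy)
! using the IP, ports and shared secret noted down in step 1.
aaa new-model
radius server PORTNOX-US
 address ipv4 <us_server_ip> auth-port 1812 acct-port 1813
 key <us_shared_secret>
radius server PORTNOX-EU
 address ipv4 <eu_server_ip> auth-port 1812 acct-port 1813
 key <eu_shared_secret>
radius server PORTNOX-LOCAL-PROXY
 address ipv4 <local_proxy_ip> auth-port 1812 acct-port 1813
 key <local_proxy_secret>
aaa group server radius PORTNOX
 server name PORTNOX-US
 server name PORTNOX-EU
 server name PORTNOX-LOCAL-PROXY
! Mark a server dead after 3 failed tries within 10 seconds, and stop
! trying it for 5 minutes, so fallback to the next server is fast.
radius-server dead-criteria time 10 tries 3
radius-server deadtime 5

! Step 4: enable 802.1X globally and send authentication, authorization
! (dynamic VLAN assignment) and accounting to the Portnox group.
aaa authentication dot1x default group PORTNOX
aaa authorization network default group PORTNOX
aaa accounting dot1x default start-stop group PORTNOX
dot1x system-auth-control

! Steps 5 and 6: client-facing access ports authenticate via 802.1X, fall
! back to MAB for MAC-only devices (IoT), and are placed in the critical
! VLAN if every RADIUS server is unreachable.
interface range GigabitEthernet1/0/1 - 24
 switchport mode access
 switchport access vlan 10
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication event fail action authorize vlan 20
 authentication event server dead action authorize vlan 99
 authentication event server alive action reinitialize
 mab
 dot1x pae authenticator
```

    Before rolling this out to all ports, apply it to a single test port and confirm in the Portnox Cloud console that the authentication and accounting records arrive from the switch.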