Ethernet 802.x1 configuration – Arista

In this topic, you will learn how to configure Arista switches to work together with Portnox™ Cloud and 802.1X RADIUS authentication for wired Ethernet connections.

Important: This guide provides general instructions for integrating Portnox Cloud with specific third-party devices. While we aim to provide helpful examples for commonly used models, configurations may vary across manufacturers, models, and environments. As a result, we cannot guarantee that these steps will work in every scenario. For questions or issues related to RADIUS setup – which is an industry standard and not specific to Portnox – or device-specific settings and troubleshooting, we recommend consulting the device manufacturer’s documentation and contacting their support team. While Portnox Support is happy to assist where possible, please note that detailed configuration of third-party devices is typically best handled by the manufacturer.
Important: All values in this configuration are examples. Make sure to adjust the configuration to your individual RADIUS server addresses, ports, and keys, as well as device interfaces, limits, and VLANs, by replacing the values that are presented as underlined italics.
  1. Specify RADIUS servers for authentication and accounting using the data of the Portnox Cloud US and EU RADIUS servers. 
    radius-server host 20.119.69.248 key rTHO9HEo9BcqfC9Yg0hHFelK6o0tH8N1
    radius-server host 52.232.122.157 key fnSrSEHhXFZ5Rqpz756NJhkeVqIHTlPt
    aaa group server radius PORTNOX
      server 20.119.69.248 auth-port 10322 acct-port 10323
      server 52.232.122.157 auth-port 10476 acct-port 10477
    aaa authentication dot1x default group PORTNOX
    aaa accounting dot1x default start-stop group PORTNOX
  2. Optional: Verify the configuration if needed. 
    show dot1x radius
    RADIUS Server        Status       Time
-------------------- ------------ -----------
20.119.69.248:10322  active       n/a
52.232.122.157:10476 active       n/a
  3. Enable dynamic authorization (required for CoA).
    1. Configure the default port. 
      radius-server dynamic-authorization port 3799
    2. Optional: If you use RadSec, configure the switch to use a SSL profile for dynamic authorization.
      Note: First, prepare the PEM files for the server certificate, the server private key, and the trusted CA certificate, and upload them to the switch memory, for example, to the /flash/ directory.
      ssl profile portnox-server
  certificate /flash/server-cert.pem
  key /flash/server-key.pem
  trusted-ca /flash/ca-cert.pem
exit
      radius-server dynamic-authorization portnox-server
  4. Enable 802.1X globally. 
    dot1x system-auth-control
    dot1x protocol lldp bypass
    dot1x dynamic-authorization
  5. Configure the interface to use EAPoL authentication.
    1. Select the interface. 
      interface Ethernet18
    2. Set the 802.1X interface port access entity type as authenticator. 
      dot1x pae authenticator
    3. Set port control state to automatic. 
      dot1x port-control auto
    4. Set the host mode for authentication on this interface. 
      dot1x host-mode multi-host authenticated
      Note: In this example, we configured multi-host instead of single-host. However, each host has to authenticate individually. Please check Arista TOIs for more information on different setups.
  6. Optional: Verify the configuration. 
    show dot1x interface Ethernet18
    Dot1X Information for Ethernet18
--------------------------------------------
Port control: auto
Forced phone authorization: disabled
EAPOL: enabled
(...)

Here is the entire example configuration for your convenience:

radius-server host 20.119.69.248 key rTHO9HEo9BcqfC9Yg0hHFelK6o0tH8N1
radius-server host 52.232.122.157 key fnSrSEHhXFZ5Rqpz756NJhkeVqIHTlPt
!
aaa group server radius PORTNOX
  server 20.119.69.248 auth-port 10322 acct-port 10323
  server 52.232.122.157 auth-port 10476 acct-port 10477
!
aaa authentication dot1x default group PORTNOX
aaa accounting dot1x default start-stop group PORTNOX
!
radius-server dynamic-authorization port 3799
radius-server dynamic-authorization portnox-server
!
dot1x system-auth-control
dot1x protocol lldp bypass
dot1x dynamic-authorization
!
interface Ethernet18
dot1x pae authenticator
dot1x port-control auto
dot1x host-mode multi-host authenticated