Extreme Gen2 RADIUS Authentication
The example configuration below shows how to configure RADIUS for both management (mgmt-access) and port (netlogin) authentication. The server, client-ip and shared secrets will be unique to your environment. This example also configures and enables RADIUS accounting and dynamic authorization. Note that dynamic authorization (CoA) will not work unless One Policy is enabled.
configure radius mgmt-access primary server 10.21.0.10 1812 client-ip 10.128.0.65 vr VR-Default
configure radius mgmt-access primary shared-secret encrypted "#$BAlozLg2AgB4+Mj2p7/CduXt1k+zLA=="
configure radius netlogin primary server 10.21.0.10 1812 client-ip 10.128.0.65 vr VR-Default
configure radius netlogin primary shared-secret encrypted "#$DZrZ1cXlNut7x4NyiOZBQ9YsmzHsVg=="
configure radius-accounting netlogin primary server 10.21.0.10 1813 client-ip 10.128.0.65 vr VR-Default
configure radius-accounting netlogin primary shared-secret encrypted "#$kH9eGGJX164H6H4jeIpO5wtd6dfrfg=="
configure radius dynamic-authorization 1 server 10.21.0.10 client-ip 10.128.0.65 vr VR-Default shared-secret encrypted "#$n9pZ5gRfh8dafMk7hbWYnXPXbNCRFQ=="
enable radius mgmt-access
enable radius netlogin
enable radius-accounting netlogin
enable radius dynamic-authorization
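A small audit script for the RADIUS portion of the configuration above, added here as an example and not part of the original post: it parses an EXOS configuration script and reports a server scope with no shared secret, a secret stored in clear text, a scope that is configured but never enabled, and dynamic authorization enabled without Policy. The sample input is constructed from the commands above with placeholder secrets, and the "enable policy" command name is an assumption.

```python
import re

# Constructed sample based on the commands in this post: secrets replaced by placeholders,
# the netlogin secret deliberately left in clear text, "enable radius-accounting netlogin" omitted.
SAMPLE_CONFIG = """\
configure radius mgmt-access primary server 10.21.0.10 1812 client-ip 10.128.0.65 vr VR-Default
configure radius mgmt-access primary shared-secret encrypted "#$PLACEHOLDER-1"
configure radius netlogin primary server 10.21.0.10 1812 client-ip 10.128.0.65 vr VR-Default
configure radius netlogin primary shared-secret "clear-text-secret"
configure radius-accounting netlogin primary server 10.21.0.10 1813 client-ip 10.128.0.65 vr VR-Default
configure radius-accounting netlogin primary shared-secret encrypted "#$PLACEHOLDER-3"
configure radius dynamic-authorization 1 server 10.21.0.10 client-ip 10.128.0.65 vr VR-Default shared-secret encrypted "#$PLACEHOLDER-4"
enable radius mgmt-access
enable radius netlogin
enable radius dynamic-authorization
"""

SERVER_RE = re.compile(r"^configure (radius|radius-accounting) (mgmt-access|netlogin) primary server \S+ (\d+)")
SECRET_RE = re.compile(r'^configure (radius|radius-accounting) (mgmt-access|netlogin) primary shared-secret (encrypted )?"')
DYNAUTH_RE = re.compile(r'^configure radius dynamic-authorization \d+ server \S+ .*shared-secret (encrypted )?"')
ENABLE_RE = re.compile(r"^enable (radius|radius-accounting) (mgmt-access|netlogin|dynamic-authorization)")

def audit_radius_config(config_text):
    """Return a list of findings for an EXOS RADIUS/netlogin configuration script."""
    servers, secrets, enabled = {}, {}, set()
    # Assumed command name: "enable policy" turns on Policy, which the post says CoA requires.
    policy_on = any(l.strip().startswith("enable policy") for l in config_text.splitlines())
    for line in config_text.splitlines():
        line = line.strip()
        if m := SERVER_RE.match(line):
            servers[(m.group(1), m.group(2))] = int(m.group(3))
        elif m := SECRET_RE.match(line):
            secrets[(m.group(1), m.group(2))] = m.group(3) is not None   # True when "encrypted"
        elif m := DYNAUTH_RE.match(line):
            servers[("radius", "dynamic-authorization")] = None
            secrets[("radius", "dynamic-authorization")] = m.group(1) is not None
        elif m := ENABLE_RE.match(line):
            enabled.add((m.group(1), m.group(2)))
    findings = []
    for scope in servers:
        label = f"{scope[0]} {scope[1]}"
        if scope not in secrets:
            findings.append(f"{label}: server configured but no shared-secret set")
        elif not secrets[scope]:
            findings.append(f"{label}: shared-secret in clear text; keep stored scripts in 'encrypted' form")
        if scope not in enabled:
            findings.append(f"{label}: configured but never enabled")
        if scope[1] == "dynamic-authorization" and scope in enabled and not policy_on:
            findings.append(f"{label}: enabled, but CoA needs Policy ('enable policy') to work")
    return findings
```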
The example configuration below enables both dot1x user authentication and MAC authentication on a port-by-port basis. Note that you must create a dedicated netlogin pre-authentication VLAN; in this case it is called Net-Login.
create vlan "Net-Login"
configure vlan Net-Login tag 4000
enable netlogin dot1x mac
configure netlogin mac authentication database-order radius
enable netlogin ports 1-21 dot1x
enable netlogin ports 1-21 mac
configure netlogin add mac-list ff:ff:ff:ff:ff:ff 48
In my testing I needed to configure an authentication delay to give ClearPass enough time to create the guest user in the database. The example command below shows how to configure a delay on a per-port basis.
configure netlogin mac ports 1 timers delay 5