Extreme Gen2 RADIUS Authentication
The example configuration below shows how to configure RADIUS for both Management and Port authentication. The server, client-ip and secrets will be unique to your environment. This example also configures and enables RADIUS accounting.
configure radius mgmt-access primary server 10.21.0.10 1812 client-ip 10.128.0.65 vr VR-Default
configure radius mgmt-access primary shared-secret encrypted "#$BAlozLg2AgB4+Mj2p7/CduXt1k+zLA=="
configure radius netlogin primary server 10.21.0.10 1812 client-ip 10.128.0.65 vr VR-Default
configure radius netlogin primary shared-secret encrypted "#$DZrZ1cXlNut7x4NyiOZBQ9YsmzHsVg=="
configure radius-accounting netlogin primary server 10.21.0.10 1813 client-ip 10.128.0.65 vr VR-Default
configure radius-accounting netlogin primary shared-secret encrypted "#$kH9eGGJX164H6H4jeIpO5wtd6dfrfg=="
configure radius dynamic-authorization 1 server 10.21.0.10 client-ip 10.128.0.65 vr VR-Default shared-secret encrypted "#$n9pZ5gRfh8dafMk7hbWYnXPXbNCRFQ=="
enable radius mgmt-access
enable radius netlogin
enable radius-accounting netlogin
enable radius dynamic-authorization
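A way to check a config or template for the pieces shown above, as an added example that is not part of the original page or of Extreme's tooling: it verifies that each mgmt-access, netlogin and accounting server has a shared secret, that the secret is in encrypted form, and that the service is enabled. The sample config is constructed with placeholder secrets, and the dynamic-authorization line is not covered.

```python
import re

# Constructed sample in the page's command syntax; secrets are placeholders.
SAMPLE = """\
configure radius mgmt-access primary server 10.21.0.10 1812 client-ip 10.128.0.65 vr VR-Default
configure radius mgmt-access primary shared-secret encrypted "<placeholder>"
configure radius netlogin primary server 10.21.0.10 1812 client-ip 10.128.0.65 vr VR-Default
configure radius netlogin primary shared-secret "PlainTextPlaceholder"
configure radius-accounting netlogin primary server 10.21.0.10 1813 client-ip 10.128.0.65 vr VR-Default
enable radius mgmt-access
enable radius netlogin
"""

SERVER = re.compile(r"^configure (radius(?:-accounting)?) (mgmt-access|netlogin) (\w+) server \S+")
SECRET = re.compile(r"^configure (radius(?:-accounting)?) (mgmt-access|netlogin) (\w+) shared-secret (encrypted )?")
ENABLE = re.compile(r"^enable (radius(?:-accounting)?) (mgmt-access|netlogin)$")


def audit(config: str) -> list[str]:
    """Return findings for RADIUS realms that are incomplete or weakly stored."""
    servers, secrets, enabled, findings = set(), {}, set(), []
    for line in (raw.strip() for raw in config.splitlines()):
        if m := SERVER.match(line):
            servers.add(m.groups())            # (service, realm, role)
        elif m := SECRET.match(line):
            secrets[m.groups()[:3]] = bool(m.group(4))  # True if 'encrypted'
        elif m := ENABLE.match(line):
            enabled.add(m.groups())            # (service, realm)
    for svc, realm, role in sorted(servers):
        name = f"{svc} {realm} {role}"
        if (svc, realm, role) not in secrets:
            findings.append(f"{name}: server has no shared-secret")
        elif not secrets[(svc, realm, role)]:
            findings.append(f"{name}: shared-secret not in encrypted form")
        if (svc, realm) not in enabled:
            findings.append(f"{name}: configured but never enabled")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```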
The example configuration below enables both dot1x user and MAC authentication on a port-by-port basis. Note that you must create a dedicated netlogin pre-authentication VLAN; in this example it is called Net-Login.
create vlan "Net-Login"
configure vlan Net-Login tag 4000
enable netlogin dot1x mac
configure netlogin mac authentication database-order radius
enable netlogin ports 1-21 dot1x
enable netlogin ports 1-21 mac
configure netlogin add mac-list ff:ff:ff:ff:ff:ff 48
In my testing I needed to configure an authentication delay to give ClearPass enough time to create the guest user in the database. The example command below shows how to configure a delay on a per-port basis.
configure netlogin mac ports 1 timers delay 5