Exstreme Gen2 RADIUS Authentication

The example configuration below shows how to configure RADIUS for both Management and Port authentication. The server, client-ip and secrets will be unique to your environment. This example also configures and enables RADIUS accounting.

configure radius mgmt-access primary server 10.21.0.10 1812 client-ip ~~172.16.5.20~~10.128.0.65 vr VR-Default
configure radius mgmt-access primary shared-secret encrypted "#$~~sLBECeI3y+vi56D+JsXsSaWmuvynCERCHNm1lyy21cwRTssjdoE="~~
~~configure radius mgmt-access secondary server 10.21.0.12 1812 client-ip 172.16.5.20 vr VR-Default~~
~~configure radius mgmt-access secondary shared-secret encrypted "#$aV4JSbB7qYJIrkN+xyFpkm8C3VhEMCvmeXg+CHuFmWCPuo9/BjA=~~BAlozLg2AgB4+Mj2p7/CduXt1k+zLA=="
configure radius netlogin primary server 10.21.0.10 1812 client-ip ~~172.16.5.20~~10.128.0.65 vr VR-Default
configure radius netlogin primary shared-secret encrypted "#$~~E1KQvrolmf3rZESnOuZCzgHvxuOncnJsRCrlsGkg9URvSuQAOQ8="~~
~~configure radius netlogin secondary server 10.21.0.12 1812 client-ip 172.16.5.20 vr VR-Default~~
~~configure radius netlogin secondary shared-secret encrypted "#$25naJ++VqZmHWFE3p940NH+BMkvA4BL2GYj1HB1WaY1AFrIt4rQ=~~DZrZ1cXlNut7x4NyiOZBQ9YsmzHsVg=="
configure radius-accounting netlogin primary server 10.21.0.10 1813 client-ip ~~172.16.5.20~~10.128.0.65 vr VR-Default
configure radius-accounting netlogin primary shared-secret encrypted "#$~~5f6QnmG9LhNB1pb1WQB3T+F8LIIhnl5n83AzKewrEGHPtlQkLTI=~~kH9eGGJX164H6H4jeIpO5wtd6dfrfg=="
configure ~~radius-accounting~~radius ~~netlogin~~dynamic-authorization ~~secondary~~1 server 10.21.0.~~12 1813~~10 client-ip ~~172.16.5.20~~10.128.0.65 vr VR-Default
~~configure radius-accounting netlogin secondary~~ shared-secret encrypted "#$~~2vpSd5mMYX46JQvXCLYqFjRnfH4AVawx57QYAm+QufLMbiRc/Do=~~n9pZ5gRfh8dafMk7hbWYnXPXbNCRFQ=="
~~enable radius~~
enable radius mgmt-access
enable radius netlogin
enable radius-accounting netlogin
enable radius dynamic-authorization

The example configuration below will enable both dot1x user and MAC authentication on a port by port basis. Note that you must create a dedicated netlogin pre-authentication vlan, in this case it's called net-login.

create vlan "~~net-login"~~Net-Login"
configure vlan ~~net-login~~Net-Login tag ~~2000~~4000

~~configure netlogin vlan net-login~~
enable netlogin dot1x mac
configure netlogin mac authentication database-order radius
enable netlogin ports ~~1:12-46~~1-21 dot1x
enable netlogin ports ~~1:12-46~~1-21 mac
~~configure netlogin ports 1:12 mode mac-based-vlans~~
~~configure netlogin ports 1:12 restart~~
configure netlogin add mac-list ff:ff:ff:ff:ff:ff 48

In my testing I needed to configure a authentication delay to give Clearpass enough time to created the guest user in the database. The example command below shows how to configure a delay on a per port basis.

configure netlogin mac ports 1 timers delay 5