Configure RADIUS Authentication for a Switched Interface

This section covers configuring user authentication with a RADIUS server using the 802.1x protocol on an Edge's switched interface through the use of a VLAN associated with that switched interface.

Beginning with SD-WAN Release 5.1.0, a user can configure RADIUS authentication to use an Edge's switched interface as they already had been able to do for a routed interface.

The SD-WAN Edge supports both username/password (EAP-MD5) and certificate (EAP-TLS) based 802.1x Authentication methods.

Prerequisites

A RADIUS server must be configured and added to the Edge. See Configure Authentication Services.
RADIUS may be configured on any switched interface.

Configuring RADIUS Authentication on a Switched Interface

Adding RADIUS authentication on a switched interface is a two part process where first a VLAN is associated with the targeted switched interface, and then the VLAN is configured to use RADIUS authentication.

Note: These steps can be followed at either the Profile or Edge level. If done at the Profile level every Edge associated with that Profile would be configured for RADIUS authentication on the specified switched interface.

In the Customer portal, click either Configure > Profile or > Configure > Edges depending on your preferences.
Click the Device icon next to an Edge, or click the link to the Edge, and then click the Device tab.
Scroll down to the Connectivity section and open up the Interfaces section for the Edge.
The Interfaces section displays the existing interfaces available in the Edge.
Click the Edit option for a Switched interface that you want to enable RADIUS authentication.
Add the VLAN where RADIUS authentication will be used to the switched interfaces list of VLAN's.
Click Save and return to the Device Settings page.
Now click on the VLAN section and click on the VLAN you want to use for RADIUS authentication.
On the Edit VLAN screen, click the box for RADIUS Authentication.
Configure the allowed list of devices that are pre-authenticated and should not be forwarded to RADIUS for re-authentication. You can add devices by using individual MAC addresses (e.g. 8c:ae:4c:fd:67:d5) or by using OUI (Organizationally Unique Identifier [e.g. 8c:ae:4c:00:00:00]).
Select Done.
Finally, click on Save Changes in the bottom right corner to apply your configurations.

Note: The switched interface will use the server that has already been assigned to the Edge. In an Edge, two interfaces cannot use two different RADIUS servers.