This section covers configuring user authentication against a RADIUS server, using the 802.1x protocol, on an Edge's switched interface. The authentication is applied through a VLAN associated with that switched interface.
Beginning with SD-WAN Release 5.1.0, a user can configure RADIUS authentication on an Edge's switched interface, as was already possible for a routed interface.
The SD-WAN Edge supports both username/password (EAP-MD5) and certificate (EAP-TLS) based 802.1x Authentication methods.
Prerequisites
- A RADIUS server must be configured and added to the Edge. See Configure Authentication Services.
- RADIUS may be configured on any switched interface.
Configuring RADIUS Authentication on a Switched Interface
Adding RADIUS authentication on a switched interface is a two-part process: first a VLAN is associated with the targeted switched interface, and then that VLAN is configured to use RADIUS authentication.
Note: These steps can be followed at either the Profile or Edge level. If done at the Profile level, every Edge associated with that Profile is configured for RADIUS authentication on the specified switched interface.
- In the SD-WAN service of the Enterprise portal, click .
- Click the link to an Edge or click the View link in the Device column of the Edge. The configuration options for the selected Edge are displayed in the Device tab.
- In the Connectivity category, click and expand Interfaces.
- The Interfaces section displays the different types of Interfaces available for the selected Edge.
- Click the link to the switched interface (for example, GE2) on which you want to configure RADIUS authentication.
- The Interface settings dialog appears. Add the VLAN where RADIUS authentication will be used to the switched interface's list of VLANs and click Save.
- In the Device page, under the Connectivity category, click the VLAN section and then click the VLAN you want to use for RADIUS authentication.
- On the Edit VLAN screen, select the RADIUS Authentication check box.
- Configure the allowed list of devices that are pre-authenticated and should not be forwarded to RADIUS for re-authentication. You can add devices by individual MAC address (e.g. 8c:ae:4c:fd:67:d5) or by OUI (Organizationally Unique Identifier, e.g. 8c:ae:4c:00:00:00).
- Select Done.
- Finally, click Save Changes in the bottom right corner to apply your configuration.
Note: The switched interface will use the server that has already been assigned to the Edge. In an Edge, two interfaces cannot use two different RADIUS servers.
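Because every entry on the allowed list exempts devices from RADIUS authentication, it is worth reviewing the list before saving it. The following is an added example, not part of the product or its documentation: a Python audit of a list kept in the two formats shown in the allowed-list step, separating individual MACs from OUI-wide entries and flagging malformed lines. It assumes that an entry whose last three octets are zero is an OUI entry matching on the first three octets; the function names and sample list are constructed for illustration.

```python
import re

_MAC = re.compile(r"[0-9a-f]{2}(?::[0-9a-f]{2}){5}")

# Constructed sample: the two example values from the allowed-list step,
# one extra individual MAC, and one truncated line.
SAMPLE_ALLOW_LIST = [
    "8c:ae:4c:fd:67:d5",
    "8C-AE-4C-00-00-00",
    "02:00:00:aa:bb:cc",
    "8c:ae:4c:fd:67",
]

def normalise(mac):
    """Lower-case a MAC, accept '-' separators, raise ValueError if malformed."""
    m = mac.strip().lower().replace("-", ":")
    if not _MAC.fullmatch(m):
        raise ValueError(f"not a MAC address: {mac!r}")
    return m

def classify(entry):
    """('oui', 'xx:xx:xx') when the last three octets are zero, else ('mac', address)."""
    m = normalise(entry)
    # Assumption: a zero device part marks an OUI-wide entry.
    return ("oui", m[:8]) if m.endswith(":00:00:00") else ("mac", m)

def audit(allow_list):
    """Sort entries into individual MACs, OUI-wide prefixes and malformed lines."""
    report = {"mac": [], "oui": [], "invalid": []}
    for entry in allow_list:
        try:
            kind, value = classify(entry)
        except ValueError:
            report["invalid"].append(entry)
        else:
            report[kind].append(value)
    return report

def is_preauthenticated(device_mac, allow_list):
    """True if the device is on the allowed list under the assumed matching rule."""
    d = normalise(device_mac)
    report = audit(allow_list)
    return d in report["mac"] or d[:8] in report["oui"]

if __name__ == "__main__":
    r = audit(SAMPLE_ALLOW_LIST)
    print(f"{len(r['mac'])} individual, {len(r['oui'])} OUI-wide "
          f"(2**24 addresses each), {len(r['invalid'])} malformed")
```

Each OUI-wide entry covers every address under that vendor prefix, so the audit output shows how much of the VLAN's device population is exempt from 802.1x.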