Flexible authentication configuration prerequisites

Before you configure Flexible authentication, you must establish communication between the devices and the authentication server. The following items cover the configuration steps that are required before you configure Flexible authentication:

  • Configure the ICX device interaction with the authentication server by configuring an authentication method list for 802.1X and specifying RADIUS as an authentication method. The method list takes care of 802.1X and MAC authentication. For more information, refer to AAA operations for RADIUS.
    device(config)# aaa authentication dot1x default radius
  • Configure the RADIUS server to authenticate access to the RUCKUS ICX device. For more information, refer to AAA operations for RADIUS.
    device(config)# radius-server host <radius-server-ip> auth-port 1812 acct-port 1813 default key secretkey dot1x mac-auth
  • After successful authentication, the client is moved to the RADIUS-assigned VLAN. Configure a VLAN as the auth-default VLAN to enable authentication. When any port is enabled for 802.1X or MAC authentication, the port is moved into this VLAN by default. Specific VLANs (for example, guest VLAN, restricted VLAN, and critical VLAN) can be configured to place the clients in various VLANs based on authentication failure and timeout scenarios.
    device(config)# vlan 20 name auth-default-vlan
  • After a successful authentication, user access can be limited by ACLs. ACLs must be preconfigured on the ICX device, and the RADIUS server can return the ACL ID or name. If the ACL matches the ACL configured on the device, it is applied to the port.
    device(config)# access-list 100 permit ip any any

    The source IP must be either the user's IP address or “any”, because the RUCKUS ICX device dynamically learns the IP addresses of the clients (the source). The destination network is user configurable.

    For more information on ACL configuration, refer to IPv4 ACLs. For more information about dynamic ACL assignment, refer to Dynamic ACLs in authentication.
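The two conditions above (the ACL named by RADIUS must already exist on the device, and its entries should use a source of “any” or a single host because client addresses are learned dynamically) can be checked before the RADIUS server is pointed at a device. The following pre-check is an added example, not RUCKUS code or an ICX feature: it parses the ACL lines of a constructed running-config excerpt, looks up the identifier a RADIUS server would return, and reports entries whose source is a fixed subnet. The config text, ACL numbers and names are constructed sample data.

```python
"""
Added example (not from the RUCKUS documentation): lint the ACLs in an ICX
running-config excerpt against the dynamic-ACL prerequisites.  The config
text below is constructed sample data, as is the RADIUS-returned value.
"""
from dataclasses import dataclass

# Constructed sample of the relevant lines from a running-config.
SAMPLE_CONFIG = """\
vlan 20 name auth-default-vlan
access-list 100 permit ip any any
access-list 101 permit ip any 10.10.0.0 0.0.255.255
access-list 101 deny ip any any
access-list 102 permit ip 192.168.1.0 0.0.0.255 any
ip access-list extended guest-acl
 permit ip any host 10.20.30.40
 deny ip any any
"""


@dataclass
class AclEntry:
    action: str  # "permit" or "deny"
    proto: str   # e.g. "ip"
    src: str     # normalised: "any", "host A.B.C.D", or "A.B.C.D wildcard"
    dst: str     # same normalisation as src


def _take_addr(tokens, i):
    """Consume one address specification starting at tokens[i]."""
    if i >= len(tokens):
        raise ValueError("truncated ACL entry: " + " ".join(tokens))
    if tokens[i] == "any":
        return "any", i + 1
    if tokens[i] == "host":
        return f"host {tokens[i + 1]}", i + 2
    # address followed by wildcard mask
    return f"{tokens[i]} {tokens[i + 1]}", i + 2


def parse_acls(config_text):
    """Map each ACL id (number or name) to its list of AclEntry objects.

    Handles numbered entries ("access-list N ...") and indented entries
    under "ip access-list extended NAME".  Other config lines are ignored.
    """
    acls = {}
    current = None
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        tokens = line.split()
        if tokens[0] == "access-list" and len(tokens) > 2:
            current = tokens[1]
            acls.setdefault(current, [])
            tokens = tokens[2:]
        elif tokens[:3] == ["ip", "access-list", "extended"] and len(tokens) == 4:
            current = tokens[3]
            acls.setdefault(current, [])
            continue
        elif raw.startswith(" ") and current is not None:
            pass  # indented entry belonging to the named ACL above
        else:
            current = None  # unrelated config line ends any named ACL
            continue
        if len(tokens) < 4 or tokens[0] not in ("permit", "deny"):
            continue  # remarks and other non-entry lines
        action, proto = tokens[0], tokens[1]
        src, i = _take_addr(tokens, 2)
        dst, _ = _take_addr(tokens, i)
        acls[current].append(AclEntry(action, proto, src, dst))
    return acls


def source_ok(entry):
    """The page's rule: source must be "any" or a single client host."""
    return entry.src == "any" or entry.src.startswith("host ")


def check_dynamic_acl(config_text, radius_acl_id):
    """Return (ok, messages) for the ACL id a RADIUS server would return.

    ok is False when the ACL is not preconfigured (the device cannot apply
    it) or when any entry uses a fixed source network.
    """
    acls = parse_acls(config_text)
    if radius_acl_id not in acls:
        return False, [f"ACL '{radius_acl_id}' is not preconfigured on the device"]
    messages = []
    for n, e in enumerate(acls[radius_acl_id], 1):
        if not source_ok(e):
            messages.append(
                f"entry {n} of ACL '{radius_acl_id}' uses source '{e.src}'; "
                "use 'any' or the client's host address"
            )
    return not messages, messages


if __name__ == "__main__":
    for acl_id in ("100", "102", "guest-acl", "200"):
        print(acl_id, check_dynamic_acl(SAMPLE_CONFIG, acl_id))
```

Run against the sample, ACL 100 and guest-acl pass, ACL 102 is flagged because its source is a fixed subnet, and ACL 200 is reported as not preconfigured. In practice the config text comes from `show running-config` and the identifier from the RADIUS server's attribute for the user.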

  • If any of the clients need to be statically authenticated or denied access, the MAC addresses of such clients can be configured through MAC filters and applied on authentication-enabled ports as authentication filters.
    device(config)# mac filter 1 { permit | deny } xxxx.xxxx.xxxx FFFF.FFFF.FFFF any