Shared knowledge makes for a stronger ecosystem, and with this in mind, I’m going to show you how to set up the Cumulus Linux (CL) 3.7.5 campus feature, Multi-Domain Authentication, in a 6-part blog series.

We’ll cover it all: Wired 802.1X using Aruba ClearPass (this post), Wired MAC Authentication using Aruba ClearPass, Multi-Domain Authentication using Aruba ClearPass, Wired 802.1X using Cisco ISE, Wired MAC Authentication using Cisco ISE, and Multi-Domain Authentication using Cisco ISE.

The first guide I’ll be sharing is how to enable wired 802.1X authentication in Cumulus Linux 3.7.5+ using Aruba ClearPass 6.7.x.

Keep in mind that this step-by-step guide assumes that you have already performed an initial setup of Aruba ClearPass.

Aruba ClearPass Configuration:

1. Add the Cumulus Switch to ClearPass

First, we are going to add this specific Cumulus Networks switch to ClearPass as a network device (NAD). Go to the following:

Configuration > Network > Devices. Click “+Add” in the top right-hand corner

Fill in the Name (mine is “Cumulus OOB SW”), IP Address, Description, and Shared Secret. The IP Address must be the address the switch sources its RADIUS requests from, which is the client-source-ip set in the Cumulus section below. The Shared Secret must be the same string configured on the switch in that section (“cumulus11” in this walkthrough); it authenticates every RADIUS exchange between the switch and ClearPass, so outside of a lab use a long, unique secret per device. For simplicity’s sake, set the “Vendor Name” to “Cisco.”

2. Adding the Cumulus Switch to a Device Group

Configuration > Network > Device Groups. Click “+Add” in the top right-hand corner

Give the group a name; I named mine “Cumulus-Switches”, which is what the 802.1X service in step 5 will match on. Then move “Cumulus OOB SW” from the left-hand “Available Devices” column over to the “Selected Devices” column.

Click the “Save” button.

All future Cumulus switches can be added to this Device Group and will inherit all of the upcoming configuration elements.

3. Add a Dynamic VLAN Enforcement Profile

Configuration > Enforcement > Profiles. Click “+Add” in the top right-hand corner

On the “Profile” tab, select “VLAN Enforcement” from the “Template” drop-down and give the profile a name; mine is “PoC – Cumulus Dynamic VLAN 17”, which the enforcement policy in step 4 will reference.

On the “Attributes” tab, click the “Enter VLAN” text and enter the numeric ID of a VLAN that exists on the switch. The template sends this value as the Radius:IETF Tunnel-Private-Group-Id attribute, together with Tunnel-Type = VLAN and Tunnel-Medium-Type = IEEE-802, which is how RFC 3580 carries a VLAN assignment to the switch.

Here, I added the value “17” as the “Tunnel-Private-Group-Id:”

4. Add an Enforcement Policy

Configuration > Enforcement > Policies. Click “+Add” in the top right-hand corner

Give the policy a name (I used “PoC – Cumulus 802.1X Wired Enforcement Policy”, which the service in step 5 will reference) and select “RADIUS” as the “Enforcement Type.”

Select “[Deny Access Profile]” as the “Default Profile” from the drop-down menu. This is what makes the policy fail closed: any request that reaches it without matching one of the rules below is rejected rather than let onto the network.

On the “Rules” tab, we are going to create a generic allow-all rule for authenticated users that applies the Dynamic VLAN profile.

Set the following:

  • Type = “Tips”
  • Name = “Role”
  • Operator = “EQUALS”
  • Value = “[User Authenticated]”

“[User Authenticated]” is the built-in role ClearPass assigns to any session whose authentication succeeded, so this rule matches every user who passed EAP against the configured authentication source.

Under the “Profile Names”, select the “PoC – Cumulus Dynamic VLAN 17” profile that was created in the previous step.

Click the “Save” button in the bottom right-hand corner to add the rule.

The Enforcement Policy should now show that single rule with the deny default. Click the “Save” button in the bottom right-hand corner to continue.

5. Adding a wired 802.1X Service

Configuration > Services. Click “+Add” in the top right-hand corner

Set the following:

  • Type Dropdown = “802.1X Wired”
  • Name = “PoC – Cumulus Wired 802.1x”

Under the “Service Rules”, add the following:

  • Type = “Connection”
  • Name = “NAD-IP-Address”
  • Operator = “BELONGS_TO_GROUP”
  • Value = “Cumulus-Switches”

The “Value” is the name of the Device Group that was added in Step #2 above, so only RADIUS requests arriving from a switch in that group are classified into this service.

On the “Authentication” tab, add the appropriate “Authentication Methods” and “Authentication Sources.” In my example, I am using Active Directory as an Authentication Source, with EAP-PEAP/MSCHAPv2 and EAP-TLS as the available methods.

On the “Enforcement” tab, select the “PoC – Cumulus 802.1X Wired Enforcement Policy” that was created in step #4.

Click the “Save” button in the bottom right-hand corner.

Cumulus Linux wired 802.1X setup:

1. Choosing a test interface

I am going to be using “swp11” to test wired 802.1X:

net add interface swp11
net commit

2. Enabling dot1x on swp11

Here are the NCLU commands I entered to configure dot1x. The RADIUS server and source addresses are shown as placeholders in angle brackets: substitute the ClearPass server’s IP and the switch address you entered in ClearPass step #1. In this lab the server is reached through the mgmt VRF, and the shared secret must be the same string entered in ClearPass step #1:

net add dot1x radius server-ip <ClearPass-IP> vrf mgmt
net add dot1x radius client-source-ip <switch-IP>
net add dot1x radius shared-secret cumulus11
net add dot1x send-eap-request-id
net add dot1x dynamic-vlan
net add bridge bridge ports swp11
net add interface swp11 dot1x
net commit

The “dynamic-vlan” line is what lets the switch honour the Tunnel-Private-Group-Id that ClearPass returns; without it the VLAN attribute is ignored and an authenticated port stays in its statically configured VLAN.

3. Modify the hostapd.conf file

The next step is to change the bottom two values in the /etc/hostapd.conf file from “=1” to “=0”

Restart the hostapd.service after making the above changes with the following command:

sudo systemctl restart hostapd.service

Keep in mind that restarting hostapd drops the state of every 802.1X session on the switch, so already-authenticated ports will have to re-authenticate; on a production switch, plan this for a maintenance window.

Verification and Troubleshooting

Plug an 802.1X-enabled laptop into port swp11.

On my laptop, I see that the wired interface has successfully authenticated and is in the subnet that corresponds to VLAN 17.

On the Cumulus switch, the following command will show the status of the swp11 interface:

net show dot1x interface swp11

This lines up with the laptop output: the machine is authenticating using EAP-TLS and is on VLAN 17.

Adding the “details” keyword provides more information about the connected device:

net show dot1x interface swp11 details

Notice that the “Status Flags” report that this connection is using a “[DYNAMIC VLAN]”, which is being sent from the ClearPass server.

Aruba ClearPass also provides a view of the 802.1x connection through the Access Tracker:

Monitoring > Live Monitoring > Access Tracker

In the above example, I am filtering on “Cumulus”

Clicking on the top entry within Access Tracker opens the “Request Details” window:

  1. Service – The request is hitting the “PoC – Cumulus Wired 802.1x” service that we created in ClearPass step #5
  2. Authentication Method – ClearPass reports EAP-TLS, which matches what the laptop is offering and what the Cumulus switch reports
  3. Enforcement Profiles – This request is sending the “PoC – Cumulus Dynamic VLAN 17” profile down to the Cumulus switch

Let’s examine the Enforcement Profile by clicking on the “Output” tab in “Request Details”:

  1. Enforcement Profile – We are sending the Dynamic VLAN 17 profile that we created in ClearPass step #3
  2. Radius:IETF: Tunnel-Private-Group-Id – We are sending VLAN value “17” down to the Cumulus switch as a Dynamic VLAN. Per RFC 3580 this attribute only means something alongside Tunnel-Type = VLAN and Tunnel-Medium-Type = IEEE-802, and the ClearPass VLAN Enforcement template sends all three.
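The Tunnel attributes shown in the Output tab are what the switch acts on, and the shared secret from the NCLU section is what lets it trust them: a RADIUS NAS recomputes the Response Authenticator over the Access-Accept with the shared secret and must silently discard the packet if it does not match, so a mismatched secret between ClearPass step #1 and the Cumulus config means the switch never honours the VLAN ClearPass thinks it assigned. The following is an added example of my own, not code from Cumulus Linux, hostapd or ClearPass: it builds a constructed Access-Accept carrying Tunnel-Type = VLAN, Tunnel-Medium-Type = IEEE-802 and Tunnel-Private-Group-Id = “17”, then validates it the way the switch side must and extracts the VLAN ID. The secret “cumulus11” and the fixed Request Authenticator are sample values, not taken from a real exchange.

```python
import hashlib
import hmac
import struct

# RADIUS code and the IETF attributes that carry a dynamic VLAN (RFC 2865, RFC 2868, RFC 3580).
ACCESS_ACCEPT = 2
ATTR_TUNNEL_TYPE = 64
ATTR_TUNNEL_MEDIUM_TYPE = 65
ATTR_TUNNEL_PRIVATE_GROUP_ID = 81
TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_IEEE_802 = 6


def _tagged_int(value, tag):
    # RFC 2868 tagged integer: one tag byte followed by a 3-byte big-endian value.
    return bytes([tag]) + value.to_bytes(3, "big")


def _strip_tag(value):
    # A leading byte in 0x00..0x1F is a tag; anything larger is data (RFC 2868 section 3.1).
    return value[1:] if value and value[0] <= 0x1F else value


def encode_attrs(attrs):
    """Encode (type, value) pairs as RADIUS attribute TLVs."""
    out = b""
    for attr_type, value in attrs:
        if len(value) > 253:
            raise ValueError("attribute value too long")
        out += struct.pack("!BB", attr_type, len(value) + 2) + value
    return out


def decode_attrs(data):
    """Decode RADIUS attribute TLVs, rejecting truncated or zero-length ones."""
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        attr_type, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute length")
        attrs.append((attr_type, data[i + 2:i + length]))
        i += length
    return attrs


def response_authenticator(code, ident, attrs, request_auth, secret):
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret); MD5 is mandated by RFC 2865, not chosen here."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def build_access_accept(ident, request_auth, secret, vlan_id, tag=0):
    """Build the Access-Accept a VLAN Enforcement profile produces (server side of the exchange)."""
    group_id = str(vlan_id).encode()
    if tag:
        group_id = bytes([tag]) + group_id
    attrs = encode_attrs([
        (ATTR_TUNNEL_TYPE, _tagged_int(TUNNEL_TYPE_VLAN, tag)),
        (ATTR_TUNNEL_MEDIUM_TYPE, _tagged_int(TUNNEL_MEDIUM_IEEE_802, tag)),
        (ATTR_TUNNEL_PRIVATE_GROUP_ID, group_id),
    ])
    auth = response_authenticator(ACCESS_ACCEPT, ident, attrs, request_auth, secret)
    return struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs)) + auth + attrs


def dynamic_vlan_from_accept(packet, request_auth, secret):
    """Validate an Access-Accept as a NAS must, then return the VLAN it assigns (None if no usable VLAN)."""
    if len(packet) < 20:
        raise ValueError("packet shorter than RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_ACCEPT or length != len(packet):
        raise ValueError("not a well-formed Access-Accept")
    auth, attrs_raw = packet[4:20], packet[20:]
    expected = response_authenticator(code, ident, attrs_raw, request_auth, secret)
    # A wrong shared secret, or a spoofed reply, fails here and the NAS silently discards the packet.
    if not hmac.compare_digest(auth, expected):
        raise ValueError("Response Authenticator mismatch: shared secret differs or reply is forged")
    tunnel_type = medium = group = None
    for attr_type, value in decode_attrs(attrs_raw):
        if attr_type == ATTR_TUNNEL_TYPE:
            tunnel_type = int.from_bytes(_strip_tag(value), "big")
        elif attr_type == ATTR_TUNNEL_MEDIUM_TYPE:
            medium = int.from_bytes(_strip_tag(value), "big")
        elif attr_type == ATTR_TUNNEL_PRIVATE_GROUP_ID:
            group = _strip_tag(value)
    # RFC 3580: all three must be present and describe an 802 VLAN; the group ID must be a numeric VLAN ID.
    if tunnel_type != TUNNEL_TYPE_VLAN or medium != TUNNEL_MEDIUM_IEEE_802 or group is None:
        return None
    if not group.isdigit() or not 1 <= int(group) <= 4094:
        return None
    return int(group)


# Constructed sample values: the lab shared secret from the NCLU section and a fixed Request Authenticator.
SAMPLE_SECRET = b"cumulus11"
SAMPLE_REQUEST_AUTH = bytes(range(16))
SAMPLE_ACCEPT = build_access_accept(7, SAMPLE_REQUEST_AUTH, SAMPLE_SECRET, 17)

if __name__ == "__main__":
    print("assigned VLAN:", dynamic_vlan_from_accept(SAMPLE_ACCEPT, SAMPLE_REQUEST_AUTH, SAMPLE_SECRET))
```

Run as-is it prints the VLAN recovered from the constructed packet (17). Calling dynamic_vlan_from_accept with a different secret raises, which is the packet-level view of a switch/ClearPass secret mismatch, and a Tunnel-Private-Group-Id that is a VLAN name rather than a number yields None, in line with the numeric-ID requirement in ClearPass step #3.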

For further 802.1X troubleshooting, the Cumulus Linux 802.1X Interfaces documentation page is an invaluable resource.

In the next blog, I’ll cover Wired MAC Authentication using Aruba ClearPass. In the meantime, take a look at some of the other tutorials we offer engineers where you can learn basic open networking commands and configurations, all the way up to advanced configurations. Our how-to videos are a great place to start.