Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 
 

AAA Servers (Datacenter Blueprint)

AAA Servers Overview

AAA servers are used with interface policies. AAA servers include the following details:

Parameter Description
Label To identify the AAA server
Server Type
  • RADIUS 802.1x - If an 802.1x policy is bound to at least one interface on a switch, all defined AAA RADIUS 802.1x servers will be added to that switch. The server is not rendered unless it is needed.
  • RADIUS COA (Change of Authorization) - Used by switches to enable Dynamic Authorization Server (DAS) requests from RADIUS servers. This enables the switch to 'trust' the given RADIUS server to do dynamic VLAN assignment after authentication instead of during auth. All RADIUS COA implementations are hard-coded to auth port 3799.
Hostname  
Auth Ports  
Accounting Port optional

From the blueprint, navigate to Staged > Catalog > AAA Servers to go to the AAA servers catalog. You can create, clone, edit, and delete AAA servers.

Create AAA Server

  1. From the blueprint, navigate to Staged > Catalog > AAA Servers and click Create AAA Server.
  2. Enter a label, select the server type (RADIUS 802.1x, RADIUS COA), enter a hostname, key, auth port, and (optional) accounting port.
  3. Click Create to stage the server and return to the table view.

Edit AAA Server

  1. From the blueprint, navigate to Staged > Catalog > AAA Servers and click the Edit button for the AAA server to edit.
  2. Make your changes, then click Update to stage the update and return to the table view.

Delete AAA Server

  1. From the blueprint, navigate to Staged > Catalog > AAA Servers and click the Delete button for the AAA server to delete.
  2. Click Delete to stage the deletion and return to the table view.

AAA RADIUS Server Configuration Tasks

AAA RADIUS server configuration tasks are external to Apstra software. The example below shows the files to configure for FreeRADIUS.

/etc/freeradius/clients.conf -- has credentials for each switch

/etc/freeradius/users -- has users and MAC addresses to authenticate. Tunnel-Private-Group-Id shows a dynamic VLAN ID, which is optional.

Although this example shows a simple credential, actual implementations may use any EAP method that both the client and RADIUS server support.

Client Supplicant Configuration Tasks

Client supplicant configuration tasks are external to Apstra software. The following is an example for wpa_supplicant.

/etc/wpa_supplicant/aos_wpa_supplicant.conf