Ethernet

Ethernet is a data-link layer protocol used to interconnect computers. Ethernet interfaces connect network devices with little effort, since no complex configuration is required.

The operational command interfaces ethernet <value> show displays miscellaneous information about an Ethernet interface. In particular, interfaces ethernet <value> show physical lists the hardware details of the interface, including supported link modes, speed, duplex and so on.

Example:

admin@osdx$ interfaces ethernet eth1 show physical
Settings for eth1:
        Supported ports: [ TP    MII     FIBRE ]
        Supported link modes:   10baseT/Half 10baseT/Full
                                100baseT/Half 100baseT/Full
                                1000baseT/Full
                                1000baseX/Full
        Supported pause frame use: Symmetric Receive-only
        Supports auto-negotiation: Yes
        Supported FEC modes: Not reported
        Advertised link modes:  10baseT/Half 10baseT/Full
                                100baseT/Half 100baseT/Full
                                1000baseT/Full
                                1000baseX/Full
        Advertised pause frame use: Symmetric Receive-only
        Advertised auto-negotiation: Yes
        Advertised FEC modes: Not reported
        Link partner advertised link modes:  10baseT/Half 10baseT/Full
                                            100baseT/Half 100baseT/Full
                                            1000baseT/Full
        Link partner advertised pause frame use: No
        Link partner advertised auto-negotiation: Yes
        Link partner advertised FEC modes: Not reported
        Speed: 1000Mb/s
        Duplex: Full
        Auto-negotiation: on
        master-slave cfg: preferred slave
        master-slave status: slave
        Port: Twisted Pair
        PHYAD: 5
        Transceiver: external
        MDI-X: Unknown
        Supports Wake-on: d
        Wake-on: d
        Current message level: 0x00007fff (32767)
                              drv probe link timer ifdown ifup rx_err tx_err tx_queued intr tx_done rx_status pktdata hw wol
        Link detected: yes
driver: fsl_dpa
version: 6.1.55
firmware-version: 0
expansion-rom-version:
bus-info: soc:fsl,dpaa
supports-statistics: yes
supports-test: no
supports-eeprom-access: no
supports-register-dump: no
supports-priv-flags: no

The operational command interfaces ethernet <value> show statistics prints driver-level statistics for the interface.

Example:

admin@osdx$ interfaces ethernet eth1 show statistics | grep frames
  rx valid pause frames: 0
  rx unicast frames: 0
  rx multicast frames: 57726
  rx broadcast frames: 0
  rx total frames: 57726
  tx valid pause frames: 0
  tx unicast frames: 0
  tx multicast frames: 7
  tx broadcast frames: 0
  tx total frames: 7
  bmi rx frames: 18
  bmi rx bad frames: 0
  bmi rx large frames: 0
  bmi rx filter frames: 0
  bmi rx frames list dma errors: 0
  bmi tx frames: 7
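Both outputs above are plain "key: value" text, so they are easy to collect periodically and compare. The following script is an added example, not part of the OSDx documentation or product: it parses that format, keeps the numeric counters, computes the increase between two samples and raises alerts for a down link, a non-full-duplex link, or error counters that grow. The two statistics samples and the physical excerpt are constructed from the output shown above; the list of counters treated as errors is an assumption based on their names.

```python
import re

# Constructed samples, modelled on the `show statistics` output above (two polls of the same port).
SAMPLE_T0 = """\
  rx valid pause frames: 0
  rx unicast frames: 0
  rx multicast frames: 57726
  rx broadcast frames: 0
  rx total frames: 57726
  bmi rx frames: 18
  bmi rx bad frames: 0
  bmi rx frames list dma errors: 0
  bmi tx frames: 7
"""
SAMPLE_T1 = """\
  rx valid pause frames: 0
  rx unicast frames: 0
  rx multicast frames: 58001
  rx broadcast frames: 0
  rx total frames: 58001
  bmi rx frames: 18
  bmi rx bad frames: 4
  bmi rx frames list dma errors: 0
  bmi tx frames: 9
"""

# Constructed excerpt of `show physical`; only the single-line "key: value" fields are used.
SAMPLE_PHYSICAL = """\
Settings for eth1:
        Speed: 1000Mb/s
        Duplex: Full
        Auto-negotiation: on
        Link detected: yes
"""

_KV = re.compile(r"^\s*([^:]+?):\s*(.*?)\s*$")


def parse_kv(text):
    """Parse 'key: value' lines into a dict; lines without a colon are skipped."""
    fields = {}
    for line in text.splitlines():
        m = _KV.match(line)
        if m:
            fields[m.group(1)] = m.group(2)
    return fields


def parse_counters(text):
    """Keep only the numeric counters of the statistics output, as ints."""
    return {k: int(v) for k, v in parse_kv(text).items() if v.isdigit()}


# Counters that should not grow on a healthy link (assumption derived from the counter names).
ERROR_COUNTERS = ("bmi rx bad frames", "bmi rx large frames", "bmi rx frames list dma errors")


def counter_deltas(before, after):
    """Per-counter increase between two samples; a decrease is reported as a reset (None)."""
    deltas = {}
    for name, new in after.items():
        old = before.get(name, 0)
        deltas[name] = new - old if new >= old else None
    return deltas


def link_alerts(physical_text, stats_before, stats_after):
    """Return human-readable alerts: link down, duplex not Full, or rising/reset error counters."""
    alerts = []
    phy = parse_kv(physical_text)
    if phy.get("Link detected") != "yes":
        alerts.append("link is down")
    if phy.get("Duplex") != "Full":
        alerts.append(f"duplex is {phy.get('Duplex', 'unknown')}, expected Full")
    deltas = counter_deltas(parse_counters(stats_before), parse_counters(stats_after))
    for name in ERROR_COUNTERS:
        if name not in deltas:
            continue
        if deltas[name] is None:
            alerts.append(f"{name}: counter reset")
        elif deltas[name]:
            alerts.append(f"{name}: +{deltas[name]}")
    return alerts


if __name__ == "__main__":
    for alert in link_alerts(SAMPLE_PHYSICAL, SAMPLE_T0, SAMPLE_T1):
        print(alert)
```

Run against the two constructed samples, the only alert is the four new bad frames; the multicast and tx counters grew as well, but they are ordinary traffic and are not in the watch list.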

Port-Based Network Authentication

OSDx supports two port-based network authentication mechanisms for Ethernet interfaces:

  • IEEE 802.1X: An IEEE standard for port-based network access control (PNAC) that belongs to the IEEE 802.1 group of networking protocols. It provides an authentication mechanism based on EAP (Extensible Authentication Protocol) for devices that wish to connect to a LAN or WLAN.

  • MAB (MAC Authentication Bypass): An authentication mechanism that uses a device’s MAC address as its identity. MAB is typically used for devices that do not support 802.1X authentication, such as printers, IP cameras, or legacy equipment.

Both authentication mechanisms involve three parties: a supplicant (client device), an authenticator (network device that controls access), and an authentication server (typically a RADIUS server). In OSDx, both the supplicant and the authenticator endpoints can be configured on Ethernet interfaces.

The authentication server is a trusted server that receives and responds to requests for network access and tells the authenticator whether the connection should be allowed.

Warning

802.1X/MAB authentication modes can only be used in point-to-point (P2P) connections, where the supplicant is directly connected to the authenticator without an intermediate switch.

Supplicant

The supplicant is a client device that wishes to connect to the LAN. While the supplicant is the device requesting network access, the authenticator controls whether access is granted or denied.

In OSDx, an Ethernet supplicant endpoint can be configured for 802.1X authentication by entering the following commands:

set interfaces ethernet <ethX> supplicant username <name>
set interfaces ethernet <ethX> supplicant password <password>

Here, you can find more examples.

Authenticator

The authenticator is a network device that provides a data link between the client and the network, allowing or blocking network traffic between the two. OSDx supports both 802.1X and MAB authentication mechanisms, which can be used independently or in combination.

Here, you can find comprehensive examples.

802.1X Authentication

802.1X authentication can be configured via AAA lists, which allow integration with RADIUS servers for centralized authentication:

set interfaces ethernet <ethX> authenticator aaa authentication <AAA list>
set interfaces ethernet <ethX> authenticator aaa accounting <AAA list>
set system aaa list <AAA list> method <priority> group radius <GROUP name>
set system aaa group radius <GROUP name> server <RAD server>
set system aaa server radius <RAD server> address <ip>
set system aaa server radius <RAD server> key <key>

Here you can find more information about AAA configuration.

The device itself may also act as a local EAP server. This can be configured by entering the following commands:

set interfaces ethernet <ethX> authenticator 802.1x eap-server username <name> password <password>
set interfaces ethernet <ethX> authenticator 802.1x eap-server x509 ca-cert <file>
set interfaces ethernet <ethX> authenticator 802.1x eap-server x509 dh-param <file>
set interfaces ethernet <ethX> authenticator 802.1x eap-server x509 server-cert <file>
set interfaces ethernet <ethX> authenticator 802.1x eap-server x509 server-key <file>
set system aaa list <AAA list> method <priority> local

Note

The local EAP server only supports the PEAP-MSCHAPv2 authentication protocol.

Configuring a local method with lower priority than the remote server is useful in scenarios where the authentication server might not be accessible. Supplicants can then authenticate against the authenticator's local database (failover mechanism). Once the remote server becomes available again, authentication is performed using RADIUS again.

Here, you can find some EAP-Server 802.1X examples.

The maximum number of EAP retransmissions can be configured to control how many times the authenticator will retry sending EAP requests before timing out:

set interfaces ethernet <ethX> authenticator 802.1x max-retransmissions <1-10>

MAB Authentication

MAB (MAC Authentication Bypass) provides an alternative authentication mechanism for devices that do not support 802.1X. When MAB is enabled, the authenticator uses the supplicant’s MAC address as its identity to authenticate against the AAA server.

MAB authentication is particularly useful for:

  • Legacy devices that do not support 802.1X (printers, IP cameras, etc.)

  • IoT devices with limited authentication capabilities

  • Situations where you want to quickly onboard devices based on their MAC addresses

To configure MAB with RADIUS authentication, use the same AAA configuration as for 802.1X:

set interfaces ethernet <ethX> authenticator aaa authentication <AAA list>
set interfaces ethernet <ethX> authenticator aaa accounting <AAA list>

When using MAB, the device’s MAC address is sent as the username to the RADIUS server. You can configure a timeout value that determines how long the authenticator will wait before triggering MAB authentication:

set interfaces ethernet <ethX> authenticator mab timeout <1-300>

The timeout value is specified in seconds. A shorter timeout results in faster MAB authentication, while a longer timeout provides more time for 802.1X authentication to complete (useful when MAB is configured as a fallback mechanism).

Local MAC Address Database

For scenarios where RADIUS is not available or desired, you can configure a local MAC address database. This allows the authenticator to authenticate devices based on a pre-configured list of MAC addresses:

set interfaces ethernet <ethX> authenticator mab local-mac <macaddr> identity <id>
set system aaa list <AAA list> method <priority> local

The optional identity parameter can be used to associate a descriptive name with the MAC address for logging and accounting purposes.

Similar to 802.1X, you can configure local authentication as a failover mechanism by assigning it a lower priority than RADIUS in the AAA list.

Here, you can find specific examples about MAB.

Authentication Modes

OSDx supports four authentication modes that control how 802.1X and MAB are used:

  • only-802.1x: Only 802.1X authentication is performed. If 802.1X authentication fails, the supplicant is not authenticated.

  • only-MAB: Only MAB authentication is performed using the supplicant’s MAC address. 802.1X is not attempted.

  • 802.1x-MAB: 802.1X authentication is attempted first. If 802.1X fails or times out, MAB is used as a fallback mechanism.

  • MAB-802.1x: MAB authentication is attempted first. If MAB fails, 802.1X authentication is used as a fallback mechanism.

The authentication mode is configured using:

set interfaces ethernet <ethX> authenticator mode <only-802.1x / only-MAB / 802.1x-MAB / MAB-802.1x>

If no mode is explicitly configured, only-802.1x is used by default.

Here, you can find examples for each authentication mode.

Common Configuration

Several configuration options apply to both 802.1X and MAB authentication:

Quiet Period

When authentication fails, the authenticator can be configured to wait for a specified period before attempting to re-authenticate the supplicant. This prevents rapid authentication retry loops:

set interfaces ethernet <ethX> authenticator quiet-period <0-3600>

The value is specified in seconds. A value of 0 disables the quiet period, meaning re-authentication will be attempted immediately after failure.

Here you can find more examples for quiet-period configuration.

Re-authentication Period

Re-authentication is enabled by default and automatically performed every hour. However, it can be customized using the following command:

set interfaces ethernet <ethX> authenticator reauth-period <15-86400>

The value is specified in seconds. The special value 0 disables re-authentication entirely:

set interfaces ethernet <ethX> authenticator reauth-period 0
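The following script is an added example and not part of OSDx: it models, in a few dozen lines, how the four authentication modes, the MAB timeout, the quiet period, the re-authentication period and an AAA list with RADIUS-then-local failover combine to decide whether a supplicant is authorized. The supplicants, user database and timer values are constructed; the MAB credential being the MAC address, and the wait for a silent device being equal to the MAB timeout, are assumptions of the model rather than statements from the documentation. The one behaviour worth noticing is in aaa_check: the local method is consulted only when RADIUS is unreachable, never when RADIUS rejects, so the failover path cannot be used to get around an Access-Reject.

```python
from dataclasses import dataclass, field

# Method order for each `authenticator mode` value, as listed in the documentation.
MODES = {
    "only-802.1x": ["802.1x"],
    "only-MAB": ["mab"],
    "802.1x-MAB": ["802.1x", "mab"],
    "MAB-802.1x": ["mab", "802.1x"],
}


class RadiusUnreachable(Exception):
    """The RADIUS group did not answer at all; distinct from an Access-Reject."""


def radius_method(users, reachable=True):
    """Constructed stand-in for `method <n> group radius`; users maps identity -> credential."""
    def check(identity, credential):
        if not reachable:
            raise RadiusUnreachable(identity)
        return users.get(identity) == credential
    return check


def local_method(eap_users, local_macs):
    """Constructed stand-in for `method <n> local`: local EAP users plus `mab local-mac` entries."""
    def check(identity, credential):
        return eap_users.get(identity) == credential or identity in local_macs
    return check


@dataclass
class Authenticator:
    mode: str = "only-802.1x"      # documented default
    mab_timeout: int = 30          # seconds waited for EAP before MAB (assumed value)
    quiet_period: int = 60         # seconds between attempts after a failure
    reauth_period: int = 3600      # 0 disables re-authentication
    aaa_methods: list = field(default_factory=list)   # AAA list in priority order

    def aaa_check(self, identity, credential):
        """Walk the AAA list; fall through to the next method only when the current one is
        unreachable, never when it rejects."""
        for method in self.aaa_methods:
            try:
                return method(identity, credential)
            except RadiusUnreachable:
                continue
        return False

    def try_8021x(self, supplicant):
        """A device that never answers EAP times out; the wait is modelled with the MAB timeout."""
        if supplicant.get("eap_identity") is None:
            return False, self.mab_timeout
        ok = self.aaa_check(supplicant["eap_identity"], supplicant.get("eap_password"))
        return ok, 1

    def try_mab(self, supplicant):
        """MAB sends the MAC address as the username; the password is modelled as the MAC too."""
        mac = supplicant["mac"]
        return self.aaa_check(mac, mac), 1

    def authenticate(self, supplicant):
        elapsed = 0
        for method in MODES[self.mode]:
            attempt = self.try_8021x if method == "802.1x" else self.try_mab
            ok, took = attempt(supplicant)
            elapsed += took
            if ok:
                return {"authorized": True, "method": method, "elapsed": elapsed,
                        "next_reauth": self.reauth_period or None}
        return {"authorized": False, "method": None, "elapsed": elapsed,
                "retry_after": self.quiet_period}


# Constructed supplicants: a printer without an 802.1X stack and a laptop with EAP credentials.
PRINTER = {"mac": "00:11:22:33:44:55", "eap_identity": None}
LAPTOP = {"mac": "aa:bb:cc:dd:ee:ff", "eap_identity": "alice", "eap_password": "pw1"}
RADIUS_USERS = {"alice": "pw1", "00:11:22:33:44:55": "00:11:22:33:44:55"}

if __name__ == "__main__":
    for mode in MODES:
        auth = Authenticator(mode=mode, aaa_methods=[radius_method(RADIUS_USERS)])
        print(mode, auth.authenticate(PRINTER), auth.authenticate(LAPTOP))
```

With the constructed data, only-802.1x leaves the printer unauthorized and schedules a retry after the quiet period, 802.1x-MAB authorizes it through MAB after waiting out the MAB timeout, and MAB-802.1x authorizes the laptop through 802.1X after its MAC lookup fails.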

Here you can find more examples for reauth-period configuration.

Logging Level

The logging event level for authentication events can be configured to control the verbosity of authentication-related log messages:

set interfaces ethernet <ethX> authenticator log-level <warning / notice / info / debug>

Level notice is configured by default. Use debug for detailed troubleshooting of authentication issues.

AAA Configuration

Both 802.1X and MAB authentication rely on AAA (Authentication, Authorization, and Accounting) configuration to integrate with RADIUS servers or use local authentication.

Basic AAA configuration for authenticator:

set interfaces ethernet <ethX> authenticator aaa authentication <AAA list>
set interfaces ethernet <ethX> authenticator aaa accounting <AAA list>
set system aaa list <AAA list> method <priority> group radius <GROUP name>
set system aaa group radius <GROUP name> server <RAD server>
set system aaa server radius <RAD server> address <ip>
set system aaa server radius <RAD server> key <key>

The AAA list can include multiple methods with different priorities, allowing for failover scenarios. For example, you can configure RADIUS as the primary method and local authentication as the backup.

Here you can find more information about AAA configuration.

Authorization with ACLs

Both 802.1X and MAB support authorization using ACLs (Access Control Lists). There are two ways to do this:

  • Define one or more traffic policies and use aliases to reference them through the RADIUS Filter-ID attribute (see RFC 2865, Section 5.11).

  • Send the ACL definition directly using the RADIUS NAS-Filter-Rule attribute (see RFC 4849).

The first option requires the following configuration commands:

set interfaces ethernet <ethX> authenticator aaa authorization acl-alias <RADIUS_alias> direction <in / out / both>
set interfaces ethernet <ethX> authenticator aaa authorization acl-alias <RADIUS_alias> priority <very-high / high / low / very-low>
set interfaces ethernet <ethX> authenticator aaa authorization acl-alias <RADIUS_alias> traffic-policy <traffic-policy>

Here you can find more information about traffic policies.

Change of Authorization (CoA)

CoA (Change of Authorization) can be enabled to allow the RADIUS server to dynamically change the authorization state of authenticated sessions. CoA is supported for both 802.1X and MAB authenticated supplicants.

The following parameters can be configured:

set interfaces ethernet <ethX> authenticator coa client <ip>
set interfaces ethernet <ethX> authenticator coa port <port>
set interfaces ethernet <ethX> authenticator coa secret <secret>

CoA messages can be used to:

  • De-authenticate users remotely

  • Change the ACLs installed for existing sessions

  • Update session parameters without requiring re-authentication

Here, you can find more CoA examples.
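The example below is added here and is not OSDx code: it shows what the authenticator side of the CoA feature and the Filter-ID alias mechanism amount to on the wire. It encodes and verifies RADIUS Disconnect-Request and CoA-Request packets as defined in RFC 5176 (Request Authenticator over the shared secret, Response Authenticator in the reply), accepts requests only from the configured CoA client address, and resolves every Filter-ID value against an alias table shaped like the acl-alias configuration above, refusing the request with an Error-Cause if an alias is not configured. The alias table, the session store and the shared secret are constructed; the handle_dynamic_auth function and its return values are an assumption of this example, not a description of how OSDx processes CoA internally.

```python
import hashlib
import hmac
import struct

# RADIUS packet codes from RFC 5176 (Dynamic Authorization Extensions)
DISCONNECT_REQUEST, DISCONNECT_ACK, DISCONNECT_NAK = 40, 41, 42
COA_REQUEST, COA_ACK, COA_NAK = 43, 44, 45
# Attribute types (RFC 2865 / RFC 5176) and Error-Cause values used here
FILTER_ID, CALLING_STATION_ID, ERROR_CAUSE = 11, 31, 101
ERR_INVALID_ATTR_VALUE, ERR_SESSION_NOT_FOUND = 407, 503


def encode_attrs(attrs):
    """attrs: list of (type, bytes) -> RADIUS TLV stream (length covers the 2 header bytes)."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def decode_attrs(data):
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        t, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute length")
        attrs.append((t, data[i + 2:i + length]))
        i += length
    return attrs


def build_request(code, ident, attrs, secret):
    """Request Authenticator = MD5(Code + ID + Length + 16 zero octets + Attributes + Secret)."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    auth = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + auth + body


def verify_request(packet, secret):
    """Check the Length field and the Request Authenticator against the shared secret."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
    return hmac.compare_digest(packet[4:20], expected)


def build_response(code, request, attrs, secret):
    """Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, request[1], 20 + len(body))
    return header + hashlib.md5(header + request[4:20] + body + secret).digest() + body


# Constructed alias table mirroring `authenticator aaa authorization acl-alias <alias> ...`
ACL_ALIASES = {
    "GUEST-ACL": {"direction": "in", "priority": "high", "traffic-policy": "guest-policy"},
    "STAFF-ACL": {"direction": "both", "priority": "low", "traffic-policy": "staff-policy"},
}


def resolve_filter_ids(attrs):
    """Map each Filter-ID value to a configured alias; an unknown alias aborts the whole request."""
    policies = []
    for t, v in attrs:
        if t == FILTER_ID:
            alias = v.decode("ascii", "replace")
            if alias not in ACL_ALIASES:
                raise KeyError(alias)
            policies.append(ACL_ALIASES[alias])
    return policies


def handle_dynamic_auth(packet, src_ip, coa_client, secret, sessions):
    """Process one CoA/Disconnect request; sessions maps MAC -> {'policies': [...]} (constructed)."""
    if src_ip != coa_client:
        return None, "dropped: not the configured coa client"
    if not verify_request(packet, secret):
        return None, "dropped: bad request authenticator"
    code = packet[0]
    attrs = decode_attrs(packet[20:])
    macs = [v.decode("ascii", "replace") for t, v in attrs if t == CALLING_STATION_ID]
    session = sessions.get(macs[0]) if macs else None
    nak = DISCONNECT_NAK if code == DISCONNECT_REQUEST else COA_NAK
    if session is None:
        err = struct.pack("!I", ERR_SESSION_NOT_FOUND)
        return build_response(nak, packet, [(ERROR_CAUSE, err)], secret), "session not found"
    if code == DISCONNECT_REQUEST:
        del sessions[macs[0]]
        return build_response(DISCONNECT_ACK, packet, [], secret), "session disconnected"
    if code == COA_REQUEST:
        try:
            session["policies"] = resolve_filter_ids(attrs)
        except KeyError as unknown:
            err = struct.pack("!I", ERR_INVALID_ATTR_VALUE)
            return build_response(COA_NAK, packet, [(ERROR_CAUSE, err)], secret), f"unknown acl alias {unknown}"
        return build_response(COA_ACK, packet, [], secret), "acl updated"
    return None, "dropped: unexpected code"
```

The two checks that run before any attribute is looked at, source address against the configured client and authenticator against the configured secret, are what the coa client and coa secret settings buy you: without them any host able to reach the CoA port could disconnect sessions or swap the ACLs applied to them.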

Operational Commands

OSDx provides several operational commands to monitor and manage authentication state:

Show Authentication Status

Display the current authentication mode and state for an interface:

interfaces ethernet <ethX> authenticator show status

This command shows whether the interface is using 802.1X or MAB and the current authentication state of the connected supplicant.

Show Authentication Statistics

Display detailed information about the authenticated supplicant, including its identity, credentials (username or MAC address), and authentication method:

interfaces ethernet <ethX> authenticator show stats

Restart Authentication

Manually restart the authentication state for an interface, forcing connected supplicants to re-authenticate:

interfaces ethernet <ethX> authenticator restart

This command is useful for testing authentication configurations or forcing re-authentication after configuration changes.

Command Summary

Configuration commands

Operational commands