======== Ethernet ======== .. sidebar:: Contents .. contents:: :depth: 3 :local: Ethernet is a data-link control layer protocol used to interconnect computers. Ethernet interfaces can connect network devices easily, since no complex configuration is required. Operational command :osdx:op:`interfaces ethernet * show` can be used to display miscellaneous information about Ethernet interfaces. In particular, command :osdx:op:`interfaces ethernet * show physical` lists the hardware details of an interface, including supported link modes, speed, duplex, etc. *Example:* .. code-block:: none admin@osdx$ interfaces ethernet eth1 show physical Settings for eth1: Supported ports: [ TP MII FIBRE ] Supported link modes: 10baseT/Half 10baseT/Full 100baseT/Half 100baseT/Full 1000baseT/Full 1000baseX/Full Supported pause frame use: Symmetric Receive-only Supports auto-negotiation: Yes Supported FEC modes: Not reported Advertised link modes: 10baseT/Half 10baseT/Full 100baseT/Half 100baseT/Full 1000baseT/Full 1000baseX/Full Advertised pause frame use: Symmetric Receive-only Advertised auto-negotiation: Yes Advertised FEC modes: Not reported Link partner advertised link modes: 10baseT/Half 10baseT/Full 100baseT/Half 100baseT/Full 1000baseT/Full Link partner advertised pause frame use: No Link partner advertised auto-negotiation: Yes Link partner advertised FEC modes: Not reported Speed: 1000Mb/s Duplex: Full Auto-negotiation: on master-slave cfg: preferred slave master-slave status: slave Port: Twisted Pair PHYAD: 5 Transceiver: external MDI-X: Unknown Supports Wake-on: d Wake-on: d Current message level: 0x00007fff (32767) drv probe link timer ifdown ifup rx_err tx_err tx_queued intr tx_done rx_status pktdata hw wol Link detected: yes driver: fsl_dpa version: 6.1.55 firmware-version: 0 expansion-rom-version: bus-info: soc:fsl,dpaa supports-statistics: yes supports-test: no supports-eeprom-access: no supports-register-dump: no supports-priv-flags: no Operational command :osdx:op:`interfaces ethernet * show statistics` outputs advanced statistics at driver level. *Example:* .. code-block:: none admin@osdx$ interfaces ethernet eth1 show statistics | grep frames rx valid pause frames: 0 rx unicast frames: 0 rx multicast frames: 57726 rx broadcast frames: 0 rx total frames: 57726 tx valid pause frames: 0 tx unicast frames: 0 tx multicast frames: 7 tx broadcast frames: 0 tx total frames: 7 bmi rx frames: 18 bmi rx bad frames: 0 bmi rx large frames: 0 bmi rx filter frames: 0 bmi rx frames list dma errors: 0 bmi tx frames: 7 Port-Based Network Authentication ================================== OSDx supports two port-based network authentication mechanisms for Ethernet interfaces: * **IEEE 802.1X**: An IEEE Standard for port-based network access control (PNAC) that belongs to the IEEE 802.1 group of networking protocols. It provides an authentication mechanism using EAP (Extensible Authentication Protocol) for devices that wish to connect to a LAN or WLAN. * **MAB (MAC Authentication Bypass)**: An authentication mechanism that uses a device's MAC address as its identity. MAB is typically used for devices that do not support 802.1X authentication, such as printers, IP cameras, or legacy equipment. Both authentication mechanisms involve three parties: a supplicant (client device), an authenticator (network device that controls access), and an authentication server (typically a RADIUS server). In OSDx, both the supplicant and the authenticator end-points can be configured for Ethernet interfaces. The authentication server is typically a trusted server that can receive and respond to requests for network access, and can tell the authenticator if the connection is meant to be allowed. .. warning:: 802.1X/MAB authentication modes can only be used in point-to-point (P2P) connections, where the supplicant is directly connected to the authenticator without an intermediate switch. Supplicant ---------- The supplicant is a client device that wishes to connect to the LAN. While the supplicant is the device requesting network access, the authenticator controls whether access is granted or denied. In OSDx, an Ethernet supplicant end-point can be configured for 802.1X authentication by entering the following commands: .. code-block:: none set interfaces ethernet supplicant username set interfaces ethernet supplicant password :doc:`Here `, you can find more examples. Authenticator ------------- The authenticator is a network device that provides a data link between the client and the network, allowing or blocking network traffic between the two. OSDx supports both 802.1X and MAB authentication mechanisms, which can be used independently or in combination. :doc:`Here `, you can find comprehensive examples. 802.1X Authentication ~~~~~~~~~~~~~~~~~~~~~ 802.1X authentication can be configured via AAA lists, which allow integration with RADIUS servers for centralized authentication: .. code-block:: none set interfaces ethernet authenticator aaa authentication set interfaces ethernet authenticator aaa accounting set system aaa list method group radius set system aaa group radius server set system aaa server radius address set system aaa server radius key :doc:`Here <../../system/aaa/index>` you can find more information about ``AAA configuration``. The device itself may also act as a local EAP server. This can be configured by entering the following commands: .. code-block:: none set interfaces ethernet authenticator 802.1x eap-server username password set interfaces ethernet authenticator 802.1x eap-server x509 ca-cert set interfaces ethernet authenticator 802.1x eap-server x509 dh-param set interfaces ethernet authenticator 802.1x eap-server x509 server-cert set interfaces ethernet authenticator 802.1x eap-server x509 server-key set system aaa list method local .. note:: Local EAP server only supports PEAP-MSCHAPv2 authentication protocol. Setting up a **local method** with lower priority than the remote server can be a good idea in scenarios where the authentication server might not be accessible. This would allow supplicants to authenticate against the authenticator using its local database (failover mechanism). Once the remote server becomes available, authentication would be performed using RADIUS again. :doc:`Here `, you can find some EAP-Server 802.1X examples. The maximum number of EAP retransmissions can be configured to control how many times the authenticator will retry sending EAP requests before timing out: .. code-block:: none set interfaces ethernet authenticator 802.1x max-retransmissions <1-10> MAB Authentication ~~~~~~~~~~~~~~~~~~ MAB (MAC Authentication Bypass) provides an alternative authentication mechanism for devices that do not support 802.1X. When MAB is enabled, the authenticator uses the supplicant's MAC address as its identity to authenticate against the AAA server. MAB authentication is particularly useful for: * Legacy devices that do not support 802.1X (printers, IP cameras, etc.) * IoT devices with limited authentication capabilities * Situations where you want to quickly onboard devices based on their MAC addresses To configure MAB with RADIUS authentication, use the same AAA configuration as for 802.1X: .. code-block:: none set interfaces ethernet authenticator aaa authentication set interfaces ethernet authenticator aaa accounting When using MAB, the device's MAC address is sent as the username to the RADIUS server. You can configure a timeout value that determines how long the authenticator will wait before triggering MAB authentication: .. code-block:: none set interfaces ethernet authenticator mab timeout <1-300> The timeout value is specified in seconds. A shorter timeout results in faster MAB authentication, while a longer timeout provides more time for 802.1X authentication to complete (useful when MAB is configured as a fallback mechanism). **Local MAC Address Database** For scenarios where RADIUS is not available or desired, you can configure a local MAC address database. This allows the authenticator to authenticate devices based on a pre-configured list of MAC addresses: .. code-block:: none set interfaces ethernet authenticator mab local-mac identity set system aaa list method local The optional ``identity`` parameter can be used to associate a descriptive name with the MAC address for logging and accounting purposes. Similar to 802.1X, you can configure local authentication as a failover mechanism by assigning it a lower priority than RADIUS in the AAA list. :doc:`Here `, you can find specific examples about MAB. Authentication Modes ~~~~~~~~~~~~~~~~~~~~ OSDx supports four authentication modes that control how 802.1X and MAB are used: * **only-802.1x**: Only 802.1X authentication is performed. If 802.1X authentication fails, the supplicant is not authenticated. * **only-MAB**: Only MAB authentication is performed using the supplicant's MAC address. 802.1X is not attempted. * **802.1x-MAB**: 802.1X authentication is attempted first. If 802.1X fails or times out, MAB is used as a fallback mechanism. * **MAB-802.1x**: MAB authentication is attempted first. If MAB fails, 802.1X authentication is used as a fallback mechanism. The authentication mode is configured using: .. code-block:: none set interfaces ethernet authenticator mode If no mode is explicitly configured, ``only-802.1x`` is used by default. :doc:`Here `, you can find examples for each authentication mode. Common Configuration ~~~~~~~~~~~~~~~~~~~~ Several configuration options apply to both 802.1X and MAB authentication: **Quiet Period** When authentication fails, the authenticator can be configured to wait for a specified period before attempting to re-authenticate the supplicant. This prevents rapid authentication retry loops: .. code-block:: none set interfaces ethernet authenticator quiet-period <0-3600> The value is specified in seconds. A value of ``0`` disables the quiet period, meaning re-authentication will be attempted immediately after failure. :doc:`Here ` you can find more examples for ``quiet-period`` configuration. **Re-authentication Period** Re-authentication is enabled by default and automatically performed every hour. However, it can be customized using the following command: .. code-block:: none set interfaces ethernet authenticator reauth-period <15-86400> The value is specified in seconds. Special value ``0`` can be used to disable re-authentication entirely: .. code-block:: none set interfaces ethernet authenticator reauth-period 0 :doc:`Here ` you can find more examples for ``reauth-period`` configuration. **Logging Level** The logging event level for authentication events can be configured to control the verbosity of authentication-related log messages: .. code-block:: none set interfaces ethernet authenticator log-level Level ``notice`` is configured by default. Use ``debug`` for detailed troubleshooting of authentication issues. AAA Configuration ~~~~~~~~~~~~~~~~~ Both 802.1X and MAB authentication rely on AAA (Authentication, Authorization, and Accounting) configuration to integrate with RADIUS servers or use local authentication. Basic AAA configuration for authenticator: .. code-block:: none set interfaces ethernet authenticator aaa authentication set interfaces ethernet authenticator aaa accounting set system aaa list method group radius set system aaa group radius server set system aaa server radius address set system aaa server radius key The AAA list can include multiple methods with different priorities, allowing for failover scenarios. For example, you can configure RADIUS as the primary method and local authentication as the backup. :doc:`Here <../../system/aaa/index>` you can find more information about ``AAA configuration``. Authorization with ACLs ~~~~~~~~~~~~~~~~~~~~~~~ Both 802.1X and MAB support authorization configuration using ACLs (Access Control Lists). There are two alternatives for using it: * Define one or more traffic policies and use aliases to reference them through the RADIUS Filter-ID attribute (see `RFC2865 Section 5.11 `_). * Send the ACL definition directly using the RADIUS NAS-Filter-Rule attribute (see `RFC4829 `_). The first option requires the following configuration commands: .. code-block:: none set interfaces ethernet authenticator aaa authorization acl-alias direction set interfaces ethernet authenticator aaa authorization acl-alias priority set interfaces ethernet authenticator aaa authorization acl-alias traffic-policy :doc:`Here <../../routing/traffic/policy/index>` you can find more information about ``traffic policies``. Change of Authorization (CoA) ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ CoA (Change of Authorization) can be enabled to allow the RADIUS server to dynamically change the authorization state of authenticated sessions. CoA is supported for both 802.1X and MAB authenticated supplicants. The following parameters can be configured: .. code-block:: none set interfaces ethernet authenticator coa client set interfaces ethernet authenticator coa port set interfaces ethernet authenticator coa secret CoA messages can be used to: * De-authenticate users remotely * Change the ACLs installed for existing sessions * Update session parameters without requiring re-authentication :doc:`Here `, you can find more CoA examples. Operational Commands ~~~~~~~~~~~~~~~~~~~~ OSDx provides several operational commands to monitor and manage authentication state: **Show Authentication Status** Display the current authentication mode and state for an interface: .. code-block:: none interfaces ethernet authenticator show status This command shows whether the interface is using 802.1X or MAB and the current authentication state of connected supplicant. **Show Authentication Statistics** Display detailed information about authenticated supplicant, including their identity, credentials (username or MAC address), and authentication method: .. code-block:: none interfaces ethernet authenticator show stats **Restart Authentication** Manually restart the authentication state for an interface, forcing connected supplicants to re-authenticate: .. code-block:: none interfaces ethernet authenticator restart This command is useful for testing authentication configurations or forcing re-authentication after configuration changes. Command Summary =============== .. osdx:cmdtree:: cfg :maxdepth: 3 interfaces ethernet .. osdx:cmdtree:: op :maxdepth: 3 interfaces ethernet