Fabric Engine Locally Managed Sample Configuration

Generate and Download the Certificate Files


Directory of C:\Users\Radsec\Downloads\certificate-file-extreme​

05/15/2024 10:06 AM <DIR> .​

05/15/2024 10:06 AM <DIR> ..​

05/13/2024 02:04 PM 2,427 ca.pem

05/13/2024 02:04 PM 1,244 certificate.pem

05/13/2024 02:04 PM 1,678 key.pem

3 File(s) 5,349 bytes​

2 Dir(s) 43,057,008,640 bytes free​
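
A pre-upload sanity check for the three files listed above, as an added example (not part of the original page or of Extreme's tooling). It inspects only the PEM framing: ca.pem and certificate.pem must hold certificates and no private key, and key.pem must hold exactly one passphrase-protected key. Expecting a passphrase-protected key is an assumption drawn from the key-pwd setting used later on this page; the function names and sample data are constructed for illustration.

```python
import base64
import re

PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.S)

def pem_blocks(text):
    """Return [(label, encrypted)] per PEM block; ValueError on corrupt base64."""
    blocks = []
    for label, body in PEM_RE.findall(text):
        lines = [l.strip() for l in body.splitlines() if l.strip()]
        headers = [l for l in lines if ":" in l]  # e.g. "Proc-Type: 4,ENCRYPTED"
        base64.b64decode("".join(l for l in lines if ":" not in l), validate=True)
        encrypted = label == "ENCRYPTED PRIVATE KEY" or any(
            h.startswith("Proc-Type:") and "ENCRYPTED" in h for h in headers)
        blocks.append((label, encrypted))
    return blocks

def check_bundle(files):
    """files: {name: PEM text}. Return findings; an empty list means OK."""
    findings = []
    for name in ("ca.pem", "certificate.pem", "key.pem"):
        try:
            blocks = pem_blocks(files[name])
        except KeyError:
            findings.append(f"{name}: missing")
            continue
        except ValueError:
            findings.append(f"{name}: corrupt base64")
            continue
        certs = [b for b in blocks if b[0] == "CERTIFICATE"]
        keys = [b for b in blocks if b[0].endswith("PRIVATE KEY")]
        if name == "key.pem":
            if len(keys) != 1:
                findings.append(f"{name}: expected 1 private key, found {len(keys)}")
            elif not keys[0][1]:
                findings.append(f"{name}: private key is not passphrase-protected")
            continue
        if not certs:
            findings.append(f"{name}: no CERTIFICATE block")
        if keys:  # a key must never ride along in a certificate file
            findings.append(f"{name}: contains a private key")
    return findings

def sample_pem(label, headers=""):
    # Constructed placeholder bytes, not a real certificate or key.
    body = base64.encodebytes(b"constructed-sample-" * 4).decode()
    return f"-----BEGIN {label}-----\n{headers}{body}-----END {label}-----\n"

SAMPLE = {"ca.pem": sample_pem("CERTIFICATE") * 2, "certificate.pem": sample_pem("CERTIFICATE"),
          "key.pem": sample_pem("ENCRYPTED PRIVATE KEY")}  # constructed bundle
```

The check does not validate signatures, chain of trust, or that the key matches the certificate; it catches swapped, truncated, or damaged files before they reach the switch.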

Upload Certificate Files to the Switch Using FTP

C:\Users\Radsec\Downloads\certificate-file-extreme>ftp 10.68.16.150

Connected to 10.68.16.150.​

220 FTP server ready​

530 USER and PASS required​

User (10.68.16.150:(none)): rwa​

331 Password required​

Password:​

230 User logged in​

ftp> binary​

200 Type set to I, binary mode​

ftp> put ca.pem

200 Port set okay​

150 Opening BINARY mode data connection​

226 Transfer complete​

ftp: 2427 bytes sent in 0.00Seconds 2427000.00Kbytes/sec.​

ftp> put certificate.pem

200 Port set okay​

150 Opening BINARY mode data connection​

226 Transfer complete​

ftp: 1244 bytes sent in 0.00Seconds 1244000.00Kbytes/sec.​

ftp> put key.pem

200 Port set okay​

150 Opening BINARY mode data connection​

226 Transfer complete​

ftp: 1678 bytes sent in 0.00Seconds 1678000.00Kbytes/sec.​

ftp> quit​

221 Bye...see you later​

Note

Files are uploaded to the default location, /intflash. When running Enhanced Secure Mode (ESM), the default location is the /intflash/shared directory.

Apply the Certificate Files to the Switch Using Default Radius Secure-Profile

#radius secure-profile default ca-cert-file ca.pem​

#radius secure-profile default cert-file certificate.pem​

#radius secure-profile default key-file key.pem​

#radius secure-profile default key-pwd radsec​

Apply the Radius/Radius-Secure Configuration to the Switch​

#radius server host 3.72.170.112 key radsec used-by eapol​

#radius server host 3.72.170.112 used-by eapol secure-enable​

#radius secure-flag​

#radius enable​

Optional Configuration

#radius secure-profile TestProfile -to create a custom Radius secure-profile

#radius server host 3.72.170.112 used-by eapol secure-profile TestProfile -to link the custom profile to a specific Radius server

#radius server host 3.72.170.112 used-by eapol acct-enable -to enable accounting for a specific Radius server

#radius accounting enable -to enable accounting globally

#radius server host 3.72.170.112 used-by eapol secure-log-level -to change the log level for the TCP/TLS session

#radius server host 3.72.170.112 used-by eapol secure-mode -to switch between TLS and DTLS

802.1x NEAP Basic System and Port Configuration​

#eapol enable​

#interface gigabitEthernet 1/1​

#(config-if)#eapol multihost radius-non-eap-enable​

#(config-if)#eapol status auto​

Optional Configuration​

#interface gigabitEthernet 1/1​

#(config-if)#eapol multihost non-eap-mac-max 10 -to change the max number of NEAP clients allowed on that port

#(config-if)#eapol multihost mac-max 10 -to change the max MAC clients allowed on 802.1x enabled ports

#(config-if)#eapol re-authentication enable -to enable re-authentication

802.1x NEAP on Ports Enabled for Auto-sense

Auto-sense is a port-based functionality to support zero touch capabilities on the VOSS switches. When you enable Auto-sense on a port, the system dynamically configures the port based on the Link Layer Discovery Protocol (LLDP) events.

#interface gigabitEthernet 1/1​

#(config-if)#auto-sense

Optional Configuration for Auto-sense Eapol

#auto-sense eapol multihost non-eap-mac-max 10 -to change the max number of NEAP clients allowed on that port

#auto-sense eapol multihost mac-max 10 -to change maximum MAC clients supported on an Eapol enabled port