802.1X authentication or MAC authentication with dynamic ACL assignment

This use case shows the configuration required on a Ruckus ICX device to authenticate an 802.1X-capable client or MAC-authenticated client, to assign the client to a VLAN dynamically, and to apply the ACLs provided by RADIUS. In the following example, after authentication, the PC will be placed in VLAN 200.

Figure 20  802.1X authentication or MAC authentication with dynamic ACL assignment

RADIUS configuration

Create a device profile for the PC's MAC address on the RADIUS server, and configure the attributes in the following table.
Table 41 RADIUS attributes for a PC user

  Attribute              Value
  Tunnel-Medium-Type     802
  Tunnel-Pvt-Group-ID    200
  Tunnel-Type            VLAN
  Filter-Id              ip.110.in;ip.111.out;ip6.v61.in;ip6.v62.out
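
As an added example (not part of the Ruckus documentation), the Python below packs the four Table 41 attributes the way they travel in a RADIUS Access-Accept (RFC 2865 AVP framing, the RFC 2868 tag octet on the tunnel attributes, RFC 3580 values 13 for VLAN and 6 for 802) and decodes them back while checking the Filter-Id syntax. The `family.acl.direction` reading of Filter-Id is an assumption drawn from the table's value, not a documented grammar.

```python
import struct

# RFC 2865/2868 attribute types and the RFC 3580 enum values for VLAN assignment
FILTER_ID, TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PVT_GROUP_ID = 11, 64, 65, 81
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_802 = 13, 6     # "VLAN" and "802" in Table 41

def avp(attr_type, value):
    """One RADIUS AVP: Type(1) Length(1) Value; Length counts the header."""
    assert len(value) <= 253, "RADIUS attribute value too long"
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def tagged(attr_type, payload, tag=0):
    # RFC 2868 tagged attribute: a Tag octet (0 = untagged) precedes the value
    return avp(attr_type, bytes([tag]) + payload)

def build_vlan_acl_attrs(vlan_id, filter_id):
    """Pack the four Table 41 attributes as they would sit in an Access-Accept."""
    return (tagged(TUNNEL_TYPE, TUNNEL_TYPE_VLAN.to_bytes(3, "big"))
            + tagged(TUNNEL_MEDIUM_TYPE, TUNNEL_MEDIUM_802.to_bytes(3, "big"))
            + tagged(TUNNEL_PVT_GROUP_ID, str(vlan_id).encode())
            + avp(FILTER_ID, filter_id.encode()))

def parse_attrs(data):
    """Walk an AVP list into {type: value}; a bad Length aborts the parse."""
    out, pos = {}, 0
    while pos < len(data):
        length = data[pos + 1] if pos + 1 < len(data) else 0
        if length < 2 or pos + length > len(data):
            raise ValueError("malformed attribute at offset %d" % pos)
        out[data[pos]] = data[pos + 2:pos + length]
        pos += length
    return out

def untag(raw):
    # RFC 2868: a leading octet of 0x00-0x1F is a tag; anything larger is data
    return raw[1:] if raw and raw[0] <= 0x1F else raw

def parse_filter_id(value):
    # Assumed ICX syntax from Table 41: "family.acl.direction" tokens joined by ";"
    entries = [tuple(token.split(".")) for token in value.split(";")]
    for entry in entries:
        if len(entry) != 3 or entry[0] not in ("ip", "ip6") or entry[2] not in ("in", "out"):
            raise ValueError("unexpected Filter-Id token: " + ".".join(entry))
    return entries

def decode_assignment(data):
    """Return (vlan_id, acl_entries) from the attributes of an Access-Accept."""
    attrs = parse_attrs(data)
    for attr, expected in ((TUNNEL_TYPE, TUNNEL_TYPE_VLAN), (TUNNEL_MEDIUM_TYPE, TUNNEL_MEDIUM_802)):
        if int.from_bytes(untag(attrs[attr]), "big") != expected:
            raise ValueError("attribute %d is not %d" % (attr, expected))
    vlan = int(untag(attrs[TUNNEL_PVT_GROUP_ID]).decode())
    return vlan, parse_filter_id(attrs[FILTER_ID].decode())
```

A server that omits the tag octet on Tunnel-Private-Group-ID still decodes correctly, because `untag` only strips a leading byte in the 0x00-0x1F tag range.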

Ruckus ICX switch configuration

  1. Specify RADIUS as an authentication server. The following command configures the switch to use the configured RADIUS server to authenticate 802.1X or MAC authentication clients.
    device(config)# aaa authentication dot1x default radius
  2. Configure a RADIUS server. In the following example, the RADIUS server IP address is 10.20.64.208 and the shared key is "secret". The shared key must match the key given during client configuration on the RADIUS server. UDP port 1812 is used for RADIUS authentication messages, and UDP port 1813 is used for RADIUS accounting messages.
    device(config)# radius-server host 10.20.64.208 auth-port 1812 acct-port 1813 default key secret dot1x mac-auth web-auth
  3. Create a VLAN to use as the auth-default VLAN. This VLAN must be configured to enable authentication. When any port is enabled for 802.1X authentication or MAC authentication, the port is moved into this VLAN by default as a MAC VLAN member. Sometimes the RADIUS server may authenticate the client but not return VLAN information on where the client should be placed. The auth-default VLAN is used in this scenario.
    device(config)# vlan 2 name auth-default-vlan
    device(config-vlan-2)# exit
  4. Create the VLANs that will be assigned to clients by RADIUS. RADIUS will return VLAN 200 for the PC. This VLAN must be active in the Ruckus ICX device. A VLAN is active when it has at least one untagged or tagged member port. In this example, VLAN 200 is made active by adding the unused port 2/1/12 as an untagged member.
    device(config)# vlan 200
    device(config-vlan-200)# untagged ethernet 2/1/12
    device(config-vlan-200)# exit
    
  5. Specify the VLAN to use as the auth-default VLAN under authentication mode. Refer to step 3 for the use of the auth-default VLAN.
    device(config)# authentication
    device(config-authen)# auth-default-vlan 2
  6. Enable 802.1X authentication or MAC authentication by performing one of the following steps:
    1. Enable 802.1X on the switch under authentication mode, and enable 802.1X on port 1/1/11. Configure the port control mode as auto for the interface in general configuration mode. This mode enables 802.1X authentication on the interface.
      device(config-authen)# dot1x enable
      device(config-authen)# dot1x enable ethernet 1/1/11
      device(config-authen)# exit
      device(config)# dot1x port-control auto ethernet 1/1/11
      
    2. Enable MAC authentication on the switch under authentication mode, and enable MAC authentication for port 1/1/11.
      device(config)# authentication
      device(config-authen)# mac-auth enable
      device(config-authen)# mac-auth enable ethernet 1/1/11
      device(config-authen)# exit
      
  7. To verify the authentication-related configuration on the switch, use the show run authentication command. Authentication-related configurations are stored under the keyword "authentication".
    device# show run authentication
    authentication
     critical-vlan 601
     auth-default-vlan 2
     restricted-vlan 401
     auth-fail-action restricted-vlan
     re-authentication
     dot1x enable
     dot1x enable ethe 1/1/11  
     dot1x guest-vlan 501
     mac-authentication enable
     mac-authentication enable ethe 1/1/11 
    !