Merge branch '513' into stage

cumulusAnia · cumulusAnia · commit ae3e02b74af1 · 2025-03-06T16:03:54.000-08:00
diff --git a/content/cumulus-linux-513/Layer-1-and-Switch-Ports/802.1X-Interfaces.md b/content/cumulus-linux-513/Layer-1-and-Switch-Ports/802.1X-Interfaces.md
@@ -51,9 +51,14 @@ After you install and configure FreeRADIUS, the FreeRADIUS server can serve Cumu
 - You must configure 802.1X on a bridged interface. To configure a bridge, refer to {{<link url="Ethernet-Bridging-VLANs" text="Ethernet Bridging - VLANs">}}.
 - NVUE enables BPDU guard when you enable 802.1X on an interface; the interface goes into a protodown state if it receives BPDU packets.
 
+{{%notice note%}}
+In Cumulus Linux 5.13 and later, you must provide the <span class="a-tooltip">[NAS](## "Network Access Server")</span> IP address and, or NAS identifier when configuring 802.1x interfaces.
+{{%/notice%}}
+
 To configure an 802.1X interface:
 - **Required**: Provide the 802.1X RADIUS server IPv4 or IPv6 address. If you want to specify more than one server, provide the priority for each server (a value between 1 and 3). If you specify just one server, Cumulus Linux sets the priority to 1. You can also specify a VRF for outgoing RADIUS accounting and authorization packets. A VRF is optional. 
 - **Required**: Provide the 802.1X RADIUS shared secret.
+- **Required**: Provide either the NAS IP address or the NAS identifier, or both. The NAS IP address is an IPv4 address used only in Access-Request packets from the RADIUS client (the Cumulus switch) to the RADIUS server (not in subsequent packet types, such as Access-Accept, Access-Reject, or Access-Challenge). The NAS identifier is a string such as a fully qualified domain name that identifies the NAS to the RADIUS server. The RADIUS server uses the NAS IP address and the NAS identifier for accounting purposes. On the RADIUS server, the NAS IP address and the NAS identifier identify the source NAS. If two or more NAS devices have the same NAS IP address, you can use a different NAS identifier for each of them to uniquely identify them at the RADIUS server.
 - **Required**: Enable 802.1X on an interface.
 - Optional: Change the default 802.1X RADIUS accounting port. You can specify a value between 1000 and 65535. The default value is 1813.
 - Optional: Change the default 802.1X RADIUS authentication port. You can specify a value between 1000 and 65535. The default value is 1812.
@@ -70,10 +75,13 @@ Changing the 802.1X interface settings does *not* reset existing authorized user
 The following example:
 
 - Sets the 802.1X RADIUS server IP address to 10.10.10.1 and the shared secret to `mysecret`.
+- Sets the NAS IP address to 10.10.10.3 and the NAS identifier to AP-123.
 - Enables 802.1X on swp1 through swp3.
 
 ```
 cumulus@switch:~$ nv set system dot1x radius server 10.10.10.1 shared-secret mysecret
+cumulus@switch:~$ nv set system dot1x radius nas-ip-address 10.10.10.3
+cumulus@switch:~$ nv set system dot1x radius nas-identifier AP-123
 cumulus@switch:~$ nv set interface swp1,swp2,swp3 dot1x eap enabled 
 cumulus@switch:~$ nv config apply
 ```
@@ -85,6 +93,7 @@ The following example:
 - Sets the 802.1X RADIUS authentication port to 2813.
 - Sets the 802.1X RADIUS accounting port to 2812.
 - Sets the fixed IP address for the RADIUS client to receive requests to 10.10.10.6.
+- Sets the NAS IP address to 10.10.10.3.
 - Sets the EAP reauthentication interval to 40.
 - Enables 802.1X on swp1, swp2, and swp3.
 
@@ -94,18 +103,12 @@ cumulus@switch:~$ nv set system dot1x radius server 10.10.10.1 shared-secret mys
 cumulus@switch:~$ nv set system dot1x radius server 10.10.10.1 authentication-port 2813 
 cumulus@switch:~$ nv set system dot1x radius server 10.10.10.1 accounting-port 2812 
 cumulus@switch:~$ nv set system dot1x radius client-src-ip 10.10.10.6
+cumulus@switch:~$ nv set system dot1x radius nas-ip-address 10.10.10.3
 cumulus@switch:~$ nv set system dot1x reauthentication-interval 40
 cumulus@switch:~$ nv set interface swp1,swp2,swp3 dot1x eap enabled 
 cumulus@switch:~$ nv config apply
 ```
-<!--feature in 5.8
-To assign a tagged VLAN for voice devices and assign different VLANs to the devices based on authorization:
 
-```
-cumulus@switch:~$ nv set interface swp1,swp2,swp3 dot1x voice-vlan 20 enabled 
-cumulus@switch:~$ nv config apply
-```
--->
 {{%notice note%}}
 When you enable or disable 802.1X on an interface, `hostapd` reloads; however, existing authorized sessions do not reset.
 {{%/notice%}}
@@ -118,6 +121,7 @@ Edit the `/etc/hostapd.conf` file to configure 802.1X settings, then restart the
 The following example:
 - Sets the 802.1X RADIUS server IP address to 10.10.10.1.
 - Sets the 802.1X RADIUS shared secret to mysecret.
+- Sets the NAS IP address (`own_ip_addr`) to 10.10.10.3 and the NAS identifier (`nas_identifier`) to AP-123.
 - Enables 802.1X on swp1 through swp3.
 
 ```
@@ -128,6 +132,8 @@ interfaces=swp1,swp2,swp3
 auth_server_addr=10.10.10.1
 auth_server_port=1812
 auth_server_shared_secret=mysecret
+own_ip_addr=10.10.10.3 
+nas_identifier="AP-123"
 ...
 ```
 
@@ -138,6 +144,7 @@ The following example:
 - Sets the 802.1X RADIUS authentication port to 2813.
 - Sets the 802.1X RADIUS accounting port to 2812.
 - Sets the fixed IP address for the RADIUS client to receive requests to 10.10.10.6.
+- Sets the NAS IP address (`own_ip_addr`) to 10.10.10.3.
 - Sets the EAP reauthentication interval to 40.
 - Enables 802.1X on swp1 through swp3.
 
@@ -155,6 +162,7 @@ acct_server_addr=10.10.10.1%BLUE
 acct_server_port=2812
 acct_server_shared_secret=mysecret
 radius_client_addr=10.10.10.6
+own_ip_addr=10.10.10.3
 ...
 ```
 
diff --git a/content/cumulus-linux-513/Whats-New/_index.md b/content/cumulus-linux-513/Whats-New/_index.md
@@ -46,15 +46,15 @@ Cumulus Linux 5.13.0 supports new platforms, provides bug fixes, and contains se
 - NVUE
   - {{<link url="NVUE-CLI/#list-directory-contents" text="Command to list directory contents">}}
   - {{<link url="NVUE-CLI/#get-the-hash-for-a-file" text="Command to get the hash for a file">}}
+  - {{<link url="802.1X-Interfaces/#configure-8021x-interfaces" text="Commands to set the NAS IP address and NAS identifier for 802.1X">}}
   - Enable CRL support
   - SSH certificate-based authorization
-  - .1x support for NAS-IP-Address and NAS-Identifier
   - Additional FRR filters
   - {{< expand "Changed NVUE Commands" >}}
 | Cumulus Linux 5.13 | Cumulus Linux 12 and Earlier |
 | --------------- |---------------------------------------|
-| `nv unset maintenance unit all-protocols state maintenance`| `nv action enable|disable system maintenance mode` |
-| | `nv action enable|disable system maintenance ports` |
+| `nv set maintenance unit all-protocols state maintenance`| `nv action enable system maintenance mode`<br>`nv action disable system maintenance mode` |
+| | `nv action enable system maintenance ports`<br>`nv action disable system maintenance ports` |
 {{< /expand >}}
   - {{< expand "Removed NVUE Commands" >}}
 ```
@@ -79,6 +79,8 @@ For descriptions and examples of all NVUE commands, refer to the [NVUE Command R
 
 ```
 nv set service dhcp-server <vrf> static <host>> vendor-class
+nv set system dot1x radius nas-identifier AP-123
+nv set system dot1x radius nas-ip-address
 nv set system dot1x reauth-timeout-ignore
 ```
 
