B-03 | Guest Wireless with AGNI

Overview

AGNI Login

If you're not already logged into AGNI, navigate to the Arista Launchpad for your lab.

Open Launchpad

Login Step 1Login Step 2

Provide your assigned lab/pod email address and password and clieck Sign In

You will see the various tools tied to your tenant, this includes CVP, AGNI (NAC), and CV-CUE for wireless. Click into AGNI (Beta) tile to begin this lab.

AGNI Guest Captive Portal

Let's configure a Guest Captive Portal using AGNI for wireless clients. To configure the guest portal, you must configure both AGNI and CV-CUE.

🔥 CRITICAL PREREQUISITE 🔥

⚠️ MANDATORY: Your access points need to be onboarded in AGNI with RadSec before proceeding.

📖 Follow the steps here - This step cannot be skipped!

RadSec | Installing the AP Certificate

What is RadSec?

RadSec is a protocol that supports RADIUS over TCP and TLS. For mutual authentication it is required to install a client certificate with corresponding private key as well as your AGNI CA certificate.

With the proliferation of IoT devices, mobile users, and remote access, networks have become more complex and diverse, making traditional RADIUS susceptible to eavesdropping and man-in-the-middle attacks. RadSec's integration of secure Transport Layer Security (TLS) encryption addresses these vulnerabilities, providing a robust defense against unauthorized access, data interception, and tampering.

Arista Switches can form a RadSec tunnel using SSL encryption with AGNI:

• AGNI integrates with network infrastructure devices (wired switches and wireless access points) through a RadSec tunnel over Port 2083
• The highly secure and encrypted tunnel offers complete protection to the communications that happen in a distributed network environment. This mechanism offers much greater security to AAA workflows when compared with traditional unencrypted RADIUS workflows.

More information on RadSec

• Configuring a RadSec profile in EOS
• RADIUS Dynamic Authorization over TLS

Open AGNI and CV-CUE

When applying the Certificate to the AP it is recommended to have both the CV-CUE and AGNI windows opened side by side. - Login to CV-CUE - Login to AGNI

Configure RadSec

It's important to identify if the wired or wireless device you are configuring is manufactured with a Trusted Platform Module (TPM) chip. This chip contains the required certificate used for RadSec. However, if the TPM chip does not exist, CV-CUE supports Custom Certificate Management for Access Points.

More information on TPM

• Wireless TPM vs Non-TPM
• TPM chip APs - RadSec Tunnel Configuration
• Non-TPM chip APs - RadSec Tunnel with Custom Certificate

Summary

1. Launchpad Add AP and assign the Service
2. CV-CUE Create a Folder and move the AP
3. CV-CUE Generate CSR TAG and then Download CSR .zip.
4. AGNI Add the device as a new AP under Access Devices
5. AGNI Click on your AP and then select Get Client Certificate
6. AGNI Upload the CSR and Generate Certificate
7. CV-CUE Click on your AP and Upload Device Certificate and select TAG and AP.pem file
8. AGNI Under Administration click on RadSec settings and download Cert and copy hostname
9. CV-CUE In your Folder, Create a RADIUS RadSec server and apply the RadSec Cert from AGNI and Select your CSR TAG -> FQDN: radsec.beta.agni.arista.io
10. CV-CUE Create an SSID and point to the RADIUS client you created using WPA2 802.1X RadSec.
11. AGNI Create a User Account
12. AGNI Add Client
13. AGNI Under Networks, recommend starting with just a MAC auth example to make sure everything is running like you expected and point it to your SSID

Detailed Steps

1. CV-CUE

   1. First we Generate a CSR. Click on Monitor > WiFi Access Points
   2. On right hand side on top and click on Certificate Actions
   3. Next, right click on the AP and select Generate CSR and select your Add New Certificate Tag. Type in a name for your Certificate Tag. Click on Generate.
   4. Next, right click on the AP and select Download CSR and select your Certificate Tag.

2. AGNI

   1. Click on Access Devices and click on + Add or Import. Specify the following in the table below. Click on Add Device when done.

      Field	Value	Notes
      Choose Action	Add Device	Select radio button
      Name	Your AP Name	Enter descriptive name for the AP
      MAC Address	xx:xx:xx:xx:xx:xx	Optional - Enter AP MAC address
      Vendor	Arista WiFi	Select from dropdown
      Serial Number	Your AP Serial	Required for RadSec - Enter AP serial number
      IP Address	Your AP IP	Optional - Enter AP IP address
      Access Device Group	Select Group	Optional - Choose appropriate group
      Location	Your Location	Optional - Example: Global/America/California/Site-1

   2. Access Devices → Devices → Select AP → Get Client Certificate

   3. Next, select Generate Certificate: Use CSR (Single Device), and select Action: Upload CSR File, and browse to and select the CSR zip file.
   4. Select Generate Certificate and the AP Client Certificate will be created and downloaded to your device.
   5. Under System -> RadSec Settings copy the Radsec Server Hostname and Download Certificate at the bottom.

🚨 CRITICAL STEP - DO NOT SKIP!

⚠️ MANDATORY: You MUST download the RadSec certificate from AGNI before proceeding to CV-CUE configuration.

📥 Download Certificate - This certificate is required for the RadSec tunnel to work properly.

🔗 Copy Hostname - The RadSec Server Hostname is needed for CV-CUE RADIUS server configuration.

1. 1. Upload the Device Certificate
   2. Go to Monitor → WiFi → Access Points → Select AP → Certificate → Upload Device Certificate, and upload the Client/Device Certificate that was downloaded to your device. Use the same Certificate Tag as when you Downloaded the CSR above.
   3. Configuring AGNI RadSec Server.
   4. Go to Configure → Network Profiles → RADIUS and create a new RADIUS Server.

   5. Select Add RADIUS Server. Specify the following in the table below.

      Field	Value
      Server Name	AGNI-01
      Server Address	radsec.beta.agni.arista.io
      Radsec	ON
      Radsec Port	2083
      Add CA Certificate	Downloaded from AGNI
      Certificate Tag	Select your tag created in Step 1

   CV-CUE

   1. Select Save to commit the changes.

2. AGNI

   1. Click on Access Devices and then Devices look at the RadSec Status.
   2. 🟢 Green dot means connected and an active SSID is using AGNI.

1. Navigate to Guest > Portals under the section Identity.

   

2. Click + Add Guest Portal and configure the following

   Network Settings

   Field	Student 1	Student 2
   Portal Name	ATD-##-GUEST	ATD-##-GUEST
   Authentication Types	Clickthrough	Clickthrough
   Re-Authuthenticate Guest	Always	Always
   CAPTCHA	Disabled	Disabled

   

3. Click the Customization tab to customize the portal settings, and notice the elements. When done, click Add Guest Portal. The portal gets listed in the portal listing.

   • Page
   • Login Toggle
   • Terms of Use and Privacy Policy
   • Logo
   • Guest Login Submit Button
   • Etc

   

4. Click Back

5. Navigate to the Networks under the section Access Control. Click on + Add Network

   

6. Add a new network with following settings

   Network Settings

   Field	Student 1	Student 2
   Name	ATD-##-GUEST	ATD-##-GUEST
   Connection Type	Wireless	Wireless
   SSID	ATD-##-GUEST	ATD-##-GUEST
   Authentication Type	Captive Portal	Captive Portal
   Captive Portal Type	Internal	Internal
   Select Internal Portal	ATD-##-GUEST	ATD-##-GUEST
   Internal Role for Portal Authentication	Portal ## Role	Portal ## Role

   

7. Click Add Network.

8. Copy the portal URL at the bottom of the page.

   AGNI URL

   Make sure to copy the AGNI Guest Portal URL, we are going to use this in CV-CUE for Guest Portal Redirection.

CV-CUE Login

If you're not already logged into CV-CUE, navigate to the Arista Launchpad for your lab.

Open Launchpad

Login Step 1Login Step 2

Provide your assigned lab/pod email address and password and click Sign In

You will see the various tools tied to your tenant, this includes CVP, AGNI (NAC), and CV-CUE for wireless. Click into CV-CUE (CloudVision WiFi) tile to begin this lab.

Role Profile (CV-CUE)

Let's configure two role profiles and the SSID settings. This will ensure our guest SSID we will create is enabled with redirection to AGNI captive portal. These roles are

• Portal (A/B) Role: This role will be assigned initially to ensure captive portal redirection
• Guest (A/B) Role: This role will be assigned by AGNI to drop our client into a "Guest Role" where we can further define policy

Portal Role Profile

1. Log in to CV-CUE and navigate to Configure > Network Profiles > Role Profile.

   

2. Add a Role Profile using the setting below

   Network Settings

   Field	Student 1	Student 2
   Role Name	Portal ## Role	Portal ## Role
   Profile Name	Portal ## Role	Portal ## Role
   Redirection	Enabled	Enabled
   Redirection Type	Static Redirection	Static Redirection
   Redirect URL	<Copied from AGNI>	<Copied from AGNI>
   HTTPS Redirection	Enabled	Enabled
   Common Name	www.arista.com	www.arista.com
   Organization	Arista Networks	Arista Networks
   Organization Unit	Arista Networks	Arista Networks

   

3. Click Save at the bottom of the page.

Guest Role Profile

Next, we’ll configure a Guest Role in CV-CUE to assign to Guest Users post authentication.

1. In CV-CUE, navigate back to Configure > Network Profiles > Role Profile.

2. Click Add Role Profile.

3. Add the Role Name as follows, this role is simple, but see the additional information below to explore some of the options you have with roles.

   Network Profiles

   Field	Student 1	Student 2
   Role Name	Guest ## Role	Guest ## Role

   

4. Click Save at the bottom of the page

5. You should now have two roles, we will refer back to these roles in both the AGNI and CUE SSID configuration.

   

Additional Information

• VLAN

  ---

  In this lab the VLAN is set to 0. In production networks you would define the Guest VLAN ID or Name that you want to assign to the Guest Users.

• Firewall

  ---

  Layer 3-4 and Application Firewall Rules can be assigned to the Guest User Role.

• User Bandwidth Control

  ---

  Upload and Download Bandwidth Limits can be assigned to the Guest User Role.

Portal Segment (AGNI)

Next, we’ll configure a Segment in AGNI to assign the Guest Role Profile post authentication.

1. Go back to AGNI and navigate to the Access Control > Segments.

2. Add a new Segment by clicking on + Add Segment

   Conditions for segments must MATCH ALL conditions line by line.

   Network Settings

   Field	Student 1	Student 2
   Name	ATD-##-GUEST	ATD-##-GUEST
   Condition	Network:Name is ATD-##-GUEST	Network:Name is ATD-##-GUEST
   Action	Arista-WiFi:Assign Role Profile	Arista-WiFi:Assign Role Profile
   Action Role Profile	Guest ## Role	Guest ## Role

   

3. Click Add Segment at the bottom of the page.

4. Let's now add the Guest SSID

Guest Portal SSID (CV-CUE)

Lastly, we’ll configure and enable the Guest Captive Portal SSID and assign the pre and post authentication roles.

1. Let's navigate back to CV-CUE

2. Select Correct location ACorp

   CV-CUE Locations

   Reminder, make sure you have selected your appropriate corporation before creating the SSID!

3. Navigate to Configure > WiFi and click on Add SSID

   

4. Configure the SSID Basic settings using the settings below

   SSID Basic Settings

   Setting	Student 1	Student 2
   SSID Name	ATD-##-GUEST	ATD-##-GUEST
   SSID Type	Private	Private

   

5. Click the 3 dots and select Access Control tab and configure using the settings below

   SSID Access Control Settings

   Setting	Value	Notes
   Client Authentication
   Authentication Type	Radius MAC Authentication
   RadSec
   Authentication Server	AGNI-01	AGNI Radsec Server was configured already
   Accounting Server	AGNI-01
   Role Based Control
   Rule Type	802.1X Default VSA
   Operand	Match
   Assign Role	Select All	Created in previous section
   Send DHCP Options and HTTP User Agent

   

   

6. Once all settings have been set, Click the Save & Turn SSID On button at the bottom of the page.

7. You will be prompted to customize before enabling, select the 5 GHz option on the next screen (un-check the 2.4 GHz box if it’s checked), then click Turn SSID On.

   

8. Join the new WiFi and verify connectivity in CUE and AGNI

   Join the guest WiFi!

   Give it a moment for the new SSID to come up, but once it's up try and join the WiFi! You should be prompted with a captive portal, click on the a

   CV-CUEAGNI

   Navigate to Monitor > Clients in CV-CUE

   

   Navigate to Sessions in AGNI

   

Tunneling Guest Traffic

To highlight Arista's Controller-less Architecture we will use the labs spine MLAG switches to terminate the AP tunnel with VXLAN configured and tunnel guest traffic.

Create Tunnel Profile (CV-CUE)

1. Under the Configure section, click on Network Profiles > Tunnels
2. Select the correct location in your hierarchy

3. Select Add Tunnel Interface

   Network Profiles

   Setting	Value
   Tunnel Interface Name	tunnel-##
   Tunnel Type	VXLAN
   Remote Endpoint	1.1.1.1
   Local Endpoint VLAN	0
   VXLAN VNI Offset	10200

4. Click Save

   

Assign SSID to Tunnel Profile

1. Under the Configure section, click on WiFi
2. Select the correct location in your hierarchy
3. Select the pencil to edit Guest SSID
4. Select Network
5. Change Network Mode to L2 Tunnel
6. Select the tunnel-##

7. Click Save

   

Monitor Tunnels

1. Under the Monitor section, click on WiFi
2. Verify your location in the hierarchy

3. Click on Tunnels or the tunnel icon on the top row

   Notice the client IP Address is now using network 10.1.200.##

   

4. Verify if the Tunnels are green

   

Review VXLAN on spine1 or spine2 in CVaas

Screenshot shows VLAN200 mapped to VNI10200 and VXLAN clients with VLAN200 IPs

🎉 CONGRATS! You have completed this lab! 🎉

LET'S GO TO THE NEXT LAB!