How to enable Flex-Auth on the ICX switches via the SZ
Summary
The article describes the procedure to configure and enable Flex-auth [ 802.1x and mac-auth ] on the ICX switches that are on-boarded on the SZ for monitoring and management.Question
How to enable Flex-Auth on the ICX switches via the SZCustomer Environment
ICX Switches connected to SmartZone for management and monitoring, with switches facing end users with a need for authenticationTroubleshooting Steps
Note (1):The details shared here were validated across the following setups:
- 7150 stack on code 9010e
- 7150 standalone unit on code 8095
- 8200 series stack on code 10010e_cd1
The feature to enable Flex-Auth on ICX 7xxx series is not supported on the 8095xx release and requires 09010 or later.
Resolution
On the SZ, once the switch and / or switch stack is on-boarded and placed in a appropriate group.Step 1:
For Flex-Auth, the AAA servers and authentication services must be defined in the configuration.
This configuration needs to be applied at the Group Level.
To configure this:
- Navigate to:
Network ? Wired - Select the Group where the switches are placed
- Go to Configuration ? Common Config
- Click on Configure
From here, you can define the required AAA servers and services under the Flex-Auth settings.
Step 2:
Define the RADIUS Servers and AAA Services (Optional)
These settings are Group Specific and will be applied uniformly to all switches within the selected group.
Followed by [OK] and then [Close], this will have the config applied to the switch(s) that are part of the group.
Note (2):
The RADIUS server settings are applied under the default profile, which means that all AAA functions, including Flex-Auth (802.1X and MAC authentication), will utilize this configured service.
Note (3):
If the switch has already been onboarded with RADIUS server definitions and Authentication service definitions—i.e., features such as dot1x, mac-auth, auth-default, guest, restricted, and critical VLANs are enabled—then skip Step 1 and Step 2.
Begin directly from Step 3, and use the Feature Configuration section [ Step 3 (1) and (2) ] to verify synchronization between the switch and the SmartZone (SZ) configuration.
While following this workflow, the following may be observed when enabling services via the SZ UI:
This refers to an informational pop-up that appears, indicating:
If RADIUS server definitions and Authentication service settings (dot1x, mac-auth, auth-default, guest, restricted, and critical VLANs) have not been configured, ensure these are properly set up for the applied settings to function as expected.
Step 3:
To enable Flex Auth on the switch(es), configuration can be applied per port as needed or by selecting a set of ports.
The settings described here are switch-specific and apply only to the switch where the configuration is done.
1. Select the Switch:
Network >> Wired >> Select the Group >> Select the switch
2. Navigate to Flex Auth Configuration:
Configure >> AAA Feature >> Feature Configuration >> Flex_auth config
Here, define the following:
- Auth_Default_VLAN
- Guest_VLAN
Port-Specific Configuration
Per-Port Settings:
Define the following per port, based on the end-user device type connected:
- Restricted_VLAN
- Critical_VLAN
Multiple Port Configuration
When configuring multiple ports, ensure to select the 'Override' option.
This is essential:
- If any of the selected ports have existing configurations.
- Even if ports are in default/factory state, override is needed when enabling the service across multiple ports.
Note (4):
During the setup process, the option to define the auth_default_vlan appears in multiple locations. Ensure that the same VLAN ID is consistently configured across all instances to avoid misconfiguration or unexpected behavior.
Article Number:
000014952
Updated:
July 27, 2025 11:55 PM (9 months ago)
Tags:
Configuration, Installation, ICX 7550, SZ144, SZ300, ICX 7650, ICX 7150, ICX 7250, ICX 7450, SZ100D, virtual SmartCell Gateway, SZ100, ICX 8200
Votes:
0
This article is:
helpful
not helpful