Need help with wilson?
Click the “chat” button below for chat support from the developer who created it, or find similar developers for support.

About the developer

145 Stars 10 Forks Mozilla Public License 2.0 14 Commits 0 Opened issues


A Go (golang) dot1x server that runs locally on network switches as a secondary authentication server

Services available


Need anything else?

Contributors list

# 500,277
11 commits


wilsonA Go (golang) dot1x server that runs locally on network switches as a secondary authentication server. When a switch becomes stranded from its primary dot1x server, wilson will authenticate endpoints by OUI using a flexible policy. Wilson was developed to provide supplemental

policy-map type control
support for an Arista EOS campus healthcare environment with colorless ports and a high up-time requirement.


This is effectively a prototype. While it servers the intended purpose, it needs tests and perhaps some refactoring. The goal of wilson is to be easily readable and maintainable.

Installation & Compilation

go get -u

Wilson will run once compiled without modification on most platforms. Simply clone this repository and compile wilson.go in the apps folder. For Arista EOS switches, use the 386 architecture.

# GOARCH=386 go build app/wilson.go


When executed for the first time, wilson expects to load its configuration from URL. Subsequent executions will use a defined configuration file (.wilson by default) automatically created in the directory containing the directory if the the server is unreachable or if the URL flag is omitted.

./wilson -url

For implementations on Arista EOS, consider using an event-handler or even perhaps rc.eos.

Wilson expects the configuration to conform to a known JSON schema. Below is an example of a configuration file.

    "configFile": ".wilson",
    "configRefresh": 5,
    "configURL": "",
    "serverBinding": "",
    "serverSecret": "127001",
    "policies": [{
            "comment": "Issue an access-accept for trusted Roche analyzers",
            "clientOui": "B8:78:79",
            "clientVlan": 5,
            "radiusCode": 2
            "comment": "Issue an access-reject for unauthorized TP-Link endpoints",
            "clientOui": "d8-07-b6",
            "clientVlan": 0,
            "radiusCode": 2
            "comment": "Ignore all other requestst; the default policy is the last policy",
            "clientOui": "0000.00",
            "clientVlanvlan": 0,
            "radiusCode": 0

| Parameter | Description | | ------------- | ------------------------------------------------------------ | | configFile | This is the path to the configuration that will be saved locally if the the server hosting the URL config is unavailable. | | configRefresh | The interval in seconds to poll the server for configuration updates. | | configURL | The URL to the initial configuration file. | | serverBinding | The server binding used for requests. Typically this will be localhost for obvious reasons. | | serverSecret | The RADIUS secret to authenticate the NAS client. | | comment | Ignored by wilson. This is for humans. | | clientOui | A 24-bit hexadecimal string representing the OUI of a MAC address. Delimiters (":", "-", ".") are ignored. | | clientVlan | The VLAN to be assigned to the client on access-accept. | | radiusCode | Standard RADIUS codes supported by the underlying radius library. A typical deployment would leverage 2 (Accept), 3 (Reject) and 0 (Ignore or discard the request). |


MPL 2.0


Alan Haynes ([email protected]).

Huge thanks to Tim Cooper for the superb radius implementation.

We use cookies. If you continue to browse the site, you agree to the use of cookies. For more information on our use of cookies please see our Privacy Policy.