Port Access Control
Table of contents
- Introduction
- 802.1X
- MAC Authentication
- 802.1X and MAC Authentication co-existence
- CLI Command Syntax
Related HowTo’s:
Introduction
Port access control is used to stop unauthorised hosts from accessing the network. Authentication is required to gain access.
Port access control provides two authentication mechanisms for hosts that wish to access a network:
- IEEE 802.1X authentication: Only clients (supplicants) able to prove their identity using the 802.1X cryptographic handshake are allowed to access the network.
- MAC authentication: Only clients with granted MAC addresses are allowed to access the network.
|
Authentication .--.-.
Server ( ( )__
.------. (_, \ ) ,_)
|RADIUS| '-'--`--'
'--+---' |Internet/
| |Intranet
.--+------+------+------+--.
| 5 6 7 8 | Authenticator
| WeOS | (Switch/Router)
| 1 2 3 4 |
'--+------+------+------+--'
| | X X <== Controlled Ports
| | |
.-+--. .-+--. .-+--.
| H1 | | H2 | | H3 | Hosts/Supplicants
'----' '----' '----'
Authorised Hosts | Blocked Ports
Switch ports configured for port access control are by default blocked for incoming traffic. Only when a connected device has successfully authenticated itself is it allowed to send data through the port. Packets from unauthorised devices are still dropped, i.e., only packets with a source MAC address of a device authorised via 802.1X or MAC authentication are allowed. Unknown multicast and broadcast are blocked from egress on a controlled port until there is at least one MAC address authenticated on that port. For unknown multicast to egress a port at all, the ‘Multicast Flood Unknown’ setting must be enabled on that port.
Port access configuration is available from the general configuration context. The example below shows how to define the set of ports subject to access control.
example:/#> config
example:/config/#> port-access
example:/config/port-access/#> port eth1..eth4
example:/config/port-access/#>
You also need to specify which control mechanism to use (802.1X or MAC-Auth, or both), and which RADIUS server or local MAC list to use for authorisation. This is described in the sections below.
IEEE 802.1X
WeOS units are able to act as IEEE 802.1X authenticators. WeOS uses the RADIUS protocol with extensions for the Extensible Authentication Protocol, EAP (RFC 2869), to communicate with a backend authentication server. WeOS includes neither a RADIUS server nor a local authentication server mechanism for 802.1X. Instead the 802.1X authentication server must be provided externally, as depicted in Figure 1.
Assuming you have already set up a RADIUS server instance, configuring port access control with 802.1X can be done as follows (the 802.1X Basic Setup HowTo provides a more extensive example).
example:/#> config
example:/config/#> port-access
example:/config/port-access/#> port eth1..eth4
example:/config/port-access/#> dot1x
example:/config/port-access/dot1x/#> authentication-server 1
example:/config/port-access/dot1x/#> leave
example:/#>
Figure 2 and Figure 3 illustrate the principles of a successful authentication with IEEE 802.1X. In reality the protocol exchanges several messages between the supplicant, the authenticator and the RADIUS backend server (see the standard documents for details). The WeOS unit acts as the IEEE 802.1X authenticator, relaying the EAP messages between the supplicant and the RADIUS server.
Authentication |
Server .--.-.
.------. ( ( )__
|RADIUS| (_, \ ) ,_)
'--+---' '-'--`--'
RADIUS ^ | |Internet/
EAP Request | | |Intranet
.--+------+------+------+--.
| 5 6 7 8 | Authenticator
| WeOS | (Switch/Router)
| 1 2 3 4 |
'--+------+------+------+--'
X X X X <== Controlled Ports
EAPoL ^ | (All Blocked by
Request | | Authenticator)
.--+-.
| H1 |
'----'
Authentication |
Server .--.-.
.------. ( ( )__
|RADIUS| (_, \ ) ,_)
'--+---' '-'--`--'
RADIUS | | |Internet/
EAP Success V | |Intranet
.--+------+------+------+--.
| 5 6 7 8 | Authenticator
| WeOS | (Switch/Router)
| 1 2 3 4 |
'--+------+------+------+--'
| | X X X <== Controlled Ports
EAPoL | | (Port 1 unblocked
Reply V | by Authenticator)
.--+-.
| H1 |
'----'
Note
A WeOS unit acting as Authenticator will only unlock the port for the authorised MAC address. Other MAC addresses are still blocked on that port. This mode is stricter than defined in the IEEE 802.1X standard.
Specifying Authentication Server
WeOS requires an external RADIUS server to authenticate the 802.1X supplicant. It is possible to specify two servers for 802.1X, where the secondary server will be used if the first fails to answer the RADIUS authentication request.
Note
For best performance, it is recommended to use an IP address (rather than a domain name) when defining the RADIUS server.
example:/config/#> aaa
example:/config/aaa/#> remote-server 1
Creating new remote server 1
example:/config/aaa/remote-server-1/#> address 192.168.2.1
example:/config/aaa/remote-server-1/#> password MyS3cret
example:/config/aaa/remote-server-1/#> end
example:/config/aaa/#> remote-server 2
example:/config/aaa/remote-server-2/#> address 192.168.3.1
example:/config/aaa/remote-server-2/#> password MyS3cret
example:/config/aaa/remote-server-2/#> end
example:/config/#> port-access
example:/config/port-access/#> dot1x
example:/config/port-access/dot1x/#> authentication-server 1,2
example:/config/port-access/dot1x/#>
See AAA configuration for more information on how to define RADIUS servers in WeOS.
Authenticator Initiation
WeOS supports authenticator-initiated authentication as defined by §8.1.2.1 in IEEE 802.1X. This is enabled by default with an interval of 30 seconds.
When enabled, the authenticator actively sends EAP Identity Requests (every 30 seconds by default) until a supplicant successfully authenticates. The interval is configurable in the range 10-300 seconds. The example below shows how to set the interval to 60 seconds.
example:/config/port-access/#> dot1x
example:/config/port-access/dot1x/#> active-authentication 60
example:/config/port-access/dot1x/#>
no active-authentication disables authenticator-initiated authentication. If disabled, the 802.1X client (supplicant) must be capable of initiating the authentication procedure itself to gain access.
Re-authentication Interval
The authenticator can periodically request the supplicant to re-authenticate itself. By default, periodic re-authentication is disabled. If enabled, the default request interval is 3600 seconds, see the example below. The interval can be configured in the range 600 to 352800 seconds.
example:/config/port-access/#> dot1x
example:/config/port-access/dot1x/#> re-authenticate
example:/config/port-access/dot1x/#> show re-authenticate
3600
example:/config/port-access/dot1x/#>
MAC Authentication
MAC based authentication is not as secure as IEEE 802.1X. Devices are granted access based on the MAC address alone, without any cryptographic authentication exchange, and it is fairly easy to modify the MAC address on a PC and most other equipment.
To define which MAC address(es) to grant, it is possible to configure a local accept list of MAC addresses. It is also possible to let the WeOS unit use a backend RADIUS server to control which MAC addresses to accept; the latter method is also referred to as MAC authentication bypass (MAB).
Authentication |
Server .--.-.
.------. ( ( )__
|RADIUS| (_, \ ) ,_)
'--+---' '-'--`--'
RADIUS ^ | |Internet/
Calling-ID | | |Intranet
(MAC-H1) .--+------+------+------+--.
| 5 6 7 8 | Authenticator
| WeOS | (Switch/Router)
| 1 2 3 4 |
'--+------+------+------+--'
X X X X <== Controlled Ports
^ | (All Blocked by
Data Pkt | | Authenticator)
Src MAC .--+-.
(MAC-H1) | H1 |
'----'
Authentication |
Server .--.-.
.------. ( ( )__
|RADIUS| (_, \ ) ,_)
'--+---' '-'--`--'
RADIUS | | |Internet/
Accept V | |Intranet
.--+------+------+------+--.
| 5 6 7 8 | Authenticator
| WeOS | (Switch/Router)
| 1 2 3 4 |
'--+------+------+------+--'
| X X X <== Controlled Ports
| (Port 1 unblocked
| by Authenticator)
.--+-.
| H1 |
'----'
- When defining a local accept list, the list can consist of one or more MAC address patterns. A MAC pattern may contain a wild-card at the end to match a whole range of addresses. Examples: the pattern 00:11:22:33:44:55 matches exactly one address, while the pattern 00:aa:bb:* matches all addresses beginning with 00:aa:bb.
- When using a RADIUS server (MAB), it is currently only possible to specify a single server. WeOS passes the MAC address of the connecting host in a RADIUS Calling-ID attribute.
- It is possible to use both an accept list and a RADIUS server.
example:/config/#> aaa
example:/config/aaa/#> mac-auth 1
example:/config/aaa/mac-auth-1/#> mac match 00:11:22:33:44:55
example:/config/aaa/mac-auth-1/#> mac match 00:aa:7c:*
example:/config/aaa/mac-auth-1/#> end
example:/config/aaa/#> end
example:/config/#> port-access
example:/config/port-access/#> mac-authentication
example:/config/port-access/mac-auth/#> accept-list 1
example:/config/port-access/mac-auth/#>
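The accept-list matching described above, as an added example written for this page (it is not WeOS code, and WeOS's exact matching rules are not documented here): the example assumes that a wild-card may only replace whole trailing octets, as in the patterns shown above, and that '-' separators are tolerated alongside ':'. The list and the addresses tested are constructed.

```python
import re

# Constructed accept list in the style of the page's mac-auth example:
# one exact address and one prefix pattern with a trailing wild-card.
ACCEPT_LIST = ["00:11:22:33:44:55", "00:aa:7c:*"]

_MAC_RE = re.compile(r"^[0-9a-f]{2}(:[0-9a-f]{2}){5}$")


def normalise_mac(mac):
    """Lower-case a MAC, accept '-' as separator, reject malformed input.

    Normalising before comparison matters: an accept list is only as good
    as the canonical form it is compared against."""
    mac = mac.strip().lower().replace("-", ":")
    if not _MAC_RE.match(mac):
        raise ValueError("malformed MAC address: %r" % mac)
    return mac


def compile_pattern(pattern):
    """Turn an accept-list entry into a predicate over normalised MACs.

    Assumption for this example: a wild-card is only valid as the final
    component ('00:aa:7c:*'), i.e. at an octet boundary."""
    p = pattern.strip().lower().replace("-", ":")
    if p.endswith(":*"):
        prefix = p[:-1]  # keep the trailing ':' so '00:a' cannot match '00:ab'
        n = prefix.count(":")
        if n < 1 or n > 5 or not re.match(r"^([0-9a-f]{2}:){%d}$" % n, prefix):
            raise ValueError("bad MAC pattern: %r" % pattern)
        return lambda mac: mac.startswith(prefix)
    exact = normalise_mac(p)
    return lambda mac: mac == exact


def mac_allowed(mac, accept_list=ACCEPT_LIST):
    """True if the MAC matches at least one pattern in the accept list."""
    mac = normalise_mac(mac)
    return any(compile_pattern(p)(mac) for p in accept_list)


if __name__ == "__main__":
    for candidate in ("00:11:22:33:44:55", "00-AA-7C-12-34-56", "00:aa:7d:00:00:00"):
        print(candidate, "->", "authorized" if mac_allowed(candidate) else "blocked")
```

Because a wild-card pattern grants a whole vendor prefix, every address in that range is accepted regardless of which device presents it; keep such entries as narrow as the deployment allows.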
See AAA configuration for more information on how to define RADIUS servers in WeOS.
The MAC-Auth using RADIUS and MAC-Auth using local list HowTo’s provide more extensive examples.
802.1X and MAC Authentication co-existence
Warning
Using 802.1X and MAC Authentication at the same time is possible, but currently untested and its use is discouraged.
It is currently only possible to set up a single port access control instance. It is possible to enable both 802.1X and MAC Authentication for this instance. A reason for using both methods could be a network with a mix of 802.1X capable devices and legacy (non-802.1X capable) devices.
If both authorisation methods are enabled, 802.1X has precedence. If a client/supplicant indicates that it is 802.1X capable (by exchanging EAPoL messages), this has the following implications:
- If the client has MAC-Auth in progress, it will be terminated
- If the client has been authenticated via MAC-Auth, that authentication will be terminated
- If the client fails to authenticate via 802.1X, the switch will not fallback to try MAC-Auth.
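The precedence rules above, modelled as an added example (not WeOS code): a per-port table of hosts in which an EAPoL frame from a host switches that host to 802.1X and discards any MAC-Auth state, and a failed 802.1X attempt leaves the host blocked with no MAC-Auth fallback. The event names (data_packet, eapol, mac_auth_result, dot1x_result) and the state names are assumptions made for the illustration, not WeOS internals.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass
class HostState:
    method: Optional[str] = None   # "dot1x" or "mac" once an attempt has started
    status: str = "blocked"        # "blocked", "in-progress" or "authorized"
    dot1x_capable: bool = False    # set once the host has sent EAPoL


@dataclass
class PortAccess:
    """One controlled port with both methods enabled (assumed event model)."""
    dot1x: bool = True
    mac_auth: bool = True
    hosts: Dict[str, HostState] = field(default_factory=dict)

    def _host(self, mac):
        return self.hosts.setdefault(mac, HostState())

    def data_packet(self, mac):
        """A frame from an unauthenticated MAC starts MAC-Auth, unless the host
        has already shown itself to be 802.1X capable (no fallback)."""
        h = self._host(mac)
        if h.status == "blocked" and self.mac_auth and not h.dot1x_capable:
            h.method, h.status = "mac", "in-progress"
        return h.status

    def eapol(self, mac):
        """EAPoL proves 802.1X capability: MAC-Auth in progress or already
        granted is terminated and an 802.1X exchange takes its place."""
        h = self._host(mac)
        if not self.dot1x:
            return h.status
        h.dot1x_capable = True
        h.method, h.status = "dot1x", "in-progress"
        return h.status

    def mac_auth_result(self, mac, accepted):
        """Outcome of accept-list / RADIUS MAB lookup for a MAC-Auth attempt.
        A result for an attempt that 802.1X has superseded is ignored."""
        h = self._host(mac)
        if h.method != "mac" or h.status != "in-progress":
            return h.status
        h.status = "authorized" if accepted else "blocked"
        return h.status

    def dot1x_result(self, mac, success):
        """EAP Success / Failure relayed from the RADIUS server. On failure the
        host stays blocked; dot1x_capable prevents a MAC-Auth retry."""
        h = self._host(mac)
        if h.method != "dot1x":
            return h.status
        h.status = "authorized" if success else "blocked"
        return h.status

    def allowed(self, mac):
        """Only frames from an authorized source MAC pass the controlled port."""
        return self.hosts.get(mac, HostState()).status == "authorized"
```

Usage: create PortAccess(), feed it data_packet()/eapol() events per source MAC and the results coming back from the accept list or RADIUS, and consult allowed() for the forwarding decision.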
CLI Command Syntax
Port Access Control Context
Port Access Control context is reached via the General Configuration context.
example:/#> config
example:/config/#> port-access
example:/config/port-access/#>
[no] port-access
    Create and configure port access control.
    no
        Remove port access control.
[no] enable
    Activate or deactivate port access control. Deactivating does not remove the port access control configuration.
    no
        Disable/deactivate port access control.
[no] port <PORT(S) | all>
    Enable or disable port access control for the specified PORT(S).
    port PORT(S)|all
        This will lock PORT(S) and thus block any host trying to access the network through PORT(S) until that host has successfully been authenticated. The lock takes effect when the user commits the new configuration.
        Use with care, as there is a risk of being locked out from management if done remotely (SSH, Web, etc.). In particular, use of the all keyword will lock all layer-2 ports.
    no
        Disable port access control of PORT(S).
[no] description [STRING]
    Free-form string describing the current port access control configuration.
    no
        Remove description.
[no] dot1x
    Enable (and enter) or disable the 802.1X sub-context.
    When enabled, this option enters the 802.1X configuration context. See 802.1X configuration context below.
    no
        Disable 802.1X.
[no] mac-auth
    Enable (and enter) or disable the MAC authentication sub-context.
    When enabled, this option enters the MAC authentication configuration context. See MAC authentication configuration context below.
    no
        Disable MAC authentication.
802.1X Configuration Context
802.1X configuration is a sub-context of the port access control context.
example:/config/#> port-access
example:/config/port-access/#> dot1x
example:/config/port-access/dot1x/#>
[no] enable
    Enable or disable 802.1X authentication.
    no
        Disable 802.1X authentication.
[no] authentication-server <SERVER-ID|SERVER-ID,SERVER-ID>
    Which authentication server(s) to use.
    SERVER-ID
        The ID of the (RADIUS) authentication server to use. If no authentication server with the specified ID exists, or it is misconfigured, a warning will be shown. For information on configuring authentication servers, see AAA configuration.
    no
        Disable the use of the given authentication server.
[no] active-authentication [INTERVAL]
    Enable or disable active authentication. Default: enabled with an interval of 30 seconds.
    INTERVAL
        INTERVAL in seconds (range 10-300). The argument is optional, with a default of 30 seconds.
    no
        Disable active authentication.
[no] re-authenticate [INTERVAL]
    Enable or disable periodic re-authentication. Default: disabled.
    INTERVAL
        INTERVAL in seconds (range 600-352800 seconds, i.e., 10 minutes to 1 week). The argument is optional, with a default of 3600 seconds.
    no
        Disable periodic re-authentication.
MAC Auth Configuration Context
MAC authentication configuration is a sub-context of the port access control context.
example:/config/#> port-access
example:/config/port-access/#> mac-authentication
example:/config/port-access/mac-auth/#>
[no] enable
    Enable or disable MAC authentication.
    no
        Disable MAC authentication.
[no] authentication-server <SERVER-ID>
    Which authentication server to use.
    SERVER-ID
        The ID of the (RADIUS) authentication server to use. If no authentication server with the specified ID exists, or it is misconfigured, a warning will be shown. For information on configuring authentication servers, see AAA configuration.
    no
        Disable the use of the given authentication server.
[no] accept-list <MAC-LIST-ID>
    Which allowed MAC list to use.
    MAC-LIST-ID
        The ID of the MAC list to use. If the specified MAC-LIST-ID does not exist, or it is misconfigured, a warning will be shown. For information on creating MAC lists, see AAA configuration.
    no
        Disable the use of the given MAC list.
Port Access Control Status
The example below shows status output in a setup where both 802.1X and MAC-Auth are used for port access control on ports eth1..eth4. For MAC-Auth, both a local accept-list and a backend RADIUS server are used.
example:/#> show port-access
PORT ACCESS
Status                : Enabled
Description           : No description
Ports                 : eth1..eth4

802.1X
Status                : Enabled
Authentication server : 1
Active authentication : 30
Re-authenticate       : Disabled

MAC AUTHENTICATION
Status                : Enabled
Authentication server : 2 (Server2)
Local list            : 1 (Site A)

MAC (802.1X)        STATUS      AUTH METHOD  PORT
00:80:c8:3c:25:b8   authorized  RADIUS       eth3

MAC (MAC Auth)      STATUS      AUTH METHOD  PORT
b0:b1:b2:b3:b4:b5   authorized  RADIUS       eth1
f0:f0:f0:11:11:11   authorized  accept-list  eth1

RECENT EVENTS (AUTH.LOG)
Nov 21 10:31:37 example hostapd: Auth successful for 00:80:c8:3c:25:b8 on eth3
Nov 21 10:31:38 example macd[2271]: Auth failed for 00:80:c8:3c:25:b8 on eth3
Nov 21 10:31:39 example macd[2271]: Auth failed for 00:07:7c:06:e0:a4 on eth1
Nov 21 10:31:39 example macd[2271]: Auth successful for b0:b1:b2:b3:b4:b5 on eth1
Nov 21 10:31:45 example macd[2271]: Auth successful for f0:f0:f0:11:11:11 on eth1
example:/#>
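The RECENT EVENTS lines are a useful detection feed: a host that repeatedly fails on a controlled port and is never authorised there is worth a look. The following is an added example, not part of WeOS, that parses lines in the format shown above (assuming, as the output suggests, that hostapd entries are 802.1X events and macd entries are MAC-Auth events) and reports authorised hosts per port together with hosts whose attempts all failed. The sample input reproduces the five log lines above; the field names in the result are this example's own.

```python
import re
from collections import defaultdict

# Sample input: the five event lines from the show port-access output above.
SAMPLE_LOG = """\
Nov 21 10:31:37 example hostapd: Auth successful for 00:80:c8:3c:25:b8 on eth3
Nov 21 10:31:38 example macd[2271]: Auth failed for 00:80:c8:3c:25:b8 on eth3
Nov 21 10:31:39 example macd[2271]: Auth failed for 00:07:7c:06:e0:a4 on eth1
Nov 21 10:31:39 example macd[2271]: Auth successful for b0:b1:b2:b3:b4:b5 on eth1
Nov 21 10:31:45 example macd[2271]: Auth successful for f0:f0:f0:11:11:11 on eth1
"""

# Syslog-style prefix, daemon name with optional [pid], then the auth verdict.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d\d:\d\d:\d\d)\s+(?P<host>\S+)\s+"
    r"(?P<daemon>hostapd|macd)(?:\[\d+\])?:\s+Auth\s+(?P<result>successful|failed)"
    r"\s+for\s+(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})\s+on\s+(?P<port>\S+)$"
)

# Assumed mapping from logging daemon to authentication method.
METHOD = {"hostapd": "802.1X", "macd": "MAC-Auth"}


def parse_events(text):
    """Return a list of event dicts; lines that are not auth events are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        events.append({
            "ts": d["ts"],
            "method": METHOD[d["daemon"]],
            "ok": d["result"] == "successful",
            "mac": d["mac"],
            "port": d["port"],
        })
    return events


def summarise(events):
    """Per-port authorised hosts, failure counts, and hosts that never succeeded.

    A host that failed one method but was authorised by the other on the same
    port (00:80:c8:3c:25:b8 above) is not reported as unresolved."""
    authorized = defaultdict(dict)   # port -> {mac: method that authorised it}
    failures = defaultdict(int)      # (port, mac, method) -> failed attempts
    for e in events:
        if e["ok"]:
            authorized[e["port"]][e["mac"]] = e["method"]
        else:
            failures[(e["port"], e["mac"], e["method"])] += 1
    unresolved = sorted({(port, mac) for (port, mac, _m) in failures
                         if mac not in authorized.get(port, {})})
    return {
        "authorized": {p: dict(v) for p, v in authorized.items()},
        "failures": dict(failures),
        "unresolved": unresolved,
    }


if __name__ == "__main__":
    report = summarise(parse_events(SAMPLE_LOG))
    for port, hosts in sorted(report["authorized"].items()):
        print(port, hosts)
    print("never authorised:", report["unresolved"])
```

Run against a longer auth.log export, the unresolved list gives the (port, MAC) pairs to follow up, and the failure counts show whether a host is retrying.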