IEEE 802.1X Basic Setup HowTo
Introduction
This document describes a basic setup of port access control using 802.1X. For an overview of all available configuration settings for Port Access Control, refer to the configuration section in the Port Access Control Guide.
Overview
Below is the topology of the devices in this setup.
                                         |
                                      .--.-.
                 Authentication      ( (    )__
                 Server             (_,  \ ) ,_)
                 .------.            '-'--`--'
                 |RADIUS|                | GW 10.0.2.1
                 '--+---'                | VLAN 2
                    | 10.0.1.2           | 10.0.2.0/24
                    |                    | 10.0.2.2
Authenticator    .--+------+------+------+--.
(Switch/Router)  |  5      6      7      8  |
10.0.1.1         |          WeOS            |
                 |  1      2      3      4  |
                 '--+------+------+------+--'
                    X      X      X      X   <== Controlled Ports
                    | VLAN 1                     (All Blocked by
                    | 10.0.1.0/24                Authenticator)
                 .--+-.
                 | H1 |  (Supplicant)
                 '----'  IP 10.0.1.43/24
                         GW 10.0.1.1
Configuration
First, the VLANs and IP addresses of the WeOS router are configured, see Figure 1 above. It is assumed that all ports are assigned (untagged) to VLAN 1 from the start. For more information, see VLAN configuration.
example:/#> config
example:/config/#> vlan 2
example:/config/vlan-2/#> untagged eth8
example:/config/vlan-2/#> end
example:/config/#> iface vlan1
example:/config/iface-vlan1/#> no inet
example:/config/iface-vlan1/#> inet static 10.0.1.1/24
example:/config/iface-vlan1/inet-static-10.0.1.1/#> end
example:/config/iface-vlan1/#> end
example:/config/#> iface vlan2
example:/config/iface-vlan2/#> inet static 10.0.2.2/24
example:/config/iface-vlan2/inet-static-10.0.2.2/#> end
example:/config/iface-vlan2/#> end
example:/config/#> ip
example:/config/ip/#> route default 10.0.2.1
example:/config/ip/#> leave
example:/#>
It is assumed that an external RADIUS server is already set up with appropriate settings for 802.1X. In this example, the RADIUS server is located at IP address 10.0.1.2 and listens on the default UDP port (1812). In WeOS, a (RADIUS) remote server instance is configured for it. This is done in the AAA context.
example:/config/#> aaa
example:/config/aaa/#> remote-server 1
example:/config/aaa/remote-server-1/#> description MyRADIUS
example:/config/aaa/remote-server-1/#> address 10.0.1.2
example:/config/aaa/remote-server-1/#> password TopS3cret
example:/config/aaa/remote-server-1/#> leave
example:/#>
See Remote Server Settings for more information on how to configure a RADIUS remote server instance.
Note
For best performance, it is recommended to use an IP address (rather than a domain name) when defining the RADIUS server.
With an authentication server instance created, 802.1X access control can be enabled on ports eth1-eth4 as follows.
example:/config/#> port-access
example:/config/port-access/#> port eth1..eth4
example:/config/port-access/#> description "Site A"
example:/config/port-access/#> dot1x
Authentication server not set.
example:/config/port-access/dot1x/#> authentication-server 1
example:/config/port-access/dot1x/#> leave
example:/#>
Status
Port access status can be shown by issuing show port-access in the admin context.
example:/#> show port-access
PORT ACCESS
Status                : Enabled
Description           : Site A
Ports                 : eth1..eth4

802.1X
Status                : Enabled
Authentication server : 1
Active authentication : 30
Re-authenticate       : Disabled

MAC AUTHENTICATION
Not configured.

MAC                (802.1X) STATUS   AUTH METHOD   PORT
00:80:c8:3c:25:b8  authorized        RADIUS        eth1

RECENT EVENTS (AUTH.LOG)
Nov 22 14:13:29 example hostapd: Auth successful for 00:80:c8:3c:25:b8 on eth1
example:/#>
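As an added example that is not part of this HowTo and not WeOS code, the Python script below parses the show port-access output above and checks it against the setup made in this HowTo: port access and 802.1X enabled, an authentication server set, the expected port range, every station authorized, and each authorized station matched by a success line in the auth log. The sample text is the output shown above, embedded as a string. Status strings other than "authorized", and the assumption that the station table and the hostapd log line always carry the same MAC and port, are assumptions made for the example.

```python
import re

# Constructed sample input: the "show port-access" output from this HowTo,
# embedded as a string so the parser can be run offline.
SAMPLE_OUTPUT = """\
PORT ACCESS
Status                : Enabled
Description           : Site A
Ports                 : eth1..eth4

802.1X
Status                : Enabled
Authentication server : 1
Active authentication : 30
Re-authenticate       : Disabled

MAC AUTHENTICATION
Not configured.

MAC                (802.1X) STATUS   AUTH METHOD   PORT
00:80:c8:3c:25:b8  authorized        RADIUS        eth1

RECENT EVENTS (AUTH.LOG)
Nov 22 14:13:29 example hostapd: Auth successful for 00:80:c8:3c:25:b8 on eth1
"""

MAC = r"[0-9a-f]{2}(?::[0-9a-f]{2}){5}"
# One row of the station table: MAC, 802.1X status, auth method, port.
STATION_RE = re.compile(rf"^({MAC})\s+(\S+)\s+(\S+)\s+(\S+)\s*$", re.I)
# "Key   : value" lines of the PORT ACCESS and 802.1X sections.
KV_RE = re.compile(r"^(.+?)\s*:\s*(.*)$")
# The hostapd success line as it appears in the output above (assumed stable).
AUTH_OK_RE = re.compile(rf"Auth successful for ({MAC}) on (\S+)", re.I)
EVENTS = "RECENT EVENTS (AUTH.LOG)"


def parse_port_access(text):
    """Split the output into per-section key/value dicts, station rows and log lines."""
    sections, stations, events = {}, [], []
    current = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        if current == EVENTS:          # everything after the events heading is a log line
            events.append(line)
            continue
        m = STATION_RE.match(line)
        if m:
            stations.append({"mac": m.group(1).lower(), "status": m.group(2),
                             "method": m.group(3), "port": m.group(4)})
            continue
        if line.startswith("MAC") and "STATUS" in line:   # station table header
            current = "STATIONS"
            continue
        kv = KV_RE.match(line)
        if kv:
            sections.setdefault(current, {})[kv.group(1).strip().lower()] = kv.group(2).strip()
        elif line.endswith("."):       # one-line note such as "Not configured."
            sections.setdefault(current, {})["note"] = line
        else:                          # a section heading
            current = line
            sections.setdefault(current, {})
    return {"sections": sections, "stations": stations, "events": events}


def audit(parsed, expected_ports):
    """Return findings where the running state differs from the setup in this HowTo.

    Only "authorized" appears in the output above; any other status string is
    an assumption and is simply reported as-is.
    """
    findings = []
    pa = parsed["sections"].get("PORT ACCESS", {})
    dot1x = parsed["sections"].get("802.1X", {})
    if pa.get("status") != "Enabled":
        findings.append("port access is not enabled")
    if pa.get("ports") != expected_ports:
        findings.append(f"controlled ports are {pa.get('ports')!r}, expected {expected_ports!r}")
    if dot1x.get("status") != "Enabled":
        findings.append("802.1X is not enabled")
    if not dot1x.get("authentication server"):
        findings.append("no authentication server configured for 802.1X")
    for st in parsed["stations"]:
        if st["status"] != "authorized":
            findings.append(f"{st['mac']} on {st['port']} is {st['status']}")
    # Cross-check: an authorized station should have a matching success event
    # in the recent auth log; only the events the command prints are visible.
    seen = {(m.group(1).lower(), m.group(2))
            for m in map(AUTH_OK_RE.search, parsed["events"]) if m}
    for st in parsed["stations"]:
        if st["status"] == "authorized" and (st["mac"], st["port"]) not in seen:
            findings.append(f"{st['mac']} on {st['port']} authorized without a logged success event")
    return findings


if __name__ == "__main__":
    result = audit(parse_port_access(SAMPLE_OUTPUT), "eth1..eth4")
    print("OK" if not result else "\n".join(result))
```

On a live switch, feed the script the captured command output instead of SAMPLE_OUTPUT. The auth-log cross-check only sees the recent events the command prints, so a station authorized long ago may be reported as lacking a success event; treat that finding as a prompt to consult the full auth log rather than as a failure.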