MAC authentication using RADIUS (MAB) HowTo
Introduction
This document describes a setup of MAC authentication using a RADIUS to authorise MAC addresses (also referred to as MAB). For an overview of all available configuration settings for Port Access Control, refer to the configuration section in the Port Access Control Guide.
Overview
Below is the topology of the devices in this setup.
Figure 1: Topology of the setup

Authentication server: a RADIUS server at 10.0.1.2, connected to an uncontrolled port of the WeOS switch/router on VLAN 1 (10.0.1.0/24).
Authenticator (WeOS switch/router): 10.0.1.1 on VLAN 1 (10.0.1.0/24) and 10.0.2.2 on VLAN 2 (10.0.2.0/24); the upstream network is reached via the gateway 10.0.2.1 on VLAN 2, behind port eth8.
Controlled ports: eth1..eth4, all traffic blocked by the authenticator until the connected host has been authorised.
Host/supplicant H1: IP 10.0.1.43/24, gateway 10.0.1.1, connected to a controlled port.
Configuration
First, the VLANs and IP addresses of the WeOS router are configured, see Figure 1 above. It is assumed that all ports are assigned (untagged) to VLAN 1 from the start. For more information, see VLAN configuration.
example:/#> config
example:/config/#> vlan 2
example:/config/vlan-2/#> untagged eth8
example:/config/vlan-2/#> end
example:/config/#> iface vlan1
example:/config/iface-vlan1/#> no inet
example:/config/iface-vlan1/#> inet static 10.0.1.1/24
example:/config/iface-vlan1/inet-static-10.0.1.1/#> end
example:/config/iface-vlan1/#> end
example:/config/#> iface vlan2
example:/config/iface-vlan2/#> inet static 10.0.2.2/24
example:/config/iface-vlan2/inet-static-10.0.2.2/#> end
example:/config/iface-vlan2/#> end
example:/config/#> ip
example:/config/ip/#> route default 10.0.2.1
example:/config/ip/#> leave
example:/#>
It is assumed that an external RADIUS server is already set up with appropriate settings for MAC Authentication (WeOS uses the RADIUS attribute Calling-ID to convey the MAC address). In this example, the RADIUS server is located at IP address 10.0.1.2 and is listening on the default UDP port (1812). In WeOS, a (RADIUS) remote server instance is configured for it. This is done in the AAA context.
example:/config/#> aaa
example:/config/aaa/#> remote-server 1
example:/config/aaa/remote-server-1/#> description MyRADIUS
example:/config/aaa/remote-server-1/#> address 10.0.1.2
example:/config/aaa/remote-server-1/#> password TopS3cret
example:/config/aaa/remote-server-1/#> leave
example:/#>
See Remote Server Settings for more information on how to configure a RADIUS remote server instance.
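The following is an added example (Python, not WeOS or RADIUS-server code) of what the authenticator's MAB Access-Request looks like on the wire and how the server side checks it, using the shared secret and the MAC address from this page. It assumes the MAC is sent in the same lower-case, colon-separated form as in the auth.log output, and that it appears as User-Name, as the RFC 2865 hidden User-Password and in Calling-Station-Id; the page itself only states that the Calling-ID attribute carries the MAC.

```python
import hashlib
import struct

ACCESS_REQUEST, USER_NAME, USER_PASSWORD, CALLING_STATION_ID = 1, 1, 2, 31

def _attr(atype, value):
    # RADIUS attribute TLV: type, length (including this 2-byte header), value
    return struct.pack("!BB", atype, len(value) + 2) + value

def hide_password(password, secret, authenticator):
    # RFC 2865 5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous block)
    password += b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(password), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(password[i:i + 16], key))
        out += prev
    return out

def reveal_password(hidden, secret, authenticator):
    # Inverse of hide_password, as the RADIUS server applies it
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def build_mab_request(mac, secret, authenticator, ident=1):
    # Access-Request as a MAB authenticator sends it (assumed: MAC string used as
    # User-Name, as the hidden User-Password and as Calling-Station-Id)
    attrs = (_attr(USER_NAME, mac.encode())
             + _attr(USER_PASSWORD, hide_password(mac.encode(), secret, authenticator))
             + _attr(CALLING_STATION_ID, mac.encode()))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs

def parse_attrs(packet):
    # Walk the attribute list that follows the 20-byte RADIUS header
    attrs, pos = {}, 20
    while pos + 2 <= len(packet):
        atype, alen = packet[pos], packet[pos + 1]
        attrs[atype] = packet[pos + 2:pos + alen]
        pos += alen
    return attrs

def server_decision(packet, secret, allowed_macs):
    # Server side: the revealed password must equal the Calling-Station-Id MAC and
    # that MAC must be on the allow list; anything else gets an Access-Reject
    attrs = parse_attrs(packet)
    mac = attrs[CALLING_STATION_ID]
    pw = reveal_password(attrs[USER_PASSWORD], secret, packet[4:20])
    return "authorized" if mac == pw and mac.decode().lower() in allowed_macs else "rejected"
```

The User-Password is only the MAC hidden with the shared secret, so a successful check proves that the authenticator knows the secret, while the MAC itself is an identifier rather than a secret; this is why MAB is used for devices that cannot run an 802.1X supplicant. In practice the Request Authenticator is 16 fresh random bytes per request (os.urandom(16)); a fixed value is used here only so the result is reproducible.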
Note
For best performance, it is recommended to use an IP address (rather than a domain name) when defining the RADIUS server.
With an authentication server instance created, enabling MAC Authentication on ports eth1-eth4 can be done as follows.
example:/config/#> port-access
example:/config/port-access/#> port eth1..eth4
example:/config/port-access/#> description "Site A"
example:/config/port-access/#> mac-authentication
example:/config/port-access/dot1x/#> authentication-server 1
example:/config/port-access/dot1x/#> leave
example:/#>
Status
Port access status can be shown by issuing show port-access in the admin context.
example:/#> show port-access
PORT ACCESS
Status                : Enabled
Description           : Site A
Ports                 : eth1..eth4

802.1X
Not configured.

MAC AUTHENTICATION
Status                : Enabled
Authentication server : 1 (Site A)
Local list            : Not set

MAC (MAC Auth)      STATUS      AUTH METHOD  PORT
00:80:c8:3c:25:b8   authorized  RADIUS       eth1

RECENT EVENTS (AUTH.LOG)
Nov 22 18:12:55 example macd[1965]: Auth successful for 00:80:c8:3c:25:b8 on eth1
example:/#>