WeOSMAC authentication using RADIUS (MAB) HowTo
Introduction
This document describes a setup of MAC authentication using a RADIUS to authorise MAC addresses (also referred to as MAB). For an overview of all available configuration settings for Port Access Control, refer to the configuration section in the Port Access Control Guide.
Overview
Below is the topology of the devices in this setup.
|
.--.-.
Authentication ( ( )__
Server (_, \ ) ,_)
.------. '-'--`--'
|RADIUS| | GW 10.0.2.1
'--+---' | VLAN 2
| 10.0.1.2 | 10.0.2.0/24
| | 10.0.2.2
.--+------+------+------+--.
Authenticator | 5 6 7 8 |
(Switch/Router) | WeOS |
10.0.1.1 | 1 2 3 4 |
'--+------+------+------+--'
X X X X <== Controlled Ports
| VLAN 1 (All Blocked by
| 10.0.1.0/24 Authenticator)
.--+-.
| H1 | (Host/Supplicant)
'----' IP 10.0.1.43/24
GW 10.0.1.1
Figure 1: A basic setup of port access control using MAC Authentication. Ports eth1-eth4 are controlled. Here ports eth1-eth7 are on VLAN 1 and eth8 is on VLAN 2, but they could be on the same VLAN.
Configuration
First VLANs and IP addresses of the WeOS router is configured, see Figure 1 above. It is assumed that all ports are assigned (untagged) to VLAN 1 from start. For more information, see VLAN configuration.
example:/#> config example:/config/#> vlan 2 example:/config/vlan-2/#> untagged eth8 example:/config/vlan-2/#> end example:/config/#> iface vlan1 example:/config/iface-vlan1/#> no inet example:/config/iface-vlan1/#> inet static 10.0.1.1/24 example:/config/iface-vlan1/inet-static-10.0.1.1/#> end example:/config/iface-vlan1/#> end example:/config/#> iface vlan2 example:/config/iface-vlan2/#> inet static 10.0.2.2/24 example:/config/iface-vlan2/inet-static-10.0.2.2/#> end example:/config/iface-vlan2/#> end example:/config/#> ip example:/config/ip/#> route default 10.0.2.1 example:/config/ip/#> leave example:/#>
It is assumed that an external RADIUS server is already setup with appropriate settings for MAC Authentication (WeOS uses RADIUS attribute Calling-ID to convey the MAC address). In this example, the RADIUS server is located at IP address 10.0.1.2, and is listening to the default UDP port (1812). In WeOS, a (RADIUS) remote server instance configured. This is done in the AAA context.
example:/config/#> aaa example:/config/aaa/#> remote-server 1 example:/config/aaa/remote-server-1/#> description MyRADIUS example:/config/aaa/remote-server-1/#> address 10.0.1.2 example:/config/aaa/remote-server-1/#> password TopS3cret example:/config/aaa/remote-server-1/#> leave example:/#>
See Remote Server Settings for more information on how to configure a RADIUS remote server instance.
Note
For best performance, it is recommended to use IP address (rather than domain name) when defining the RADIUS server.
With an authentication server instance created, enabling MAC Authentication on ports eth1-eth4 can be done as follows.
example:/config/#> port-access Creating new Port Access instance 1. example:/config/port-access-1/#> port eth1..eth4 example:/config/port-access-1/#> description "Site A" example:/config/port-access-1/#> port-method mac-based example:/config/port-access-1/#> mac-authentication example:/config/port-access-1/mac-auth/#> authentication-server 1 example:/config/port-access-1/mac-auth/#> leave example:/#>
Port Method
In this example we explicitly set the port method to mac-based, which is
also the default setting. With this method, each individual client must be
authenticated and its MAC address is unlocked on the port. For more
information about port methods, see Port Method.
Status
Port access status can be shown by issuing show port-access in the admin context.
example:/#> show port-access Number of Port Access Instances: 1 Table Instance Dividers : Disabled ╒ 802.1X Authentications ════════════════════════════════════════════════════╕ │# MAC-ADDRESS SUPPLICANT PORT SERVER DATE-ADDED │ │No authenticated 802.1X clients found. │ └────────────────────────────────────────────────────────────────────────────┘ ╒ MAC Auth Authentications ══════════════════════════════════════════════════╕ │# MAC-ADDRESS PORT METHOD DATE-ADDED │ │1 00:80:c8:3c:25:b8 eth1 MAB (10.0.1.2:1812) Nov 22 18:12:55│ └────────────────────────────────────────────────────────────────────────────┘ ╒ Ports ═════════════════════════════════════════════════════════════════════╕ │PORT METHOD STATE AUTHENTICATED-MAC │ │eth1 MAC Based 1 Authentication 00:80:c8:3c:25:b8 │ │eth2 MAC Based 0 Authentications - │ │eth3 MAC Based 0 Authentications - │ │eth4 MAC Based 0 Authentications - │ └────────────────────────────────────────────────────────────────────────────┘ ╒ VLAN Assignment ═══════════════════════════════════════════════════════════╕ │PORT ENABLED STATE FROM ASSIGNING-CLIENT VLAN │ │eth1 No Unassigned - - - │ │eth2 No Unassigned - - - │ │eth3 No Unassigned - - - │ │eth4 No Unassigned - - - │ └────────────────────────────────────────────────────────────────────────────┘ - Use 'show port-access audit' to display related events in the audit log. - Use 'show port-access INSTANCE' to show details for a specific instance. - Use 'port-access instance-dividers' to enable dividers between instances in the tables. example:/#>
For more information about the status output and the different tables, see Port Access Control Status.