Howto:802.1X EAP-TLS With FreeRadius
Revision as of 21:53, 6 August 2014
Introduction
From version 11 on, innovaphone devices offer support[1] for wired port access authentication by means of 802.1X with EAP-TLS.
This article focuses on FreeRadius. FreeRadius is an open source RADIUS server that can be used as the authentication server in an 802.1X setup.
Configuration
For the configuration of innovaphone devices refer to Reference11:Interfaces/ETH/802.1X.
Prerequisites
- An innovaphone Linux AP, IP address 192.168.178.34
- A NetGear Prosafe switch, e.g. GS110TP
- An innovaphone end device, ideally equipped with:
  - An innovaphone CA certificate
    - This CA certificate is going to be deployed within the FreeRadius server
  - An innovaphone device certificate, signed by the CA from above
FreeRadius
- Installation within a Debian distribution
    sudo apt-get install freeradius
- Edit /etc/freeradius/eap.conf
    eap {
        ..
        default_eap_type = tls
        ..
        tls {
            # Trusted Root CA list
            CA_file = ${cadir}/ca.crt
        }
        ..
    }
- In order to include the innovaphone CA certificate in the list of trusted CAs:
  - Download the innovaphone CA certificate from the innovaphone device, e.g. as inno-ca.pem.crt
  - Append that certificate to the list of trusted CAs
      cat inno-ca.pem.crt >> ca.crt
  - I.e. the FreeRadius list of trusted CAs is a single file and is extended by appending a CA certificate to the end of ca.crt. Do not redirect with a single > into ca.crt itself (cat ca.crt inno-ca.pem.crt > ca.crt): the shell truncates ca.crt before cat reads it, so the CAs already in the file would be lost.
- Edit /etc/freeradius/clients.conf
    # IP address range covering the authenticator (the NetGear switch)
    client 192.168.0.0/16 {
        secret = testing123
        shortname = private-network-192-168
    }
  - secret: the shared secret encrypting the RADIUS traffic between FreeRadius and the NetGear switch.
  - shortname: just a nickname.
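The trusted-CA step above concatenates PEM files by hand. The following POSIX shell script is an added example (not part of the original article or of the FreeRadius project) that appends a downloaded CA certificate to the bundle named by CA_file without truncating it, skips certificates that are already present, and counts the entries; the file names ca.crt and inno-ca.pem.crt are those from the article, while the PEM contents are constructed stand-ins, not real certificates.

```shell
#!/bin/sh
# Added example, not from the original page: maintain the FreeRadius
# trusted-CA bundle referenced by CA_file in eap.conf (the page's ca.crt).
# `cat ca.crt inno-ca.pem.crt > ca.crt` truncates ca.crt before cat reads it,
# so only the new certificate survives; append with >> instead, and only once.

# Number of PEM certificate blocks in a file (0 if none or missing).
count_certs() {
    if [ -f "$1" ]; then grep -c '^-----BEGIN CERTIFICATE-----' "$1" || true
    else echo 0; fi
}

# append_ca BUNDLE CERT: add CERT to BUNDLE, keeping the existing entries.
append_ca() {
    bundle=$1; cert=$2
    grep -q '^-----BEGIN CERTIFICATE-----' "$cert" || {
        echo "refusing: $cert is not a PEM certificate" >&2; return 1; }
    # Use the first base64 line as a fingerprint to make the append idempotent.
    key=$(grep -v '^-----' "$cert" | head -n 1)
    if [ -f "$bundle" ] && grep -qF "$key" "$bundle"; then
        return 0
    fi
    # Ensure the bundle ends with a newline so PEM blocks never run together.
    if [ -s "$bundle" ] && [ "$(tail -c 1 "$bundle")" != "" ]; then
        echo >> "$bundle"
    fi
    cat "$cert" >> "$bundle"
}

# Demo with constructed, non-functional PEM stand-ins for ca.crt and the
# downloaded inno-ca.pem.crt. Prints the final certificate count and whether
# the original bundle content was preserved.
demo() {
    d=$(mktemp -d)
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'Q0EtQlVOREExLVRFU1Q=' '-----END CERTIFICATE-----' > "$d/ca.crt"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'SU5OTy1DQS1URVNU' '-----END CERTIFICATE-----' > "$d/inno-ca.pem.crt"
    append_ca "$d/ca.crt" "$d/inno-ca.pem.crt"
    append_ca "$d/ca.crt" "$d/inno-ca.pem.crt"   # second run must not duplicate
    n=$(count_certs "$d/ca.crt")
    if grep -q 'Q0EtQlVOREExLVRFU1Q=' "$d/ca.crt"; then kept=kept; else kept=lost; fi
    rm -rf "$d"
    echo "$n $kept"
}

demo   # prints: 2 kept
```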
Debugging
As recommended by the FreeRadius manual:
- Kill the freeradius daemon
- Run freeradius in debugging mode
    freeradius -X
NetGear
- Security / Management Security / Server Configuration, Global Radius Server Configuration:
  - The server address is the one of the Linux AP, 192.168.178.34
  - The secret must be the one from above, i.e. testing123
- Security / Port Authentication / Basic / 802.1X Configuration: set Port Based Authentication State to Enable
- Security / Port Authentication / Advanced / Port Authentication:
  - For all 802.1X-restricted ports set Port Control to Auto
  - Set non-restricted ports (e.g. for management) to Authorized