Howto:802.1X EAP-TLS With FreeRadius: Difference between revisions

From innovaphone wiki
(New page: =Introduction= From on version 11 innovaphone devices offer support<ref name="ref11-802.1X">Reference11:Interfaces/ETH/802.1X</ref> for wired port acc...)
 
Line 26: Line 26:
}
}
</code>
</code>
***In order to include the innovaphone CA certificate into the list of trusted CAs<code type="text">
*In order to include the innovaphone CA certificate into the list of trusted CAs
**Download the innovaphone CA certificate as e.g. ''inno-ca.pem.crt'' from the innovaphone device
**Append that certificate to the list of trusted CAs<code type="text">
cat ca.crt inno-ca.pem.crt > ca.crt
cat ca.crt inno-ca.pem.crt > ca.crt
</code>
</code>
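Review bot: the command carried through this hunk, `cat ca.crt inno-ca.pem.crt > ca.crt`, redirects into a file it also reads, so the shell truncates ca.crt before cat runs and the existing trusted CAs are lost. Append instead with `cat inno-ca.pem.crt >> ca.crt`, which also matches the "Append that certificate" wording of the new sub-bullet.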
Line 37: Line 39:
}
}
</code>
</code>
**secret This is the shared encrypting the RADIUS-traffic between FreeRadius and the NetGear switch.
**'''secret''' This is the shared encrypting the RADIUS-traffic between FreeRadius and the NetGear switch.
**shortname Just a nickname
**'''shortname''' Just a nickname
 
==NetGear==
==NetGear==
*'''Security/Management Security/Server Configuration''' Global Radius Server Configuration
*'''Security/Management Security/Server Configuration''' Global Radius Server Configuration
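Review bot: in the '''secret''' bullet the sentence "This is the shared encrypting the RADIUS-traffic" is missing its noun; the revision adds bold markup but leaves the wording as it was. Suggest "This is the shared secret protecting the RADIUS traffic between FreeRadius and the NetGear switch".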

Revision as of 20:33, 6 August 2014

Introduction

From version 11 onward, innovaphone devices offer support[1] for wired port access authentication by means of 802.1X with EAP-TLS.

This article focuses on FreeRadius, an open source RADIUS server suitable for use as the authentication server in an 802.1X setup.

Configuration

For the configuration of innovaphone devices refer to Reference11:Interfaces/ETH/802.1X.

Prerequisites

  • An innovaphone Linux AP, IP address 192.168.178.34
  • A NetGear Prosafe switch, e.g. GS110TP

FreeRadius

  • Installation on a Debian distribution

sudo apt-get install freeradius

  • Edit /etc/freeradius/eap.conf

eap {
    ..
    default_eap_type = tls
    ..
    tls {
        # Trusted Root CA list
        CA_file = ${cadir}/ca.crt
    }
    ..
}

  • To include the innovaphone CA certificate in the list of trusted CAs
    • Download the innovaphone CA certificate as e.g. inno-ca.pem.crt from the innovaphone device
    • Append that certificate to the list of trusted CAs

cat inno-ca.pem.crt >> ca.crt

      • I.e. the FreeRadius list of trusted CAs is a single file, so an additional CA certificate is added by appending it to the end of ca.crt.
  • Edit /etc/freeradius/clients.conf

# IP address range, covering the Authenticator/NetGear switch
client 192.168.0.0/16 {
    secret = testing123
    shortname = private-network-192-168
}

    • secret This is the shared secret protecting the RADIUS traffic between FreeRadius and the NetGear switch.
    • shortname Just a nickname
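
An added example, not part of the original wiki page or of FreeRADIUS itself: a small audit of clients.conf that flags the two weak points of the entry above, the sample secret testing123 and a client range far wider than the one switch it is meant to cover. The second client entry (address 192.168.178.20 and its secret) and both thresholds are assumptions constructed for illustration.

```python
import ipaddress
import re

# Constructed sample: the first entry is the one from this page, the second is hypothetical.
SAMPLE = """
# IP address range, covering the Authenticator/NetGear switch
client 192.168.0.0/16 {
    secret = testing123
    shortname = private-network-192-168
}
client 192.168.178.20 {
    secret = q7V2mXr9LpT4cZ8wNd3KfH6sBy1Ju5Ae
    shortname = netgear-gs110tp
}
"""

CLIENT_RE = re.compile(r"^\s*client\s+(\S+)\s*\{(.*?)^\s*\}", re.S | re.M)
KNOWN_SAMPLE_SECRETS = {"testing123"}  # secret used in FreeRADIUS example configs
MIN_SECRET_LEN = 16                    # assumption: local policy threshold
MIN_PREFIX_LEN = 24                    # assumption: IPv4 ranges wider than /24 are flagged

def parse_clients(text):
    """Yield (name, settings) for each flat client block; comment lines are dropped."""
    text = re.sub(r"(?m)^\s*#.*$", "", text)
    for name, body in CLIENT_RE.findall(text):
        settings = dict(re.findall(r"^\s*(\w+)\s*=\s*(\S+)", body, re.M))
        yield name, settings

def audit(text):
    """Return a list of (client, finding) tuples for weak client definitions."""
    findings = []
    for name, cfg in parse_clients(text):
        secret = cfg.get("secret", "").strip('"')
        if secret in KNOWN_SAMPLE_SECRETS:
            findings.append((name, "sample shared secret in use"))
        elif len(secret) < MIN_SECRET_LEN:
            findings.append((name, "shared secret shorter than %d characters" % MIN_SECRET_LEN))
        try:
            net = ipaddress.ip_network(cfg.get("ipaddr", name), strict=False)
        except ValueError:
            continue  # hostname-style client name: no address range to assess
        if net.version == 4 and net.prefixlen < MIN_PREFIX_LEN:
            findings.append((name, "client range /%d covers %d addresses" % (net.prefixlen, net.num_addresses)))
    return findings

if __name__ == "__main__":
    for client, finding in audit(SAMPLE):
        print(client, "->", finding)
```

Any host inside a flagged range that knows the secret is accepted as a RADIUS client, so restricting the entry to the switch's own address and replacing the sample secret closes both findings.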

NetGear

  • Security/Management Security/Server Configuration Global Radius Server Configuration
    • The server address is the one of the Linux AP, 192.168.178.34
    • The secret must be the one from above, i.e. testing123
  • Security/Port Authentication/Basic/802.1X Configuration Set Port Based Authentication State to enable
  • Security/Port Authentication/Advanced/Port Authentication For all 802.1X-restricted ports set Port Control to Auto
    • Set non-restricted ports (e.g. for management) to Authorized

Notes