Howto:802.1X EAP-TLS With FreeRadius

From innovaphone wiki
Revision as of 20:24, 6 August 2014 by Inno-mst

Introduction

As of version 11, innovaphone devices support[1] wired port access authentication by means of 802.1X with EAP-TLS.

This article focuses on FreeRadius, an open source RADIUS server that can serve as the authentication server in an 802.1X deployment.

Configuration

For the configuration of innovaphone devices refer to Reference11:Interfaces/ETH/802.1X.

Prerequisites

  • An innovaphone Linux AP, IP address 192.168.178.34
  • A NetGear Prosafe switch, e.g. GS110TP

FreeRadius

  • Installation on a Debian distribution

sudo apt-get install freeradius

  • Edit /etc/freeradius/eap.conf

eap {
    ..
    default_eap_type = tls
    ..
    tls {
        # Trusted Root CA list
        CA_file = ${cadir}/ca.crt
    }
    ..
}

      • To include the innovaphone CA certificate in the list of trusted CAs, append it to the existing bundle:

cat inno-ca.pem.crt >> ca.crt

      • I.e. the FreeRadius list of trusted CAs is a single file, and it is extended by appending a CA certificate to the end of ca.crt (appending with ">>" preserves the CAs already in the file).
  • Edit /etc/freeradius/clients.conf
# IP address range, covering the Authenticator/NetGear switch
client 192.168.0.0/16 {
    secret    = testing123
    shortname = private-network-192-168
}

    • secret: the shared secret used to secure the RADIUS traffic between FreeRadius and the NetGear switch.
    • shortname: just a nickname for this client entry.
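As an added example (not code from the wiki page, innovaphone or the FreeRADIUS project), the shell functions below extend the ca.crt bundle named by CA_file in eap.conf so that the CAs already in the file are kept and the same certificate is never appended twice; the file names follow the page, and the certificate bodies written by make_demo_dir are constructed placeholders, not real CAs.

```shell
# Added example, not code from the innovaphone wiki: extend the FreeRADIUS
# trusted-CA bundle (CA_file in eap.conf) safely and idempotently.
# Assumptions: the file to add holds one PEM certificate; the certificate
# bodies written by make_demo_dir are constructed placeholders, not real CAs.
set -eu

# Print every certificate in a PEM file as one base64 line per certificate.
cert_bodies() {
    awk '/^-----BEGIN CERTIFICATE-----/ { body = ""; in_cert = 1; next }
         /^-----END CERTIFICATE-----/   { print body; in_cert = 0; next }
         in_cert                        { body = body $0 }' "$1"
}

# Number of certificates in a bundle; 0 if the bundle does not exist yet.
count_certs() {
    if [ -f "$1" ]; then cert_bodies "$1" | grep -c . || true; else echo 0; fi
}

# Append the certificate in $2 to bundle $1 unless it is already there.
# "cat ca.crt new.crt > ca.crt" truncates ca.crt before cat reads it, so the
# existing CAs would be lost; ">>" appends without touching them.
append_ca() {
    bundle=$1 newcert=$2
    body=$(cert_bodies "$newcert" 2>/dev/null || true)
    if [ -z "$body" ]; then
        echo "append_ca: no PEM certificate in $newcert" >&2
        return 1
    fi
    if [ -f "$bundle" ] && cert_bodies "$bundle" | grep -qxF -- "$body"; then
        echo "append_ca: certificate from $newcert already in $bundle" >&2
        return 0
    fi
    cat "$newcert" >> "$bundle"
}

# Write a single PEM block (constructed, for the demo) to file $1 with body $2.
write_pem() {
    printf '%s\n%s\n%s\n' '-----BEGIN CERTIFICATE-----' "$2" \
        '-----END CERTIFICATE-----' > "$1"
}

# Scratch dir: placeholder bundle, placeholder innovaphone CA, one non-PEM file.
make_demo_dir() {
    dir=$(mktemp -d)
    write_pem "$dir/ca.crt" 'MIIBfakeROOTCAforDEMOonly00000000000000000000000'
    write_pem "$dir/inno-ca.pem.crt" 'MIIBfakeINNOCAforDEMOonly0000000000000000000000'
    printf 'this is not a certificate\n' > "$dir/not-a-cert.txt"
    echo "$dir"
}
```

Run append_ca against the real ca.crt from the CA_file setting; a DER-encoded export has no PEM header and is rejected instead of silently corrupting the bundle.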

NetGear

  • Security/Management Security/Server Configuration/Global Radius Server Configuration
    • The server address is that of the Linux AP, 192.168.178.34
    • The secret must be the one from above, i.e. testing123
  • Security/Port Authentication/Basic/802.1X Configuration: set Port Based Authentication State to Enable
  • Security/Port Authentication/Advanced/Port Authentication: for all 802.1X-restricted ports set Port Control to Auto
    • Set non-restricted ports (e.g. for management) to Authorized
(Screenshots: Global Radius Server Configuration; Port Based Authentication; Port Control)

Notes

  1. Reference11:Interfaces/ETH/802.1X