Howto:802.1X EAP-TLS With FreeRadius

From innovaphone-wiki

Revision as of 21:33, 6 August 2014 by Inno-mst (Talk | contribs)

Introduction

From version 11 onwards, innovaphone devices support[1] wired port access authentication by means of 802.1X with EAP-TLS.

This article focuses on FreeRadius. FreeRadius is an open source RADIUS server that can be used as the authentication server in an 802.1X setup.

Configuration

For the configuration of innovaphone devices refer to Reference11:Interfaces/ETH/802.1X.

Prerequisites

  • An innovaphone Linux AP, IP address 192.168.178.34
  • A NetGear Prosafe switch, e.g. GS110TP

FreeRadius

  • Installation within a Debian distribution:
    sudo apt-get install freeradius
  • Edit /etc/freeradius/eap.conf so that TLS is the default EAP type and the tls section points to the trusted CA bundle:
    eap {
      ..
      default_eap_type = tls
      ..
      tls {
        # Trusted Root CA list
        CA_file = ${cadir}/ca.crt
      }
      ..
    }
  • In order to include the innovaphone CA certificate in the list of trusted CAs:
    • Download the innovaphone CA certificate as e.g. inno-ca.pem.crt from the innovaphone device.
    • Append that certificate to the list of trusted CAs:
      cat inno-ca.pem.crt >> ca.crt
      • I.e. the FreeRadius list of trusted CAs is a single file and is extended by appending a CA certificate to the end of ca.crt. Use the append operator (>>); a command such as cat ca.crt inno-ca.pem.crt > ca.crt would truncate ca.crt before cat reads it and lose the existing CAs.
  • Edit /etc/freeradius/clients.conf:
    # IP address range, covering the Authenticator/NetGear switch
    client 192.168.0.0/16 {
      secret = testing123
      shortname = private-network-192-168
    }
    • secret: the shared secret that protects the RADIUS traffic between FreeRadius and the NetGear switch.
    • shortname: just a nickname.
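The FreeRadius steps above (extend the single trusted-CA bundle, add a client stanza for the switch) can be scripted. The following is an added example and not code from the innovaphone wiki or the FreeRadius project; it uses the article's file names (ca.crt, inno-ca.pem.crt, clients.conf, the 192.168.0.0/16 client) but goes beyond the text by refusing duplicate certificates, keeping a backup of the previous bundle, sanity-checking eap.conf, and generating a random shared secret instead of testing123. The certificate bodies in the demo at the end are constructed placeholders, not real certificates.

```shell
#!/bin/sh
# Added example (not from the innovaphone wiki or FreeRadius): helpers for the
# FreeRadius side of the EAP-TLS setup. The CA bundle is extended with >> so it
# is never truncated; duplicates are detected by comparing PEM bodies.
# Demo certificates below are constructed placeholders, not real CAs.

# Number of PEM certificate blocks in a bundle (0 if it does not exist).
count_certs() {
    [ -f "$1" ] || { echo 0; return 0; }
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# Base64 body of the first certificate in file $1, joined into one line.
cert_body() {
    awk '/-----BEGIN CERTIFICATE-----/ { inb = 1; next }
         /-----END CERTIFICATE-----/   { exit }
         inb                           { printf "%s", $0 }' "$1"
}

# Does bundle $1 already contain a certificate whose body is $2?
bundle_has_cert() {
    [ -f "$1" ] || return 1
    awk '/-----BEGIN CERTIFICATE-----/ { b = ""; inb = 1; next }
         /-----END CERTIFICATE-----/   { print b; inb = 0; next }
         inb                           { b = b $0 }' "$1" | grep -qxF -- "$2"
}

# Append certificate file $2 to bundle $1.
# ">>" only ever extends the bundle; "cat ca.crt new.crt > ca.crt" would
# truncate ca.crt before cat reads it and lose every existing CA.
# Returns 0 on success, 1 if $2 is not a PEM certificate, 2 if already present.
append_ca_cert() {
    bundle=$1; newcert=$2
    [ -r "$newcert" ] || return 1
    body=$(cert_body "$newcert")
    [ -n "$body" ] || return 1
    bundle_has_cert "$bundle" "$body" && return 2
    [ -f "$bundle" ] && cp -p "$bundle" "$bundle.bak"    # keep the previous bundle
    # make sure the bundle ends with a newline so the PEM markers stay on their own line
    [ -s "$bundle" ] && [ -n "$(tail -c1 "$bundle")" ] && echo >> "$bundle"
    cat "$newcert" >> "$bundle"
}

# Sanity-check eap.conf $1: default_eap_type = tls and an uncommented CA_file line.
check_eap_conf() {
    grep -Eq '^[[:space:]]*default_eap_type[[:space:]]*=[[:space:]]*tls[[:space:]]*$' "$1" &&
    grep -Eq '^[[:space:]]*CA_file[[:space:]]*=' "$1"
}

# Append a client stanza for the authenticator network to clients.conf $1.
write_client_entry() {   # $1 file, $2 network, $3 secret, $4 shortname
    cat >> "$1" <<EOF
# IP address range covering the authenticator (NetGear switch)
client $2 {
    secret    = $3
    shortname = $4
}
EOF
}

# 32 hex characters (128 bits) from /dev/urandom as a RADIUS shared secret.
new_secret() {
    od -An -tx1 -N16 /dev/urandom | tr -d ' \n'
}

# Placeholder PEM file: the body is a constructed label, not a real certificate.
write_fake_cert() {   # $1 file, $2 body
    printf '%s\n' '-----BEGIN CERTIFICATE-----' "$2" '-----END CERTIFICATE-----' > "$1"
}

# --- demo on a temporary copy of the files the article talks about ---
WORK=$(mktemp -d)
write_fake_cert "$WORK/ca.crt" 'Q09OU1RSVUNURUQtUExBQ0VIT0xERVItUk9PVA=='
write_fake_cert "$WORK/inno-ca.pem.crt" 'Q09OU1RSVUNURUQtUExBQ0VIT0xERVItSU5OTw=='
append_ca_cert "$WORK/ca.crt" "$WORK/inno-ca.pem.crt" &&
    echo "bundle now holds $(count_certs "$WORK/ca.crt") certificates"
append_ca_cert "$WORK/ca.crt" "$WORK/inno-ca.pem.crt" ||
    echo "second append refused, rc=$? (certificate already in bundle)"
write_client_entry "$WORK/clients.conf" 192.168.0.0/16 "$(new_secret)" private-network-192-168
cat "$WORK/clients.conf"
rm -rf "$WORK"
```

On a real system point the functions at ${cadir}/ca.crt and /etc/freeradius/clients.conf and paste the secret that new_secret prints into the switch's RADIUS server configuration; the same secret has to be configured on both sides.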

NetGear

  • Security/Management Security/Server Configuration, Global Radius Server Configuration:
    • The server address is the one of the Linux AP, 192.168.178.34
    • The secret must be the one from above, i.e. testing123
  • Security/Port Authentication/Basic/802.1X Configuration: set Port Based Authentication State to Enable
  • Security/Port Authentication/Advanced/Port Authentication: for all 802.1X-restricted ports set Port Control to Auto
    • Set non-restricted ports (e.g. for management) to Authorized
  (Screenshots: Global Radius Server Configuration; Port Based Authentication; Port Control)

Notes

  1. Reference11:Interfaces/ETH/802.1X