|
|
| (4 intermediate revisions by one other user not shown) |
| Line 1: |
Line 1: |
| =Info=
| | ;'''EAP-MD5''': |
| '''802.1X,''' Port-Based Network Control, is an IEEE standard. The standard allows LAN devices (wired network cabling!<ref>The standard refers to 802 LANs as a whole, including shared media such as 802.11 WLANs. However, only 802.3 LANs are targeted by the functionality discussed in this article.</ref>) to perform an authentication handshake within the 802.3 link layer (Ethernet). | |
| The authentication is encapsulated within EAP over LAN (EAPOL) frames. No other traffic, except EAPOL is allowed prior to a successful authentication<ref>It is an authenticator's task to guarantee that non-EAPOL traffic won't be forwarded before an authentication succeeded.</ref><ref>802.1X must not be considered a bullet-proof security mechanism, since all traffic following the authentication phase is not authenticated.</ref>.
| |
| | |
| The standard specifies the following parties participating in an 802.1X authentication:
| |
| * Supplicant: The party supplying credentials towards an authenticator on the other side of a point-to-point link. An IP phone fulfills a supplicant's role.
| |
| ** innovaphones' IP phones are configured to support pass-through of EAPOL messages. A PC attached to the PC-port of a phone may also become a supplicant and may 802.1X-authenticate independently and separately<ref>Major authenticators do support multi-host authentication</ref>.
| |
| * Authenticator: The party facilitating the authentication. A switch will usually be the authenticator.
| |
| * Authentication Server: The party providing the authentication service to the authenticator. The 802.1X standard mentions a RADIUS server to be an authentication server.
| |
| *'''Sample Protocol Flow, EAP-MD5:'''
| |
| [[Image:802dot1x-EAPOL-640x480.gif]]
| |
| *'''Sample Protocol Flow, EAP-TLS:'''
| |
| [[Image:IP240-eap-tls-success.PNG]]
| |
| | |
| =Configuration=
| |
| =='''EAP-MD5'''==
| |
| * '''User''' Enter the user/identity to authenticate with. | | * '''User''' Enter the user/identity to authenticate with. |
| * '''Password''' Enter the shared secret for the MD5 challenge/response handshake. | | * '''Password''' Enter the shared secret for the MD5 challenge/response handshake. |
| =='''EAP-TLS'''==
| | ;'''EAP-TLS''': |
| | The EAP-MD5 settings are going to reused for EAP-TLS needs. I.e. there's currently no extra setting for EAP-TLS. The configuration for an actual certificate, being fed into the EAP-TLS session, can be found at ''General/Certificates/Device Certificate''. |
| * '''User''' Enter the user/identity<ref>EAP-TLS doesn't mandate that identity to necessarily be the same as the certificates subject/CN</ref> to be sent within the EAP Identity request.<ref name="user-pw">A non-empty user/password just serves as an "on"-switch</ref> | | * '''User''' Enter the user/identity<ref>EAP-TLS doesn't mandate that identity to necessarily be the same as the certificates subject/CN</ref> to be sent within the EAP Identity request.<ref name="user-pw">A non-empty user/password just serves as an "on"-switch</ref> |
| * '''Password''' Enter arbitrary content.<ref name="user-pw"/> | | * '''Password''' Enter arbitrary content.<ref name="user-pw"/> |
| * '''General/Certificates/Device Certificate'''<ref>The server certificate won't be validated</ref> | | * '''General/Certificates/Device Certificate''' |
| **Utilize the innovaphone manufactured device certificate, signed by the innovaphone CA.
| |
| ***The innovaphone CA certificate must then be employed as a trusted CA at the authentication server(e.g.: FreeRadius)
| |
| **Or upload an otherwise handcrafted device certificate to authenticate with at the authenticator.
| |
| ***The certificate must have it's private key aboard. A concatenated PEM-format certificate with the key appended will do. In principle.:<code type="text">
| |
| -----BEGIN CERTIFICATE-----
| |
| MIICxzCCAjCgAwIBAgIBAzANBgkqhkiG9w
| |
| ...
| |
| MVDEBAuPOHunKSoHcpxrlPJQ==
| |
| -----END CERTIFICATE-----
| |
| -----BEGIN RSA PRIVATE KEY-----
| |
| MIICXQIBAAKBgQCX8OyuGH2lP39juhv+Tm4Qa
| |
| ...
| |
| f9/z8tG
| |
| -----END RSA PRIVATE KEY-----
| |
| </code>
| |
|
| |
|
| =Notes= | | =Notes= |
| <references/> | | <references/> |
| | [[Concept_802.1X|Concept 802.1X]] |
| | |
| | [[Howto11r1:802.1X_EAP-TLS_With_FreeRadius|Howto article: 802.1X EAP-TLS With FreeRadius]] |
- EAP-MD5
- User Enter the user/identity to authenticate with.
- Password Enter the shared secret for the MD5 challenge/response handshake.
- EAP-TLS
The EAP-MD5 settings are going to reused for EAP-TLS needs. I.e. there's currently no extra setting for EAP-TLS. The configuration for an actual certificate, being fed into the EAP-TLS session, can be found at General/Certificates/Device Certificate.
- User Enter the user/identity[1] to be sent within the EAP Identity request.[2]
- Password Enter arbitrary content.[2]
- General/Certificates/Device Certificate
Notes
- ↑ EAP-TLS doesn't mandate that identity to necessarily be the same as the certificates subject/CN
- ↑ 2.0 2.1 A non-empty user/password just serves as an "on"-switch
Concept 802.1X
Howto article: 802.1X EAP-TLS With FreeRadius