Howto:802.1X EAP-TLS With FreeRadius
Latest revision as of 08:57, 6 October 2023
Introduction
From version 11 on, innovaphone devices support[1] wired port access authentication by means of 802.1X with EAP-TLS.
This article focuses on FreeRadius. FreeRadius is an open source RADIUS server that can act as the authentication server in an 802.1X setup.
Two different certificate handling methods will be outlined below:
- The innovaphone CA certificate is going to be downloaded from a single device. It is going to be added to the list of trusted CA certificates.
- A private PKI is built from scratch. The resulting certificates must be deployed onto innovaphone devices.
Configuration
For the configuration of innovaphone devices refer to Reference11:Interfaces/ETH/802.1X.
Prerequisites
- An innovaphone Linux AP, in this configuration example with IP address 192.168.178.34
- A NetGear Prosafe switch, e.g. GS110TP
- An innovaphone end device. Ideally equipped with:
  - An innovaphone CA certificate
    - This CA certificate is going to be deployed within a FreeRadius server
    - An innovaphone device certificate, signed by the CA from above
FreeRadius
- Installation within a Debian distribution
  sudo apt-get install freeradius
- Edit /etc/freeradius/eap.conf
  eap {
    ..
    default_eap_type = tls
    ..
    tls {
      # Trusted Root CA list
      CA_file = ${cadir}/ca.crt
    }
    ..
  }
- In order to include the innovaphone CA certificate in the list of trusted CAs
  - Download the innovaphone CA certificate as e.g. inno-ca.pem.crt from the innovaphone device
  - Append that certificate to the list of trusted CAs
    cat inno-ca.pem.crt >> ca.crt
    - I.e. the FreeRadius list of trusted CAs is a single file; a further CA certificate is added by appending it to the end of ca.crt.
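As an added example (not part of the wiki article), a small shell function that performs the append above with the checks a bare `cat inno-ca.pem.crt >> ca.crt` skips: it refuses files that are not PEM certificates or not CA certificates, does not add a certificate that is already in the bundle, and makes sure the bundle ends with a newline before appending (otherwise the END marker of the last certificate and the BEGIN marker of the new one share a line and the appended certificate cannot be parsed). The function names and the paths in the comments are assumptions; the bundle is the ca.crt referenced by CA_file in eap.conf.

```shell
# Added example, not the wiki's own code: append a downloaded CA certificate to
# FreeRADIUS' single CA bundle (the file named by CA_file in eap.conf) with sanity checks.
# Usage (paths assumed): append_trusted_ca /etc/freeradius/certs/ca.crt inno-ca.pem.crt

# Print the SHA-256 fingerprint of every certificate in a PEM bundle, one per line.
bundle_fingerprints() {
  tmp=$(mktemp -d)
  # split the bundle at each BEGIN marker into tmp/1.pem, tmp/2.pem, ...
  awk -v d="$tmp" '/-----BEGIN CERTIFICATE-----/{n++} n{print > (d "/" n ".pem")}' "$1"
  for f in "$tmp"/*.pem; do
    [ -f "$f" ] && openssl x509 -in "$f" -noout -fingerprint -sha256
  done
  rm -rf "$tmp"
}

append_trusted_ca() {
  bundle=$1   # the trusted-CA file, e.g. /etc/freeradius/certs/ca.crt
  newca=$2    # the certificate to add, e.g. inno-ca.pem.crt downloaded from the phone
  # 1. it must be a parseable X.509 certificate
  openssl x509 -in "$newca" -noout 2>/dev/null || { echo "not a PEM certificate: $newca" >&2; return 1; }
  # 2. ... and a CA certificate, or FreeRADIUS cannot use it to validate supplicants
  openssl x509 -in "$newca" -noout -text | grep -q 'CA:TRUE' || { echo "not a CA certificate: $newca" >&2; return 1; }
  # 3. idempotent: skip if the same certificate is already trusted
  fp=$(openssl x509 -in "$newca" -noout -fingerprint -sha256)
  if [ -s "$bundle" ] && bundle_fingerprints "$bundle" | grep -qxF "$fp"; then
    echo "already trusted: $fp" >&2
    return 0
  fi
  # 4. make sure the bundle ends with a newline, otherwise the END marker of the last
  #    certificate and the BEGIN marker of the new one would end up on one line
  if [ -s "$bundle" ] && [ -n "$(tail -c1 "$bundle")" ]; then
    echo >> "$bundle"
  fi
  cat "$newca" >> "$bundle"
}

# Count the certificates a bundle currently holds (handy after editing ca.crt by hand).
count_trusted() { bundle_fingerprints "$1" | wc -l | tr -d ' '; }
```

Run count_trusted on ca.crt after every change and compare it with the number of CAs you expect to trust; a count that is one short usually means a joined END/BEGIN line.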
- Edit /etc/freeradius/clients.conf
  # IP address range, covering the Authenticator/NetGear switch
  client 192.168.0.0/16 {
    secret = testing123
    shortname = private-network-192-168
  }
- secret: This is the shared secret securing the RADIUS traffic between FreeRadius and the NetGear switch.
- shortname: Just a nickname
Debugging
As recommended by the FreeRadius manual:
- kill the freeradius daemon
- run freeradius in debugging mode
  freeradius -X
Known Issues
- FreeRadius complains about certificate problems after starting for the first time and terminates
  - Walk through the section Hand-crafted Certificates, sub-sections for the CA and server certificates
- FreeRadius complains about a missing file dh
  - Create the Diffie-Hellman parameters file
    openssl dhparam -out /etc/freeradius/certs/dh 1024
NetGear
- Security/Management Security/Server Configuration, Global Radius Server Configuration
  - The server address is the one of the Linux AP, 192.168.178.34
  - The secret must be the one from above, i.e. testing123
- Security/Port Authentication/Basic/802.1X Configuration: set Port Based Authentication State to Enable
- Security/Port Authentication/Advanced/Port Authentication: for all 802.1X-restricted ports set Port Control to Auto
  - Set non-restricted ports (e.g. for management) to Authorized
Design Considerations
The NetGear switch GS110TP does not support 802.1X single-host authentication. The switch's port can only be authenticated as a whole; it behaves like a Cisco port in multi-host mode (see below). It is therefore worth considering permanently disabling an IP phone's PC port, in order to prevent traffic from unauthenticated stations.
Cisco
A Catalyst switch 3750-24p with IOS version 12.2(55) served as a test switch. Cisco offers four so-called host-modes in 802.1X.
- single-host: A single network peer can authenticate. No other peers are allowed to communicate.
- multi-host: As in single-host mode, a single network peer can authenticate. After that, all succeeding peers are granted access without any authentication.
- multi-domain: One peer can authenticate within the VOICE domain and one peer within the DATA domain. Each peer joins a dedicated VLAN.
- multi-auth: Similar to multi-domain, this host-mode allows multiple DATA devices and one VOICE device.
A simple testbed with one protected port is sketched as follows:
- The single port FastEthernet 1/0/11 is protected by 802.1X.
- The authentication host-mode is set to multi-domain. This allows two devices, one phone and one PC, to be authenticated.
- The RADIUS server's IP address and port are 192.168.178.34:1812.
- The shared secret between the switch and the FreeRADIUS server is testing123.
- A syslog server at 192.168.178.27 collects debugging/tracing info.
- The switch's IP address for management purposes is 192.168.178.32.
The testbed's configuration excerpt illustrating 802.1X-specific parameters follows:
  Switch#show running-config
  Building configuration...

  Current configuration : 3792 bytes
  !
  version 12.2
  ...
  !
  aaa new-model
  !
  !
  aaa authentication dot1x default group radius
  aaa authorization network default group group group radius
  !
  !
  !
  aaa session-id common
  !
  !
  dot1x system-auth-control
  !
  ...
  !
  vlan internal allocation policy ascending
  lldp run
  !
  !
  !
  interface FastEthernet1/0/1
  !
  ...
  !
  interface FastEthernet1/0/11
   switchport mode access
   switchport voice vlan 101
   authentication host-mode multi-domain
   authentication port-control auto
   dot1x pae authenticator
   spanning-tree portfast
  !
  interface FastEthernet1/0/12
  !
  ...
  !
  interface Vlan1
   ip address 192.168.178.32 255.255.255.0
  !
  ...
  !
  ip radius source-interface FastEthernet1/0/1
  logging trap debugging
  logging 192.168.178.27
  radius-server host 192.168.178.34 auth-port 1812 acct-port 1813
  radius-server key testing123
  !
  ...
  !
  end
A successful authentication of the VOICE peer and the DATA peer shows up in the output of the command show authentication interface .. . Watch for the column entitled Domain.
  Switch#show authentication interface fastethernet 1/0/11
  Client list:
    Interface  MAC Address     Method  Domain  Status         Session ID
    Fa1/0/11   0090.3326.00b6  dot1x   VOICE   Authz Success  C0A8B2200000000300373929
    Fa1/0/11   000c.2958.4b33  dot1x   DATA    Authz Success  C0A8B22000000004003F9C51
As can be seen in the command output, the innovaphone device with the MAC address 00-90-33-26-00-b6 was assigned to the VOICE domain. To achieve this, the Cisco-specific RADIUS attribute cisco-avpair must be returned by the FreeRADIUS server to the Catalyst switch. The required FreeRADIUS configuration goes into the file /etc/freeradius/sites-enabled/default: a simple check for the innovaphone MAC address prefix ensures that the cisco-avpair attribute is returned in the RADIUS Access-Accept message. The lines to be added to the post-auth section of the default file follow:
  #file /etc/freeradius/sites-enabled/default
  #language FreeRADIUS's un-language
  post-auth {
    ..
    if (Calling-Station-Id =~ /^00-90-33/i) {
      update reply {
        cisco-avpair += "device-traffic-class=voice"
      }
    }
  }
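The rule above matches Calling-Station-Id literally in the hyphenated form the Catalyst switch sends. Other authenticators format the MAC address differently (Cisco's own show output uses 0090.3326.00b6, many switches send 00:90:33:26:00:b6), so a policy that is meant to work across switch vendors should normalise the value before deciding. The following shell snippet is an added example and not part of the wiki article; the sample attribute values are constructed, and the function names are assumptions. Note that the MAC prefix is only a hint about the device class: with EAP-TLS the supplicant's certificate identity, which FreeRADIUS exposes as TLS-Client-Cert-Subject, is the stronger basis for a reply policy.

```shell
# Added example, not the wiki's own code: normalise a Calling-Station-Id before
# deciding whether the reply gets the voice-domain cisco-avpair.

# Constructed sample Calling-Station-Id values, one per line: value and the format it imitates.
SAMPLE_IDS='00-90-33-26-00-b6 hyphenated
00:90:33:26:00:B6 colon-separated
0090.3326.00b6 cisco-dotted
000c.2958.4b33 pc-in-data-domain'

# norm_mac VALUE: lowercase hex digits only, e.g. 0090.3326.00B6 -> 0090332600b6
norm_mac() { printf '%s' "$1" | tr -d ':.-' | tr 'A-F' 'a-f'; }

# voice_avpair VALUE: print the cisco-avpair for the innovaphone OUI 00-90-33;
# exit 1 for any other station so the caller leaves the reply untouched.
voice_avpair() {
  case "$(norm_mac "$1")" in
    009033??????) printf 'device-traffic-class=voice\n' ;;
    *) return 1 ;;
  esac
}

# classify_all: one line per sample, as a quick table for the administrator
classify_all() {
  printf '%s\n' "$SAMPLE_IDS" | while read -r id fmt; do
    printf '%-18s %-18s %s\n' "$id" "$fmt" "$(voice_avpair "$id" || echo 'no avpair (DATA domain)')"
  done
}
```

In FreeRADIUS the same normalisation can be expressed in unlang with a regular expression that accepts the separators, but testing the decision logic in a shell script first makes the expected reply for each input format explicit.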
Hand-crafted Certificates
This section isn't necessary for a successful deployment of 802.1X EAP-TLS with innovaphone devices. It merely serves as a memory aid, sketching the steps required for a PKI based on a private CA of one's own. That CA is used in turn to sign a server certificate and one or more client certificates.
Creation Of A Self-Signed CA Certificate
- Change into FreeRadius' certificates directory
  cd /etc/freeradius/certs
- Generate the CA's key pair
  openssl genrsa -out ca.key 1024
  - Note: For an encrypted ca.key file the -des3 option is required
- Prepare and generate a certificate signing request for the actual CA certificate
  - Firstly a small configuration file ca.conf needs to be created/edited
    [ req ]
    default_bits = 1024
    distinguished_name = req_DN
    string_mask = nombstr

    [ req_DN ]
    countryName = "1. Country Name (2 letter code)"
    countryName_default = DE
    countryName_min = 2
    countryName_max = 2
    stateOrProvinceName = "2. State or Province Name (full name) "
    stateOrProvinceName_default = Berlin
    localityName = "3. Locality Name (eg, city) "
    localityName_default = Berlin
    0.organizationName = "4. Organization Name (eg, company) "
    0.organizationName_default = Mustermann
    organizationalUnitName = "5. Organizational Unit Name (eg, section) "
    organizationalUnitName_default = Certificate Authority
    commonName = "6. Common Name (eg, CA name) "
    commonName_max = 64
    commonName_default = Mustermann CA
    emailAddress = "7. Email Address (eg, name@FQDN)"
    emailAddress_max = 40
    emailAddress_default = ca@mustermann.de
  - Generate the certificate signing request ca.csr
    openssl req -config ca.conf -new -key ca.key -out ca.csr
- Generate the CA certificate
  - The certificate will receive a few extensions. Edit/create a new file ca.ext
    extensions = x509v3

    [ x509v3 ]
    basicConstraints = CA:true,pathlen:0
    crlDistributionPoints = URI:http://www.mustermann.de/ca/mustermann.crl
    nsCertType = sslCA,emailCA,objCA
    nsCaPolicyUrl = "http://www.mustermann.de/ca/policy.htm"
    nsCaRevocationUrl = "http://www.mustermann.de/ca/heimpold.crl"
    nsComment = "Mustermann CA"
  - The actual CA certificate is created with
    openssl x509 -days 1095 -extfile ca.ext -signkey ca.key -in ca.csr -req -out ca.crt
    - The result is a self-signed CA certificate ca.crt
Creation Of A Server Certificate
- The envisaged server certificate needs a key pair
  openssl genrsa -out server.key 1024
- A config file server.conf needs to be prepared
  [ req ]
  default_bits = 1024
  distinguished_name = req_DN
  string_mask = nombstr

  [ req_DN ]
  countryName = "1. Country Name (2 letter code)"
  countryName_default = DE
  countryName_min = 2
  countryName_max = 2
  stateOrProvinceName = "2. State or Province Name (full name) "
  #stateOrProvinceName_default =
  localityName = "3. Locality Name (eg, city) "
  localityName_default = Berlin
  0.organizationName = "4. Organization Name (eg, company) "
  0.organizationName_default = Mustermann
  organizationalUnitName = "5. Organizational Unit Name (eg, section) "
  organizationalUnitName_default = Server
  commonName = "6. Common Name (eg, CA name) "
  commonName_max = 64
  commonName_default = www.mustermann.de
  emailAddress = "7. Email Address (eg, name@FQDN)"
  emailAddress_max = 40
  emailAddress_default = webmaster@mustermann.de
- Some certificate extensions can be specified in server.ext
  extensions = x509v3

  [ x509v3 ]
  nsCertType = server
  keyUsage = digitalSignature,nonRepudiation,keyEncipherment
  extendedKeyUsage = msSGC,nsSGC,serverAuth
- A certificate serial number will be maintained in ca.serial
  echo -ne '01' > ca.serial
  - Note: ca.serial will be auto-incremented on later invocations by openssl
- The signing request for the server certificate is generated by
  openssl req -config server.conf -new -key server.key -out server.csr
- The request is signed by the CA with
  openssl x509 -days 730 -extfile server.ext -CA ca.crt -CAkey ca.key -CAserial ca.serial -in server.csr -req -out server.crt
  - Note: server.crt is signed by the CA from above.
Creation Of A Client Certificate
The following steps need to be repeated if endpoint devices shall receive individual, unique certificates.
- The envisaged client certificate needs a key pair
  openssl genrsa -out client.key 1024
- A config file client.conf needs to be prepared
  [ req ]
  default_bits = 1024
  distinguished_name = req_DN
  string_mask = nombstr

  [ req_DN ]
  countryName = "1. Country Name (2 letter code)"
  countryName_default = DE
  countryName_min = 2
  countryName_max = 2
  stateOrProvinceName = "2. State or Province Name (full name) "
  stateOrProvinceName_default = Berlin
  localityName = "3. Locality Name (eg, city) "
  localityName_default = Berlin
  0.organizationName = "4. Organization Name (eg, company) "
  0.organizationName_default = Mustermann
  organizationalUnitName = "5. Organizational Unit Name (eg, section) "
  #organizationalUnitName_default =
  commonName = "6. Common Name (eg, CA name) "
  commonName_max = 64
  commonName_default = Max Mustermann
  emailAddress = "7. Email Address (eg, name@FQDN)"
  emailAddress_max = 40
  emailAddress_default = max@mustermann.de
- The client certificate extensions go into client.ext
  extensions = x509v3

  [ x509v3 ]
  nsCertType = client,email,objsign
  keyUsage = digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
- Certificate signing request
  openssl req -config client.conf -new -key client.key -out client.csr
- Actual client certificate
  openssl x509 -days 730 -extfile client.ext -CA ca.crt -CAkey ca.key -CAserial ca.serial -in client.csr -req -out client.crt
- Before deploying the client certificate on an innovaphone device, the private key needs to be appended to the certificate
  cat client.crt client.key > client.pem.crt
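The three sections above (CA, server certificate, client certificate) form one procedure. As an added example that is not part of the wiki article, the following script runs that procedure non-interactively (the -subj option replaces the prompts from the *.conf files, which is handy when many client certificates are needed) and then performs the checks the article does not make: that server.crt and client.crt validate against ca.crt, that each private key actually belongs to its certificate, that the extended key usages EAP-TLS peers look for are present, and that the bundle deployed on the phone carries both the certificate and the key. The keys are 2048 bits here, since the article's 1024-bit RSA and DH values are below what current TLS stacks accept; the subject names, extension contents and the directory argument are assumptions.

```shell
# Added example, not the wiki's own code: the CA -> server -> client chain of the
# sections above, built non-interactively and verified. All names/paths are assumptions.

# build_pki DIR: create ca.*, server.*, client.* and client.pem.crt inside DIR
build_pki() (
  set -e
  mkdir -p "$1" && cd "$1"
  # extension files in the page's layout (the extensions= key names the section to use)
  cat > ca.ext <<'EOF'
extensions = x509v3
[ x509v3 ]
basicConstraints = critical,CA:true,pathlen:0
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
  cat > server.ext <<'EOF'
extensions = x509v3
[ x509v3 ]
basicConstraints = CA:false
keyUsage = digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
EOF
  cat > client.ext <<'EOF'
extensions = x509v3
[ x509v3 ]
basicConstraints = CA:false
keyUsage = digitalSignature,keyEncipherment
extendedKeyUsage = clientAuth
EOF
  # self-signed CA, same req/x509 two-step as the page
  openssl genrsa -out ca.key 2048 2>/dev/null
  openssl req -new -key ca.key -subj '/C=DE/O=Mustermann/OU=Certificate Authority/CN=Mustermann CA' -out ca.csr
  openssl x509 -req -days 1095 -extfile ca.ext -signkey ca.key -in ca.csr -out ca.crt 2>/dev/null
  printf '01' > ca.serial        # portable form of the page's echo -ne '01'
  # server and client certificates signed by the CA, serial taken from ca.serial
  for n in server client; do
    openssl genrsa -out "$n.key" 2048 2>/dev/null
    openssl req -new -key "$n.key" -subj "/C=DE/O=Mustermann/OU=$n/CN=$n.mustermann.de" -out "$n.csr"
    openssl x509 -req -days 730 -extfile "$n.ext" -CA ca.crt -CAkey ca.key -CAserial ca.serial \
      -in "$n.csr" -out "$n.crt" 2>/dev/null
  done
  # the bundle deployed on the phone: certificate followed by its private key
  cat client.crt client.key > client.pem.crt
)

# verify_pki DIR: fail unless chain, key/certificate pairs and usages are consistent
verify_pki() {
  d=$1
  # every end-entity certificate must validate against ca.crt
  openssl verify -CAfile "$d/ca.crt" "$d/server.crt" "$d/client.crt" >/dev/null || return 1
  # a key that does not belong to its certificate is the classic silent EAP-TLS failure
  for n in server client; do
    [ "$(openssl x509 -in "$d/$n.crt" -noout -pubkey)" = "$(openssl pkey -in "$d/$n.key" -pubout)" ] || return 1
  done
  # the extended key usages the EAP-TLS peers check
  openssl x509 -in "$d/server.crt" -noout -text | grep -q 'TLS Web Server Authentication' || return 1
  openssl x509 -in "$d/client.crt" -noout -text | grep -q 'TLS Web Client Authentication' || return 1
  # the phone bundle must carry exactly one certificate and one key
  [ "$(grep -c -- '-----BEGIN' "$d/client.pem.crt")" -eq 2 ]
}
```

Run build_pki against a scratch directory first and copy the files into /etc/freeradius/certs only after verify_pki succeeds; re-running verify_pki after any manual edit of the certificate files catches a swapped key before FreeRadius does.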