The example in this Note uses Linux for both the access controller (RADIUS server) and the supplicant (client).



Similar documents
What information will you find in this document?

Use 802.1x EAP-TLS or PEAP-MS-CHAP v2 with Microsoft Windows Server 2003 to Make a Secure Network

This How To Note describes one possible basic VRRP configuration.

Configure A Secure Network Solution For Schools. What information will you find in this document?

Configuring PEAP / LDAP based authentication using FreeRADIUS on Debian Sarge and Cisco AP1200, with WPA2 AES encryption

Configure A Secure School Network Based On 802.1x

AlliedWare TM OS How To. Use DHCP Snooping and ARP Security to Block ARP Poisoning Attacks. Introduction. Related How To Notes

Configure WAN Load Balancing

How To Behind A Dynamically-Assigned Public IP Address

Apply Firewall Policies And Rules

How To Create A VPN Between An Allied Telesis Router And A Microsoft Windows XP 1 Client, Without Using NAT-T

802.1X Port Based Authentication HOWTO

What information will you find in this document?

AlliedWare TM OS How To. Create a VPN between an Allied Telesis Router and a Microsoft Windows XP 1 Client, Without Using NAT-T.

Executive Summary. This white paper includes the following sections: A.What Does 802.1x Do? B. An Overview of the 802.1x Standard

How To Set Up a RADIUS Server for User Authentication

Allow Public and Private Address Access to Servers at a Service Provider Client Site. What information will you find in this document?

SURFnet. Supplicant. Gast Employee. Commercial VLAN VLAN. Student. Proxy server VLAN

What information will you find in this document?

AlliedWare Plus OS How To. Configure QoS to prioritize SSH, Multicast, and VoIP Traffic. Introduction

In fact, the three most common reasons for a network slow down are: congestion data corruption collisions

How To Test An Eap Test On A Network With A Testnet (Networking) On A Pc Or Mac Or Ipnet (For A Network) On An Ipnet Or Ipro (For An Ipro) On Pc Or Ipo

Integrating a Hitachi IP5000 Wireless IP Phone

Configure the Firewall VoIP Support Service (SIP ALG)

FreeRADIUS Database Connection Best Practice Document

AlliedWare TM OS How To. Create a VPN between an Allied Telesis Router and a Microsoft Windows 7 Client, with or without NAT-T.

Configure QoS on x900-24, x900-12, and SwitchBlade x908 Series Switches

Deploying the BIG-IP System v11 with RADIUS Servers

Wireless Network Configuration Guide

What information will you find in this document?

x900 Switch Access Requestor

Wireless Alphabet. Soup CHAP WPA(2) 802.1x RADIUS TKIP AES i CBC-MAC EAP TSN WPA(1) EAPOL PEAP WEP PAP RSN CCMP

How to Configure a BYOD Environment with the Unified AP in Standalone Mode

802.1X Client Software

Management Software AT-WA7400/NA. User s Guide Rev. B

Step-by-step Guide for Configuring Cisco ACS server as the Radius with an External Windows Database

Linux based RADIUS Setup

Deploying and Configuring Polycom Phones in 802.1X Environments

vwlan External RADIUS 802.1x Authentication

802.1X AUTHENTICATION IN ACKSYS BRIDGES AND ACCESS POINTS

Enabling Multiple Wireless Networks on RV320 VPN Router, WAP321 Wireless-N Access Point, and Sx300 Series Switches

Chapter 5 - Basic Authentication Methods

User Guide for eduroam

How to configure 802.1X authentication with a Windows XP or Vista supplicant

Application Note User Groups

Mobility System Software Quick Start Guide

What information you will find in this document

How To Set Up An Ipa 1X For Aaa On A Ipa 2.1X On A Network With Aaa (Ipa) On A Computer Or Ipa (Ipo) On An Ipo 2.0.1

Network Security Solutions Implementing Network Access Control (NAC)

Network Startup Resource Center

Lab Configuring LEAP/EAP using Local RADIUS Authentication

Recommended Security System for wireless networks Implementation of IEEE 802.1X Best Practice Document

Create a VPN between an Allied Telesis and a SonicWALL Router, with NAT-T

Cisco Secure ACS. By Igor Koudashev, Systems Engineer, Cisco Systems Australia 2006 Cisco Systems, Inc. All rights reserved.

Dynamic VLAN assignment using RADIUS. Network Diagram

Configuring a Windows 2003 Server for IAS

Abstract. Avaya Solution & Interoperability Test Lab

FortiGate RADIUS Single Sign-On (RSSO) with Windows Server 2008 Network Policy Server (NPS) VERSION 5.2.3

AlliedWare Plus OS How To Use Web-authentication

Automatic Setup... 1 Manual Setup... 2 Installing the Wireless Certificates... 18

WIRELESS SETUP FOR WINDOWS 7

Management Authentication using Windows IAS as a Radius Server

Interlink Networks Secure.XS and Cisco Wireless Deployment Guide

WLAN Outdoor CPE For 2.4G. Quick Installation Guide

A practical guide to Eduroam

TECHNICAL BULLETIN. Configuring Wireless Settings in an i-stat 1 Wireless Analyzer

How To Set Up Wireless Network Security Part 1: WEP Part 2: WPA-PSK Part 3-1: RADIUS Server Installation Part 3-2: 802.1x-TLS Part 3-3: WPA

Tested Solution: Protecting your network with Symantec Network Access Control (NAC) and Allied Telesis Switches

Create a VPN between an Allied Telesis and a NetScreen Router

An Experimental Study on Wireless Security Protocols over Mobile IP Networks

IEA Software, Inc x/EAP Authentication Guide RadiusNT/X V5.1

UNIVERZITA KOMENSKÉHO V BRATISLAVE FAKULTA MATEMATIKY, FYZIKY A INFORMATIKY PRÍPRAVA ŠTÚDIA MATEMATIKY A INFORMATIKY NA FMFI UK V ANGLICKOM JAZYKU

Management Software. Web Browser User s Guide AT-S106. For the AT-GS950/48 Gigabit Ethernet Smart Switch. Version Rev.

Wifi Web Server Module w TF Socket User s Guide

Securing Wireless LANs with LDAP

How To Install Storegrid Server On Linux On A Microsoft Ubuntu 7.5 (Amd64) Or Ubuntu (Amd86) (Amd77) (Orchestra) (For Ubuntu) (Permanent) (Powerpoint

Particularities of security design for wireless networks in small and medium business (SMB)

StoneGate SSL VPN Technical Note Setting Up WPA Authentication

Configuring idrac6 for Directory Services

Thor VM1. Quick Start Guide. Vehicle-Mount Computer. with Microsoft Windows Embedded CE 6 or Windows Embedded Standard 2009 Operating System

The network configuration for these examples is shown in the following figure. Load Balancer 1. public address

MX7 Tecton. Quick Start Guide. Hand-Held Computer. With Microsoft Windows Embedded CE 6 or Windows Mobile 6.5 Operating System. TECTON-QS Rev A 4/12

Tested Solution: Network Configuration and Inventory Management using Upgrade Manager

Implementing Security for Wireless Networks

Issue 1 EN. Nokia and Nokia Connecting People are registered trademarks of Nokia Corporation

Table of Contents. Cisco Wi Fi Protected Access 2 (WPA 2) Configuration Example

PePWave Surf Series PePWave Surf Indoor Series: Surf 200, AP 200, AP 400

How to connect to the diamonds wireless network with Vista.

ALL Mbits Powerline WLAN N Access Point. User s Manual

Massey University Wireless Network - Client

IT Quick Reference Guides Connecting to SU-Secure using Windows 8

Belnet Networking Conference 2013

Configuration Guide for RFMS 3.0 Initial Configuration. WiNG 5 How-To Guide. Digital Certificates. July 2011 Revision 1.0

Installing Windows 95 Drivers and Utilities for the Cisco Aironet 340/350 Series Client Adapters

Transcription:

How To Use 802.1x Security with AT-WA7400 APs, AT-8624PoE Switches, and Linux s freeradius and Xsupplicant Introduction This How To Note details how to take advantage of 802.1x security to ensure that users who connect to your wireless LAN are authorised first. Additionally, it gets the RADIUS server to pass a WEP key to the supplicant so that wireless conversations to the access points are encrypted. The example in this Note uses Linux for both the access controller (RADIUS server) and the supplicant (client). References The sections on freeradius and Xsupplicant were worked out by following the excellent HOWTO written by Lars Strand: 802.1x Port-Based Authentication HOWTO. If you want to create a freeradius and Windows supplicant solution, then consult this document for the Linux configuration, and How To Use 802.1x EAP- TLS or PEAP-MS-CHAP v2 with Microsoft Windows Server 2003 to Make a Secure Network for the Windows configuration. This How To Note is available from the Allied Telesis website. Equipment We used the following devices and software to create and test this setup. The instructions are generic enough to cover any Linux platform, not just Mandrake. 2 x AT-8624PoE switches 1 x AT-8624T/2M switch 2 x AT-WA7400 wireless access points 1 x Mandrake 10.1 PC with freeradius 1.0.5 (compiled from source) 1 x Mandrake 10.1 laptop with xsupplicant-1.0-2mdk (Mandrake package) Terminology User: A person. Client: A user s laptop or PC. Wireless Node: A client on a wireless network. A wireless node is not necessarily authenticated or authorised to use the network. Supplicant: The intermediary application normally contained within the wireless node, which handles authentication. Controlled/uncontrolled port: These are virtual concepts. The client attempts to gain access to the controlled port by authenticating through the uncontrolled port. However, since these terms are just concepts, they share the same medium (in this case thin air). C613-16091-00 REV B www.alliedtelesis.com

The Allied Telesis switches can be any of the following switches: Rapier i Series AT-8600 Series AT-8700XL Series AT-8800 Series AT-9800 Series SwitchBlade AT-8948 AT-9900 Series x900 Series Network Diagram RADIUS server 169.254.4.66 AT-8624T/2M RSTP ring 169.254.4.0/24 AT-8624PoE AT-8624PoE AT-WA7400 169.254.4.230 supplicant 169.254.4.33 AT-WA7400 169.254.4.231 Zone A Zone B 8021x-wa7400-linux.eps Use 802.1x Security with AT-WA7400 APs, AT-8624PoE Switches, and Linux s freeradius and Xsupplicant 2

Configure your Switches The three AT-8600 Series switches can run a very simple configuration if you are installing a layer two segment. Because the switches form a ring for a little redundancy, you must enable RSTP on all three switches. Enter the following commands on all three switches: enable stp=default set stp=default mode=rapid Configure your RADIUS Server Your RADIUS server needs to have freeradius and OpenSSL installed. The server also requires a valid certificate to issue. If your certificate is self-signed, you need to copy the certificate to the supplicant. This section describes all these elements. Depending on your distribution and the settings you chose when you installed it, you may already have some or all of the elements. 1. Install freeradius unless it is already installed You can use the freeradius version packaged with your distribution, or download it from www.freeradius.org. In this case, we compiled and installed it from source. To install the downloaded source package, we used the following commands: [root@server freeradius-1.0.5]$./configure [root@server freeradius-1.0.5]$ make [root@server freeradius-1.0.5]# make install 2. Edit the freeradius configuration files freeradius configuration files will probably be installed to /usr/local/etc/raddb. In that directory, you need to edit the following files: radiusd.conf clients.conf eap.conf users The following sections show code that the configuration files must include. Your files may also have other configuration options. Use 802.1x Security with AT-WA7400 APs, AT-8624PoE Switches, and Linux s freeradius and Xsupplicant 3

radiusd.conf mschap { authorize { preprocess mschap suffix eap files authtype = MS-CHAP use_mppe = yes require_encryption = yes require_strong = yes authenticate { Auth-Type MS-CHAP { mschap eap clients.conf client 169.254.4.0/24 { secret = secret shortname = wireless eap.conf eap { default_eap_type = peap tls { private_key_password = whatever private_key_file = ${raddbdir/certs/cakey.pem certificate_file = ${raddbdir/certs/cacert.crt CA_file = ${raddbdir/certs/cacert.pem dh_file = ${raddbdir/certs/dh random_file = ${raddbdir/certs/random peap { default_eap_type = mschapv2 users manager User-Password == friend Use 802.1x Security with AT-WA7400 APs, AT-8624PoE Switches, and Linux s freeradius and Xsupplicant 4

3. Install OpenSSL unless it is already installed You can use the OpenSSL RPM that is available on Mandrake CDROMs, or you can download it from www.openssl.org and compile it for your platform. Install it in whichever manner you prefer. 4. Generate a self-signed public certificate unless you already have a valid one This step describes how to generate a self-signed certificate and copy it into the RADIUS directory. The following commands should generate as much as you need to get a valid certificate. You will be prompted to answer a series of questions to put in the certificate. Enter the following commands: # mkdir morecerts # cd morecerts # mkdir private # mkdir backup # openssl req -config /usr/lib/ssl/openssl.cnf -new -x509 -keyout private/ cakey.pem -out cacert.pem -days 3650 # openssl x509 -in cacert.pem -out cacert.crt # cp cacert.pem /usr/local/etc/raddb/certs/ # cp cacert.crt /usr/local/etc/raddb/certs/ # cp private/cakey.pem /usr/local/etc/raddb/certs/ # openssl dhparam-check-text -5 512 -out/usr/local/etc/raddb/certs/dh # openssl rand -out/usr/local/etc/raddb/certs/random 100 5. Copy the public certificate to the client Copy the RADIUS server s public certificate to the client so that the client s Xsupplicant will be able to recognise it. This example uses secure copy, which only works if your client and server currently have IP connectivity. Otherwise you need to copy the cacert.crt file by some other means (such as sneakernet). # scp cacert.crt root@<client_ip>:/usr/local/etc/1x/certs/cacert.crt If you are using a Windows PC as the supplicant, you can also import the cacert.crt file into the list of certificates. For more information on configuring a Windows supplicant, please consult the How To Note How To Use 802.1x EAP-TLS or PEAP-MS-CHAP v2 with Microsoft Windows Server 2003 to Make a Secure Network. Use 802.1x Security with AT-WA7400 APs, AT-8624PoE Switches, and Linux s freeradius and Xsupplicant 5

Install and Configure Xsupplicant on your Client This section describes how to configure the client. We assume here that you have a wireless card already working in your client. In this example, our NIC was called ath0, so you should replace all instances of ath0 with your own NIC alias. Once Xsupplicant is installed on your client, there are two or three files to configure, depending on the distribution. If you are using a Mandrake, Fedora or RedHat distribution you should only have to edit the following files: /etc/sysconfig/network-scripts/ifcfg-ath0 /usr/local/etc/1x/xsupplicant.conf If you are using another distribution, you may need to edit: /usr/local/etc/1x/startup.sh /usr/local/etc/1x/startup2.sh /usr/local/etc/1x/xsupplicant.conf Do not try to use startup scripts and the ifcfg-ath0 script at the same time. If you are going to automate the startup of Xsupplicant on boot, do so after the interface has been initialised (brought up) by the operating system. This basically means waiting until networking has started. 1. Install Xsupplicant You can use the Xsupplicant RPM that is available on Mandrake CDROMs, or you can download it from sourceforge.net/projects/open1x/ and compile it for your platform. 2. Configure either the ifcfg or startup files If you are using a Mandrake, Fedora or RedHat distribution, edit the ifcfg script as follows: /etc/sysconfig/network-scripts/ifcfg-ath0 DEVICE=ath0 BOOTPROTO=static IPADDR=169.254.4.33 NETMASK=255.255.255.0 NETWORK=169.254.4.0 BROADCAST=169.254.4.255 ONBOOT=yes METRIC=10 MII_NOT_SUPPORTED=yes WIRELESS_MODE=Managed WIRELESS_ESSID=allied WIRELESS_FREQ=6 WIRELESS_RATE=auto WIRELESS_ENC_KEY=000000000 WIRELESS_FRAG=2346 WIRELESS_IWCONFIG="key restricted" Use 802.1x Security with AT-WA7400 APs, AT-8624PoE Switches, and Linux s freeradius and Xsupplicant 6

If you are using a distribution that does not use ifcfg files, Xsupplicant lets you write startup files to the wireless NIC as shown in the following lines of code. Note that these files do not define encryption, because Xsupplicant controls that. /usr/local/etc/1x/startup.sh #!/bin/sh echo "Starting $0" /sbin/ifconfig ath0 down sleep 1 /sbin/iwconfig ath0 mode managed essid allied channel 6 rate auto enc 0000000000 #iwpriv ath0 authmode 2 /sbin/ifconfig ath0 allmulti up echo "Finished $0" exit 0 /usr/local/etc/1x/startup2.sh #!/bin/sh echo "Starting $0" iwconfig ath0 /sbin/ifconfig ath0 169.254.4.33 netmask 255.255.255.0 broadcast 255.255.255.0 echo "Finished $0" iwconfig ath0 exit 0 3. Configure the xsupplicant.conf file Edit the xsupplicant.conf file as shown in the following fragment. Take note of these points: This was a Mandrake example, so we did not need to use the startup scripts. Therefore we commented them out in our xsupplicant.conf file below (so they are not run). The eap-md5 section is irrelevant to the basic configuration, but it shows how simple it is to add a different form of EAP authentication to the supplicant configuration. /usr/local/etc/1x/xsupplicant.conf ### GLOBAL SECTION network_list = all default_netname = default #startup_command = <BEGIN_COMMAND>/usr/local/etc/1x/startup.sh<END_COMMAND> #first_auth_command = <BEGIN_COMMAND>/usr/local/etc/1x startup2.sh<end_command> reauth_command = <BEGIN_COMMAND>echo "authenticated user %i"<end_command> logfile = /var/log/xsupplicant.log allow_interfaces = ath0, wlan0 deny_interfaces = eth0, eth1, sit0 # script continues on next page Use 802.1x Security with AT-WA7400 APs, AT-8624PoE Switches, and Linux s freeradius and Xsupplicant 7

### NETWORK SECTION allied { allow_types = all identity = <BEGIN_ID>manager<END_ID> type = wireless wireless_control = yes eap-peap { root_cert = /usr/local/etc/1x/certs/cacert.crt chunk_size = 1398 random_file = /dev/urandom session_resume = yes #allow_types = eap_md5 allow_types = eap_mschapv2 eap-mschapv2 { username = <BEGIN_UNAME>manager<END_UNAME> password = <BEGIN_PASS>friend<END_PASS> eap-md5 { username = <BEGIN_UNAME>manager<END_UNAME> password = <BEGIN_PASS>friend<END_PASS> Configure the AT-WA7400 The AT-WA7400 will be powered by the AT-8624PoE switch, so there is no need to use the power supply unit included with the AT-WA7400. 1. Connect to the AT-WA7400 If you have not connected to the AT-WA7400 before, you can use your browser to connect to the IP address 192.168.1.230. You connect via the wired port to do this. The default username/password is manager/friend. Use 802.1x Security with AT-WA7400 APs, AT-8624PoE Switches, and Linux s freeradius and Xsupplicant 8

2. Set the IP address In the Wired Settings, set your IP address. 3. Set the radio details In the Wireless Settings, set your radio details appropriately for your country. Use 802.1x Security with AT-WA7400 APs, AT-8624PoE Switches, and Linux s freeradius and Xsupplicant 9

4. Set the security settings In the Security tab, set your authentication method. You might want to disable Broadcast SSID. Note that the RADIUS key should be the same as the one you entered in clients.conf on your RADIUS server. Start freeradius and Xsupplicant On your RADIUS server, start freeradius with -X to show helpful debugging: # radiusd -X On your client, start Xsupplicant and specify your config file -c with debugging options -d9 f : # xsupplicant c /usr/local/etc/1x/xsupplicant.conf d9 -f When you have both freeradius and Xsupplicant working to your satisfaction, start them without the extra debugging options and they will run quietly in the background. Use 802.1x Security with AT-WA7400 APs, AT-8624PoE Switches, and Linux s freeradius and Xsupplicant 10

Confirm that Authentication Works On the AT-WA7400, check the Client Association tab. When you have successfully used Xsupplicant to authenticate against the RADIUS server, you will see the client s MAC address there. Beside that, under Status, should be Yes for Authenticated and Associated. Until you have two Yes entries you have not been authorised to use the controlled port. Notice that in the above picture we have changed the GUI view to a different Access Point (169.254.4.231). This is because the client was actually in an area best covered by the second Access Point. When this happens, the first Access Point (169.254.4.230) does not have a record of a client associated with another Access Point even though, by default, the two Access Points are in a cluster. Use 802.1x Security with AT-WA7400 APs, AT-8624PoE Switches, and Linux s freeradius and Xsupplicant 11

Using a Wired Allied Telesis Switch Instead of the AT-WA7400 All Allied Telesis Rapier, AT8600, AT-8800, AT-9800, Switchblade, AT8900, AT-9900, and x900 Series switches support 802.1x port authentication. You can use any of these switches instead of the AT-WA7400. For example, if you connected your laptop directly to port 1 on the AT-8624 (see "Network Diagram" on page 2), instead of using wireless, you would apply the following configuration to the AT-8624 switch. # RADIUS configuration add radius server=169.254.4.66 secret="secret" port=1812 accport=1813 # 802.1X configuration enable portauth=8021x enable portauth=8021x port=1 type=authenticator In the above configuration: the IP address 169.254.4.66 is the IP address of the RADIUS server the RADIUS server is configured to listen on port 1812 for access-requests and 1813 for accounting-requests. This configuration is the same whether you use Linux s Xsupplicant or Microsoft s supplicant client. Naturally, the switch needs to have IP connectivity to the RADIUS server, however, the supplicant does not require any IP connectivity before the port authentication process begins. A DHCP server may assign the supplicant an IP after successful authentication. USA Headquar ters 19800 Nor th Cr eek Parkwa y Suite 100 Bothell WA 98011 USA T: +1 800 424 4284 F: +1 425 481 3895 Eur opean Headquar ters Via Motta 24 6830 Chiasso Switzerland T: +41 91 69769.00 F: +41 91 69769.11 Asia-Pacific Headquar ters 11 T ai Seng Link Singapor e 534182 T: +65 6383 3832 F: +65 6383 3830 www.alliedtelesis.com 2009 Allied Tel esis, Inc. All rights reserved. Information in this document is subject to change without notice. Allied Telesis is a trademark or registered trademark of Allied Telesis, Inc. in the United States and other countries. All company names, logos, and product designs that are trademarks or registered trademarks are the property of their respective owners. C613-16091-00 REV B

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information