2020-06-03 1/17
— 1KGT151134, JUN 03RD, 2020
Application Note
Configuring IEEE 802.1X using FreeRADIUS on EDS500
Table of Contents
1 Introduction ... 3
1.1 Motivation ... 3
1.2 Principle of Operation ... 3
2 Configuration ... 4
2.1 Setup ... 4
2.2 Client Configuration (Microsoft Windows 10) ... 5
2.3 500NMD Configuration ... 9
2.4 Configuration File for 500NMD ... 10
2.5 FreeRADIUS Configuration ... 11
2.6 Configuration Summary for FreeRADIUS ... 12
3 Verifying operation ... 14
3.1 Verification of configuration and operation on EDS500 ... 14
3.2 Verification of operation of FreeRADIUS ... 14
4 Ordering Information ... 15
5 References ... 16
1 Introduction
This document describes the settings required to enable 802.1X using an EDS500 managed
Ethernet switch as Authenticator.
As an example, this document describes a simple configuration of IEEE 802.1X on a Microsoft
Windows 10 client.
1.1 Motivation
Growing security and access control awareness in communication networks increases the use
of the IEEE 802.1X protocol to authenticate clients regardless of operating system, device
type and purpose.
EDS500 managed switches support IEEE 802.1X by working as authenticator that forwards
authentication information to a central (RADIUS) server. For clients not able to support IEEE
802.1X, EDS500 provides a MAC authentication feature (refer to separate application note
referenced in chapter 5).
1.2 Principle of Operation
If 802.1X is enabled on an EDS500 managed switch, a client that is newly connected (link up
event) is requested to provide identification information, which can be a pre-shared key, a
certificate or something else depending on the client’s configuration.
In this example the client is configured to request username and password (popup dialog)
from the user currently logged in to the system.
If the information is provided by the client, it is forwarded to a central RADIUS authentication
server by the EDS500 managed switch. The server checks the request and answers with ‘accept’
or ‘reject’. Based on this answer the switch enables the port the client is connected to, or
leaves it blocked.
The packet sent to the authentication server includes the information elements listed below.
Access-Request information elements for IEEE 802.1X authentication
Property          Content                                           Example
User-Name         Username as given by the user                     bob
NAS-IP-Address    IP address of the switch                          192.168.5.178
NAS-Port          Numerical interface id at the switch              6
NAS-Port-Id       Port name of the switch                           port2
NAS-Port-Type     Communication media the client uses to connect    Ethernet
2 Configuration
Chapter 2 describes the configuration steps to configure IEEE 802.1X authentication on a
Microsoft Windows based client, an EDS500 managed switch and a FreeRADIUS based
authentication server.
Chapter 2.1 illustrates the setup while chapters 2.2 to 2.6 describe the settings and
configuration steps.
2.1 Setup
An IEEE 802.1X capable client is connected directly to Port2 of a 500NMD01 managed switch.
Figure 1: Setup
The switch has a configuration to forward authentication requests to a FreeRADIUS based
central server.
2.2 Client Configuration (Microsoft Windows 10)
The example below explains the configuration of a Microsoft Windows 10 Pro version 1909
client.
Tasks – Configure network settings
Description / Command(s)
Make sure the service ‘Wired AutoConfig’ is started and the startup type is set to ‘Automatic’.
    Press the Windows key + R (Run) and enter ‘services.msc’. Search for ‘Wired AutoConfig’. If it
    is not running, start the service and set the startup type to ‘Automatic’.
Open the network connections overview.
    Press the Windows key + R (Run) and enter ‘ncpa.cpl’.
Change the network adapter properties.
    Double-click the network adapter where IEEE 802.1X shall be enabled. In the status window
    click ‘Properties’.
Select the ‘Authentication’ tab.
Make sure ‘IEEE 802.1X authentication’ is checked.
Since this example does not run in a PKI environment, the verification of the server’s identity
is disabled. Outside of a test setup, leave this verification enabled, as without it the client
cannot distinguish the legitimate RADIUS server from a rogue one. Also make sure that
‘Secured password (EAP-MSCHAP v2)’ is selected.
Click ‘Configure’ next to the authentication method and deselect ‘Automatically use my Windows
logon name and password’. In this example this is done for simplicity, as it eliminates the need
to synchronize FreeRADIUS with a domain controller / Active Directory server. Instead, the
username and password are stored in the FreeRADIUS configuration files.
Close all dialogs by clicking ‘OK’.
2.3 500NMD Configuration
The example below shows the configuration of an IEEE 802.1X enabled 500NMD01 switch.
Configuration must be done via the command-line interface (CLI), which is accessible via web
browser, Telnet, SSH or serial console.
The example uses a VLAN based configuration. The management interface is assigned to
VLAN 10.
The authentication server to be connected to has the address 192.168.99.10. The pre-shared
secret is ‘eds12345’. The UDP port on which the authentication server listens for requests is ‘1812’.
The interface where IEEE 802.1X authentication shall be used is Port 2.
Tasks – Configure IP settings
Description / CLI command
Set IP address for VLAN 10.
    set interface vlan 10 ip-address 192.168.5.178 255.255.255.0
Set gateway address for VLAN 10.
    set interface vlan 10 gateway 192.168.5.1
Disable non-VLAN based IP address.
    set system no ip
Optional: Configure hostname.
    set system hostname switch-178
Tasks – Configure authentication server
Description / CLI command
Set authentication server including IP address, UDP port and pre-shared secret. Multiple servers
can optionally be configured by executing the command multiple times with different target IPs.
    set system radius server 192.168.99.10 1812 eds12345
Optional: Set source interface (VLAN) for RADIUS requests. Required in a multihomed environment.
    set system radius source vlan 10
Tasks – Configure IEEE 802.1X on Port 2
Description / CLI command
Enable IEEE 802.1X on Port 2.
    set dot1x portcontrol port2 pae-auto
2.4 Configuration File for 500NMD
The listing below represents a sample configuration file for enabling IEEE 802.1X on a
500NMD01 device.
! version 2.0
! common
set dot1x portcontrol port2 pae-auto
set interface vlan 10 ip-address 192.168.5.178 255.255.255.0
set interface vlan 10 gateway 192.168.5.1
set system no ip
set system radius server 192.168.99.10 1812 eds12345
! optional: source interface for RADIUS requests (multihomed setups)
set system radius source vlan 10
set system web-server enable
! interface state
set interface dsl1 no shutdown
set switch port1 no shutdown
set switch port2 no shutdown
set switch port3 no shutdown
set switch port4 no shutdown
2.5 FreeRADIUS Configuration
The example below shows the configuration of FreeRADIUS. The version used is 3.0.20 on
Ubuntu 20.04 LTS (Long Term Support). Examples use ‘vim’ as text editor. FreeRADIUS has been
installed as basic version without database support for simplicity.
The base directory for the configuration files is usually ‘/etc/freeradius/3.0’ or ‘/etc/raddb’.
The 500NMD switch is the ‘Network Access Server’ or ‘client’ in FreeRADIUS terminology, while
the 802.1X client is a ‘user’ in FreeRADIUS terminology.
The tasks are to add the 500NMD01 as Network Access Server and to add a test user. The default
configuration of FreeRADIUS 3.0 is sufficient to support Microsoft Windows IEEE 802.1X based
network authentication.
Tasks – Configure the Network Access Server (Client in FreeRADIUS)
Description / CLI command
Open the file ‘clients.conf’ located in ‘/etc/freeradius/3.0’.
    sudo vim /etc/freeradius/3.0/clients.conf
Add a new client (press ‘i’ to edit the file in ‘vim’) by adding the following lines.
    client switch-178 {          # usually the host name of the device
        ipaddr = 192.168.5.178   # IP address of the 500NMD01
        secret = eds12345        # shared secret entered at 500NMD01
    }
Save the file and close ‘vim’ (press Escape, then type ‘:wq’ in ‘vim’).
Tasks – Configure the Client (User in FreeRADIUS)
Description / CLI command
Open the file ‘authorize’ located in ‘/etc/freeradius/3.0/mods-config/files’.
Note: In some installations the file is named ‘users’ and located in ‘/etc/freeradius/3.0’ or
‘/etc/raddb’.
    sudo vim /etc/freeradius/3.0/mods-config/files/authorize
Add a new user (press ‘i’ to edit the file in ‘vim’) by adding the following lines or uncomment
the default test user. The reply item on the second line must be indented.
    bob Cleartext-Password := "hello"
        Reply-Message := "Hello, %{User-Name}"
Save the file and close ‘vim’ (press Escape, then type ‘:wq’ in ‘vim’).
2.6 Configuration Summary for FreeRADIUS
The listings below represent the configuration files for FreeRADIUS. The example uses the
standard configuration files. In larger and/or more complex scenarios a database backend
instead of a user configuration file is recommended.
Note that the service must be restarted after any configuration file is changed.
Configuration file ‘clients.conf’ in ‘/etc/freeradius/3.0’
# -*- text -*-
##
## clients.conf -- client configuration directives
##
## $Id: 76b300d3c55f1c5c052289b76bf28ac3a370bbb2 $
#######################################################################
#
# Define RADIUS clients (usually a NAS, Access Point, etc.).
#
# Defines a RADIUS client.
#
# '127.0.0.1' is another name for 'localhost'. It is enabled by default,
# to allow testing of the server after an initial installation. If you
# are not going to be permitting RADIUS queries from localhost, we suggest
# that you delete, or comment out, this entry.
#
#
#
#
# Each client has a "short name" that is used to distinguish it from
# other clients.
#
# In version 1.x, the string after the word "client" was the IP
# address of the client. In 2.0, the IP address is configured via
# the "ipaddr" or "ipv6addr" fields. For compatibility, the 1.x
# format is still accepted.
#
client localhost {
# [...]
proto = *
# [...]
secret = testing123
# [...]
require_message_authenticator = no
# [...]
nas_type = other # localhost isn't usually a NAS...
# [...]
limit {
#
# [...]
max_connections = 16
# [...]
lifetime = 0
# [...]
idle_timeout = 30
}
}
#
client switch-178 {
ipaddr = 192.168.5.178
secret = eds12345
}
#
# [...]
Figure 2: FreeRADIUS ‘clients.conf’
Configuration file ‘authorize’ in ‘/etc/freeradius/3.0/mods-config/files’
#
# Configuration file for the rlm_files module.
# Please see rlm_files(5) manpage for more information.
#
# This file contains authentication security and configuration
# information for each user. Accounting requests are NOT processed
# through this file. Instead, see 'accounting', in this directory.
#
# [...]
#
# For a list of RADIUS attributes, and links to their definitions,
# see: http://www.freeradius.org/rfc/attributes.html
#
# Entries below this point are examples included in the server for
# educational purposes. They may be deleted from the deployed
# configuration without impacting the operation of the server.
#
#
# Deny access for a specific user. Note that this entry MUST
# be before any other 'Auth-Type' attribute which results in the user
# being authenticated.
#
# [...]
#
# The canonical testing user which is in most of the
# examples.
#
bob Cleartext-Password := "hello"
    Reply-Message := "Hello, %{User-Name}"
#
# [...]
#
Figure 3: FreeRADIUS ‘authorize’
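As an added example that is not part of this application note, the following Python check parses the switch listing from section 2.4 and the ‘clients.conf’ entry above and confirms that the two sides agree: 802.1X enabled on the port, a RADIUS server configured on the switch, a client entry for the address the switch sends from, and the same shared secret on both ends. The two embedded listings are constructed copies of the ones in this note, and the regular expressions assume the EDS500 ‘set ...’ syntax shown here.

```python
import re

# Constructed copies of this note's two listings, embedded so the check runs
# offline; in practice feed it 'show running-configuration' output and clients.conf.
SWITCH_CONFIG = """\
set dot1x portcontrol port2 pae-auto
set interface vlan 10 ip-address 192.168.5.178 255.255.255.0
set system radius server 192.168.99.10 1812 eds12345
set system radius source vlan 10
"""
CLIENTS_CONF = """\
client switch-178 {
    ipaddr = 192.168.5.178   # IP address of the 500NMD01
    secret = eds12345        # shared secret entered at 500NMD01
}
"""
PATTERNS = {  # one regex per EDS500 'set ...' line the check cares about
    "dot1x": re.compile(r"set dot1x portcontrol (\S+) pae-auto$"),
    "vlan_ip": re.compile(r"set interface vlan (\d+) ip-address (\S+) \S+$"),
    "radius": re.compile(r"set system radius server (\S+) (\d+) (\S+)$"),
    "source": re.compile(r"set system radius source vlan (\d+)$"),
}

def parse_switch_config(text):
    """Collect the 802.1X-relevant facts from the switch configuration."""
    lines = [ln.strip() for ln in text.splitlines()]
    return {key: [m.groups() for ln in lines if (m := rx.match(ln))]
            for key, rx in PATTERNS.items()}

def parse_clients_conf(text):
    # Minimal reader for 'client <name> { key = value ... }' blocks.
    return {name: dict(re.findall(r"(\w+)\s*=\s*(\S+)", body))
            for name, body in re.findall(r"client\s+(\S+)\s*\{([^}]*)\}", text)}

def check_pairing(switch_cfg, clients_conf, port):
    """Return findings; an empty list means switch and FreeRADIUS agree."""
    sw, clients = parse_switch_config(switch_cfg), parse_clients_conf(clients_conf)
    findings = []
    if (port,) not in sw["dot1x"]:
        findings.append(f"802.1X not enabled on {port}")
    # Requests leave from the source VLAN if set, otherwise from the first VLAN IP.
    src_vlan = (sw["source"] or sw["vlan_ip"] or [(None,)])[0][0]
    nas_ip = next((ip for vlan, ip in sw["vlan_ip"] if vlan == src_vlan), None)
    nas = [c for c in clients.values() if c.get("ipaddr") == nas_ip]
    if not sw["radius"]:
        findings.append("no RADIUS server configured on the switch")
    elif not nas:
        findings.append(f"no clients.conf entry for NAS address {nas_ip}")
    elif any(c.get("secret") != sw["radius"][0][2] for c in nas):
        findings.append("shared secret differs between switch and clients.conf")
    return findings
```

Running `check_pairing(SWITCH_CONFIG, CLIENTS_CONF, "port2")` on the embedded listings returns an empty list; a mismatched secret or a missing client entry shows up as a finding before the first client is plugged in.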
3 Verifying operation
There are several commands to verify the operation of IEEE 802.1X network authentication.
3.1 Verification of configuration and operation on EDS500
Description / CLI command
Display the configuration.
    show running-configuration
Display IEEE 802.1X port information.
    show dot1x
Display realtime events. Deactivate with ‘terminal no monitor’.
    terminal monitor
3.2 Verification of operation of FreeRADIUS
Description / CLI command
Test RADIUS server operation with given credentials. This should be done locally with localhost's
shared secret ‘testing123’.
    radtest 'username' 'user-password' 'client' 10 'shared secret'
    Example: radtest 782bcb7a8628 782bcb7a8628 localhost 10 testing123
Hint: Because the Calling-Station-Id attribute is missing, the example given generates a reject
message.
Execute FreeRADIUS in verbose (debug) mode. Depending on the configuration, you need to stop the
freeradius service first. In older installations ‘freeradius’ may be named ‘radiusd’.
    freeradius -X
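The Access-Request described in section 1.2 and exercised with radtest above, as an added example that is not part of this application note: Python code that builds the PAP-style request radtest sends (the Windows client itself uses EAP-MSCHAP v2, where the credentials travel inside EAP-Message attributes instead), hides the User-Password with the shared secret as RFC 2865 requires, and parses the packet back. The attribute numbers and packet layout are those of RFC 2865; the user, NAS address, port and secret values are constructed from the ones used in this note.

```python
import hashlib
import os
import socket
import struct

# Sample values constructed from the note: user bob/hello, switch 192.168.5.178
# as NAS, port2 with interface id 6, and localhost's shared secret 'testing123'.
SECRET = b"testing123"
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, NAS_PORT, NAS_PORT_TYPE, NAS_PORT_ID = 1, 2, 4, 5, 61, 87
PORT_TYPE_ETHERNET = 15  # RFC 2865 NAS-Port-Type value for "Ethernet"

def crypt_password(data, secret, authenticator, decrypt=False):
    """RFC 2865 5.2 User-Password hiding: XOR each 16-byte block with
    MD5(secret + previous block), seeded with the Request Authenticator."""
    data += b"\x00" * (-len(data) % 16)  # pad to 16; a no-op for hidden input
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        pad = hashlib.md5(secret + prev).digest()
        block = bytes(x ^ y for x, y in zip(data[i:i + 16], pad))
        out += block
        prev = data[i:i + 16] if decrypt else block  # chain on the ciphertext block
    return out.rstrip(b"\x00") if decrypt else out

def _attr(atype, value):
    return struct.pack("!BB", atype, 2 + len(value)) + value

def build_access_request(ident, user, password, nas_ip, nas_port, port_id, secret):
    """Build a PAP Access-Request (code 1) with the attributes listed in the note."""
    authenticator = os.urandom(16)  # Request Authenticator, fresh per request
    attrs = (_attr(USER_NAME, user)
             + _attr(USER_PASSWORD, crypt_password(password, secret, authenticator))
             + _attr(NAS_IP_ADDRESS, socket.inet_aton(nas_ip))
             + _attr(NAS_PORT, struct.pack("!I", nas_port))
             + _attr(NAS_PORT_TYPE, struct.pack("!I", PORT_TYPE_ETHERNET))
             + _attr(NAS_PORT_ID, port_id))
    return struct.pack("!BBH", 1, ident, 20 + len(attrs)) + authenticator + attrs

def parse_packet(packet):
    """Split a RADIUS packet into (code, identifier, authenticator, {type: value})."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    attrs, pos = {}, 20
    while pos < length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute length")
        attrs[atype] = packet[pos + 2:pos + alen]
        pos += alen
    return code, ident, packet[4:20], attrs
```

Decrypting the User-Password with the wrong secret yields garbage rather than an error, which is why a mismatched shared secret between switch and ‘clients.conf’ shows up in `freeradius -X` as a reject or a dropped request instead of an explicit "wrong secret" message.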
4 Ordering Information
For order numbers regarding 500NMDxx the table below can be used.
Product           Ident. no.         Description
500NMD01 R0002    1KHW025096R0002    4xRJ-45, 1xSHDSL, 1xRS-232
500NMD02 R0002    1KHW025097R0002    4xRJ-45, 2xSHDSL, 2xRS-232
500NMD11 R0002    1KHW027869R0002    4xRJ-45, 1xSHDSL, 1xSFP, 2xRS-232
500NMD20 R0002    1KHW025098R0002    4xRJ-45, 2xSFP, 2xRS-232
500NMD30 R0002    1KGT038890R0002    4xRJ-45, 1xRS-232
5 References
Product        Reference(s)
500NMDxx       Presentation
500NMDxx       Brochure
IEEE 802.1X    MAC Authentication Bypass Application note
Contact
Technical questions: [email protected]
Commercial topics, orders: [email protected]
—
ABB Power Grids Germany AG
P.O. Box 10 01 64
D-68128 Mannheim
Germany
solutions.abb/eds500
—
We reserve the right to at all times make technical changes as well as changes
to the contents of this document without prior notice.
The detailed specifications agreed to at the time of ordering apply to all orders.
ABB accepts no responsibility for possible errors or incompleteness in this
document.
We reserve all rights to this document and the topics and illustrations contained
therein. The document and its contents, or extracts thereof, must not be
reproduced, transmitted or reused by third parties without prior written consent
by ABB.
All rights reserved.