1KGT151134, JUN 03RD, 2020

Application Note

Configuring IEEE 802.1X using FreeRADIUS on EDS500

2020-06-03


Table of Contents

1 Introduction
  1.1 Motivation
  1.2 Principle of Operation
2 Configuration
  2.1 Setup
  2.2 Client Configuration (Microsoft Windows 10)
  2.3 500NMD Configuration
  2.4 Configuration File for 500NMD
  2.5 FreeRADIUS Configuration
  2.6 Configuration Summary for FreeRADIUS
3 Verifying operation
  3.1 Verification of configuration and operation on EDS500
  3.2 Verification of operation of FreeRADIUS
4 Ordering Information
5 References


1 Introduction

This document describes the settings required to enable 802.1X using an EDS500 managed Ethernet switch as Authenticator.

As an example, this document describes a simple configuration of IEEE 802.1X on a Microsoft Windows 10 client.

1.1 Motivation

Growing security and access control awareness in communication networks increases the use of the IEEE 802.1X protocol to authenticate clients regardless of operating system, device type and purpose.

EDS500 managed switches support IEEE 802.1X by acting as the authenticator that forwards authentication information to a central (RADIUS) server. For clients that cannot support IEEE 802.1X, EDS500 provides a MAC authentication feature (refer to the separate application note referenced in chapter 5).

1.2 Principle of Operation

If 802.1X is enabled on an EDS500 managed switch, a client that is newly connected (link-up event) is requested to provide identification information, which can be a pre-shared key, a certificate or something else depending on the client’s configuration.

In this example the client is configured to request username and password (popup dialog) from the user currently logged in to the system.

If the client provides the information, the EDS500 managed switch forwards it to a central RADIUS authentication server. The server checks the request and answers with ‘accept’ or ‘reject’. Based on this answer the switch either enables the port the client is connected to or leaves it blocked.

The packet sent to the authentication server includes the information elements listed below.

Access-Request information elements for IEEE 802.1X authentication

Property         Content                                          Example
User-Name        Username as given by the user                    bob
NAS-IP-Address   IP address of the switch                         192.168.5.178
NAS-Port         Numerical interface id at the switch             6
NAS-Port-Id      Port name of the switch                          port2
NAS-Port-Type    Communication media the client uses to connect   Ethernet


2 Configuration

Chapter 2 describes the configuration steps to configure IEEE 802.1X authentication on a Microsoft Windows based client, an EDS500 managed switch and a FreeRADIUS based authentication server.

Chapter 2.1 illustrates the setup while chapters 2.2 to 2.6 describe the settings and configuration steps.

2.1 Setup

An IEEE 802.1X capable client is connected directly to Port2 of a 500NMD01 managed switch.

Figure 1: Setup

The switch is configured to forward authentication requests to a FreeRADIUS based central server.


2.2 Client Configuration (Microsoft Windows 10)

The example below explains the configuration of a Microsoft Windows 10 Pro version 1909 client.

Tasks – Configure network settings

Description: Make sure the service ‘Wired AutoConfig’ is started and its startup type is set to ‘Automatic’.
Command(s): Press Windows+R (Run) and enter ‘services.msc’. Search for ‘Wired AutoConfig’. If it is not running, start the service and set the startup type to ‘Automatic’.

Description: Open the network connections overview.
Command(s): Press Windows+R (Run) and enter ‘ncpa.cpl’.


Description: Change the network adapter properties.
Command(s): Double-click the network adapter on which IEEE 802.1X shall be enabled. In the status window click ‘Properties’. Select the ‘Authentication’ tab.


Description: Make sure ‘IEEE 802.1X authentication’ is checked. Since this example is not in a PKI environment, the verification of the server’s identity is disabled here; in a production network it should stay enabled, because it is what prevents the client from authenticating against a server that is not the intended one. Also make sure that ‘Secured password (EAP-MSCHAP v2)’ is selected.


Description: Click ‘Configure’ next to the authentication method and deselect ‘Automatically use my Windows logon name and password’. In this example this is done for simplicity, as it removes the need to synchronize FreeRADIUS with a domain controller / Active Directory server. Instead, the username and password are stored in the FreeRADIUS configuration files.

Description: Close all dialogs by clicking ‘OK’.


2.3 500NMD Configuration

The example below shows the configuration of an IEEE 802.1X enabled 500NMD01 switch. Configuration must be done via the command-line interface (CLI), which is accessible via web browser, Telnet, SSH or serial console.

The example uses a VLAN based configuration. The management interface is assigned to VLAN 10.

The authentication server to be connected to has the address 192.168.99.10. The pre-shared secret is ‘eds12345’. The UDP port on which the authentication server listens for requests is ‘1812’.

The interface on which IEEE 802.1X authentication shall be used is Port 2.

Tasks – Configure IP settings

Description: Set the IP address for VLAN 10.
CLI command: set interface vlan 10 ip-address 192.168.5.178 255.255.255.0

Description: Set the gateway address for VLAN 10.
CLI command: set interface vlan 10 gateway 192.168.5.1

Description: Disable the non-VLAN based IP address.
CLI command: set system no ip

Description: Optional: Configure the hostname.
CLI command: set system hostname switch-178

Tasks – Configure authentication server

Description: Set the authentication server including IP address, UDP port and pre-shared secret. Multiple servers can optionally be configured by executing the command multiple times with different target IPs.
CLI command: set system radius server 192.168.99.10 1812 eds12345

Description: Optional: Set the source interface (VLAN) for RADIUS requests. Required in a multihomed environment.
CLI command: set system radius source vlan 10

Tasks – Configure IEEE 802.1X on Port 2

Description: Enable IEEE 802.1X on Port 2.
CLI command: set dot1x portcontrol port2 pae-auto


2.4 Configuration File for 500NMD

The listing below represents a sample configuration file for enabling IEEE 802.1X on a 500NMD01 device. The ‘set system radius source vlan 10’ line is optional (see chapter 2.3).

! version 2.0
! common
set dot1x portcontrol port2 pae-auto
set interface vlan 10 ip-address 192.168.5.178 255.255.255.0
set interface vlan 10 gateway 192.168.5.1
set system no ip
set system radius server 192.168.99.10 1812 eds12345
! optional: source interface for RADIUS requests
set system radius source vlan 10
set system web-server enable
! interface state
set interface dsl1 no shutdown
set switch port1 no shutdown
set switch port2 no shutdown
set switch port3 no shutdown
set switch port4 no shutdown


2.5 FreeRADIUS Configuration

The example below shows the configuration of FreeRADIUS. The version used is 3.0.20 on Ubuntu 20.04 LTS (Long Term Support). The examples use ‘vim’ as text editor. FreeRADIUS has been installed as a basic version without database support for simplicity.

The base directory for the configuration files is usually ‘/etc/freeradius/3.0’ or ‘/etc/raddb’.

In FreeRADIUS terminology, the 500NMD switch is the ‘Network Access Server’ or ‘client’, and the end device being authenticated is a ‘user’.

The tasks are to add the 500NMD01 as Network Access Server and to add a test user. The default configuration of FreeRADIUS 3.0 is sufficient to support Microsoft Windows IEEE 802.1X based network authentication.

Tasks – Configure the Network Access Server (Client in FreeRADIUS)

Description: Open the file ‘clients.conf’ located in ‘/etc/freeradius/3.0’.
CLI command: sudo vim /etc/freeradius/3.0/clients.conf

Description: Add a new client (press ‘i’ to edit the file in ‘vim’) by adding the following lines.
CLI command:
client switch-178 {          # usually the host name of the device
    ipaddr = 192.168.5.178   # IP address of the 500NMD01
    secret = eds12345        # shared secret entered at 500NMD01
}

Description: Save the file and close ‘vim’ (press Escape, then type ‘:wq’).

Tasks – Configure the Client (User in FreeRADIUS)

Description: Open the file ‘authorize’ located in ‘/etc/freeradius/3.0/mods-config/files’.
Note: In some installations the file is named ‘users’ and located in ‘/etc/freeradius/3.0’ or ‘/etc/raddb’.
CLI command: sudo vim /etc/freeradius/3.0/mods-config/files/authorize

Description: Add a new user (press ‘i’ to edit the file in ‘vim’) by adding the following lines, or uncomment the default test user.
CLI command:
bob	Cleartext-Password := "hello"
	Reply-Message := "Hello, %{User-Name}"

Description: Save the file and close ‘vim’ (press Escape, then type ‘:wq’).


2.6 Configuration Summary for FreeRADIUS

The listings below represent the configuration files for FreeRADIUS. The example uses the standard configuration files. In larger and/or more complex scenarios a database backend instead of a user configuration file is recommended.

Note that a restart of the service is required after any configuration file is changed.

Configuration file ‘clients.conf’ in ‘/etc/freeradius/3.0’

# -*- text -*-
##
## clients.conf -- client configuration directives
##
## $Id: 76b300d3c55f1c5c052289b76bf28ac3a370bbb2 $

#######################################################################
#
# Define RADIUS clients (usually a NAS, Access Point, etc.).
#
# Defines a RADIUS client.
#
# '127.0.0.1' is another name for 'localhost'. It is enabled by default,
# to allow testing of the server after an initial installation. If you
# are not going to be permitting RADIUS queries from localhost, we suggest
# that you delete, or comment out, this entry.
#
# Each client has a "short name" that is used to distinguish it from
# other clients.
#
# In version 1.x, the string after the word "client" was the IP
# address of the client. In 2.0, the IP address is configured via
# the "ipaddr" or "ipv6addr" fields. For compatibility, the 1.x
# format is still accepted.
#
client localhost {
    # [...]
    proto = *
    # [...]
    secret = testing123
    # [...]
    require_message_authenticator = no
    # [...]
    nas_type = other     # localhost isn't usually a NAS...
    # [...]
    limit {
        # [...]
        max_connections = 16
        # [...]
        lifetime = 0
        # [...]
        idle_timeout = 30
    }
}
#
client switch-178 {
    ipaddr = 192.168.5.178
    secret = eds12345
}
#
# [...]

Figure 2: FreeRADIUS ‘clients.conf’


Configuration file ‘authorize’ in ‘/etc/freeradius/3.0/mods-config/files’

#
# Configuration file for the rlm_files module.
# Please see rlm_files(5) manpage for more information.
#
# This file contains authentication security and configuration
# information for each user. Accounting requests are NOT processed
# through this file. Instead, see 'accounting', in this directory.
#
# [...]
#
# For a list of RADIUS attributes, and links to their definitions,
# see: http://www.freeradius.org/rfc/attributes.html
#
# Entries below this point are examples included in the server for
# educational purposes. They may be deleted from the deployed
# configuration without impacting the operation of the server.
#
# Deny access for a specific user. Note that this entry MUST
# be before any other 'Auth-Type' attribute which results in the user
# being authenticated.
#
# [...]
#
# The canonical testing user which is in most of the
# examples.
#
bob	Cleartext-Password := "hello"
	Reply-Message := "Hello, %{User-Name}"
#
# [...]
#

Figure 3: FreeRADIUS ‘authorize’
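The Python script below is an added example and is not part of this application note or of FreeRADIUS. It parses the rlm_files ‘users’/‘authorize’ format used in chapters 2.5 and 2.6 (a name in column 1 followed by comma-separated check items, then indented reply lines) and performs the lookup the module does: entries are tried in file order, the first one whose name is the user or DEFAULT wins, and later entries are only merged when the reply items contain Fall-Through = Yes. The SAMPLE text is constructed for this example; only the ‘bob’ entry comes from the application note, the ‘alice’ and ‘DEFAULT’ entries are assumptions added to exercise the format.

```python
# Added example, not from the application note: parser and lookup for the
# rlm_files 'users' / 'authorize' format.  SAMPLE is constructed test input.
import re

# attribute, operator, value; the value is a double-quoted string or a bare token.
ITEM_RE = re.compile(r'\s*([\w-]+)\s*(:=|\+=|==|!=|=~|!~|>=|<=|>|<|=)\s*'
                     r'("(?:[^"\\]|\\.)*"|[^\s,]+)\s*,?')


def parse_items(text):
    """Parse 'Attr op value, Attr op value' into a list of (attr, op, value)."""
    items, pos, text = [], 0, text.strip()
    while pos < len(text):
        m = ITEM_RE.match(text, pos)
        if not m:
            raise ValueError("cannot parse item list: %r" % text[pos:])
        attr, op, value = m.groups()
        items.append((attr, op, value[1:-1] if value.startswith('"') else value))
        pos = m.end()
    return items


def parse_users_file(text):
    """An entry starts with a name in column 1 followed by its check items; indented
    lines carry reply items (comma-terminated except the last); a blank line or the
    next unindented line ends the entry.  Lines whose first token is '#' are comments."""
    entries, current = [], None
    for lineno, raw in enumerate(text.splitlines(), 1):
        if not raw.strip():
            current = None
            continue
        if raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t":
            if current is None:
                raise ValueError("line %d: reply item outside an entry" % lineno)
            current["reply"].extend(parse_items(raw))
        else:
            parts = re.split(r"\s+", raw.strip(), maxsplit=1)
            check = parse_items(parts[1]) if len(parts) > 1 else []
            current = {"name": parts[0], "check": check, "reply": []}
            entries.append(current)
    return entries


def lookup(entries, username):
    """First entry named for the user (or DEFAULT) wins; later matches are merged only
    after Fall-Through = Yes.  Check items are returned for the caller to evaluate."""
    check, reply, matched = [], [], False
    for e in entries:
        if e["name"] not in (username, "DEFAULT"):
            continue
        matched = True
        check += e["check"]
        reply += [i for i in e["reply"] if i[0] != "Fall-Through"]
        if not any(i[0] == "Fall-Through" and i[2].lower() == "yes" for i in e["reply"]):
            break
    return {"check": check, "reply": reply} if matched else None


def password_for(entries, username):
    """The stored password EAP-MSCHAPv2 or PAP needs, or None if the user has none."""
    found = lookup(entries, username)
    if not found:
        return None
    for attr, op, value in found["check"]:
        if attr in ("Cleartext-Password", "NT-Password") and op == ":=":
            return value
    return None


# Constructed sample: 'bob' is the note's entry, the others are assumptions.
SAMPLE = '''\
#
# The canonical testing user which is in most of the examples.
#
bob\tCleartext-Password := "hello"
\tReply-Message := "Hello, %{User-Name}"

alice\tCleartext-Password := "s3cret", NAS-Port-Type == Ethernet
\tFramed-Protocol = PPP,
\tReply-Message := "Hi alice"

DEFAULT\tAuth-Type := Reject
\tReply-Message := "Not authorised"
'''
```

Running `parse_users_file` over a copy of the real ‘authorize’ file before the service restart catches an item list the parser cannot read (for instance a reply line that lost its indentation) without touching the running server, and `password_for` shows which entries can actually satisfy the EAP-MSCHAP v2 method selected on the Windows client.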


3 Verifying operation

There are several commands to verify the operation of IEEE 802.1X network authentication.

3.1 Verification of configuration and operation on EDS500

Description: Display the configuration.
CLI command: show running-configuration

Description: Display IEEE 802.1X port information.
CLI command: show dot1x

Description: Display real-time events. Deactivate with ‘terminal no monitor’.
CLI command: terminal monitor

3.2 Verification of operation of FreeRADIUS

Description: Test RADIUS server operation with the given credentials. This should be done locally with localhost’s shared secret ‘testing123’.
CLI command: radtest ‘username’ ‘user-password’ ‘client’ 10 ‘shared secret’
Example: radtest 782bcb7a8628 782bcb7a8628 localhost 10 testing123
Hint: Due to the missing Calling-Station-Id attribute, the example given generates a reject message.

Description: Execute FreeRADIUS in verbose (debug) mode. Depending on the configuration, you need to shut down the freeradius service first. In older installations ‘freeradius’ may be named ‘radiusd’.
CLI command: freeradius -X
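As an added example (not from this application note), the Python script below builds the Access-Request of chapter 1.2 with the five listed attributes, checks it as the server would, answers it, and checks the answer as the switch would. This is what ‘radtest’ does underneath, so it also illustrates the verification step of chapter 3.2. The packet layout follows RFC 2865 and RFC 2869; the User-Password hiding is the PAP form that radtest sends, whereas a Windows 802.1X client carries EAP-Message attributes instead, which are not modelled here. The shared secret, addresses and the fixed authenticator are constructed test values taken from the note, not a capture.

```python
# Added example, not from the application note: a RADIUS Access-Request built from
# the note's attribute table, checked by the server, answered, and the answer checked.
import hashlib
import hmac
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
# Attribute type codes from RFC 2865 / RFC 2869; Ethernet is NAS-Port-Type value 15.
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, NAS_PORT, REPLY_MESSAGE = 1, 2, 4, 5, 18
NAS_PORT_TYPE, MESSAGE_AUTHENTICATOR, NAS_PORT_ID, ETHERNET = 61, 80, 87, 15
SECRET = b"eds12345"  # the note's shared secret; constructed test data, not a capture
SWITCH_ATTRS = [  # the five elements of the note's Access-Request table, in wire form
    (USER_NAME, b"bob"), (NAS_IP_ADDRESS, socket.inet_aton("192.168.5.178")),
    (NAS_PORT, struct.pack("!I", 6)), (NAS_PORT_ID, b"port2"),
    (NAS_PORT_TYPE, struct.pack("!I", ETHERNET)),
]

def encode_attr(atype, value):
    """One RADIUS TLV: type (1 byte), total length (1 byte), value (<= 253 bytes)."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", atype, len(value) + 2) + value

def _md5_chain(data, secret, authenticator, data_is_hidden):
    """RFC 2865 5.2: XOR each 16-byte block with MD5(secret + previous hidden block)."""
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        chunk, key = data[i:i + 16], hashlib.md5(secret + prev).digest()
        block = bytes(x ^ y for x, y in zip(chunk, key))
        out, prev = out + block, (chunk if data_is_hidden else block)
    return out

def hide_user_password(password, secret, authenticator):
    return _md5_chain(password + b"\0" * (-len(password) % 16), secret, authenticator, False)

def reveal_user_password(hidden, secret, authenticator):
    return _md5_chain(hidden, secret, authenticator, True).rstrip(b"\0")

def build_access_request(secret, ident, authenticator, attrs, password=None):
    """Message-Authenticator = HMAC-MD5 over the packet with its own value zeroed."""
    body = b"".join(encode_attr(t, v) for t, v in attrs)
    if password is not None:
        body += encode_attr(USER_PASSWORD, hide_user_password(password, secret, authenticator))
    body += encode_attr(MESSAGE_AUTHENTICATOR, b"\0" * 16)
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + authenticator
    return header + body[:-16] + hmac.new(secret, header + body, hashlib.md5).digest()

def parse_packet(data):
    """Return (code, identifier, authenticator, [(type, value), ...]); rejects bad lengths."""
    code, ident, length = struct.unpack("!BBH", data[:4])
    if length != len(data) or length < 20:
        raise ValueError("bad RADIUS length")
    attrs, pos = [], 20
    while pos < length:
        atype, alen = data[pos], data[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        attrs.append((atype, data[pos + 2:pos + alen]))
        pos += alen
    return code, ident, data[4:20], attrs

def verify_message_authenticator(data, secret):
    """Server side: recompute the HMAC with the attribute zeroed; False if absent or wrong."""
    pos = 20
    for atype, value in parse_packet(data)[3]:
        if atype == MESSAGE_AUTHENTICATOR:
            zeroed = data[:pos + 2] + b"\0" * 16 + data[pos + 18:]
            return hmac.compare_digest(hmac.new(secret, zeroed, hashlib.md5).digest(), value)
        pos += 2 + len(value)
    return False

def build_reply(code, request, secret, attrs=()):
    """Server side: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attrs+Secret)."""
    _, ident, req_auth, _ = parse_packet(request)
    body = b"".join(encode_attr(t, v) for t, v in attrs)
    head = struct.pack("!BBH", code, ident, 20 + len(body))
    return head + hashlib.md5(head + req_auth + body + secret).digest() + body

def verify_reply(reply, request, secret):
    """NAS side: only trust an Accept/Reject whose Response Authenticator matches."""
    expected = hashlib.md5(reply[:4] + parse_packet(request)[2] + reply[20:] + secret).digest()
    return hmac.compare_digest(expected, reply[4:20])

def demo_roundtrip(authenticator=b"\x11" * 16):
    """Fixed authenticator so the result is reproducible; a real NAS draws 16 random bytes."""
    req = build_access_request(SECRET, 7, authenticator, SWITCH_ATTRS, password=b"hello")
    code, _, auth, attrs = parse_packet(req)
    found = dict(attrs)
    accept = build_reply(ACCESS_ACCEPT, req, SECRET, [(REPLY_MESSAGE, b"Hello, bob")])
    return {
        "code": code, "user": found[USER_NAME].decode(),
        "nas_ip": socket.inet_ntoa(found[NAS_IP_ADDRESS]),
        "nas_port": struct.unpack("!I", found[NAS_PORT])[0],
        "password": reveal_user_password(found[USER_PASSWORD], SECRET, auth).decode(),
        "mac_ok": verify_message_authenticator(req, SECRET),
        "reply_ok": verify_reply(accept, req, SECRET),
    }
```

Call `demo_roundtrip()` to see the decoded request and the two checks. Both checks rest entirely on the shared secret: the Message-Authenticator is the server’s proof that a request came from a NAS holding the secret (the ‘require_message_authenticator = no’ in the localhost entry of chapter 2.6 is what leaves that check optional), and the Response Authenticator is the only thing the switch has to distinguish a genuine Access-Accept from a forged one, which is why each client in ‘clients.conf’ deserves its own secret.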


4 Ordering Information

For order numbers regarding 500NMDxx the table below can be used.

Product          Ident no           Description
500NMD01 R0002   1KHW025096R0002    4xRJ-45, 1xSHDSL, 1xRS-232
500NMD02 R0002   1KHW025097R0002    4xRJ-45, 2xSHDSL, 2xRS-232
500NMD11 R0002   1KHW027869R0002    4xRJ-45, 1xSHDSL, 1xSFP, 2xRS-232
500NMD20 R0002   1KHW025098R0002    4xRJ-45, 2xSFP, 2xRS-232
500NMD30 R0002   1KGT038890R0002    4xRJ-45, 1xRS-232


ABB Power Grids Germany AG
P.O. Box 10 01 64
D-68128 Mannheim
Germany
solutions.abb/eds500

We reserve the right to at all times make technical changes as well as changes to the contents of this document without prior notice. The detailed specifications agreed to at the time of ordering apply to all orders. ABB accepts no responsibility for possible errors or incompleteness in this document.

We reserve all rights to this document and the topics and illustrations contained therein. The document and its contents, or extracts thereof, must not be reproduced, transmitted or reused by third parties without prior written consent by ABB.

All rights reserved.