This document describes how to set up certificate-based (IEEE 802.1X) access control for network clients using a LANCOM switch (e.g. the LANCOM GS-2326P) and a RADIUS server provided by a LANCOM router.
In this example, authentication between the network client and the LANCOM switch uses the Extensible Authentication Protocol (EAP) and the authentication protocol Transport Layer Security (TLS).
The ports of the LANCOM switch should only be activated for data transfer after a network client has successfully authenticated at the RADIUS server. In this scenario, the LANCOM switch serves as the authenticator.
Requirements:
1.2) In the following dialog, select the certificate file intended for the LANCOM router. This example uses the name LANCOM_Router.p12.
1.3) In the Certificate type box, select the setting EAP/TLS - container as a PKCS#12 file.
1.4) In the Password field, enter the certificate password. The password in this example is lancom.
1.5) Click on Open to load the certificate into the LANCOM access point.
Info |
---|
You can view the certificate that you loaded into the LANCOM router by starting a Telnet or SSH session on the LANCOM router and entering show eap at the command prompt (as of LCOS 10.70 the command is show eaptls). |
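The PKCS#12 container from steps 1.2 to 1.4 is worth checking before it is loaded into the router, because a container that lacks the private key, lacks the CA certificate, or holds a router certificate that does not chain to the CA the clients trust (CA-LANCOM, step 5.7) only fails later, at the first 802.1X attempt. The following shell script is an added example and not LANCOM's code: it builds throwaway test material with openssl under the names used on this page (CA-LANCOM, LANCOM_Router.p12, password lancom), packs it into a PKCS#12 file, and then runs the checks a practitioner would run on a real container: password opens it, private key present, CA certificate present, router certificate signed by that CA, and the Server Authentication EKU present, which a Windows client with "Validate server certificate" enabled requires on the RADIUS server certificate. The working directory, the two function names and the generated material are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not LANCOM's code): build a throwaway CA and router certificate,
# pack them into a PKCS#12 container named as in step 1.2, then verify the
# container before it would be loaded into the router.
# Assumptions of this example: a scratch directory, the function names below,
# and the generated (constructed) test certificates.

WORK="${WORK:-$(mktemp -d)}"
trap 'rm -rf "$WORK"' EXIT

# make_demo_p12 OUTFILE PASSWORD
# Constructed test material only: a self-signed CA "CA-LANCOM" and a router
# certificate signed by it, exported together with the private key.
make_demo_p12() {
    out="$1"; pw="$2"
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=CA-LANCOM" -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes \
        -subj "/CN=LANCOM_Router" -keyout "$WORK/router.key" -out "$WORK/router.csr" 2>/dev/null
    # A Windows supplicant that validates the server certificate (step 5.7)
    # expects the RADIUS server certificate to carry the serverAuth EKU.
    printf 'extendedKeyUsage=serverAuth\n' > "$WORK/ext.cnf"
    openssl x509 -req -days 365 -in "$WORK/router.csr" \
        -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
        -extfile "$WORK/ext.cnf" -out "$WORK/router.crt" 2>/dev/null
    # -certfile adds the CA certificate to the container, as the router needs it.
    openssl pkcs12 -export -in "$WORK/router.crt" -inkey "$WORK/router.key" \
        -certfile "$WORK/ca.crt" -passout "pass:$pw" -out "$out"
}

# p12_check FILE PASSWORD
# Prints "ok" when the container holds a private key, a CA certificate, and a
# router certificate with the serverAuth EKU that chains to that CA.
# Otherwise prints the name of the first failed check and returns 1.
p12_check() {
    f="$1"; pw="$2"; d="$WORK/check"
    mkdir -p "$d"
    # Wrong password or not a PKCS#12 file: the MAC check fails here.
    openssl pkcs12 -in "$f" -passin "pass:$pw" -nocerts -nodes \
        -out "$d/key.pem" 2>/dev/null || { echo "bad-password-or-format"; return 1; }
    grep -q "PRIVATE KEY" "$d/key.pem" || { echo "no-private-key"; return 1; }
    # Split end-entity certificate and CA certificate(s) into separate files.
    openssl pkcs12 -in "$f" -passin "pass:$pw" -nokeys -clcerts -out "$d/ee.pem" 2>/dev/null
    openssl pkcs12 -in "$f" -passin "pass:$pw" -nokeys -cacerts -out "$d/ca.pem" 2>/dev/null
    grep -q "BEGIN CERTIFICATE" "$d/ca.pem" || { echo "no-ca-cert"; return 1; }
    openssl x509 -in "$d/ee.pem" -noout -text | grep -q "TLS Web Server Authentication" \
        || { echo "no-serverauth-eku"; return 1; }
    # The router certificate must verify against the CA shipped in the container,
    # i.e. the CA the Windows clients will be told to trust.
    openssl verify -CAfile "$d/ca.pem" "$d/ee.pem" >/dev/null 2>&1 \
        || { echo "chain-broken"; return 1; }
    echo ok
}

# Demo run: build the container as in step 1.2 and check it with the right and
# with a wrong password.
make_demo_p12 "$WORK/LANCOM_Router.p12" lancom
echo "correct password: $(p12_check "$WORK/LANCOM_Router.p12" lancom)"
echo "wrong password:   $(p12_check "$WORK/LANCOM_Router.p12" wrongpw)"
```

For a real container, skip make_demo_p12 and call p12_check on the file you intend to upload; a result other than ok names the check that failed, and the CA certificate it extracts is the one to import on the PCs in step 4.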
2.1) Open the menu RADIUS → Server and activate the option RADIUS authentication active.
2.2) Go to the menu RADIUS services ports.
2.3) Make sure that the Authentication port is set to 1812.
2.4) Go to the menu IPv4 clients.
2.5) Create a new entry and allow the switch to communicate with the RADIUS server.
- IP address: In this example the switch has the local IP address 192.168.1.11.
- Netmask: Enter the netmask 255.255.255.255. This value represents a single IP address.
- Protocol: Make sure that the protocol RADIUS is used.
- Client secret: Enter the password the switch has to use to authenticate with the RADIUS server. This password also has to be entered in the switch configuration (see step 3.3).
2.6) Go to the menu EAP.
2.7) As Default method select TLS.
2.8) The configuration of the RADIUS server is now complete. Write the configuration back into the router.
3.1) Open the configuration interface for the LANCOM switch and navigate to the menu item Security → NAS → Configuration.
- Set the Mode option to Enabled.
- Under Port configuration, set the option Port-based 802.1X for those ports that are to operate with authentication as per 802.1X.
3.3) Switch to the menu Security → AAA → Configuration. In the section RADIUS authentication server configuration, set the option in the first line to Enabled.
- In the section IP address/host name, enter the local IP address of the LANCOM router.
- The default port 1812 can be kept, as the LANCOM router also uses it as the RADIUS authentication port.
- In the Secret field, enter the same shared secret that you entered into the configuration of the LANCOM router in step 2.5.
4.1) Double click on the Root certificate of the CA.
4.2) Click on Install certificate.
4.3) Click on Next.
4.4) Ensure that the path to the certificate file is specified correctly and click on Next.
4.5) Enter the password used to protect the private key of the certificate. The password for our example certificate is lancom.
4.6) Leave the setting on Automatically select the certificate store, and click on Next.
4.7) Click on Finish to conclude the import of the certificate.
4.8) Confirm the subsequent security warning with Yes.
4.9) A message is displayed to indicate that the certificate was successfully imported.
Configuring the PC:
5.1) Start the Services Manager in Windows and open the Properties dialog of the service Wired AutoConfig.
5.2) Set the Startup type to Automatic and close the dialog with OK.
5.3) Start the service once, manually. After restarting the PC, the service starts automatically.
5.4) In the Network and Sharing Center, open the Properties dialog for your network adapter. On the Authentication tab, enable the option IEEE 802.1X authentication and set the authentication method to Smart Card or other certificate.
5.5) Click the Settings button.
5.6) For the When connecting option, specify Use a certificate on this computer (default setting). Disable the option to use simple certificate selection.
5.7) Enable the option Validate server certificate and, in the box below, select the relevant Trusted root certification authority for the certificate from the list. In our example this is CA-LANCOM.
5.8) Now close the configuration dialogs with the OK button. This concludes the configuration of the PC.
Function check:
6.1) Make sure that the PC is connected to the switch port that you have configured with access control as per IEEE 802.1X.
6.2) Restart your PC and log on to the system as usual.
6.3) The PC automatically authenticates with the certificate.
6.4) After a successful authentication, the switch port to which the PC is connected is activated for data transfer.