Quelle anzeigen

Description:

In scenarios where each switch port should support just one network participant, who authenticates via RADIUS and then can communicate via this port, a GS-3xxx switch allows the use of the authentication method Single 802.1X.

If network participants do not support 802.1X or if this is deactivated, they will be rejected and cannot communicate on the switch port. It can therefore make sense to create a separate network for these participants and have the switch automatically move them to the corresponding VLAN. As a result and depending on the configuration of the router, network participants within this network can also communicate with the Internet, but they have no access to the administration network (the router must prevent this by means of firewall rules or interface tags). On a GS-3xxx switch, the feature Guest VLAN supports this.

This article describes how to configure a GS-3xxx switch to use RADIUS authentication with Single 802.1X and an activated Guest VLAN. A LANCOM router acts as the RADIUS server.

Requirements:

LANCOM router as the RADIUS server
LCOS as of version 10.30 on the router that acts as a RADIUS server (download latest version)
LANtools as of version 10.30 (download latest version)
GS-3xxx series switch
LCOS SX as of version 4.00 RU6 (download latest version)
Any web browser for accessing the web interface of the Gs-3xxx switch

Scenario:

The LANCOM router is already setup with the administration network (INTRANET) with the address range 192.168.1.0/24. The router’s IP address in this network is 192.168.1.254.
The router additionally supports a guest network (GUEST) for the Guest VLAN. This has the address range 192.168.3.0/24 with the IP address 192.168.3.254.
The LANCOM router acts as the RADIUS server.
A GS-3xxx series switch with the IP address 192.168.1.250 is operating as a RADIUS authenticator. The switch therefore forwards the requests from the network participants to the RADIUS server.
Network participants with 802.1X support (RADIUS authenticator) who login successfully to the RADIUS server gain access to the administration network.
Network participants with 802.1X support (RADIUS authenticator) who cannot login to the RADIUS server should have access neither to the administration network nor to the guest network.
Network participants without or with deactivated 802.1X support should automatically be moved by the switch into the guest VLAN and thereby gain access to the guest network.

LANCOM Support Knowledge Base > RADIUS authentication and “Guest VLAN” for end devices on a port of a GS-3xxx series switch with a LANCOM router as the RADIUS server (802.1X) > Scenario.png

Procedure:

1) Configuration steps on the LANCOM router:

1.1) Open the configuration for the router in LANconfig and switch to the menu item IPv4 → General → IP networks.

LANCOM Support Knowledge Base > RADIUS authentication and “Guest VLAN” for end devices on a port of a GS-3xxx series switch with a LANCOM router as the RADIUS server (802.1X) > IP-Networks1.png

1.2) Click Add to create the network for the Guest VLAN.

LANCOM Support Knowledge Base > RADIUS authentication and “Guest VLAN” for end devices on a port of a GS-3xxx series switch with a LANCOM router as the RADIUS server (802.1X) > IP-Networks2.png

1.3) Change the following parameters:

Network name: Enter a descriptive network name (in this example GUEST-NETWORK).
IP address: Enter an IP address from the network for the Guest VLAN.
Netmask: Enter the corresponding subnet mask.
VLAN ID: Enter a previously unused VLAN ID (in this example, VLAN ID 3). This also has to be stored in the VLAN configuration on the switch (see step 2.2).
Interface tag: Assign a previously unused interface tag (in this example tag 1). This prevents access from the guest network to the other networks.

For the administration network INTRANET there is no need to enter a VLAN ID. Also, there is no need to enable the VLAN module as tagging is handled by the switch. With the Hybrid tagging mode, the port VLAN ID is removed from outbound packets, so that the packets for the INTRANET arriving at the router from the switch are untagged (see step 2.2).

LANCOM Support Knowledge Base > RADIUS authentication and “Guest VLAN” for end devices on a port of a GS-3xxx series switch with a LANCOM router as the RADIUS server (802.1X) > IP-Networks3.png

1.4) Switch to the menu IPv4 → DHCPv4 → DHCP networks.

LANCOM Support Knowledge Base > RADIUS authentication and “Guest VLAN” for end devices on a port of a GS-3xxx series switch with a LANCOM router as the RADIUS server (802.1X) > DHCP1.png

1.5) Click Add to set up a DHCP network for the network created in step 1.3.

LANCOM Support Knowledge Base > RADIUS authentication and “Guest VLAN” for end devices on a port of a GS-3xxx series switch with a LANCOM router as the RADIUS server (802.1X) > DHCP2.png

1.6) Change the following parameters:

Network name: From the drop-down menu select the network created in step 1.3 (in this case GUEST-NETWORK).
DHCP server enabled: Select the option Yes.

You can optionally adjust other parameters such as the address pool and the default gateway.

LANCOM Support Knowledge Base > RADIUS authentication and “Guest VLAN” for end devices on a port of a GS-3xxx series switch with a LANCOM router as the RADIUS server (802.1X) > DHCP3.png

1.7) Go to the menu RADIUS → Server and set a checkmark for RADIUS authentication active.

LANCOM Support Knowledge Base > RADIUS authentication and “Guest VLAN” for end devices on a port of a GS-3xxx series switch with a LANCOM router as the RADIUS server (802.1X) > Router1.png

1.8) Navigate to the menu RADIUS services ports.

LANCOM Support Knowledge Base > RADIUS authentication and “Guest VLAN” for end devices on a port of a GS-3xxx series switch with a LANCOM router as the RADIUS server (802.1X) > Router2.png

1.9) Check that the authentication port is set to 1812.

LANCOM Support Knowledge Base > RADIUS authentication and “Guest VLAN” for end devices on a port of a GS-3xxx series switch with a LANCOM router as the RADIUS server (802.1X) > Router3.png

1.10) Go to the menu IPv4 clients.

LANCOM Support Knowledge Base > RADIUS authentication and “Guest VLAN” for end devices on a port of a GS-3xxx series switch with a LANCOM router as the RADIUS server (802.1X) > Router4.png

1.11) Create a new entry and enter the following parameters:

IP address: Enter the IP address of the switch so that this can authenticate itself as the RADIUS authenticator at the RADIUS server.
Netmask: Enter the netmask 255.255.255.255. This stands for a single IP address.
Protocols: Check that the protocol is set to RADIUS.
Client secret: Enter a password that the switch uses to authenticate itself at the RADIUS server. This is entered on the switch in step 2.4.

LANCOM Support Knowledge Base > RADIUS authentication and “Guest VLAN” for end devices on a port of a GS-3xxx series switch with a LANCOM router as the RADIUS server (802.1X) > Router5.png

1.12) Go to the menu User table.

LANCOM Support Knowledge Base > RADIUS authentication and “Guest VLAN” for end devices on a port of a GS-3xxx series switch with a LANCOM router as the RADIUS server (802.1X) > Router6.png

1.13) Create a new entry and adjust the following parameters:

Name / MAC address: Enter a user name that the network participant uses to authenticate itself at the RADIUS server.
Password: Enter a password that the network participant uses to authenticate itself at the RADIUS server.
Service type: From the drop-down menu, select Call check.
Expiry type: From the drop-down menu, select Never so that the user account remains valid permanently .

The service type “Call check” is only supported as of LCOS 10.30.

LANCOM Support Knowledge Base > RADIUS authentication and “Guest VLAN” for end devices on a port of a GS-3xxx series switch with a LANCOM router as the RADIUS server (802.1X) > RADIUS-User.png

1.14) This concludes the configuration steps on the LANCOM router. You can now write the configuration back to the device.

2) Configuration steps on the GS-3xxx switch:

2.1) Open the web interface for the device and switch to the menu item VLAN Management → VLAN Configuration.

LANCOM Support Knowledge Base > RADIUS authentication and “Guest VLAN” for end devices on a port of a GS-3xxx series switch with a LANCOM router as the RADIUS server (802.1X) > Switch-VLAN1.png

2.2) For the switch port the router is connected to, adjust the following parameters and click Apply:

Mode: Choose the tagging mode Hybrid.
Port VLAN: Leave the setting as the VLAN ID 1.
Ingress Acceptance: Select Tagged and Untagged from the drop-down menu, because when using the Hybrid tagging mode, both tagged and untagged packets are allowed.
Egress Tagging: Select Untag Port VLAN. When using the Hybrid tagging mode, the VLAN tag is removed from outbound packets that have the port VLAN ID (in this case VLAN ID 1).
Allowed VLANs: Enter the VLANs 1 and 3 (in the switch this must be entered as 1,3) since the management network INTRANET (using the VLAN ID 1 on the switch) as well as that GUEST NETWORK (using the VLAN ID 3) are to be transferred.

For more information about VLAN configuration on a GS-3xxx switch, see the following Knowledge Base article:

Configuring VLAN on LANCOM GS-3xxx series switches

LANCOM Support Knowledge Base > RADIUS authentication and “Guest VLAN” for end devices on a port of a GS-3xxx series switch with a LANCOM router as the RADIUS server (802.1X) > Switch-VLAN2.png

2.3) Change to the menu Security → RADIUS → Configuration and click Add New Server.

LANCOM Support Knowledge Base > RADIUS authentication and “Guest VLAN” for end devices on a port of a GS-3xxx series switch with a LANCOM router as the RADIUS server (802.1X) > GS-3xxx_1.png

2.4) Modify the new entry for the server by adjusting the following parameters and click Apply:

Hostname: Enter the IP address of the router that was set up as the RADIUS server in step 1.
Key: Enter the Client secret set in step 1.11. The switch uses this password to authenticate itself at the RADIUS server.

LANCOM Support Knowledge Base > RADIUS authentication and “Guest VLAN” for end devices on a port of a GS-3xxx series switch with a LANCOM router as the RADIUS server (802.1X) > GS-3xxx_2.png

2.5) Change to the menu Security → 802.1X → Configuration and modify the following parameters:

Mode: Activate the 802.1X authentication settings by moving the slider button to “on”.
Guest VLAN Enabled: Activate the Guest VLAN.
Guest VLAN ID: Enter the VLAN ID for the guest VLAN (in this example, VLAN ID 3).

2.6) In the Port Configuration for the ports where end devices should be authenticated, enter the following parameters and click Apply:

Admin State: From the drop-down menu, select the option Single 802.1X.
Guest VLAN Enabled: Activate the Guest VLAN on this port.

With the option Single 802.1X only one network participant can be authenticated at the port and then communicate.

If a network participant does not support RADIUS authentication or if it is deactivated, this participant is transferred by the switch to the Guest VLAN so that it can communicate there and does not have access to the management network.

LANCOM Support Knowledge Base > RADIUS authentication and “Guest VLAN” for end devices on a port of a GS-3xxx series switch with a LANCOM router as the RADIUS server (802.1X) > Switch-802.1X2.png

LANCOM Support Knowledge Base > RADIUS authentication and “Guest VLAN” for end devices on a port of a GS-3xxx series switch with a LANCOM router as the RADIUS server (802.1X) > Switch-802.1X3.png

2.7) Save the configuration as the startup configuration by clicking the red floppy disk icon in the top-right corner.

The Start configuration is boot persistent and is therefore available even after a restart or a power failure.

LANCOM Support Knowledge Base > RADIUS authentication and “Guest VLAN” for end devices on a port of a GS-3xxx series switch with a LANCOM router as the RADIUS server (802.1X) > GS-3xxx_6.png

2.8) This concludes the configuration of the switch.