Authentication using RADIUS (802.1x)
Note
This feature required Enterprise Edition
Genian NAC includes a built-in RADIUS server to support 802.1x port-based access control. In general, 802.1x is widely used to provide improved user authentication for devices that access wireless networks. In a wired network, a user authentication function can be provided for a device connected to the network through a switch supporting 802.1x.
First, you need to enable the RADIUS server. See, Configuring RADIUS Enforcement
For RADIUS authentication against external databases, authentication integrations must be configured. See: Integrating User Directories
The RADIUS accounting must be activated on the client or in Genian NAC in order for the node information to be updated. See Single Sign-On
Enable AD Account for RADIUS
- Go to Preferences in the top panel
- Go to Service > RADIUS Server in the left Preferences panel
- Find RADIUS Server: AD Account section and select On in drop-down
- Enter the following:
- Domain Name (e.g. genians.com)
- Username (Default is Administrator. Account needs to have Admin Privileges)
- Password and retype
- Click Update
Enable URL Account for RADIUS
- Go to Preferences in the top panel
- Go to Service > RADIUS Server in the left Preferences panel
- Find RADIUS Server: URL Account section and select On in drop-down
- Enter the following:
- URL (e.g. http://.com)
- Methods (GET, POST)
- Regex for Authentication (This regular expression will check for successful login)
- Click Update
Enable Email Authentication for RADIUS
- Go to Preferences in the top panel
- Go to Service > RADIUS Server in the left Preferences panel
- Find RADIUS Server: Email Authentication section and select On in
- Click Update
MAC Authentication Bypass
For endpoints not supporting 802.1x such as printers or IP phones, it may be necessary to authenticate using MAC address.
The MAC authentication feature is a mechanism by which incoming traffic originating from a specific MAC address is forwarded only if the source MAC address is successfully authenticated by a RADIUS server. The MAC address itself is used as the username and password for RADIUS authentication. The user does not need to provide a specific username and password to gain access to the network.
- If RADIUS authentication for the MAC address is successful, traffic from the MAC address is forwarded in hardware. - If the RADIUS server cannot validate the user’s MAC address, then it is considered an authentication failure, and a specified authentication-failure action can be taken.