Configuring RADIUS Enforcement

Genian ZTNA includes a built in RADIUS server for use with wireless and wired 802.1x authentication (credential or client certificate), or MAC/MAB Authentication (based on MAC Address only).

In order for the Genian ZTNA RADIUS server to accept authentication requests from RADIUS clients/authenticators (switches, controllers, access points, etc), they must first be added as a known RADIUS client. See the instructions below to add RADIUS clients to the RADIUS server.

The RADIUS server can also register devices into the policy server database. IP addresses and other information can be collected through RADIUS accounting.

Enable Built-In RADIUS Server

  1. Go to Preferences in the top panel.
  2. Go to Service > RADIUS Server in the left panel.

Under RADIUS Secret

  1. For Shared Secret Key, enter the shared secret key for RADIUS the client/authenticator. This must match what is configured on the switch, controller or access point.
  2. For RADIUS Client IP, enter the IP address or addresses. Each entry must be on a separate line. Individual IPs and CIDR notation for subnets are supported.

Under Authentication Server

  1. For Generating Accounting, select On to allow for node information collection, if the RADIUS Clients do not support accounting.

For information on RADIUS Accounting from External RADIUS Servers, see: Single Sign-On

802.1X Authentication

802.1X is an IEEE Standard for port-based Network Access Control (PNAC). It is part of the IEEE 802.1 group of networking protocols. It provides an authentication mechanism to devices wishing to attach to a LAN or WLAN.

802.1X authentication involves three parties: a supplicant, an authenticator, and an authentication server.

The supplicant is a client device (such as a laptop) that wishes to attach to the LAN/WLAN. The term 'supplicant' is also used interchangeably to refer to the software running on the client that provides credentials to the authenticator.

The authenticator is a network device, such as an Ethernet switch, wireless controller or wireless access point. The authenticator acts like a security guard to a protected network. The supplicant is not allowed access through the authenticator to the protected side of the network until the supplicant’s identity has been validated and authorized.

With 802.1X port-based authentication, the supplicant provides credentials, such as username/password or digital certificate, to the authenticator, and the authenticator forwards the credentials to the authentication server for verification. If the authentication server determines the credentials are valid, the supplicant (client device) is allowed to access resources located on the protected side of the network.

MAC Authentication Bypass (MAB)

Not all devices support 802.1X authentication. Examples include network printers, Ethernet-based electronics like environmental sensors, cameras, and wireless phones. For those devices to be used in a protected network environment, alternative mechanisms must be provided to authenticate them.

For wired networks, when Mac Authentication/ MAB is configured on a port, the port will first try to check if the connected device is configured for 802.1X (has an active supplicant), and if no response is received from the connected device, it will try to authenticate with the RADIUS server using the connected device's MAC address as the username and password. You may also configure switch ports to only perform MAC authentication (speeding up the process) or in many cases, the option to change the authentication order is also available (MAC authentication first followed by 802.1X authentication). This will vary by switch vendor.

For wireless networks, the authentication method is typically set on a per SSID basis and is either 802.1X/WPA2E or MAC authentication but not both.

Authorization

AAA refers to Authentication, Authorization and Accounting. Once an endpoint device successfully authenticates to a network, authorization is optional.

Authorization is a method to authorize the device a specific level of access (such as a VLAN or ACL) or apply other attributes to the device that control certain aspects of connectivity (such as QoS attributes).

The Genian ZTNA RADIUS Server supports authorization in the form of initial VLAN assignment. Additional access controls are available with Genian ZTNA outside of the RADIUS server as well (ACLs via ARP Enforcement, etc).