Configuring 802.1X

What is 802.1X

802.1X is an IEEE Standard for port-based Network Access Control (PNAC). It is part of the IEEE 802.1 group of networking protocols. It provides an authentication mechanism to devices wishing to attach to a LAN or WLAN.

802.1X authentication involves three parties: a supplicant, an authenticator, and an authentication server.

The supplicant is a client device (such as a laptop) that wishes to attach to the LAN/WLAN. The term 'supplicant' is also used interchangeably to refer to the software running on the client that provides credentials to the authenticator.

The authenticator is a network device, such as an Ethernet switch or wireless access point. The authenticator acts like a security guard to a protected network. The supplicant is not allowed access through the authenticator to the protected side of the network until the supplicant’s identity has been validated and authorized.

With 802.1X port-based authentication, the supplicant provides credentials, such as username/password or digital certificate, to the authenticator, and the authenticator forwards the credentials to the authentication server for verification. If the authentication server determines the credentials are valid, the supplicant (client device) is allowed to access resources located on the protected side of the network.

Authentication

Genian NAC provides a built-in RADIUS authentication server for 802.1X user authentication. To use it, the following settings are typically required on the authenticator (i.e., the wireless access point or switch):

  • Set the security setting of each access port or SSID to 802.1X
  • RADIUS server settings so that user authentication requests received from the supplicant are forwarded to the RADIUS server

To run Genian NAC's RADIUS server, the administrator must first activate the server through configuration and then either register users in the local user database for authentication or integrate with an external user directory (e.g., LDAP).

Enable Built-In RADIUS Server

  1. Go to Preferences in the top panel
  2. Go to Service > RADIUS Server in the left panel

Under RADIUS Secret

  1. For Shared Secret Key, enter the pre-shared secret key used to authenticate RADIUS clients (authenticators).
  2. For RADIUS Client IP, enter the IP address or addresses allowed as RADIUS clients, one per line.

Under Authentication Server

  1. For EAP Authentication, select On
  2. For Generating Accounting, select On if the RADIUS client (authenticator) does not support generating RADIUS accounting packets
  3. Enable Local User, Webhook, Email, LDAP, or AD authentication. Further configuration may be required; see Integrating User Directories

Under Accounting Server

  1. For Accounting Port, enter the RADIUS accounting port number (Default is 1813)
  2. For Single Sign-On, select On to authenticate NAC users automatically from RADIUS accounting packets
  3. For Acct-Status-Type, check the Start and Stop boxes
  4. For Attribute to Match, select MAC or IP as the attribute used to match the node
  5. For Node Status, select All Nodes
  6. Click Update
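The Shared Secret Key and RADIUS Client IP list above are what stop an arbitrary host from talking to the RADIUS server. The following is an added example, not Genian NAC code, showing what those two settings do on the wire: the server discards Access-Requests from IPs outside the client list, checks the Message-Authenticator that EAP requests must carry (HMAC-MD5 keyed with the shared secret, RFC 3579), and the authenticator in turn accepts an Access-Accept only if its Response Authenticator (RFC 2865) was computed with the same secret. The secret, the client IPs and the user name are constructed values.

```python
import hashlib
import hmac
import os
import struct

# Constructed values for this example (not from the page): the Shared Secret
# Key and the RADIUS Client IP list configured under "RADIUS Secret".
SHARED_SECRET = b"example-shared-secret"
ALLOWED_CLIENTS = {"192.0.2.10", "192.0.2.11"}

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
ATTR_USER_NAME, ATTR_NAS_IP_ADDRESS, ATTR_MESSAGE_AUTHENTICATOR = 1, 4, 80


def attr(attr_type, value):
    """Type-Length-Value encoding of one RADIUS attribute (RFC 2865 section 5)."""
    return bytes([attr_type, len(value) + 2]) + value


def build_packet(code, ident, authenticator, attributes):
    """RADIUS header: Code(1) Identifier(1) Length(2) Authenticator(16), then attributes."""
    body = b"".join(attributes)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


def sign_request(packet, secret):
    """Append a Message-Authenticator (RFC 3579 section 3.2): HMAC-MD5 over the
    whole packet, keyed with the shared secret, computed with the attribute's
    16 value bytes set to zero. EAP Access-Requests must carry it."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    unsigned = (struct.pack("!BBH", code, ident, length + 18) + packet[4:]
                + attr(ATTR_MESSAGE_AUTHENTICATOR, b"\x00" * 16))
    return unsigned[:-16] + hmac.new(secret, unsigned, hashlib.md5).digest()


def verify_message_authenticator(packet, secret):
    """Recompute the HMAC with the received value zeroed and compare in constant time."""
    pos = 20
    while pos + 2 <= len(packet):
        attr_type, length = packet[pos], packet[pos + 1]
        if length < 2:
            return False
        if attr_type == ATTR_MESSAGE_AUTHENTICATOR and length == 18:
            zeroed = packet[:pos + 2] + b"\x00" * 16 + packet[pos + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, packet[pos + 2:pos + 18])
        pos += length
    return False  # an EAP request without Message-Authenticator is discarded


def response_authenticator(code, ident, request_auth, body, secret):
    """Response Authenticator (RFC 2865 section 3):
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    return hashlib.md5(header + request_auth + body + secret).digest()


def make_request(ident=7, secret=SHARED_SECRET):
    """Authenticator side: an Access-Request for the constructed user 'alice'."""
    packet = build_packet(ACCESS_REQUEST, ident, os.urandom(16), [
        attr(ATTR_USER_NAME, b"alice"),
        attr(ATTR_NAS_IP_ADDRESS, bytes([192, 0, 2, 10])),
    ])
    return sign_request(packet, secret)


def handle_access_request(packet, client_ip, secret=SHARED_SECRET):
    """Server side: discard packets from IPs outside the client list, discard
    packets whose Message-Authenticator does not verify, otherwise answer with
    an Access-Accept whose Authenticator is bound to the request and the secret."""
    if client_ip not in ALLOWED_CLIENTS:
        return None  # silently discarded, as RFC 2865 section 3 requires
    if not verify_message_authenticator(packet, secret):
        return None
    ident, request_auth = packet[1], packet[4:20]
    # A real EAP Access-Accept also carries EAP-Message and Message-Authenticator.
    auth = response_authenticator(ACCESS_ACCEPT, ident, request_auth, b"", secret)
    return build_packet(ACCESS_ACCEPT, ident, auth, [])


def reply_is_authentic(request, reply, secret=SHARED_SECRET):
    """Authenticator side: accept the reply only if its Authenticator matches."""
    expected = response_authenticator(reply[0], reply[1], request[4:20], reply[20:], secret)
    return hmac.compare_digest(expected, reply[4:20])


def demo(client_ip="192.0.2.10", server_secret=SHARED_SECRET):
    """Run one exchange; returns 'accepted', 'dropped' or 'forged'."""
    request = make_request()
    reply = handle_access_request(request, client_ip, server_secret)
    if reply is None:
        return "dropped"
    return "accepted" if reply_is_authentic(request, reply) else "forged"
```

`demo()` succeeds only when the client IP is on the list and both sides hold the same secret; a mismatched secret on either side makes the request or the reply fail verification, which is why the secret on the access point must match the one entered under RADIUS Secret exactly.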

For user directory integration, see Authentication using RADIUS (802.1x)
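The Single Sign-On, Acct-Status-Type and Attribute to Match settings under Accounting Server describe how accounting packets become NAC user sessions. The following added example (not Genian NAC code) implements that mapping over decoded Accounting-Request attributes: Start signs a node in, Stop signs it out, Interim-Update is ignored because only Start and Stop are checked, and the node is looked up by MAC (Calling-Station-Id) or by IP (Framed-IP-Address). The node inventory and the attribute dictionaries are constructed.

```python
# Constructed node inventory for this example (not from the page).
NODES_BY_MAC = {"00:11:22:aa:bb:cc": "node-laptop-1", "00:11:22:dd:ee:ff": "node-printer-1"}
NODES_BY_IP = {"10.0.5.20": "node-laptop-1"}

# Acct-Status-Type values (RFC 2866 section 5.1)
ACCT_START, ACCT_STOP, ACCT_INTERIM_UPDATE = 1, 2, 3


class AccountingSingleSignOn:
    """Turns RADIUS Accounting-Request packets into NAC user sessions.
    attribute_to_match is 'MAC' (Calling-Station-Id) or 'IP' (Framed-IP-Address).
    Only Start and Stop are acted on, as the Acct-Status-Type checkboxes
    describe; Interim-Update is ignored."""

    def __init__(self, attribute_to_match="MAC"):
        self.attribute_to_match = attribute_to_match
        self.sessions = {}    # Acct-Session-Id -> node id
        self.logged_in = {}   # node id -> User-Name

    def node_for(self, attrs):
        """Find the node the packet refers to, or None if no node matches."""
        if self.attribute_to_match == "MAC":
            mac = attrs.get("Calling-Station-Id", "").replace("-", ":").lower()
            return NODES_BY_MAC.get(mac)
        return NODES_BY_IP.get(attrs.get("Framed-IP-Address"))

    def handle(self, attrs):
        """Process one decoded Accounting-Request and report what happened."""
        status = attrs.get("Acct-Status-Type")
        session_id = attrs.get("Acct-Session-Id")
        if status == ACCT_START:
            node = self.node_for(attrs)
            if node is None:
                return "unmatched"          # no node has this MAC/IP: nothing to sign in
            self.sessions[session_id] = node
            self.logged_in[node] = attrs.get("User-Name")
            return f"login {node} as {self.logged_in[node]}"
        if status == ACCT_STOP:
            node = self.sessions.pop(session_id, None)
            if node is None:
                return "unknown session"    # Stop for a session that never started here
            self.logged_in.pop(node, None)
            return f"logout {node}"
        return "ignored"
```

Matching by MAC is the safer default on wired ports, since Framed-IP-Address is only present when the authenticator reports it and can be absent in the Start packet.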

MAC Authentication Bypass (MAB)

Not all devices support 802.1X authentication. Examples include network printers, Ethernet-based electronics like environmental sensors, cameras, and wireless phones. For those devices to be used in a protected network environment, alternative mechanisms must be provided to authenticate them.

When MAB is configured on a port, that port first checks whether the connected device supports 802.1X. If the device does not respond, the port authenticates to the RADIUS server using the connected device's MAC address as both username and password.

Genian NAC uses a Node Group to select which MAC addresses are allowed. If the MAC address requesting authentication exists in the Node Group, authentication is allowed; otherwise it is denied.

  1. Go to Preferences in the top panel
  2. Go to Service > RADIUS Server in the left panel
  3. Under Authentication Server
  4. For MAC Authentication, select On to enable MAC Authentication Bypass (MAB)
  5. For Node Group, select the Node Group whose MAC addresses are allowed to authenticate
  6. Click Update
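An added example (not Genian NAC code) of the MAB decision described above. The practical difficulty is that authenticators send the MAC in different formats (dashes, dots, colons, bare hex, mixed case), so the Node Group check has to normalize before comparing. The policy shown is an example, not Genian's: the User-Name and User-Password must both be the device MAC, the MAC must agree with Calling-Station-Id when present, and it must be in the Node Group. The Node Group contents and the attribute dictionaries are constructed; User-Password is assumed to be already decrypted.

```python
import re

# Constructed Node Group for this example (not from the page): the MAC
# addresses allowed to authenticate by MAB, in one canonical form.
MAB_NODE_GROUP = {"00:11:22:aa:bb:cc", "00:11:22:dd:ee:ff"}

_TWELVE_HEX = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(value):
    """Authenticators write MACs in several formats: 00-11-22-AA-BB-CC,
    0011.22aa.bbcc, 001122AABBCC, 00:11:22:aa:bb:cc. Strip separators and
    return the lower-case colon form, or None if the value is not a MAC
    (a user name such as 'printer01' never has exactly 12 hex digits)."""
    if not isinstance(value, str):
        return None
    digits = re.sub(r"[^0-9A-Fa-f]", "", value).lower()
    if not _TWELVE_HEX.match(digits):
        return None
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def mab_decision(attrs, node_group=MAB_NODE_GROUP):
    """Decide a MAB Access-Request from its decoded attributes (User-Password
    assumed already decrypted). Example policy, not Genian's own."""
    mac = normalize_mac(attrs.get("User-Name"))
    if mac is None:
        return "reject", "User-Name is not a MAC address"
    if normalize_mac(attrs.get("User-Password")) != mac:
        return "reject", "User-Password does not equal the MAC address"
    calling = normalize_mac(attrs.get("Calling-Station-Id"))
    if calling is not None and calling != mac:
        return "reject", "User-Name does not match Calling-Station-Id"
    if mac not in node_group:
        return "reject", f"{mac} is not in the MAB Node Group"
    return "accept", mac
```

Because a MAC address is not a secret, the Node Group should contain only devices that genuinely cannot do 802.1X, and MAB-authenticated nodes are good candidates for the VLAN assignment described under Authorization.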

Authorization

Devices can be controlled according to their role by assigning a VLAN at 802.1X authentication. To accomplish this, the switch or access point must support the RADIUS Tunnel-Private-Group-ID attribute.

Enable Quarantine VLAN

Genian NAC can assign a specific VLAN to devices belonging to a specific Node Group, such as a Node Group of non-compliant devices.

  1. Go to Preferences in the top panel
  2. Go to Service > RADIUS Server in the left panel
  3. Under Authentication Server
  4. For EAP Authentication, select On
  5. For Quarantine VLAN, select On
  6. For VLAN Number, enter the VLAN ID for non-compliant devices
  7. For Node Group, select the Node Group for non-compliant devices
  8. For VLAN for New Node, select On to assign a quarantine VLAN for all new nodes
  9. Click Update

Enable CoA (Change of Authorization)

If a device violates compliance during network use, it should be moved back to the isolated VLAN. This is provided through a standard called CoA (Change of Authorization, RFC 5176, Dynamic Authorization Extensions to RADIUS).

The CoA disconnects the current connection of the device whose enforcement policy has changed. The disconnected device attempts to reconnect and is then moved to the isolated VLAN through VLAN assignment.

  1. Go to Policy in the top panel
  2. Go to Policy > Enforcement Policy in the left panel
  3. Click the name of the Enforcement Policy you want to disconnect
  4. Under Enforcement Options > RADIUS Control
  5. For RADIUS CoA, select On
  6. For CoA Commands, select Terminate Session (the standard attribute) or select another VSA (Vendor-Specific Attribute)
  7. For Vendor-Specific-Attribute, enter the VSA values (e.g., Nas-filter-Rule='permit in tcp from any to any 23')
  8. Click Update
  9. Click Apply on top right
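The Terminate Session command above is an RFC 5176 Disconnect-Request sent from the NAC to the switch or access point. The following is an added example, not Genian NAC code, of that exchange: the request's Authenticator is MD5 over the packet with 16 zero octets in place of the Authenticator plus the shared secret, so a NAS discards requests from anyone who does not hold the secret; identification attributes (Acct-Session-Id, User-Name, Calling-Station-Id, NAS-IP-Address) pin the request to one session; and the NAS answers with an authenticated Disconnect-ACK, or a Disconnect-NAK carrying Error-Cause 503 (Session Context Not Found) when it has no such session. The NAS here is a simulated stand-in and the secret, session and addresses are constructed values.

```python
import hashlib
import hmac
import struct

# Constructed values for this example (not from the page).
SHARED_SECRET = b"example-shared-secret"

# RFC 5176 packet codes and the attributes used below
DISCONNECT_REQUEST, DISCONNECT_ACK, DISCONNECT_NAK = 40, 41, 42
ATTR_USER_NAME, ATTR_NAS_IP_ADDRESS, ATTR_CALLING_STATION_ID = 1, 4, 31
ATTR_ACCT_SESSION_ID, ATTR_ERROR_CAUSE = 44, 101
ERROR_SESSION_CONTEXT_NOT_FOUND = 503


def attr(attr_type, value):
    """Type-Length-Value encoding of one RADIUS attribute."""
    return bytes([attr_type, len(value) + 2]) + value


def find_attr(body, attr_type):
    """Value of the first attribute of this type in an attribute list, or None."""
    pos = 0
    while pos + 2 <= len(body):
        t, length = body[pos], body[pos + 1]
        if length < 2:
            return None
        if t == attr_type:
            return body[pos + 2:pos + length]
        pos += length
    return None


def build_disconnect_request(ident, session_id, user_name, calling_station, nas_ip, secret=SHARED_SECRET):
    """Disconnect-Request (RFC 5176 section 2.3). Its Authenticator is
    MD5(Code + ID + Length + 16 zero octets + Attributes + Secret), so the NAS
    acts only on requests from a sender that holds the shared secret."""
    body = (attr(ATTR_ACCT_SESSION_ID, session_id.encode())
            + attr(ATTR_USER_NAME, user_name.encode())
            + attr(ATTR_CALLING_STATION_ID, calling_station.encode())
            + attr(ATTR_NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))))
    header = struct.pack("!BBH", DISCONNECT_REQUEST, ident, 20 + len(body))
    authenticator = hashlib.md5(header + b"\x00" * 16 + body + secret).digest()
    return header + authenticator + body


def reply_is_authentic(request, reply, secret=SHARED_SECRET):
    """An ACK/NAK carries MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    if len(reply) < 20 or reply[1] != request[1]:
        return False
    expected = hashlib.md5(reply[:4] + request[4:20] + reply[20:] + secret).digest()
    return hmac.compare_digest(expected, reply[4:20])


def simulated_nas(request, secret=SHARED_SECRET, active_sessions=("sess-0001",)):
    """Stand-in for the switch or access point (constructed for the example):
    verifies the request Authenticator, then ACKs if the session exists and
    otherwise NAKs with Error-Cause 503 (Session Context Not Found)."""
    header, auth, body = request[:4], request[4:20], request[20:]
    expected = hashlib.md5(header + b"\x00" * 16 + body + secret).digest()
    if not hmac.compare_digest(expected, auth):
        return None  # silently discarded, as RFC 5176 section 2.3 requires
    session = find_attr(body, ATTR_ACCT_SESSION_ID)
    if session is not None and session.decode() in active_sessions:
        code, reply_body = DISCONNECT_ACK, b""
    else:
        code = DISCONNECT_NAK
        reply_body = attr(ATTR_ERROR_CAUSE, struct.pack("!I", ERROR_SESSION_CONTEXT_NOT_FOUND))
    reply_header = struct.pack("!BBH", code, request[1], 20 + len(reply_body))
    return reply_header + hashlib.md5(reply_header + auth + reply_body + secret).digest() + reply_body


def terminate_session(session_id, user_name, calling_station, nas_ip, nas=simulated_nas):
    """What the NAC does for the 'Terminate Session' CoA command: send the
    Disconnect-Request (UDP port 3799 by default) and report the outcome."""
    request = build_disconnect_request(1, session_id, user_name, calling_station, nas_ip)
    reply = nas(request)
    if reply is None or not reply_is_authentic(request, reply):
        return "no authentic reply"
    if reply[0] == DISCONNECT_ACK:
        return "disconnected"
    cause = find_attr(reply[20:], ATTR_ERROR_CAUSE)
    return f"nak error-cause={struct.unpack('!I', cause)[0] if cause else 'unknown'}"
```

A NAK with Error-Cause 503 is the usual symptom when the NAC's view of the session (for instance the Acct-Session-Id from accounting) no longer matches the NAS, and "no authentic reply" usually means a shared secret or CoA port mismatch on the NAS side.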

Dynamic VLAN Assignment using RADIUS

Genian NAC provides the ability to specify which VLANs to assign to devices or users. Dynamic VLAN assignment is one such feature that places a user or a device into a specific VLAN based on the credentials supplied by the user. This task of assigning users or devices to a specific VLAN is handled by a RADIUS authentication server.

  1. Go to Preferences in the top panel
  2. Go to Service > RADIUS Server in the left panel
  3. Under Authentication Server
  4. For VLAN Assignment, select On
  5. Click the Add button to the right of the VLAN Assignment Table
    1. For Attribute, select User-Name
    2. For Operator, select "user is one of the User Group"
    3. For Value, type the name of the User Group, like Sales
    4. For VLAN Number/ID, type the VLAN number, like 33
    5. Click Add
  6. Click Update
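An added example (not Genian NAC code) that ties the Authorization section together: the Quarantine VLAN settings (a Node Group of non-compliant devices and VLAN for New Node) and the VLAN Assignment Table above both end up as the RFC 2868 Tunnel-Type, Tunnel-Medium-Type and Tunnel-Private-Group-ID attributes in the Access-Accept. The decision order, quarantine before the assignment table, is this example's own choice so that a non-compliant device is never placed in a production VLAN because its user is in a group. The VLAN numbers, node groups, user groups and table rows are constructed; the "equals" operator on Called-Station-Id is added here to show the table generalises beyond the User-Name rule in the text.

```python
import struct

# RFC 2868 tunnel attributes used for VLAN assignment (see also RFC 3580 section 3.31)
ATTR_TUNNEL_TYPE, ATTR_TUNNEL_MEDIUM_TYPE, ATTR_TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_TYPE_IEEE_802 = 6

# Constructed example data (not from the page).
QUARANTINE_VLAN = 99
NON_COMPLIANT_NODE_GROUP = {"00:11:22:aa:bb:cc"}
KNOWN_NODES = {"00:11:22:aa:bb:cc", "00:11:22:dd:ee:ff"}
USER_GROUPS = {"Sales": {"alice", "bob"}, "Engineering": {"carol"}}
# VLAN Assignment Table rows as (Attribute, Operator, Value, VLAN Number/ID),
# evaluated top to bottom; the first match wins.
VLAN_ASSIGNMENT_TABLE = [
    ("User-Name", "user is one of the User Group", "Sales", 33),
    ("User-Name", "user is one of the User Group", "Engineering", 44),
    ("Called-Station-Id", "equals", "guest-wifi", 200),
]


def attr(attr_type, value):
    """Type-Length-Value encoding of one RADIUS attribute."""
    return bytes([attr_type, len(value) + 2]) + value


def tunnel_attributes(vlan_id, tag=1):
    """The three attributes an authenticator needs in an Access-Accept to place
    the port or client in a VLAN. Each value begins with a one-byte tag (1..31)
    that ties the three together; the two tagged integers use 3 value bytes."""
    return [
        attr(ATTR_TUNNEL_TYPE, bytes([tag]) + struct.pack("!I", TUNNEL_TYPE_VLAN)[1:]),
        attr(ATTR_TUNNEL_MEDIUM_TYPE, bytes([tag]) + struct.pack("!I", TUNNEL_MEDIUM_TYPE_IEEE_802)[1:]),
        attr(ATTR_TUNNEL_PRIVATE_GROUP_ID, bytes([tag]) + str(vlan_id).encode()),
    ]


def rule_matches(rule, attrs):
    """Evaluate one VLAN Assignment Table row against the request attributes."""
    attribute, operator, value, _vlan = rule
    actual = attrs.get(attribute)
    if actual is None:
        return False
    if operator == "user is one of the User Group":
        return actual in USER_GROUPS.get(value, set())
    if operator == "equals":
        return actual == value
    return False  # an unknown operator never matches


def choose_vlan(attrs, vlan_for_new_node=True):
    """Return (vlan_id, reason). Quarantine is checked before the table."""
    mac = attrs.get("Calling-Station-Id")
    if mac in NON_COMPLIANT_NODE_GROUP:
        return QUARANTINE_VLAN, "Node Group of non-compliant devices"
    if vlan_for_new_node and mac not in KNOWN_NODES:
        return QUARANTINE_VLAN, "VLAN for New Node"
    for rule in VLAN_ASSIGNMENT_TABLE:
        if rule_matches(rule, attrs):
            return rule[3], f"{rule[0]} {rule[1]} {rule[2]}"
    return None, "no rule matched; the authenticator keeps its default VLAN"


def access_accept_attributes(attrs, vlan_for_new_node=True):
    """Attributes to add to the Access-Accept; empty when no VLAN is assigned."""
    vlan_id, _ = choose_vlan(attrs, vlan_for_new_node)
    return tunnel_attributes(vlan_id) if vlan_id is not None else []
```

Note that an authenticator that does not support the tunnel attributes (see the Attention note below) simply ignores them and leaves the port in its configured VLAN, which is why the switch or access point's support must be confirmed before relying on quarantine by VLAN.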

Note

You can use RADIUS attributes such as User-Name, Calling-Station-Id, Called-Station-Id, Framed-IP-Address, NAS-IP-Address, NAS-Port, Service-Type, Filter-Id, Login-IP-Host, Class, Vendor-Specific, NAS-Port-Type, Connect-Info, NAS-Port-ID, Aruba-User-Role, and Aruba-Essid-Name.

Attention

RADIUS client devices (authenticators) must support the IEEE 802.1X standard for authenticating clients, and the RADIUS tunnel attributes defined in RFC 2868 for VLAN assignment.

Configuring EAP-TLS

When you use EAP with a strong EAP type, such as TLS with smart cards or TLS with certificates, both the client and the server use certificates to verify their identities to each other.

  1. Go to Preferences in the top panel
  2. Go to Service > RADIUS Server in the left panel
  3. Under Authentication Server
  4. Under EAP Authentication > EAP-TLS, select On
    1. Click the Upload button to the right of CA Certificate to upload the certificate of the CA.
    2. Click the + button in the CA certificate window and select the certificate file of the CA.
    3. CACert Information lets you check the information of the saved CA certificate.
  5. Click the CreateServerCertificate button to the right of Server Certificate
    1. For Common Name, enter the fully qualified domain name (FQDN) or IP address of your server, like nac.genians.com. This must match exactly what you type in your web browser or you will receive a name mismatch error.
    2. For Country, enter the two-letter ISO country code, like US.
    3. For Organization, enter the name of your organization, like Genians Inc.
    4. For Email, enter an email address used to contact your organization, like admin@genians.com.
    5. Click Generate CSR
    6. Copy all text in the box to the right of Certificate Signing Request
    7. Submit the request to the CA server, have it issue a server certificate, open the BASE64-encoded file, and copy and paste its text into the box to the right of Certificate
    8. Click Register
    9. ServerCert Information lets you check the information of the saved server certificate.
  6. For CRL distribution point, enter the Certificate Revocation List distribution point. If you do not verify the CRL, you do not need to enter it.
  7. For OCSP Responder URL, enter the Online Certificate Status Protocol responder URL. If you do not use OCSP, you do not need to enter it.
  8. Click Update

Note

To use EAP-TLS, each user must also obtain a certificate from the CA server that issued the server certificate, or from another trusted CA server.

Attention

Issuance, revocation and management of server certificates and user certificates are managed through an external CA server.