Description:

This article describes how access management via RADIUS (802.1x) can be implemented on a GS-3xxx series switch. This makes it possible to centrally manage user access data.


Requirements:


Procedure:

1) Configuring RADIUS authentication on the switch:

1.1) Connect to the switch via the web interface, navigate to the menu Security → RADIUS → Configuration and click Add New Server.

1.2) Modify the following parameters and then click Apply:

  • Hostname: Enter the IP address or DNS name of the RADIUS server to be used for authentication when logging on.
  • Key: Enter the password (shared secret) that the switch uses to authenticate itself with the RADIUS server. The same value is entered as the Client secret in step 2.5.

1.3) Switch to the menu Security → Management → Auth Method.

1.4) For the desired management protocols, use the drop-down menu to select the option radius so that the authentication is performed via the central RADIUS server.

A useful fallback is provided by setting the second method to the option local. If the RADIUS server cannot be reached, authentication is based on the local user table.

Then click Apply.

If HTTPS is active, the redirect option automatically redirects HTTP to HTTPS.

1.5) Click the disk icon in the top right-hand corner to save the configuration as the start configuration.

The start configuration is retained even if the device is restarted or there is a power failure.



2) Configuring the RADIUS server on a LANCOM router or access point:

2.1) In LANconfig, open the configuration of the router / access point that acts as a RADIUS server. Go to the menu RADIUS → Server and set a checkmark for RADIUS authentication active.

2.2) Navigate to the menu RADIUS services ports.

2.3) Make sure that the authentication port is set to port 1812.

2.4) Go to the menu IPv4 clients.

2.5) Create a new entry and adjust the following parameters:

  • IP address: Enter the IP address of the switch to be authenticated.
  • Netmask: Enter the netmask 255.255.255.255. This stands for a single IP address.
  • Client secret: Enter the key specified in step 1.2. This is used for authenticating the switch at the RADIUS server.

2.6) Go to the menu User table.

2.7) Create a new entry and adjust the following parameters:

  • Name / MAC address: Enter a username to be used by the user to access the switch.
  • Password: Enter a password that the user should use to access the switch.
  • Protocol restriction for authentication: Uncheck all options except PAP, because the GS-3xxx series switches only support PAP.
  • Shell privilege level: Set the value to 15 so that the user receives write permissions for all function groups.
  • Expiry type: From the drop-down menu, select Never so that the entry remains valid permanently.

The Shell privilege level can be set from 1 to 15, where the value 15 represents the highest privilege level.

The switch provides the option to assign different privilege levels to individual function groups in the menu Security → Management → Privilege Level. This allows different permissions to be assigned to different users.

2.8) This concludes the configuration of the LANCOM router / access point that acts as the RADIUS server. You can now write the configuration back to the device.