Description:

This article describes how access management via RADIUS (802.1x) can be implemented on an XS- or GS-45xx series switch, so that user login data can be managed centrally.


Requirements:


Procedure:

1) Configuring RADIUS authentication on the switch:

1.1) Connect to the web interface of the switch and navigate to the menu Security → RADIUS → Named Server.

1.2) Click on Add to enter the RADIUS parameters.

1.3) Modify the following parameters and then click Submit:

  • IP Address/Host Name: Enter the IP address or DNS name of the RADIUS server to be used for authentication when logging on.
  • Secret: Enter a password. The switch uses this password to authenticate itself to the RADIUS server.
  • Server Type: Select the option Primary. This makes this server the primary RADIUS server.

1.4) Navigate to the menu System → AAA → Authentication List.

1.5) Select the required protocol (in this example HTTPS with the httpslist) and click Edit to make further changes.

The following steps apply analogously for HTTP (httplist) and for Telnet and SSH (networklist).

1.6) Under Selected Methods, choose the option Local and click the arrow icon pointing left to remove it.

1.7) Under Available Methods, hold down the <CTRL> button and select the options Radius and Local and add them by clicking the arrow icon pointing to the right.

The methods under Selected Methods are tried in the order listed, so Radius must be listed first, followed by Local. If the RADIUS server cannot be reached, authentication falls back on the local user table.

1.8) Click Submit to accept the changes.

1.9) Click Save Configuration in the top right-hand corner to save the configuration as the start configuration.

The start configuration is retained even if the device is restarted or there is a power failure.

As an alternative, the current configuration can be saved as the start configuration from the command line interface with the command write memory.

1.10) This concludes the configuration steps on the switch.



2) Configuring the RADIUS server on a LANCOM router or access point:

2.1) In LANconfig, open the configuration of the router / access point that acts as a RADIUS server. Go to the menu RADIUS → Server and set the checkmark for RADIUS authentication active.

2.2) Navigate to the menu RADIUS services ports.

2.3) Make sure that the authentication port is set to the port 1812.

2.4) Go to the menu IPv4 clients.

2.5) Create a new entry and adjust the following parameters:

  • IP address: Enter the IP address of the switch to be authenticated.
  • Netmask: Enter the netmask 255.255.255.255. This restricts the entry to a single IP address.
  • Client secret: Enter the secret set in step 1.3. This is used to authenticate the switch to the RADIUS server.

2.6) Go to the menu User table.

2.7) Create a new entry and adjust the following parameters:

  • Name / MAC address: Enter the username with which the user will log in to the switch.
  • Password: Enter the password with which the user will log in to the switch.
  • Protocol restriction for authentication: Uncheck all options except PAP, since the XS- and GS-45xx series switches only support PAP.
  • Shell privilege level: Set the value to 15 so that the user receives read and write permissions.
  • Expiry type: From the drop-down menu, select Never so that the entry remains valid permanently.

The shell privilege level can be set from 1 – 15, where 15 is the highest privilege level.

The XS- and GS-45xx switches have just three different privilege levels:

  • 0 – The user is created, but is not allowed to log in to the switch.
  • 1 – The user can read the configuration but not make any changes.
  • 15 – The user can read and make changes to the configuration.

2.8) This concludes the configuration of the LANCOM router / access point that acts as the RADIUS server. You can now write the configuration back to the device.
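As an added check that is not part of this article or of LANCOM's own software, the following Python script builds an RFC 2865 PAP Access-Request the way the switch does, hides the password with the client secret, and verifies the Response Authenticator of the reply. It can be used to confirm, before pointing the switch at the server, that the user entry from step 2.7 is accepted with PAP and that the secret matches; host name, username, password and secret are placeholders you supply, and for a live check the sending host must itself be entered as an IPv4 client (step 2.5) in addition to the switch.

```python
import hashlib, os, socket, struct
ACCESS_REQUEST, ACCESS_ACCEPT, ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2, 1, 2

def _pap_xor(data, secret, authenticator, hide):
    # RFC 2865 section 5.2: XOR each 16-byte block with MD5(secret + previous block)
    out, prev = b"", authenticator  # the first "previous block" is the Request Authenticator
    for i in range(0, len(data), 16):
        chunk = data[i:i + 16]
        block = bytes(a ^ b for a, b in zip(chunk, hashlib.md5(secret + prev).digest()))
        out, prev = out + block, (block if hide else chunk)  # chain on the hidden block
    return out

def pap_hide_password(password, secret, authenticator):
    # pad the cleartext to a multiple of 16 bytes, then hide it
    return _pap_xor(password + b"\x00" * (-len(password) % 16), secret, authenticator, True)

def pap_reveal_password(hidden, secret, authenticator):
    return _pap_xor(hidden, secret, authenticator, False).rstrip(b"\x00")

def _attr(attr_type, value):
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def build_access_request(ident, username, password, secret, authenticator):
    attrs = _attr(ATTR_USER_NAME, username.encode()) + _attr(
        ATTR_USER_PASSWORD, pap_hide_password(password.encode(), secret, authenticator))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs

def build_response(code, ident, request_authenticator, secret, attrs=b""):
    # server side; included only so the exchange can be simulated offline
    head = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return head + hashlib.md5(head + request_authenticator + attrs + secret).digest() + attrs

def verify_response(reply, request_authenticator, secret):
    # Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)
    code, _, length = struct.unpack("!BBH", reply[:4])
    expected = hashlib.md5(reply[:4] + request_authenticator + reply[20:length] + secret).digest()
    return code, reply[4:20] == expected  # False: reply not from a server holding this secret

def check_login(host, username, password, secret, port=1812, timeout=3.0):
    # live check; the sending host must itself be listed as an IPv4 client on the server
    auth = os.urandom(16)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_access_request(1, username, password, secret, auth), (host, port))
        try:
            reply, _ = s.recvfrom(4096)
        except socket.timeout:
            return "timeout"
    code, ok = verify_response(reply, auth, secret)
    return "bad-authenticator" if not ok else ("accept" if code == ACCESS_ACCEPT else "reject")
```

A mismatched client secret shows up as "bad-authenticator" rather than a clean "reject", and "timeout" usually means the sending host is not an allowed IPv4 client or the authentication port is not 1812.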