Description:
This document describes how to set up IEEE 802.1X port-based access control for network clients using a LANCOM switch (e.g. the LANCOM GS-2326P) and the RADIUS server provided by a LANCOM router.
In this example, the network client authenticates with the Extensible Authentication Protocol (EAP), specifically Protected EAP (PEAP) with MSCHAPv2 as the inner method: the client checks the RADIUS server's X.509 certificate against the CA root certificate installed on the client, and then proves its own identity with a user name and password inside the TLS tunnel. The LANCOM switch does not evaluate the EAP exchange itself; it relays it between the client and the RADIUS server.
EAP-based authentication always requires a RADIUS server to act as the authentication server. Since all LANCOM routers feature an integrated RADIUS server, this document describes the use of the LANCOM router's RADIUS server for authentication.
The ports of the LANCOM switch are only activated for data transfer after a network client has successfully authenticated at the RADIUS server. In this scenario, the LANCOM switch serves as the authenticator.
Requirements:
- LCOS as of version 8.0
- LANtools as of version 8.0
- Valid X.509 server certificate and root certificate of the CA
- LANCOM switch (e.g. LANCOM GS-23xx)
- LANCOM router with an integrated RADIUS server (e.g. LANCOM 1781AW)
Scenario:
- The LANCOM router is already set up to provide Internet access. The RADIUS server in the LANCOM router is used to authenticate the network clients connected to the LANCOM switch. The X.509 server certificate required for authentication is available on the LANCOM router.
- The ports of the LANCOM switch are configured so that network clients connected by cable must first authenticate at the RADIUS server before the port is activated for data transfer. The clients use the CA root certificate to verify the RADIUS server's certificate and authenticate themselves with a user name and password (PEAP with MSCHAPv2). For security reasons, the port configuration of the switch is operated in single mode, meaning that only one network client can be authenticated per switch port.
Configuration steps on the LANCOM router:
1) Upload the server certificate
1.1) In LANconfig, right-click on the LANCOM router and select the option Configuration management → Upload a certificate from file.
1.2) In the following dialog, select the certificate file intended for the LANCOM router. This example uses the name LANCOM_Router.p12.
1.3) In the Certificate type box, select the setting EAP/TLS - container as a PKCS#12 file.
1.4) In the Password field, enter the certificate password. The password in this example is lancom.
1.5) Click on Open to load the certificate into the LANCOM router.
2) Configuring the RADIUS server in the LANCOM router
2.1) Open the menu item Configuration → RADIUS server → General.
2.2) Enter the value for the authentication port of the internal RADIUS server (1812).
2.3) Click the button IPv4 clients and add the LANCOM switch to enable it to communicate with the RADIUS server.
- In this example, the LANCOM switch has the local IP address 192.168.1.11 and the subnet mask is 255.255.255.0. The netmask defines the range of addresses accepted under this client entry; if the switch is the only intended RADIUS client, a host mask (255.255.255.255) limits the entry to its address alone.
- Set the protocol to RADIUS.
- In order for the switch to authenticate as a permitted RADIUS client at the RADIUS server, you need to set a password (shared secret). Choose a long, random value; it protects every RADIUS packet between switch and router. The same secret is required for the subsequent configuration of the switch.
2.4) Click the button User table and supplement the list with one or more entries for the network clients that require authentication.
2.5) In this example, a PC with the user name PC1 is created and given the password lancom.
2.6) In the section Protocol restriction for authentication, select at least the protocols EAP and MSCHAPv2. If there is no need for a time limit on the PC's access, set the Expiry type to Never.
2.7) Now close the dialog with the OK button. You can optionally create further user accounts for network clients now.
2.8) Move to the item Configuration → RADIUS server → EAP.
2.9) In the selection box Default method, select the value PEAP.
2.10) In the selection box PEAP default, set the value to MSCHAPv2.
2.11) Click on OK to accept the settings and to save them to the LANCOM router.
Configuration steps on the LANCOM switch:
3.1) Open the configuration interface for the LANCOM switch and navigate to the menu item Security → NAS → Configuration.
- Set the Mode option to Enabled.
- Under Port configuration, set the option Port-based 802.1X for those ports that are to operate with authentication as per 802.1X. Leave the uplink port to the LANCOM router out of this list; if that port required 802.1X, the switch could not reach the RADIUS server to authenticate anyone.
3.2) Scroll to the end of the configuration page and click on Apply to accept the new settings.
3.3) Switch to the menu Security → AAA → Configuration. In the section RADIUS authentication server configuration, set the option in the first line to Enabled.
- In the field IP address/host name, enter the local IP address of the LANCOM router.
- The default port 1812 can be accepted, as the LANCOM router also uses this as the RADIUS authentication port.
- In the field Secret, enter the same shared secret as that entered into the configuration of the LANCOM router in step 2.3.
3.4) Scroll to the end of the configuration page and click on Apply to accept the new settings. This concludes the configuration of the LANCOM switch.
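The shared secret configured in steps 2.3 and 3.3 is not sent over the wire; it keys the Message-Authenticator and Response Authenticator that the switch and the RADIUS server use to authenticate each RADIUS packet to one another. The following added example (written for this page, not LANCOM code) builds the first RADIUS round trip of an 802.1X logon according to RFC 2865 and RFC 3579: the switch wraps the PC's EAP-Response/Identity into an Access-Request, the router's RADIUS server verifies it and answers with an Access-Challenge that starts PEAP, and the switch verifies the reply. It then shows that a request sent with a mistyped secret, or modified in transit, is dropped. The switch address 192.168.1.11 and the user name PC1 are taken from the page; the secret value, the RADIUS identifier and the NAS port number are assumptions.

```python
import hashlib
import hmac
import os
import struct

# RADIUS codes and attribute types (RFC 2865, RFC 3579)
ACCESS_REQUEST, ACCESS_CHALLENGE = 1, 11
USER_NAME, NAS_IP_ADDRESS, NAS_PORT, EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 1, 4, 5, 79, 80
# EAP codes and types (RFC 3748); PEAP is EAP type 25, its Start flag is 0x20
EAP_REQUEST, EAP_RESPONSE, EAP_TYPE_IDENTITY, EAP_TYPE_PEAP, PEAP_FLAG_START = 1, 2, 1, 25, 0x20

def avp(attr_type, value):
    """One RADIUS attribute: Type, Length (including these two bytes), Value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def eap_packet(code, ident, eap_type, data=b""):
    """EAP header (Code, Identifier, Length) followed by Type and type data."""
    body = bytes([eap_type]) + data
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body

def parse_attrs(packet):
    """Split the attribute area after the 20-byte header into (type, value) pairs."""
    attrs, pos = [], 20
    while pos < len(packet):
        attr_type, length = packet[pos], packet[pos + 1]
        if length < 2 or pos + length > len(packet):
            raise ValueError("malformed attribute")
        attrs.append((attr_type, packet[pos + 2:pos + length]))
        pos += length
    return attrs

def message_authenticator(code, ident, request_authenticator, attrs, secret):
    """HMAC-MD5(secret) over the packet with Message-Authenticator zeroed (RFC 3579 3.2).
    For replies the Request Authenticator is placed in the authenticator field."""
    body = b"".join(avp(t, bytes(16) if t == MESSAGE_AUTHENTICATOR else v) for t, v in attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    return hmac.new(secret, header + request_authenticator + body, hashlib.md5).digest()

def build_packet(code, ident, request_authenticator, attrs, secret):
    """Serialise attributes plus Message-Authenticator; replies also get the
    Response Authenticator MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    attrs = attrs + [(MESSAGE_AUTHENTICATOR, bytes(16))]
    attrs[-1] = (MESSAGE_AUTHENTICATOR,
                 message_authenticator(code, ident, request_authenticator, attrs, secret))
    body = b"".join(avp(t, v) for t, v in attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    authenticator = request_authenticator if code == ACCESS_REQUEST else \
        hashlib.md5(header + request_authenticator + body + secret).digest()
    return header + authenticator + body

def verify_packet(packet, request_authenticator, secret):
    """Receiver-side checks; a RADIUS peer silently discards a packet that fails them."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    try:
        attrs = parse_attrs(packet)
    except ValueError:
        return False
    macs = [v for t, v in attrs if t == MESSAGE_AUTHENTICATOR]
    if len(macs) != 1:  # packets carrying EAP-Message need exactly one Message-Authenticator
        return False
    expected = message_authenticator(packet[0], packet[1], request_authenticator, attrs, secret)
    if not hmac.compare_digest(expected, macs[0]):
        return False
    if packet[0] == ACCESS_REQUEST:
        return True
    response = hashlib.md5(packet[:4] + request_authenticator + packet[20:] + secret).digest()
    return hmac.compare_digest(response, packet[4:20])

def switch_access_request(ident, secret, nas_ip, nas_port, identity):
    """Switch side: wrap the client's EAP-Response/Identity into an Access-Request."""
    request_authenticator = os.urandom(16)
    attrs = [(USER_NAME, identity),
             (NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))),
             (NAS_PORT, struct.pack("!I", nas_port)),
             (EAP_MESSAGE, eap_packet(EAP_RESPONSE, 1, EAP_TYPE_IDENTITY, identity))]
    return build_packet(ACCESS_REQUEST, ident, request_authenticator, attrs, secret), request_authenticator

def server_reply(request, secret):
    """Router side: drop requests not authenticated with the shared secret; answer a
    well-formed Identity response with an Access-Challenge that starts PEAP."""
    if len(request) < 20 or request[0] != ACCESS_REQUEST:
        return None
    request_authenticator = request[4:20]
    if not verify_packet(request, request_authenticator, secret):
        return None
    eap = next((v for t, v in parse_attrs(request) if t == EAP_MESSAGE), b"")
    if len(eap) < 5 or eap[0] != EAP_RESPONSE or eap[4] != EAP_TYPE_IDENTITY:
        return None
    peap_start = eap_packet(EAP_REQUEST, (eap[1] + 1) & 0xFF, EAP_TYPE_PEAP, bytes([PEAP_FLAG_START]))
    return build_packet(ACCESS_CHALLENGE, request[1], request_authenticator, [(EAP_MESSAGE, peap_start)], secret)

def demo(secret=b"example-shared-secret"):  # the secret value is an assumption, not from the page
    req, req_auth = switch_access_request(7, secret, "192.168.1.11", 3, b"PC1")
    reply = server_reply(req, secret)
    reply_ok = reply is not None and verify_packet(reply, req_auth, secret)
    eap = dict(parse_attrs(reply))[EAP_MESSAGE] if reply_ok else b"\0" * 6
    tampered = req[:22] + b"Q" + req[23:]  # change "PC1" to "QC1" inside User-Name on the wire
    return {"challenge_valid": reply_ok,
            "peap_start": reply_ok and eap[4] == EAP_TYPE_PEAP and bool(eap[5] & PEAP_FLAG_START),
            "wrong_secret_dropped": server_reply(req, b"mistyped") is None,
            "tampered_dropped": server_reply(tampered, secret) is None}
```

Two practical consequences follow from this exchange. A mismatched secret between steps 2.3 and 3.3 produces no error message on either side; the router simply discards the switch's requests, and the PC's authentication times out. And because the only protection on the RADIUS link is HMAC-MD5 and MD5 keyed with this secret, a short or guessable secret lets anyone on the path between switch and router forge or modify Access-Accept packets.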
Configuring a network client (PC):
Importing the CA root certificate into Windows Vista and Windows 7:
Note:
A guide to creating X.509 certificates with the XCA application is included in this KnowledgeBase document (only available in German).
The PC needs only the root certificate of the CA that issued the router's server certificate; with PEAP/MSCHAPv2 the client has no certificate of its own.
4.1) Double-click on the root certificate of the CA. This example uses the CA-LANCOM.cer file.
4.2) Click on Install certificate.
4.3) Click on Next.
4.4) The certificate is saved to the certificate store Trusted root certification authorities.
4.5) Click on Finish to conclude the import of the certificate.
4.6) Confirm the subsequent security warning with Yes.
4.7) A message is displayed to indicate that the certificate was successfully imported.
Configuring the PC:
5.1) Start the Services Manager in Windows and open the Properties dialog of the service Wired AutoConfig.
5.2) Set the Startup type to Automatic and close the dialog with OK.
5.3) Start the service once, manually. After restarting the PC, the service starts automatically.
5.4) In the Network and Sharing Center, open the Properties dialog for your network adapter. On the Authentication tab, enable the option IEEE 802.1X authentication and set the authentication method to Protected EAP (PEAP).
5.5) Click the Settings button.
5.6) Enable the option Validate server certificate and, in the box below, select the relevant trusted root certification authority for the certificate from the list. In our example this is CA-LANCOM. For the Authentication method, select Secure password (EAP-MSCHAPv2). This check is what protects the user's credentials: without server certificate validation, the PC would complete the MSCHAPv2 exchange with any device on the wire that offers a PEAP tunnel.
5.7) Then click the Configure button.
5.8) Disable the option Automatically use my Windows logon name and password.
5.9) Click OK to accept your settings.
5.10) On the Authentication tab, click the Additional settings button.
5.11) In the 802.1X settings dialog, enable the Specify authentication mode option and select the method User or computer authentication.
5.12) Now close the configuration dialogs with the OK button. This concludes the configuration of the PC.
Function check:
6.1) Make sure that the PC is connected to the switch port that you have configured with access control as per IEEE 802.1X.
6.2) Restart your PC and log on to the system as usual.
6.3) While the PC attempts to connect to the network, a note appears in the system tray that additional credentials are required to establish the network connection.
6.4) Click on this note to open a window where you can authenticate for the network by entering a user name and password.
6.5) At this stage, enter the user data that you entered into the LANCOM RADIUS server user table in configuration step 2.5. In this example the user name is PC1 and the password is lancom.
6.6) After you click OK, the PC authenticates and the switch port that the PC is connected to is activated for data transfer. If the prompt never appears or authentication fails without a certificate warning, check first that the shared secret in step 3.3 matches the one in step 2.3 and that the router's user entry permits EAP and MSCHAPv2 (step 2.6).