Description:

In scenarios where each switch port should support just one network participant, who authenticates via RADIUS and then can communicate via this port, a GS-3xxx switch allows the use of the authentication method Single 802.1X.

If network participants do not support 802.1X or if this is deactivated, they will be rejected and cannot communicate on the switch port. It can therefore make sense to create a separate network for these participants and have the switch automatically move them to the corresponding VLAN. As a result and depending on the configuration of the router, network participants within this network can also communicate with the Internet, but they have no access to the administration network (the router must prevent this by means of firewall rules or interface tags). On a GS-3xxx switch, the feature Guest VLAN supports this.

This article describes how to configure a GS-3xxx switch to use RADIUS authentication with Single 802.1X and an activated Guest VLAN. A LANCOM router acts as the RADIUS server. 


Requirements:


Scenario:

  • The LANCOM router is already set up with the administration network (INTRANET) with the address range 192.168.1.0/24. The router’s IP address in this network is 192.168.1.254.
  • The router additionally supports a guest network (GUEST) for the Guest VLAN. This has the address range 192.168.3.0/24 with the IP address 192.168.3.254.
  • The LANCOM router acts as the RADIUS server.
  • A GS-3xxx series switch with the IP address 192.168.1.250 is operating as a RADIUS authenticator. The switch therefore forwards the requests from the network participants to the RADIUS server.
  • Network participants with 802.1X support (802.1X supplicants) who log in successfully to the RADIUS server gain access to the administration network.
  • Network participants with 802.1X support (802.1X supplicants) who cannot log in to the RADIUS server should have access neither to the administration network nor to the guest network.
  • Network participants without or with deactivated 802.1X support should automatically be moved by the switch into the guest VLAN and thereby gain access to the guest network.



Procedure:

1) Configuration steps on the LANCOM router:

1.1) Open the configuration for the router in LANconfig and switch to the menu item IPv4 → General → IP networks.

1.2) Click Add to create the network for the Guest VLAN.

1.3) Change the following parameters:

  • Network name: Enter a descriptive network name (in this example GUEST-NETWORK).
  • IP address: Enter an IP address from the network for the Guest VLAN.
  • Netmask: Enter the corresponding subnet mask.
  • VLAN ID: Enter a previously unused VLAN ID (in this example, VLAN ID 3). This also has to be stored in the VLAN configuration on the switch (see step 2.2).
  • Interface tag: Assign a previously unused interface tag (in this example tag 1). This prevents access from the guest network to the other networks.

For the administration network INTRANET there is no need to enter a VLAN ID. Also, there is no need to enable the VLAN module as tagging is handled by the switch. With the Hybrid tagging mode, the port VLAN ID is removed from outbound packets, so that the packets for the INTRANET arriving at the router from the switch are untagged (see step 2.2).  

1.4) Switch to the menu IPv4 → DHCPv4 → DHCP networks.

1.5) Click Add to set up a DHCP network for the network created in step 1.3.

1.6) Change the following parameters:

  • Network name: From the drop-down menu select the network created in step 1.3 (in this case GUEST-NETWORK).
  • DHCP server enabled: Select the option Yes.

You can optionally adjust other parameters such as the address pool and the default gateway.

1.7) Go to the menu RADIUS → Server and set a checkmark for RADIUS authentication active.

1.8) Navigate to the menu RADIUS services ports.

1.9) Check that the authentication port is set to 1812.

1.10) Go to the menu IPv4 clients.

1.11) Create a new entry and enter the following parameters:

  • IP address: Enter the IP address of the switch so that this can authenticate itself as the RADIUS authenticator at the RADIUS server.
  • Netmask: Enter the netmask 255.255.255.255. This stands for a single IP address.
  • Protocols: Check that the protocol is set to RADIUS.
  • Client secret: Enter a password that the switch uses to authenticate itself at the RADIUS server. This is entered on the switch in step 2.4.

1.12) Go to the menu User table.

1.13) Create a new entry and adjust the following parameters:

  • Name / MAC address: Enter a user name that the network participant uses to authenticate itself at the RADIUS server.
  • Password: Enter a password that the network participant uses to authenticate itself at the RADIUS server.
  • Service type: From the drop-down menu, select Call check.
  • Expiry type: From the drop-down menu, select Never so that the user account remains valid permanently.

The service type “Call check” is only supported as of LCOS 10.30.

1.14) This concludes the configuration steps on the LANCOM router. You can now write the configuration back to the device.



2) Configuration steps on the GS-3xxx switch:

2.1) Open the web interface for the device and switch to the menu item VLAN Management → VLAN Configuration.

2.2) For the switch port the router is connected to, adjust the following parameters and click Apply:

  • Mode: Choose the tagging mode Hybrid.
  • Port VLAN: Leave the setting as the VLAN ID 1.
  • Ingress Acceptance: Select Tagged and Untagged from the drop-down menu, because when using the Hybrid tagging mode, both tagged and untagged packets are allowed.
  • Egress Tagging: Select Untag Port VLAN. When using the Hybrid tagging mode, the VLAN tag is removed from outbound packets that have the port VLAN ID (in this case VLAN ID 1).
  • Allowed VLANs: Enter the VLANs 1 and 3 (in the switch this must be entered as 1,3), since both the management network INTRANET (using VLAN ID 1 on the switch) and the GUEST-NETWORK (using VLAN ID 3) are to be carried over this port.

For more information about VLAN configuration on a GS-3xxx switch, see the following Knowledge Base article:

Configuring VLAN on LANCOM GS-3xxx series switches
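To make the behaviour of the uplink port from step 2.2 concrete, here is a small added Python model (not LANCOM code) of an 802.1Q port with Port VLAN 1, Allowed VLANs 1,3 and Egress Tagging "Untag Port VLAN"; the sample frame and MAC addresses are constructed.

```python
import struct

TPID_8021Q = 0x8100        # EtherType that announces an 802.1Q tag
PVID = 1                   # Port VLAN (step 2.2): untagged traffic = INTRANET
ALLOWED_VLANS = {1, 3}     # "Allowed VLANs: 1,3" in the switch UI

# Constructed sample frame: dst MAC, src MAC, EtherType IPv4, stub payload.
DST = bytes.fromhex("00e0d1aabbcc")
SRC = bytes.fromhex("00a057112233")
UNTAGGED_IP = DST + SRC + b"\x08\x00" + b"\x45" + b"\x00" * 19


def parse_vlan(frame: bytes):
    """Return (vid, frame_without_tag). vid is None when the frame is untagged."""
    if len(frame) >= 16 and struct.unpack("!H", frame[12:14])[0] == TPID_8021Q:
        tci = struct.unpack("!H", frame[14:16])[0]
        return tci & 0x0FFF, frame[:12] + frame[16:]   # low 12 bits of TCI = VID
    return None, frame


def ingress(frame: bytes):
    """Frame arriving from the router ('Tagged and Untagged' is accepted).

    Returns the VLAN the switch forwards it in, or None if it is dropped
    because its VLAN is not in the allowed list."""
    vid, _ = parse_vlan(frame)
    if vid is None:
        vid = PVID        # untagged router traffic lands in VLAN 1 (INTRANET)
    return vid if vid in ALLOWED_VLANS else None


def egress(vid: int, untagged_frame: bytes):
    """Frame the switch sends to the router for traffic in VLAN vid.

    'Untag Port VLAN' strips the tag for VLAN 1, so the router sees plain
    INTRANET frames; guest traffic keeps its VLAN 3 tag (PCP 0, DEI 0),
    which is why the router's GUEST-NETWORK needs VLAN ID 3 in step 1.3."""
    if vid not in ALLOWED_VLANS:
        return None                      # VLAN not carried on this port
    if vid == PVID:
        return untagged_frame            # PVID leaves untagged
    tag = struct.pack("!HH", TPID_8021Q, vid & 0x0FFF)
    return untagged_frame[:12] + tag + untagged_frame[12:]
```

Feeding `egress()` output back into `ingress()` shows the round trip the router and switch rely on: VLAN 1 crosses the link untagged, VLAN 3 tagged, and anything else is dropped at the port.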

2.3) Change to the menu Security → RADIUS → Configuration and click Add New Server.

2.4) Modify the new entry for the server by adjusting the following parameters and click Apply:

  • Hostname: Enter the IP address of the router that was set up as the RADIUS server in step 1.
  • Key: Enter the Client secret set in step 1.11. The switch uses this password to authenticate itself at the RADIUS server.

2.5) Change to the menu Security → 802.1X → Configuration and modify the following parameters:

  • Mode: Activate the 802.1X authentication settings by moving the slider button to “on”.
  • Guest VLAN Enabled: Activate the Guest VLAN.
  • Guest VLAN ID: Enter the VLAN ID for the guest VLAN (in this example, VLAN ID 3).

2.6) In the Port Configuration for the ports where end devices should be authenticated, enter the following parameters and click Apply:

  • Admin State: From the drop-down menu, select the option Single 802.1X.
  • Guest VLAN Enabled: Activate the Guest VLAN on this port. 

With the option Single 802.1X, only one network participant can be authenticated at the port and then communicate.

If a network participant does not support RADIUS authentication via 802.1X, or if this is deactivated, the switch moves this participant to the Guest VLAN so that it can communicate there but has no access to the management network.

2.7) Save the configuration as the startup configuration by clicking the red floppy disk icon in the top-right corner. 

The startup configuration is boot persistent and is therefore available even after a restart or a power failure.

2.8) This concludes the configuration of the switch.