Description:

If an access point is installed in a publicly accessible area (e.g. at a school or hotel), we recommend that you use RADIUS authentication to ensure that a client (e.g. a notebook PC) is unable to gain access to the management network even if it is connected by cable to the Ethernet socket that is intended for use by the access point.

This article describes how RADIUS authentication is set up for an access point with LCOS LX so that only this has access to the management network.

Access points that are operated in a WLC scenario must each be configured individually. A central configuration of the steps described here via a WLC is not possible.

This scenario can also be implemented with LCOS LX access points.



Requirements:


Scenario:


Procedure:

1) Configuring the RADIUS server on the LANCOM router:

1.1) In LANconfig, open the configuration for the router, navigate to the menu RADIUS → Server and set a checkmark next to RADIUS authentication active.

1.2) Navigate to the menu RADIUS services ports.

1.3) Check that the authentication port is set to 1812.

1.4) Go to the menu IPv4 clients.

1.5) Create a new entry and enter the following parameters:

1.6) Go to the menu User table.

1.7) Create a new entry and adjust the following parameters:

As of SWOS 4.00 RU2 the switch sends RADIUS requests with the Service type Call check. In this case the Service type in this menu als has to be set to Call check. As an alternative the option Any can also be selected.

As of LCOS SX 4.00 RU5 the Service type Framed is used for RADIUS requests and the Service type Call-Check is used for MAC-based requests. In this case the Service type has to be set to Framed. As an alternative the option Any can also be selected.

The Service type Call check is supported as of LCOS 10.30.

1.8) This concludes the configuration of the RADIUS server on the LANCOM router. You can now write the configuration back to the device.



2) Configuring the RADIUS authenticator on the GS-3xxx switch:

2.1) Open the webinterface of the device, switch to the menu Security → RADIUS → Configuration and click Add New Server.

2.2) Modify the following parameters in the Server Configuration and click Apply:

2.3) Go to the menu Security → 802.1X → Configuration and activate the 802.1X authentication by setting the slider Mode to on.

2.4) In the Port Configuration select the Admin State Port-based 802.1X in the dropdown menu for the port that the access point will be connected to. Click Apply afterwards.

With the option Port-based 802.1X, solely the access point should be able to authenticate itself. All other end devices connected via WLAN can communicate via the switch port without authentication. For this reason it is important to provide the WLAN end devices with their own network that is separated from the management network by VLAN. You can use this Knowledge Base article to help you here.


2.5) Click the red disk symbol on the upper right side to save the configuration as Start configuration

The Start configuration is boot persistent and is therefore available even after a restart or a power failure.

2.6) This concludes the configuration of the switch.



3) Configuring the RADIUS supplicant on the access point:

In order for the access point to be able to authenticate at the RADIUS server of the WLAN controller, the authentication method must be set and user data have to be set for logging in. This example uses the authentication method PEAP/MSCHAPv2. The user data of the access point was configured on the router in step 1.7.

3.1) Connect to the access Point via CLI and switch to the path Supplicant-Ifc-Setup:

cd /Setup/LAN/IEEE802.1x/Supplicant-Ifc-Setup

3.2) Go to the path for the LAN interface. For this example we are using interface LAN-1.

cd LAN-1

3.3) Use the following command to set the user data for authentication at the RADIUS server:

set credentials <username>:<password>

In this example, the command is set credentials ap1:ap1

3.4) Use the following command to set the authentication method as PEAP/MSCHAPv2:

set Method PEAP/MSCHAPv2

As an alternative, you can use the following script to upload the changes to the access point with LANconfig. Please be sure to add the relevant username and password to the file first.

Skript_Credentials_Auth-Method.lcs

In a WLAN-Controller scenario the script can also be rolled out to the access points via the WLAN-Controller.