Quelle anzeigen

Description:

In case only certain network participants are to be granted network access, RADIUS authentication has to be used on the switch. If a network participant cannot authenticate itself via RADIUS and therefore cannot act as a RADIUS Supplicant, as an alternative this participant can also be authenticated via its MAC address. When using an XS series switch in most cases other network devices will be used due to the XS series featuring mostly SFP ports, although the authentication of end devices on the Ethernet ports is possible.

This article describes how MAC address authentication for a network device can be configured on an XS series switch, so that network access is only granted for the authenticated device.

Requirements:

LANCOM router as RADIUS server
XS series switch with LCOS SX as of version 5.10 Rel (download latest version)
LCOS as of version 10.30 on the router, which serves as the RADIUS server (download latest version)
LANtools as of version 10.30 (download latest version)
Any web browser for accessing the webinterface of the XS series switch

Scenario:

A switch without RADIUS supplicant support is connected to an XS series switch. The aim is to ensure, that only the switch can be connected directly to the XS series switch and no other network devices can be connected instead and are able to communicate via this port. Therefore the switch is authenticated via its MAC address. Thus no additional configuration steps are necessary on the switch without RADIUS supplicant support.

LANCOM Support Knowledge Base > MAC address authentication of a network device via an XS series switch at a LANCOM router as RADIUS server (802.1X) > Scenario.png

Procedure:

1) Configuring the RADIUS server on the LANCOM router:

1.1) In LANconfig, open the configuration for the router, navigate to the menu RADIUS → Server and set a checkmark next to RADIUS authentication active.

LANCOM Support Knowledge Base > MAC address authentication of a network device via an XS series switch at a LANCOM router as RADIUS server (802.1X) > Router1.png

1.2) Navigate to the menu RADIUS services ports.

LANCOM Support Knowledge Base > MAC address authentication of a network device via an XS series switch at a LANCOM router as RADIUS server (802.1X) > Router2.png

1.3) Check that the authentication port is set to 1812.

LANCOM Support Knowledge Base > MAC address authentication of a network device via an XS series switch at a LANCOM router as RADIUS server (802.1X) > Router3.png

1.4) Go to the menu IPv4 clients.

LANCOM Support Knowledge Base > MAC address authentication of a network device via an XS series switch at a LANCOM router as RADIUS server (802.1X) > Router4.png

1.5) Create a new entry and enter the following parameters:

IP address: Enter the XS series switch IP address so that it can authenticate itself as the RADIUS authenticator at the RADIUS server.
Netmask: Enter the netmask 255.255.255.255. This stands for a single IP address.
Protocols: Check that the protocol is set to RADIUS.
Client secret: Enter a password that the XS series switch uses to authenticate itself at the RADIUS server. This is entered on the switch in step 2.8.

LANCOM Support Knowledge Base > MAC address authentication of a network device via an XS series switch at a LANCOM router as RADIUS server (802.1X) > Router5.png

1.6) Go to the menu User table.

LANCOM Support Knowledge Base > MAC address authentication of a network device via an XS series switch at a LANCOM router as RADIUS server (802.1X) > Router6.png

1.7) Create a new entry and adjust the following parameters:

Name / MAC address: Enter the MAC address of the network device, which is to be authenticated by its MAC address, in capital letters in the format 00:A0:57:12:34:56.
Password: Enter the MAC address of the network device analogous to the parameter Name / MAC address.
Service type: From the drop-down menu, select Call check.
Expiry type: From the drop-down menu, select Never so that the user account remains permanently valid.

The Service type Call check is supported as of LCOS 10.30.

LANCOM Support Knowledge Base > MAC address authentication of a network device via an XS series switch at a LANCOM router as RADIUS server (802.1X) > Router7.png

1.8) This concludes the configuration of the RADIUS server on the LANCOM router. You can now write the configuration back to the device.

2) Configuring the RADIUS Authenticator on the switch:

2.1) Connect to the webinterface of the device and go to the menu System → AAA → Authentication List.

LANCOM Support Knowledge Base > MAC address authentication of a network device via an XS series switch at a LANCOM router as RADIUS server (802.1X) > 1.png

2.2) Select the entry dot1xList and click Edit.

LANCOM Support Knowledge Base > MAC address authentication of a network device via an XS series switch at a LANCOM router as RADIUS server (802.1X) > 2.png

2.3) Under the Available Methods select the option Radius and click on the upper arrow symbol, so that it is applied to the Selected Methods. Click Submit afterwards.

The application of the option RADIUS is mandatory, as otherwise the switch won't forward the RADIUS requests to the RADIUS server.

LANCOM Support Knowledge Base > MAC address authentication of a network device via an XS series switch at a LANCOM router as RADIUS server (802.1X) > 3.png

LANCOM Support Knowledge Base > MAC address authentication of a network device via an XS series switch at a LANCOM router as RADIUS server (802.1X) > 4.png

2.4) Change to the menu Security → Port Access Control → Configuration.

LANCOM Support Knowledge Base > MAC address authentication of a network device via an XS series switch at a LANCOM router as RADIUS server (802.1X) > 5.png

2.5) For Admin Mode select the option Enable and click Submit.

LANCOM Support Knowledge Base > MAC address authentication of a network device via an XS series switch at a LANCOM router as RADIUS server (802.1X) > 6.png

2.6) Go to the menu Security → RADIUS → Named Server.

LANCOM Support Knowledge Base > MAC address authentication of a network device via an XS series switch at a LANCOM router as RADIUS server (802.1X) > 7.png

2.7) Click Add to enter parameters for a RADIUS server.

LANCOM Support Knowledge Base > MAC address authentication of a network device via an XS series switch at a LANCOM router as RADIUS server (802.1X) > 8.png

2.8) Modify the following parameters and click Submit:

IP Address/Host Name: Enter an IP address or the hostname of the RADIUS server which is to be used for the authentication.
Server Name: Optionally you can edit the group name for the RADIUS server (in this example the name remains on the default setting Default-RADIUS-Server).
Port Number: Leave the RADIUS port on the default value 1812.
Secret: Enter the Client secret set in step 1.5.
Server Type: Select the option Primary.

LANCOM Support Knowledge Base > MAC address authentication of a network device via an XS series switch at a LANCOM router as RADIUS server (802.1X) > 9.png

The status of the Named Server under Current only changes to True, when the switch receives a RADIUS request.

LANCOM Support Knowledge Base > MAC address authentication of a network device via an XS series switch at a LANCOM router as RADIUS server (802.1X) > Server_True.png

2.9) Go to the menu Security → Authentication Manager → Interface Configuration.

Under no circumstances should the Admin Mode be activated (Enable) at this point in the menu Security → Authentication Manager → Configuration, as the authentication is activated globally for all ports. Otherwise configuration access to the switch won't be possible anymore!

LANCOM Support Knowledge Base > MAC address authentication of a network device via an XS series switch at a LANCOM router as RADIUS server (802.1X) > 10.png

2.10) Select the interface used for configuration access (in this example the port 1/0/9), for Control Mode select the option Force Authorized and click Submit. With this setting no authentication is performed on this port.

Set the option Force Authorized on all ports where no authentication is to be used.

LANCOM Support Knowledge Base > MAC address authentication of a network device via an XS series switch at a LANCOM router as RADIUS server (802.1X) > 11.png

2.11) Select a port to be authenticated (in this example 1/0/10), modify the following parameters and click Submit:

Make sure, that the option Auto is selected for the Control Mode. Thereby no communication is possible via this port until the connected network participant has authenticated itself.
For the Host Mode select the authentication method Multiple Host. Thereby only one network participant has to authenticate itself. Then all other participants can also communicate via this port.
Activate the MAB Mode (MAC-based Authentication Bypass). Instead of username and password the MAC address is used for authentication.

LANCOM Support Knowledge Base > MAC address authentication of a network device via an XS series switch at a LANCOM router as RADIUS server (802.1X) > 12.png

2.12) Go to the tab Configuration, select the option Enable for the Admin Mode and click Submit.

LANCOM Support Knowledge Base > MAC address authentication of a network device via an XS series switch at a LANCOM router as RADIUS server (802.1X) > 13.png

2.13) Click on Save Configuration in the top right-hand corner to save the configuration as the start configuration.

The start configuration is retained even if the device is restarted or there is a power failure.

As an alternative you can also save the configuration as start configuration via the CLI with the command write memory.

LANCOM Support Knowledge Base > MAC address authentication of a network device via an XS series switch at a LANCOM router as RADIUS server (802.1X) > 22.png

2.14) Acknowledge the save process by clicking OK.

LANCOM Support Knowledge Base > MAC address authentication of a network device via an XS series switch at a LANCOM router as RADIUS server (802.1X) > 23.png