LANCOM Support Knowledgebase Document No. 1507.1610.5724.RHOO - V1.90

Configuring IEEE 802.1X access control (EAP-TLS) for LANCOM switches by means of the LANCOM RADIUS server



Description:

This document describes how to set up certificate-based (IEEE 802.1X) access control for network clients using a LANCOM switch (e.g. the LANCOM GS-2326P) and a RADIUS server provided by a LANCOM router.

In this example, the network client authenticates to the LANCOM switch with the Extensible Authentication Protocol (EAP), using Transport Layer Security (TLS) as the EAP method (EAP-TLS): the client and the RADIUS server each prove their identity with an X.509 certificate, so no passwords are transmitted.

For EAP-based authentication, a RADIUS server is always required to act as the authentication server. Since all LANCOM routers feature an integrated RADIUS server, this document describes the use of the LANCOM router's RADIUS server for authentication.

The ports of the LANCOM switch should only be activated for data transfer after a network client has successfully authenticated at the RADIUS server. In this scenario, the LANCOM switch serves as the authenticator.



Requirements:
  • LCOS firmware as of version 8.0
  • LANtools as of version 8.0
  • Valid X.509 server certificate and root certificate of the CA
    • A guide to creating certificates in the LANCOM router (as of LCOS 9.10) is included in the KnowledgeBase document 'Creating certificates with LANCOM Smart Certificate'.
  • LANCOM switch (e.g. LANCOM GS-23xx)
  • LANCOM router with an integrated RADIUS server (e.g. LANCOM 1781AW)


Scenario:
  • The LANCOM router is already set up to provide Internet access. Also, the RADIUS server in the LANCOM router is used to authenticate the network clients connected to the LANCOM switch. The X.509 server certificate required for authentication is available on the LANCOM router.
  • The ports of the LANCOM switch are configured so that network clients connected by cable must first authenticate at the RADIUS server with their client certificate (issued by the CA) before the port is activated for data transfer. For security reasons, the switch port performs a single authentication: the port stays blocked until one network client has authenticated successfully.

Note:
As the scenario diagram shows, a LANCOM access point can also authenticate as a network client at the switch. Just like any other network client, all the LANCOM access point needs for this is a client certificate issued by the CA (and the CA root certificate, so that it can validate the RADIUS server).

WLAN clients connecting to the LANCOM access point do not need a certificate for the switch because the access point is already authenticated at the switch and data transfer over that port is possible. Note that these WLAN clients are therefore not subject to the switch's 802.1X access control at all; access to the WLAN itself must be secured separately (e.g. with WPA2 Enterprise, for which the same RADIUS server can be used).



Sample certificates:

This configuration example uses a dedicated X.509 certificate for the RADIUS module of the LANCOM router (LANCOM_Router.p12) and a dedicated X.509 certificate for the network client (LANCOM_Client.p12). Both certificates are valid for 10 years.

The password of both sample PKCS#12 files and of the CA root certificate is lancom.



Attachments: LANCOM_Router.p12, LANCOM_Client.p12
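The attached sample files belong to the original document. As an added example that is not part of the original, the following POSIX shell script builds an equivalent set with OpenSSL: a CA named CA-LANCOM, a RADIUS server certificate (LANCOM_Router) and a client certificate (LANCOM_Client), each valid for 10 years and packaged as a PKCS#12 file with the password lancom, together with the checks worth running before uploading the files (chain verifies, server certificate carries the serverAuth EKU, client certificate carries clientAuth, the container opens with the documented password and contains the CA). The subject names, the directory layout, RSA-2048 keys and the 3DES/SHA-1 PKCS#12 encoding (chosen for compatibility with older firmware) are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original document): build and check an EAP-TLS
# PKI equivalent to the sample certificates with OpenSSL.
# Assumptions: openssl 1.1.x or 3.x is on PATH; names CA-LANCOM, LANCOM_Router
# and LANCOM_Client; password "lancom"; 10-year validity.
set -eu

PKI_PASS="lancom"
PKI_DAYS=3650   # 10 years, as in the document's sample certificates

# Write the OpenSSL config with one extension section per certificate role.
write_pki_config() {
  cat > "$1" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_server ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
[ v3_client ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = clientAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF
}

# issue_cert DIR NAME EXT_SECTION: key + CSR, signed by the CA, then PKCS#12.
issue_cert() {
  dir="$1"; name="$2"; ext="$3"
  openssl req -new -config "$dir/pki.cnf" -subj "/CN=$name" \
    -newkey rsa:2048 -nodes -keyout "$dir/$name.key" -out "$dir/$name.csr"
  openssl x509 -req -in "$dir/$name.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
    -CAcreateserial -days "$PKI_DAYS" -extfile "$dir/pki.cnf" -extensions "$ext" \
    -out "$dir/$name.crt"
  # 3DES/SHA-1 PBE so that older firmware can read the container (assumption).
  openssl pkcs12 -export -in "$dir/$name.crt" -inkey "$dir/$name.key" \
    -certfile "$dir/ca.crt" -name "$name" -passout "pass:$PKI_PASS" \
    -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -macalg sha1 \
    -out "$dir/$name.p12"
}

# make_eap_tls_pki DIR: CA, router (server) and client certificate.
make_eap_tls_pki() {
  dir="$1"
  mkdir -p "$dir"
  write_pki_config "$dir/pki.cnf"
  openssl req -x509 -config "$dir/pki.cnf" -extensions v3_ca -subj "/CN=CA-LANCOM" \
    -newkey rsa:2048 -nodes -keyout "$dir/ca.key" -out "$dir/ca.crt" -days "$PKI_DAYS"
  issue_cert "$dir" LANCOM_Router v3_server
  issue_cert "$dir" LANCOM_Client v3_client
}

# has_eku FILE TEXT: succeeds if the certificate's Extended Key Usage lists TEXT.
has_eku() {
  openssl x509 -in "$1" -noout -text | grep -A1 'Extended Key Usage' | grep -q "$2"
}

# check_eap_tls_pki DIR: the checks to run before uploading the .p12 files.
check_eap_tls_pki() {
  dir="$1"
  openssl verify -CAfile "$dir/ca.crt" "$dir/LANCOM_Router.crt" "$dir/LANCOM_Client.crt" >/dev/null
  has_eku "$dir/LANCOM_Router.crt" 'TLS Web Server Authentication'
  has_eku "$dir/LANCOM_Client.crt" 'TLS Web Client Authentication'
  # The client container must open with the documented password and carry
  # two certificates: the client certificate and the CA root.
  openssl pkcs12 -in "$dir/LANCOM_Client.p12" -passin "pass:$PKI_PASS" -nokeys \
    | grep -c 'BEGIN CERTIFICATE' | grep -qx 2
}

if [ "${1:-}" = "run" ]; then
  make_eap_tls_pki "${2:-./lancom-pki}" && check_eap_tls_pki "${2:-./lancom-pki}" && echo "PKI OK"
fi
```

Run it as `sh make_pki.sh run ./lancom-pki`; LANCOM_Router.p12 is then uploaded in step 1 and LANCOM_Client.p12 imported on the PC in step 4. The CA private key (ca.key) is not part of either container and should stay on the issuing machine only. If a device rejects the container, re-export with OpenSSL 3's `-legacy` option to obtain the older RC2-based encoding.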


LANCOM router configuration steps:

1) Upload the server certificate

Note:
A guide to creating X.509 certificates with the XCA application is included in the KnowledgeBase document 'Creating X.509 certificates using the XCA application'.


1.1) In LANconfig, right-click on the LANCOM router and select the option Configuration management -> Upload a certificate from file...



1.2) In the following dialog select the certificate file intended for the LANCOM router. This example uses the name LANCOM_Router.p12.

1.3) In the Certificate type box, select the setting EAP/TLS - container as a PKCS#12 file.

1.4) In the Password field, enter the certificate password. The password in this example is lancom.

1.5) Click on Open to load the certificate into the LANCOM router.



Note:
You can view the certificate that you loaded into the LANCOM router by starting a Telnet or SSH session on the LANCOM router and entering show eap at the command prompt.




2) Configuring the RADIUS server in the LANCOM router

2.1) Open the menu item Configuration -> RADIUS server -> General.

2.2) Enter the value for the authentication port of the internal RADIUS server (1812).



2.3) Click the button IPv4 clients and add the LANCOM switch to enable it to communicate with the RADIUS server.

  • In this example, the LANCOM switch has the local IP address 192.168.1.11 and the subnet mask entered is 255.255.255.0. Note that the mask defines the address range covered by this entry: with 255.255.255.0, every host in 192.168.1.0/24 that knows the shared secret is accepted as a RADIUS client. To admit the switch alone, enter 255.255.255.255.
  • Set the protocol to RADIUS.
  • In order for the switch to authenticate as a permitted RADIUS client at the RADIUS server, you need to set a password (shared secret). Choose a long random value; the password set here is required for the subsequent configuration of the switch.



2.4) Move to the item Configuration -> RADIUS server -> EAP.

2.5) In the selection box Default method select the value TLS.



2.6) Click on OK to accept the settings and to save them to the LANCOM router.



Configuration steps on the LANCOM switch:

3.1) Open the configuration interface for the LANCOM switch and navigate to the menu item Security -> NAS -> Configuration.
  • Set the Mode option to Enabled.
  • Under Port configuration, set the option Port-based 802.1X for those ports that are to operate with authentication as per 802.1X. In this mode the port stays blocked until one supplicant has authenticated and is then opened for all traffic on that port (this is what lets the WLAN clients behind an authenticated access point pass). If only the authenticated client's own traffic is to be forwarded, select the Single 802.1X mode instead, where the switch firmware offers it.

3.2) Scroll to the end of the configuration page and click on apply to accept the new settings.



3.3) Switch to the menu Security -> AAA -> Configuration. In the section RADIUS authentication server configuration, set the option in the first line to Enabled.
  • In the section IP address/host name, enter the local IP address of the LANCOM router.
  • The default port 1812 can be accepted as the LANCOM router also uses this as the RADIUS authentication port.
  • In the field Secret you enter the same shared secret as that entered into the configuration of LANCOM router in step 2.3.



3.4) Scroll to the end of the configuration page and click on Apply to accept the new settings. This concludes the configuration of the LANCOM switch.


Configuring a network client (PC):

Importing the client certificate into Windows Vista and Windows 7:

Note:
A guide to creating X.509 certificates with the XCA application is included in the KnowledgeBase document 'Creating X.509 certificates using the XCA application'.


4.1) Double-click on the client certificate file. This example uses LANCOM_Client.p12, a PKCS#12 container holding the client certificate, its private key and the root certificate of the CA.

4.2) Click on Install certificate.



4.3) Click on Next.



4.4) Ensure that the path to the certificate file is specified correctly and click on Next.



4.5) Enter the password used to protect the private key of the certificate. The password for our example certificate is lancom.



4.6) Leave the setting on Automatically select the certificate store, and click on Next.



4.7) Click on Finish to conclude the import of the certificate.



4.8) Confirm the subsequent security warning with Yes.



4.9) A message is displayed to indicate that the certificate was successfully imported.




Configuring the PC:

5.1) Start the Services Manager in Windows and open the Properties dialog of the service Wired AutoConfig (service name dot3svc).



5.2) Set the Startup type to Automatic and close the dialog with OK.



5.3) Start the service once, manually. After restarting the PC, the service starts automatically.



5.4) In the Network and Sharing Center, open the Properties dialog for your network adapter. On the Authentication tab, enable the option IEEE 802.1X authentication and set the authentication method to Smart Card or other certificate.



5.5) Click the Settings button.

5.6) For the When connecting option, specify Use a certificate on this computer (default setting). Disable the option to use simple certificate selection.

5.7) Enable the option Validate server certificate and, in the box below, select the relevant Trusted Root Certification Authority for the certificate from the list. In our example this is CA-LANCOM. Without this option the PC would accept any RADIUS server presenting any certificate. Optionally, also enable Connect to these servers and enter the name from the RADIUS server certificate, so that the PC checks the server's subject and not only its issuer.



5.8) Now close the configuration dialogs with the OK button. This concludes the configuration of the PC.


Function check:

6.1) Make sure that the PC is connected to the switch port that you have configured with access control as per IEEE 802.1X.

6.2) Restart your PC and log on to the system as usual.

6.3) The PC automatically authenticates with the certificate.

6.4) After a successful authentication, the switch port to which the PC is connected is activated for data transfer. If the port stays blocked, start a Telnet or SSH session on the LANCOM router and enter trace + radius to see whether Access-Request packets arrive from the switch and whether the server answers with Access-Accept or Access-Reject; a reject usually means the client certificate was not issued by the CA whose root certificate the router holds, or that the certificate has expired.
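The function check above needs the switch in place. As an added example that is not part of the original document, the following POSIX shell script tests the router's EAP-TLS configuration directly from a Linux host with eapol_test, the RADIUS test client shipped with wpa_supplicant, so that RADIUS and certificate problems can be separated from switch problems. Assumptions of this example: eapol_test is installed; the test host is itself entered as a RADIUS client on the router (step 2.3), since the router answers only known clients; the router's LAN address is 192.168.1.1; the paths of the client PKCS#12 file and the CA certificate, and the outer EAP identity LANCOM_Client, are placeholders.

```shell
#!/bin/sh
# Added example (not from the original document): probe the LANCOM router's
# RADIUS server with an EAP-TLS authentication from a Linux host.
# Assumptions: eapol_test (wpa_supplicant) is installed; the test host is a
# permitted RADIUS client on the router; paths and identity are placeholders.
set -eu

# write_eapol_test_conf OUT P12 CA: wpa_supplicant network block for EAP-TLS.
# private_key may point at a PKCS#12 file; the client certificate is taken
# from the container, so client_cert is not needed.
write_eapol_test_conf() {
  out="$1"; p12="$2"; ca="$3"
  cat > "$out" <<EOF
network={
    key_mgmt=IEEE8021X
    eap=TLS
    identity="LANCOM_Client"
    ca_cert="$ca"
    private_key="$p12"
    private_key_passwd="lancom"
    eapol_flags=0
}
EOF
}

# eap_tls_probe CONF SERVER SECRET: run one EAP-TLS authentication against
# SERVER:1812 with the RADIUS shared SECRET; returns 0 on Access-Accept,
# 1 on failure, 2 if eapol_test is not available. Full log in CONF.log.
eap_tls_probe() {
  conf="$1"; server="$2"; secret="$3"
  command -v eapol_test >/dev/null 2>&1 || { echo "eapol_test not installed" >&2; return 2; }
  eapol_test -c "$conf" -a "$server" -p 1812 -s "$secret" -t 5 >"$conf.log" 2>&1 || true
  grep -q '^SUCCESS' "$conf.log"
}

if [ "${1:-}" = "run" ]; then
  # usage: sh eap_probe.sh run <shared-secret> [router-ip] [client.p12] [ca.crt]
  write_eapol_test_conf ./eap.conf "${4:-./LANCOM_Client.p12}" "${5:-./ca.crt}"
  eap_tls_probe ./eap.conf "${3:-192.168.1.1}" "$2" && echo "EAP-TLS: Access-Accept"
fi
```

Run it as `sh eap_probe.sh run <shared-secret>`; eap.conf.log then contains the complete EAP exchange, including the server certificate the router presented and the reason for a rejection. Running `trace + radius` on the router at the same time shows the same exchange from the server side.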


Catchwords: eap; tls; authentication; certificates; X.509; switch