Example for Configuring NAC (PacketFence as the Authentication Server)


Networking Requirements

As shown in Figure 1, a large number of user terminals access the Authenticated Access Zone of a company through ge-1/1/1 of the PICA8 Switch (as the access device). If the user terminals are not authenticated, any visitor may easily steal the company's confidential information or attack the company's intranet, resulting in an insecure intranet.

Figure 1. Networking Diagram for Configuring 802.1X Authentication

To ensure network access security, the administrator employs 802.1X authentication on the Switch and PacketFence server, to control the network access of the user terminals. The Switch allows the user terminals to access resources in the Authenticated Access Zone only when the 802.1X authentication is successfully passed.

There are both PCs and dumb terminals, such as printers and IP phones, connected to the enterprise network. In order to flexibly adapt to different authentication requirements from different access terminals in the user environment, both 802.1X authentication and MAB authentication should be deployed on the PICA8 access switch. Users can access the network through either 802.1X or MAB authentication, or both authentication modes.

Basic Configuration Plan

Table 1. PICA8 Switch Data Plan

Items                                         | Data                 | Description
----------------------------------------------|----------------------|--------------------------------------------------------------
PICOS version                                 | PICOS: 2.11.22       | -
PacketFence server IP address                 | 192.168.10.7         | -
Shared-key                                    | pica8                | Make sure you enter the same secret key as shared-key on the PacketFence server when adding the PICA8 switch to the PacketFence database.
Authentication mode                           | 802.1x, mac-radius   | Enable both 802.1X and MAB authentication methods.
RADIUS dynamic authorization client for       | 192.168.10.7         | -
Change of Authorization (CoA)                 |                      |


Table 2. PacketFence Server Data Plan

Items                                   | Data                                                | Description
----------------------------------------|-----------------------------------------------------|--------------------------------------------------------------
Switch IP address                       | 192.168.10.10                                       | The IP address of ge-1/1/2 on the PICA8 switch, using in-band communication.
Access user                             | Username: pica8                                     | Note: the Ethernet-EAP connection type means the client is connecting using 802.1X credentials.
                                        | Password: Pica8pica8                                |
                                        | Connection Profile: Connection Type = Ethernet-EAP  |
                                        | Sources: local                                      |
MAC address of the connected dumb       | MAC address: 00:00:06:00:00:07                      | No need to specify a username and password for MAC authentication in the PacketFence database (the node's MAC address is used by the switch as the username and password when sending an Access-Request on behalf of the client).
terminal device                         | Connection Profile: Connection Type = WIRED_MAC_AUTH |
RADIUS secret key                       | pica8                                               | Make sure you enter this same secret key as shared-key on the switch when configuring the 802.1X protocol on the PICA8 switch.
RADIUS authentication methods           | MSCHAPv2 and PEAP                                   | On the client side, also set PEAP and MSCHAPv2 for the 802.1X configuration.

Configuration Notes

  •   The shared key must be consistently configured on PICA8 switch and the PacketFence server.
  •   On the client side, also set PEAP and MSCHAPv2 for the 802.1X configuration; these must match the RADIUS authentication methods configured on the PacketFence server.
  •   Make sure the 802.1X client software is installed and enabled on the client device.

Configuration Roadmap

1.     Configure PICA8 Switch, including the VLAN to which the access interface belongs, parameters for connecting to the PacketFence server, and enabling 802.1X and MAB authentication.

NOTE:

Make sure the PacketFence server is reachable over the network from the PICA8 switch.

2.     Configure the PacketFence server:

a.  Log in to the PacketFence server.

b.  Add a switch to the PacketFence server.

c.  Add a user and node to the PacketFence server.

d.  Add the secret key and Radius Authentication Methods on the PacketFence server.

e.  Packetfence configuration file changes and miscellaneous configurations.

Procedure

PICA8 Switch Configuration

Step1         Configure the VLAN interface.

admin@XorPlus# set vlans vlan-id 100
admin@XorPlus# set vlans vlan-id 200
admin@XorPlus# set interface gigabit-ethernet ge-1/1/1 family ethernet-switching port-mode trunk
admin@XorPlus# set interface gigabit-ethernet ge-1/1/3 family ethernet-switching native-vlan-id 200
admin@XorPlus# set vlans vlan-id 100 l3-interface vlan100
admin@XorPlus# set vlans vlan-id 200 l3-interface vlan200
admin@XorPlus# set l3-interface vlan-interface vlan100 address 192.168.10.10 prefix-length 24
admin@XorPlus# set l3-interface vlan-interface vlan200 address 192.168.20.10 prefix-length 24

Step2         Configure IP address of PacketFence server and the shared key.

admin@XorPlus# set protocols dot1x aaa radius authentication server-ip 192.168.10.7 shared-key pica8

Step3         Configure the NAS IP address as the IP address of the L3 VLAN interface that connects to the RADIUS server.

admin@XorPlus# set protocols dot1x aaa radius nas-ip 192.168.10.10

    This command sets the NAS-IP-Address field in the RADIUS Access-Request messages. If you use the management interface eth0/eth1 to reach the RADIUS server, configure the IP address of that management interface as the NAS IP address here.

Step4         Enable 802.1X and MAB authentication mode on interface ge-1/1/1.

admin@XorPlus# set protocols dot1x interface ge-1/1/1 auth-mode 802.1x
admin@XorPlus# set protocols dot1x interface ge-1/1/1 auth-mode mac-radius

Step5         Configure the host mode to multiple for the interface ge-1/1/1.

admin@XorPlus# set protocols dot1x interface ge-1/1/1 host-mode multiple

Step6         (Optional) Configure a RADIUS dynamic authorization client from which the switch accepts Change of Authorization (CoA) messages.

admin@XorPlus# set protocols dot1x aaa radius dynamic-author client 192.168.10.7 shared-key pica8

Step7         Commit the configuration.

admin@XorPlus# commit

PacketFence Configuration

Step1         Log in to the PacketFence server.

   a)      Go to the web login page at: https://server-ip:1443/admin/

   b)     Enter the username/password and click Login. (You set up the username/password during the initial configuration of PacketFence.)

Step2         Add a switch to the PacketFence server.

   a)      Click Configuration > Switches > ADD SWITCH > default.

   b)     Add switch with the switch IP address: 192.168.10.10.

   c)      Choose type as Pica8 and mode as production.

   d)     Click on Radius tab and enter secret key. Make sure you enter this same secret key as shared-key on the switch when configuring 802.1X protocol on PICA8 switch.

   e)      Click on the Roles tab and make sure Role mapping by VLAN ID is checked; define your roles and the VLANs they map to here.

   f)      For the Deauthentication Method, select RADIUS.

   g)     Make sure the use CoA box is checked.

   h)     Leave all other settings at their defaults and click Save to add the switch to the PacketFence database.

Refer to Figure 2 which illustrates adding a new switch to PacketFence.

Figure 2. Add PICA8 switch to PacketFence


Step3         Add a User to PacketFence Database.

For 802.1X authentication, we must first add all our users to the PacketFence database. The username and password are the two most important attributes in 802.1X authentication: the username and password the client sends in the Access-Request must match an entry in the PacketFence database, otherwise 802.1X authentication will not succeed. Follow the steps below to add a user to PacketFence.

a)      Click on USERS > Create.

b)     Enter username, password and email address for this user.

c)      You can enter other user details as per requirement like Firstname, Company etc.

d)     Enter the time in Registration Window (mandatory).

e)      In Action, Choose Role and then select a proper role for this user.

f)      Choose appropriate access duration (mandatory).

g)     Click CREATE USERS to save the user to PacketFence. 

Refer to Figure 3 below for an illustration.

Figure 3. Adding a User in PacketFence


Step4         Add a connection profile in Packetfence.

   a)      Click on CONFIGURATION > Connection Profiles > ADD PROFILE.

   b)     Give it any name and description, say dot1x.

   c)      Add a filter to the dot1x profile: If Any... Connection Type = Ethernet-EAP.

   d)     Choose sources as local.

   e)      For Device registration select default.

   f)      Leave the remaining options as they are (default values).

   g)     Click Save to save your changes.

Note: Ethernet-EAP connection type means the client is connecting using 802.1X credentials.

The above Connection Profile would be activated whenever 802.1X authentication requests are received at the PacketFence server.

Refer to Figure 4 for illustration.

Figure 4. Adding a Connection Profile


Step5         Configure PacketFence for MAC Authentication.

   For MAC authentication we need to perform the following steps:

   a)      Add a node to the PacketFence database (similar to how we add a node for 802.1X Authentication).

   b)     Add the MAC address: 00:00:06:00:00:07. Note: No need to specify a username and password for MAC authentication in the PacketFence database (the node's MAC address is used by the switch as the username and password when sending an Access-Request on behalf of the client).

   c)      Add a connection profile for MAC authentication. A single Connection Profile could serve both 802.1X and MAC authentication, but it is better to keep a separate Connection Profile for each of the two authentication types. To add a MAC authentication profile, follow the procedure for adding a Connection Profile in the 802.1X section, with one exception: for the Connection Type in the Filter, choose WIRED_MAC_AUTH. The rest of the procedure is the same as for 802.1X.
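To make the switch-side behaviour behind Step 3 (the nas-ip field) and Step 5 (the MAC used as username and password) concrete, here is an added example that is not part of the PICA8 or PacketFence documentation. It builds the RADIUS Access-Request a switch sends for the printer's MAC, using this guide's NAS IP and shared key, and shows that the server can only recover the User-Password when its shared key matches; the colon-less MAC form and the exact attribute set are assumptions.

```python
import hashlib
import secrets
import struct

# Constructed from this guide's values: NAS IP 192.168.10.10, shared key "pica8", printer MAC
# 00:00:06:00:00:07. Attribute type codes and the password scheme are from RFC 2865.
SHARED_KEY, NAS_IP, PRINTER_MAC = b"pica8", "192.168.10.10", "00:00:06:00:00:07"
ACCESS_REQUEST = 1
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, CALLING_STATION_ID = 1, 2, 4, 31

def pap_xor(data: bytes, secret: bytes, authenticator: bytes, decrypt: bool = False) -> bytes:
    """RFC 2865 5.2 chaining: each 16-byte block is XORed with MD5(secret + previous cipher block)."""
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        mixed = bytes(a ^ k for a, k in zip(block, hashlib.md5(secret + prev).digest()))
        out, prev = out + mixed, (block if decrypt else mixed)
    return out

def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Switch side: NUL-pad to a multiple of 16 bytes, then apply the keystream."""
    return pap_xor(password + b"\x00" * (-len(password) % 16), secret, authenticator)

def recover_password(cipher: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side: same keystream, strip the padding. A mismatched shared key yields garbage."""
    return pap_xor(cipher, secret, authenticator, decrypt=True).rstrip(b"\x00")

def attr(code: int, value: bytes) -> bytes:
    """One RADIUS attribute: type, total length, value."""
    return struct.pack("!BB", code, 2 + len(value)) + value

def build_mab_request(mac: str, nas_ip: str, secret: bytes, ident: int = 1, authenticator: bytes = b"") -> bytes:
    """Access-Request sent for a non-802.1X client: the MAC serves as both User-Name and User-Password."""
    authenticator = authenticator or secrets.token_bytes(16)  # 16 random bytes per request
    mac_user = mac.replace(":", "").encode()  # assumption: colon-less MAC form; PacketFence normalises it
    attrs = attr(USER_NAME, mac_user)
    attrs += attr(USER_PASSWORD, hide_password(mac_user, secret, authenticator))
    attrs += attr(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))  # the nas-ip set in Step 3
    attrs += attr(CALLING_STATION_ID, mac.encode())
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs

def parse_attrs(packet: bytes) -> dict:
    """Decode the 20-byte header and walk the type/length/value attribute list."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    fields, pos = {"code": code, "id": ident, "authenticator": packet[4:20]}, 20
    while pos < length:
        atype, alen = packet[pos], packet[pos + 1]
        fields[atype], pos = packet[pos + 2:pos + alen], pos + alen
    return fields
```

The mismatched-key case is the one you hit when the shared-key on the switch and the RADIUS secret in PacketFence differ: the request parses fine, but the recovered password is garbage and authentication is rejected.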

Step6         Configure Radius Authentication Methods in Packetfence.

   a)      Click on CONFIGURATION > System Config (bottom item on far left) > Authentication Methods.

   b)     For EAP Auth Type, remove all methods except MSCHAPv2 and PEAP. You can also add MD5 here if you wish to use MD5 with 802.1X.

   c)      Click SAVE.

   d)     On the client side also set PEAP and MSCHAPv2 for 802.1X configuration.

Refer to Figure 5 below for illustration.

Figure 5. Configuring Radius Authentication Methods


Step7         Miscellaneous configurations.

   a)      We need to set the way PacketFence stores passwords in its database. For PICA8 switches, user passwords must be saved as plaintext (MSCHAPv2 needs the cleartext password or its NT hash on the server side, so a one-way hash cannot be used). To achieve this, follow the steps below:

          Click on Configuration > System Config > Advanced > Database passwords hashing method > choose plaintext.

   b)     To enable RADIUS communication on the management interface, make the following changes so that RADIUS messages are accepted on that interface.

          Click on Configuration > Network Configuration > Interfaces > click eth0 > Type = Management.

  For the Additionnal listening daemon(s) choose radius.

Step8         Packetfence configuration file changes.

   a)      To allow local authentication with radius integrated with packetfence, uncomment the line packetfence-local-auth in /usr/local/pf/conf/radiusd/packetfence-tunnel. 

   b)     To allow EAP-MD5 authentication, add packetfence-eap-mac-policy line just before packetfence-eap-mac-policy in file /usr/local/pf/conf/radiusd/packetfence 

Note: It is recommended to use PEAP for 802.1X authentication, as it is considered more secure than MD5.

Verify the Configuration

  • Run the run show dot1x interface and run show dot1x mab commands to check the 802.1X and MAB authentication status. The command output (PortEnabled = true) shows that 802.1X authentication has been enabled on interface ge-1/1/1 and that MAC address 00:00:06:00:00:07 has been successfully authenticated.

admin@XorPlus# run show dot1x interface gigabit-ethernet ge-1/1/1
Interface ge-1/1/1:
============================================================
  Client MAC              : 00:00:06:00:00:07
  Status                  : authorized
  Success Auth Method     : 802.1x
  Dynamic VLAN ID         : 200 (active)
============================================================
  Client MAC              : e0:db:55:cd:84:62
  Status                  : authorized
  Success Auth Method     : MAB
  Dynamic VLAN ID         : 200 (active)
============================================================
  • The user starts the 802.1X client software on the terminal, enters the username and password, and starts authentication.
  • If the user name and password are correct, there will be an authentication success message displayed. Then users can access the network through this port.
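As an added example (not from the PICA8 guide), a small parser for the show dot1x interface output above that turns each client into a record and flags any client that is not authorized or that landed in a VLAN outside the ones your PacketFence roles map to. The first two clients are copied from the output above; the third (aa:bb:cc:00:00:99 in VLAN 100) is constructed to show the wrong-VLAN case.

```python
import re
from typing import Dict, List
# Constructed sample in the format of this guide's "run show dot1x interface"; the third client (VLAN 100) is added to show a wrong-VLAN case.
SAMPLE_OUTPUT = """\
Interface ge-1/1/1:
============================================================
  Client MAC              : 00:00:06:00:00:07
  Status                  : authorized
  Success Auth Method     : 802.1x
  Dynamic VLAN ID         : 200 (active)
============================================================
  Client MAC              : e0:db:55:cd:84:62
  Status                  : authorized
  Success Auth Method     : MAB
  Dynamic VLAN ID         : 200 (active)
============================================================
  Client MAC              : aa:bb:cc:00:00:99
  Status                  : authorized
  Success Auth Method     : MAB
  Dynamic VLAN ID         : 100 (active)
============================================================
"""
FIELD = re.compile(r"^\s*(Client MAC|Status|Success Auth Method|Dynamic VLAN ID)\s*:\s*(.+?)\s*$")

def parse_dot1x_clients(text: str) -> List[Dict[str, str]]:
    """One record per client, tagged with its interface; each 'Client MAC' line starts a new record."""
    clients, current, iface = [], None, None
    for line in text.splitlines():
        head = re.match(r"^Interface (\S+):", line)
        if head:
            iface = head.group(1)
            continue
        m = FIELD.match(line)
        if not m:
            continue
        key, value = m.groups()
        if key == "Client MAC":
            current = {"interface": iface, "mac": value.lower()}
            clients.append(current)
        elif current is not None:
            current[key] = value
    return clients

def unexpected_clients(clients: List[Dict[str, str]], allowed_vlans=("200",)) -> List[Dict[str, str]]:
    """Flag clients that are not authorized or whose dynamic VLAN is outside the expected role mapping."""
    flagged = []
    for c in clients:
        vlan = c.get("Dynamic VLAN ID", "").split(" ")[0]  # "200 (active)" -> "200"
        if c.get("Status") != "authorized" or vlan not in allowed_vlans:
            flagged.append(c)
    return flagged
```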

Appendix

A sample configuration file of the switch when using the out-of-band (OOB) management port (i.e. eth0) to connect to PacketFence is provided here.

# ge-1/1/11 and ge-1/1/13 are the access ports on which 802.1x authentication is enabled.
  set interface gigabit-ethernet ge-1/1/11 family ethernet-switching port-mode "trunk"
  set interface gigabit-ethernet ge-1/1/13 family ethernet-switching port-mode "trunk"
  set protocols dot1x interface ge-1/1/11 auth-mode "mac-radius"
  set protocols dot1x aaa radius authentication server-ip 10.10.53.234 shared-key "test"
  set vlans vlan-id 10
  set vlans vlan-id 20
  set vlans vlan-id 30

Copyright © 2024 Pica8 Inc. All Rights Reserved.