Network access control on wired networks with IEEE 802.1X

Monitoring

In production use, you can monitor these activities by entering tail -f /var/log/radius/radius.log:

Info: Ready to process requests.
Auth: Login OK: [uebelacker] (from client uebelhackers port 13 cli 00:19:e0:18:38:5c)

This output indicates that the owner of the certificate issued to uebelacker has logged in to switch port 13. Both Xsupplicant from the OpenSEA Alliance's [7] Open1X project [8] and the slightly better known wpa_supplicant [9] support this type of supplicant login. However, some distributions do not include these two supplicants. On Ubuntu 9.04, the Network Manager acts as a graphical front end for wpa_supplicant (see Figures 2 and 3).

On the Client

The user needs to configure an 802.1X profile in /etc/xsupplicant/xsupplicant.conf (see Listing 6), which can be tested by calling the supplicant as follows:

xsupplicant -D wired -i eth0 -d 5 -f -c /etc/xsupplicant/xsupplicant.conf

Following 802.1X authentication and the unlocking of the network port, which the tool indicates by announcing Changing from AUTHENTICATING to AUTHENTICATED, the start script assigns either a static IP or uses DHCP in the normal way. If the Xsupplicant is run in the background using /etc/init.d/xsupplicant start, and survives a reboot thanks to chkconfig xsupplicant on, 802.1X authentication will take place automatically.

Listing 6

xsupplicant.conf

 

Testing

The wpa_supplicant package provides a means for testing the configuration:

wpa_supplicant -i eth0 -D wired -c /etc/wpa_supplicant/wired.conf

Now you need to create a wired.conf configuration file, as specified in Listing 7. Because 802.1X authentication is wire based, you can use version 2 of eapol_version and disable the access point scan.

Listing 7

wired.conf

 

The supplicant announces CTRL-EVENT-EAP-SUCCESS in the case of a successful authentication. To run the client permanently in the background and authenticate the client automatically in case of 802.1X ports, users need to modify /etc/network/interfaces, as shown in Listing 8 for Debian – assuming they use DHCP. Otherwise, change dhcp to static and define a static IP address. /etc/init.d/networking restart enables these settings. If the client achieves authorized state via a non-IEEE 802.1X port, the login attempt will be redundant, but the client will work normally.

Listing 8

Interfaces Enables DHCP

 

Buy Linux Magazine

SINGLE ISSUES
 
SUBSCRIPTIONS
 
TABLET & SMARTPHONE APPS
Get it on Google Play

US / Canada

Get it on Google Play

UK / Australia

Related content

  • Radius and 802.1X

    The Radius protocol is typically used to authenticate users in dial-up scenarios. But Radius is also useful in LAN environments: in combination with 802.1X, Radius forces users to authenticate at a low level before the switch opens up a port.

comments powered by Disqus

Direct Download

Read full article as PDF:

News