Network access control on wired networks with IEEE 802.1X


In production use, you can monitor these activities by entering tail -f /var/log/radius/radius.log:

Info: Ready to process requests.
Auth: Login OK: [uebelacker] (from client uebelhackers port 13 cli 00:19:e0:18:38:5c)

This output indicates that the owner of the certificate issued to uebelacker has logged in to switch port 13. Both Xsupplicant from the OpenSEA Alliance's [7] Open1X project [8] and the slightly better known wpa_supplicant [9] support this type of supplicant login. However, some distributions do not include these two supplicants. On Ubuntu 9.04, the Network Manager acts as a graphical front end for wpa_supplicant (see Figures 2 and 3).
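To make the radius.log lines shown above useful for monitoring, here is an added example (not code from the article) that parses the Auth: lines FreeRADIUS writes, records which identity was admitted on which switch port, and counts failed attempts per client MAC; the sample log, the second and third users and all MAC addresses in it are constructed.

```python
import re
from collections import Counter

# Matches the "Auth: Login OK/incorrect" lines radius.log carries, with or
# without the timestamp that normally precedes them (search() ignores it).
AUTH_LINE = re.compile(
    r"Auth: Login (?P<result>OK|incorrect): \[(?P<identity>[^\]]*)\] "
    r"\(from client (?P<client>\S+) port (?P<port>\d+)"
    r"(?: cli (?P<mac>[0-9a-fA-F:]{17}))?\)"
)

def parse_auth_line(line):
    """Return a dict for an Auth: line, or None for other lines (Info:, Error:, ...)."""
    m = AUTH_LINE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["port"] = int(rec["port"])
    rec["ok"] = rec.pop("result") == "OK"
    if rec["mac"]:
        rec["mac"] = rec["mac"].lower()   # normalise for comparison
    return rec

def summarise(lines):
    """Map (client, port) -> last admitted identity; count failures per (client, port, mac)."""
    port_owner = {}
    failures = Counter()
    for line in lines:
        rec = parse_auth_line(line)
        if rec is None:
            continue
        key = (rec["client"], rec["port"])
        if rec["ok"]:
            port_owner[key] = rec["identity"]
        else:
            failures[key + (rec["mac"],)] += 1
    return port_owner, failures

# Constructed sample log: only the first Auth: line comes from the article.
SAMPLE_LOG = """\
Info: Ready to process requests.
Auth: Login OK: [uebelacker] (from client uebelhackers port 13 cli 00:19:e0:18:38:5c)
Auth: Login incorrect: [mallory] (from client uebelhackers port 7 cli 00:11:22:33:44:55)
Auth: Login incorrect: [mallory] (from client uebelhackers port 7 cli 00:11:22:33:44:55)
Auth: Login OK: [alice] (from client uebelhackers port 7 cli 00:11:22:33:44:66)
""".splitlines()

if __name__ == "__main__":
    owners, fails = summarise(SAMPLE_LOG)
    for (client, port), ident in sorted(owners.items()):
        print(f"{client} port {port}: {ident}")
    for (client, port, mac), n in fails.items():
        print(f"{n} failed login(s) on {client} port {port} from {mac}")
```

Feeding the output of tail -f into summarise() line by line gives a running picture of which certificate owner sits behind which port and where repeated failures cluster.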

On the Client

The user needs to configure an 802.1X profile in /etc/xsupplicant/xsupplicant.conf (see Listing 6), which can be tested by calling the supplicant as follows:

xsupplicant -D wired -i eth0 -d 5 -f -c /etc/xsupplicant/xsupplicant.conf

Following 802.1X authentication and the unlocking of the network port, which the tool indicates by announcing Changing from AUTHENTICATING to AUTHENTICATED, the start script either assigns a static IP address or uses DHCP in the normal way. If Xsupplicant is run in the background using /etc/init.d/xsupplicant start, and survives a reboot thanks to chkconfig xsupplicant on, 802.1X authentication will take place automatically.

Listing 6

default_netname = intranet
intranet {
    type = wired
    allow_types = eap_tls
    identity = uebelacker
    eap_tls {
        user_cert = "/path/to/"
        user_key = "/path/to/"
        user_key_pass = "Usercert-Passwort"
        root_cert = "/path/to/ca.pem"
        chunk_size = 1398
        random_file = /dev/urandom
    }
}


The wpa_supplicant package provides a means for testing the configuration:

wpa_supplicant -i eth0 -D wired -c /etc/wpa_supplicant/wired.conf

Now you need to create a wired.conf configuration file, as specified in Listing 7. Because the 802.1X authentication runs over a wired link, you can set eapol_version to 2 and disable the access point scan (ap_scan=0).

Listing 7

eapol_version=2
ap_scan=0
fast_reauth=1
network={
    key_mgmt=IEEE8021X
    eap=TLS
    identity="uebelacker"
    ca_cert="/path/to/ca.pem"
    client_cert="/path/to/"
    private_key="/path/to/"
    private_key_passwd="Usercert-Passwort"
    eapol_flags=0
}

The supplicant announces CTRL-EVENT-EAP-SUCCESS in the case of a successful authentication. To run the client permanently in the background and authenticate it automatically on 802.1X-protected ports, users need to modify /etc/network/interfaces, as shown in Listing 8 for Debian, assuming they use DHCP. Otherwise, change dhcp to static and define a static IP address. /etc/init.d/networking restart enables these settings. If the client reaches the authorized state on a port that does not enforce IEEE 802.1X, the login attempt is redundant, but the client still works normally.

Listing 8

Interfaces Enables DHCP

auto eth0
iface eth0 inet dhcp
    wpa-iface eth0
    wpa-driver wired
    wpa-conf /etc/wpa_supplicant/wired.conf
