Network access control on wired networks with IEEE 802.1X
Monitoring
In production use, you can monitor these activities by entering tail -f /var/log/radius/radius.log:
Info: Ready to process requests. Auth: Login OK: [uebelacker] (from client uebelhackers port 13 cli 00:19:e0:18:38:5c)
This output indicates that the owner of the certificate issued to uebelacker has logged in to switch port 13. Both Xsupplicant from the OpenSEA Alliance's [7] Open1X project [8] and the slightly better known wpa_supplicant [9] support this type of supplicant login. However, some distributions do not include these two supplicants. On Ubuntu 9.04, the Network Manager acts as a graphical front end for wpa_supplicant (see Figures 2 and 3).
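The radius.log lines shown above are easy to watch by hand on one switch, but on a busy RADIUS server you will want to turn them into records. The following script is an added example, not part of the original article: it parses FreeRADIUS "Login OK" / "Login incorrect" lines into structured fields and flags ports with repeated failures. The log lines other than the one quoted above are constructed samples.

```python
import re
from collections import Counter

# FreeRADIUS auth log format, as in /var/log/radius/radius.log:
#   Auth: Login OK: [user] (from client NAS port N cli MAC)
# A leading "<timestamp> : " prefix is optional, because tail output
# excerpts (as in the article) often omit it. FreeRADIUS may also log the
# user as "[user/<via Auth-Type = EAP>]", which the regex tolerates.
AUTH_RE = re.compile(
    r"(?:(?P<ts>.+?) : )?Auth: Login (?P<result>OK|incorrect): "
    r"\[(?P<user>[^\]/]+)(?:/[^\]]*)?\]"
    r" \(from client (?P<nas>\S+) port (?P<port>\d+)"
    r"(?: cli (?P<mac>[0-9A-Fa-f:.-]+))?\)"
)

# Constructed sample log; the first "Login OK" line is the one from the article.
SAMPLE_LOG = [
    "Info: Ready to process requests.",
    "Auth: Login OK: [uebelacker] (from client uebelhackers port 13 cli 00:19:e0:18:38:5c)",
    "Auth: Login incorrect: [guest] (from client uebelhackers port 7 cli 00:11:22:33:44:55)",
    "Auth: Login incorrect: [guest] (from client uebelhackers port 7 cli 00:11:22:33:44:55)",
    "Auth: Login incorrect: [guest] (from client uebelhackers port 7 cli 00:11:22:33:44:55)",
]


def parse_auth_line(line):
    """Return a dict for an authentication line, or None for any other line."""
    m = AUTH_RE.search(line)
    if not m:
        return None
    return {
        "user": m.group("user"),
        "ok": m.group("result") == "OK",
        "nas": m.group("nas"),           # switch name as known to FreeRADIUS
        "port": int(m.group("port")),    # NAS-Port, i.e. the switch port
        "mac": (m.group("mac") or "").lower(),
    }


def summarize(lines, fail_threshold=3):
    """Map (nas, port) -> last successful login, plus ports with repeated failures."""
    logins = {}
    failures = Counter()
    for line in lines:
        rec = parse_auth_line(line)
        if rec is None:
            continue
        key = (rec["nas"], rec["port"])
        if rec["ok"]:
            logins[key] = rec
        else:
            failures[key] += 1
    suspicious = {k: n for k, n in failures.items() if n >= fail_threshold}
    return logins, suspicious


if __name__ == "__main__":
    logins, suspicious = summarize(SAMPLE_LOG)
    for (nas, port), rec in logins.items():
        print(f"{nas} port {port}: {rec['user']} ({rec['mac']})")
    for (nas, port), n in suspicious.items():
        print(f"WARNING: {n} failed logins on {nas} port {port}")
```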
On the Client
The user needs to configure an 802.1X profile in /etc/xsupplicant/xsupplicant.conf (see Listing 6), which can be tested by calling the supplicant as follows:
xsupplicant -D wired -i eth0 -d 5 -f -c /etc/xsupplicant/xsupplicant.conf
Following 802.1X authentication and the unlocking of the network port, which the tool indicates by announcing Changing from AUTHENTICATING to AUTHENTICATED, the start script assigns either a static IP or uses DHCP in the normal way. If the Xsupplicant is run in the background using /etc/init.d/xsupplicant start, and survives a reboot thanks to chkconfig xsupplicant on, 802.1X authentication will take place automatically.
Listing 6
xsupplicant.conf
Testing
The wpa_supplicant package provides a means for testing the configuration:
wpa_supplicant -i eth0 -D wired -c /etc/wpa_supplicant/wired.conf
Now you need to create a wired.conf configuration file, as specified in Listing 7. Because the 802.1X authentication runs over a wired port, you can set eapol_version to 2 and disable the access point scan.
Listing 7
wired.conf
The supplicant announces CTRL-EVENT-EAP-SUCCESS in the case of a successful authentication. To run the supplicant permanently in the background and authenticate automatically on 802.1X-controlled ports, modify /etc/network/interfaces as shown in Listing 8 for Debian, assuming you use DHCP. Otherwise, change dhcp to static and define a static IP address. /etc/init.d/networking restart enables these settings. If the client reaches the authorized state through a port that does not enforce IEEE 802.1X, the login attempt is redundant, but the client still works normally.
Listing 8
Interfaces Enables DHCP