manual

ManualsBrandsAllied Telesis ManualsNetworkingAT-8624T/2M-V2

C613-16091-00 REV A

www.alliedtelesis.com

How To|

Introduction

This How To Note details how to take advantage of 802.1x security to ensure that users who

connect to your wireless LAN are authorised first. Additionally, it gets the RADIUS server to

pass a WEP key to the supplicant so that wireless conversations to the access points are

encrypted.

The example in this Note uses Linux for both the access

controller (RADIUS server) and the supplicant (client).

References

• The sections on freeRADIUS and Xsupplicant were

worked out by following the excellent HOWTO

written by Lars Strand: 802.1x Port-Based

Authentication HOWTO.

• If you want to create a freeRADIUS and Windows

supplicant solution, then consult this document for

the Linux configuration, and How To Use 802.1x EAP-

TLS or PEAP-MS-CHAP v2 with Microsoft Windows

Server 2003 to Make a Secure Network for the

Windows configuration. This How To Note is

available from the Allied Telesis website.

Equipment

We used the following devices and software to create

and test this setup. The instructions are generic enough

to cover any Linux platform, not just Mandrake.

• 2 x AT-8624PoE switches

• 1 x AT-8624T/2M switch

• 2 x AT-WA7400 wireless access points

• 1 x Mandrake 10.1 PC with freeRADIUS 1.0.5

(compiled from source)

• 1 x Mandrake 10.1 laptop with xsupplicant-1.0-2mdk

(Mandrake package)

Terminology

User:

A person.

Client:

A user’s laptop or PC.

Wireless Node:

A client on a wireless

network. A wireless node

is not necessarily

authenticated or

authorised to use the

network.

Supplicant:

The intermediary

application normally

contained within the

wireless node, which

handles authentication.

Controlled/uncontrolled

port:

These are virtual concepts.

The client attempts to gain

access to the controlled

port by authenticating

through the uncontrolled

port. However, since these

terms are just concepts,

they share the same

medium (in this case

thin air).

Use 802.1x Security with AT-WA7400 APs, AT-8624PoE

Switches, and Linux’s freeRADIUS and Xsupplicant

Summary of content (12 pages)

PAGE 1
How To| Use 802.1x Security with AT-WA7400 APs, AT-8624PoE Switches, and Linux’s freeRADIUS and Xsupplicant Introduction This How To Note details how to take advantage of 802.1x security to ensure that users who connect to your wireless LAN are authorised first. Additionally, it gets the RADIUS server to pass a WEP key to the supplicant so that wireless conversations to the access points are encrypted.
PAGE 2
The Allied Telesis switches can be any of the following switches: • • • • • • • • • Rapier i Series AT-8600 Series AT-8700XL Series AT-8800 Series AT-9800 Series SwitchBlade AT-8948 AT-9900 Series x900 Series Network Diagram RADIUS server 169.254.4.66 AT-8624T/2M RSTP ring 169.254.4.0/24 AT-8624PoE AT-8624PoE AT-WA7400 169.254.4.230 AT-WA7400 169.254.4.231 supplicant 169.254.4.33 Zone A Zone B 8021x-wa7400-linux.eps Use 802.
PAGE 3
Configure your Switches The three AT-8600 Series switches can run a very simple configuration if you are installing a layer two segment. Because the switches form a ring for a little redundancy, you must enable RSTP on all three switches. Enter the following commands on all three switches: enable stp=default set stp=default mode=rapid Configure your RADIUS Server Your RADIUS server needs to have freeRADIUS and OpenSSL installed. The server also requires a valid certificate to issue.
PAGE 4
radiusd.conf mschap { authtype = MS-CHAP use_mppe = yes require_encryption = yes require_strong = yes } authorize { preprocess mschap suffix eap files } authenticate { Auth-Type MS-CHAP { mschap } eap } clients.conf client 169.254.4.0/24 { secret = secret shortname = wireless } eap.conf eap { default_eap_type = peap tls { private_key_password = whatever private_key_file = ${raddbdir}/certs/cakey.pem certificate_file = ${raddbdir}/certs/cacert.crt CA_file = ${raddbdir}/certs/cacert.
PAGE 5
3. Install OpenSSL unless it is already installed You can use the OpenSSL RPM that is available on Mandrake CDROMs, or you can download it from www.openssl.org and compile it for your platform. Install it in whichever manner you prefer. 4. Generate a self-signed public certificate unless you already have a valid one This step describes how to generate a self-signed certificate and copy it into the RADIUS directory. The following commands should generate as much as you need to get a valid certificate.
PAGE 6
Install and Configure Xsupplicant on your Client This section describes how to configure the client. We assume here that you have a wireless card already working in your client. In this example, our NIC was called ath0, so you should replace all instances of ath0 with your own NIC alias. Once Xsupplicant is installed on your client, there are two or three files to configure, depending on the distribution.
PAGE 7
If you are using a distribution that does not use ifcfg files, Xsupplicant lets you write startup files to the wireless NIC as shown in the following lines of code. Note that these files do not define encryption, because Xsupplicant controls that. /usr/local/etc/1x/startup.
PAGE 8
### NETWORK SECTION allied { allow_types = all identity = manager type = wireless wireless_control = yes eap-peap { root_cert = /usr/local/etc/1x/certs/cacert.
PAGE 9
2. Set the IP address In the “Wired Settings”, set your IP address. 3. Set the radio details In the “Wireless Settings”, set your radio details appropriately for your country. Use 802.
PAGE 10
4. Set the security settings In the “Security” tab, set your authentication method. You might want to disable “Broadcast SSID”. Note that the RADIUS key should be the same as the one you entered in clients.conf on your RADIUS server. Start freeRADIUS and Xsupplicant On your RADIUS server, start freeRADIUS with “-X” to show helpful debugging: # radiusd -X On your client, start Xsupplicant and specify your config file “-c” with debugging options “-d9 f”: # xsupplicant –c /usr/local/etc/1x/xsupplicant.
PAGE 11
Confirm that Authentication Works On the AT-WA7400, check the “Client Association” tab. When you have successfully used Xsupplicant to authenticate against the RADIUS server, you will see the client’s MAC address there. Beside that, under “Status”, should be “Yes” for “Authenticated” and “Associated”. Until you have two “Yes” entries you have not been authorised to use the controlled port. Notice that in the above picture we have changed the GUI view to a different Access Point (169.254.4.231).
PAGE 12
Using a Wired Allied Telesis Switch Instead of the AT-WA7400 All Allied Telesis Rapier, AT8600, AT-8800, AT-9800, Switchblade, AT8900, AT-9900, and x900 Series switches support 802.1x port authentication. You can use any of these switches instead of the AT-WA7400. For example, if you connected your laptop directly to port 1 on the AT-8624 (see "Network Diagram" on page 2), instead of using wireless, you would apply the following configuration to the AT-8624 switch.