Register Radius Server
- How to get into the ordering process: Order Management
Configuring Radius-Server:
- To ensure the 802.1x setup runs correctly, certain parameters need to be configured on the Radius server.
- If you want to change a configuration, you must remove the entire configuration and recreate it.
- If you disable 802.1x, the ports on the switch remain set to Dynamic and must be manually adjusted, if required.
- This is a temporary solution. In the future, the default value will be restored.
Enter Radius Servers in the Dashboard:
- Standard IEEE 802.1X provides you with a general method for authentication and authorization in IEEE-802 networks.
- In the Settings > RADIUS Server menu item, you can add the configuration for a Radius server:
- Click on Settings / Configuration
- Create new RADIUS Server Configuration
- Under Server name you can give the Radius server a user-defined name and enter the IP address of the server.
- The Radius server can be in any IP segment as long as an IP connection from the Radius client is possible.
- On the Radius server, you must set a password (shared key) that is no longer than 32 characters.
- The shared key applies to all clients connected to a Radius server.
- If you add an additional client, the shared key is automatically applied. You can optionally define a separate shared key for each Radius client (see Section below).
- Confirm and save the information
- Send the shopping basket to activate the configuration
- Configurations are not actively written to the network components until you have sent the shopping cart.
- You can do this after each step or (recommended) only after several steps.
Defaults for locations:
- Under Settings > RADIUS Server, the Defaults for locations menu item lets you define default values that can be assigned to all locations.
- Set the default Radius server for Radius clients at a location.
Attributes:
- The assignment of the group to the supplicant takes place via three attributes: Tunnel-Medium-Type, Tunnel-Private-Group-ID and Tunnel-Type.
- These attributes should be added to the Radius Access-Accept data on the Radius server.

Tunnel-Medium-Type = IEEE-802(6)
- The value of the Tunnel-Medium-Type attribute must be set to IEEE-802.

Tunnel-Private-Group-ID = $[VLAN_NAME]
- The value of the attribute Tunnel-Private-Group-ID must be the character '$', followed by the VLAN name that is assigned to the supplicant.
- If the VLAN name is 'VLAN1', for example, the Tunnel-Private-Group-ID must be defined as follows: Tunnel-Private-Group-ID = $VLAN1
- If the VLAN name includes spaces, double quotation marks must be added at the beginning and end.
- If the VLAN name is 'VLAN 2', for example, the Tunnel-Private-Group-ID must be defined as follows: Tunnel-Private-Group-ID = "$VLAN 2"

Tunnel-Type = VLAN(13)
- The value of the Tunnel-Type attribute must be set to VLAN.

- If some attributes are missing or the authenticator does not match the group name, the supplicant will not be assigned to the group.
- The Tag for the parameters Tunnel-Medium-Type, Tunnel-Private-Group-ID and Tunnel-Type has to remain on 0:

AVP: t=Tunnel-Medium-Type(65) l=6 Tag=0x00 val=IEEE-802(6)
    Type: 65
    Length: 6
    Tag: 0x00
    Tunnel-Medium-Type: IEEE-802 (6)
AVP: t=Tunnel-Private-Group-Id(81) l=9 val=$group1
    Type: 81
    Length: 9
    Tunnel-Private-Group-Id: $group1
AVP: t=Tunnel-Type(64) l=6 Tag=0x00 val=VLAN(13)
    Type: 64
    Length: 6
    Tag: 0x00
    Tunnel-Type: VLAN (13)
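
The attribute rules above can be checked against the attribute section of a captured Access-Accept before a port is switched to 802.1X. The following is an added example, not part of the original documentation: the names `avp`, `parse_avps`, `check_vlan_assignment` and `SAMPLE` are hypothetical, the sample bytes are constructed from the AVP values in the capture above, and it assumes the double quotes around VLAN names with spaces are server configuration syntax that is not sent on the wire.

```python
# Added example: attribute numbers and values are those shown on this page.
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
EXPECTED = {TUNNEL_TYPE: ("Tunnel-Type", 13),                # VLAN(13)
            TUNNEL_MEDIUM_TYPE: ("Tunnel-Medium-Type", 6)}   # IEEE-802(6)

def avp(attr_type, value):
    """Encode one attribute: Type (1 byte), Length (1 byte, includes header), Value."""
    return bytes([attr_type, len(value) + 2]) + value

def parse_avps(data):
    """Split the attribute section of a RADIUS packet into {type: value}."""
    found, pos = {}, 0
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated attribute header")
        attr_type, length = data[pos], data[pos + 1]
        if length < 2 or pos + length > len(data):
            raise ValueError(f"bad length {length} in attribute {attr_type}")
        found[attr_type] = data[pos + 2:pos + length]
        pos += length
    return found

def check_vlan_assignment(data, vlan_name):
    """Return a list of problems; an empty list means all three attributes match."""
    found, problems = parse_avps(data), []
    for attr_type, (name, want) in EXPECTED.items():
        value = found.get(attr_type)
        if value is None:
            problems.append(f"{name} missing")
        elif len(value) != 4:            # Tag byte + 3-byte value
            problems.append(f"{name} length is {len(value) + 2}, expected 6")
        elif value[0] != 0:
            problems.append(f"{name} Tag is {value[0]:#04x}, expected 0x00")
        elif int.from_bytes(value[1:], "big") != want:
            problems.append(f"{name} value is not {want}")
    group = found.get(TUNNEL_PRIVATE_GROUP_ID)
    if group is None:
        return problems + ["Tunnel-Private-Group-ID missing"]
    if group and group[0] <= 0x1F:       # RFC 2868: a leading byte <= 0x1F is a Tag
        if group[0] != 0:
            problems.append(f"Tunnel-Private-Group-ID Tag is {group[0]:#04x}, expected 0x00")
        group = group[1:]
    # Assumption: quotes around names with spaces are config syntax, not sent on the wire.
    if group != b"$" + vlan_name.encode():
        problems.append(f"Tunnel-Private-Group-ID is {group!r}, expected ${vlan_name}")
    return problems

# Constructed sample: the three AVPs from the capture on this page.
SAMPLE = avp(65, bytes([0, 0, 0, 6])) + avp(81, b"$group1") + avp(64, bytes([0, 0, 0, 13]))
```

An empty result for `check_vlan_assignment(SAMPLE, "group1")` means the Access-Accept carries all three attributes in the form this page requires.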
Considerations regarding the Switch:
- A Switch port that is configured as 802.1X is configured for 802.1X user-based access control for multiple users.
- In addition, the port is configured as MAC authentication for multiple devices.
- The authentication method for user-based access is eap-radius; for MAC authentication it is chap-radius.
- Each Dynamic port on the Switch supports multiple 802.1X supplicants.
- They can be authenticated MAC-based, user-based, or certificate-based.
Considerations regarding Access Point:
- Regarding 802.1x on WLAN, the Access Points currently do not allow a WiFi supplicant to authenticate by MAC.
- MAC-based authentication is weak from a security standpoint.