# Wired 802.1x with MD5


Authentication server (FreeRADIUS)

# apt-get install freeradius
# cat /etc/freeradius/clients.conf
# NAS definition for the Catalyst 2960 configured further down. Only
# packets from this address are accepted, and the secret must equal the
# switch's "key MYSECRET". The value here is a placeholder: use a long,
# random, per-NAS secret, and keep this file readable by the freerad user
# only, because the secret is what protects the RADIUS exchange (packet
# authenticators and User-Password hiding).
client c2960_switch {
        ipaddr = 192.168.0.200
        secret = MYSECRET
}
# cat /etc/freeradius/users
# user1: password-only entry. EAP-MD5 is a challenge/response computed
# over the password itself, so the server has to hold it in cleartext;
# treat this file as secret material (restrict it to the freerad user).
# EAP-MD5 also authenticates only the client, never the server, and a
# captured exchange can be tested offline against password guesses, so
# passwords here need to be long. The reply sends Filter-Id; the ".in"
# suffix is what lets the switch apply the ACL named user1_acl (defined
# in the switch section) inbound on the port.
"user1" Cleartext-Password := "PASSWORD1"
        Filter-Id = "user1_acl.in"

# user2: dynamic VLAN assignment. The three Tunnel-* reply attributes
# move the port into VLAN 10 after a successful login; the switch only
# honors them because "aaa authorization network default group radius"
# is configured there.
"user2" Cleartext-Password := "PASSWORD2"
        Tunnel-Type = VLAN,
        Tunnel-Medium-Type = IEEE-802,
        Tunnel-Private-Group-Id = 10

# MAB entry: with "mab eap" on the port, the switch sends the client's
# MAC address (lower-case hex, no separators) as both user name and
# password for hosts that have no 802.1X supplicant, and this entry puts
# them in VLAN 11. A MAC address is trivially copied by another host, so
# MAB identifies a device but does not authenticate it; treat VLAN 11 as
# a restricted segment rather than giving it normal user access.
"000f1f8ce650" Cleartext-Password := "000f1f8ce650" # Supplicant's MAC address
        Tunnel-Type = VLAN,
        Tunnel-Medium-Type = IEEE-802,
        Tunnel-Private-Group-Id = 11
# cat /etc/freeradius/radiusd.conf
# Filesystem layout and daemon identity. The ${...} references are
# expanded by FreeRADIUS when the file is parsed.
prefix = /usr
exec_prefix = /usr
sysconfdir = /etc
localstatedir = /var
sbindir = ${exec_prefix}/sbin
logdir = /var/log/freeradius
raddbdir = /etc/freeradius
radacctdir = ${logdir}/radacct
name = freeradius
confdir = ${raddbdir}
run_dir = ${localstatedir}/run/${name}
db_dir = ${raddbdir}
libdir = /usr/lib/freeradius
pidfile = ${run_dir}/${name}.pid
# Run as the unprivileged freerad account rather than root; the radacct
# directory created in the shell steps is chowned to this account.
user = freerad
group = freerad
# Request lifetime (seconds) and concurrency limits; they bound how long
# and how many in-flight Access-Requests the server keeps around.
max_request_time = 30
cleanup_delay = 5
max_requests = 1024
# Authentication listener. "*" binds every local address and port 0
# selects the default RADIUS authentication port (the switch is
# configured for 1812). If this host has more than one interface, binding
# to the address the switch talks to (192.168.0.100) limits exposure;
# either way, only sources listed in clients.conf are answered.
listen {
        type = auth
        ipaddr = *
        port = 0
}
# Accounting listener, same binding rules as the auth listener above;
# port 0 selects the default accounting port (the switch uses 1813).
listen {
        ipaddr = *
        port = 0
        type = acct
}
# No reverse DNS on client addresses (avoids slow or spoofable lookups
# on the request path). allow_core_dumps = no keeps process memory, which
# holds the shared secret and cleartext passwords, out of core files.
# Regex operators are enabled for the users file and unlang.
hostname_lookups = no
allow_core_dumps = no
regular_expressions     = yes
extended_expressions    = yes
# Logging to ${logdir}/radius.log. "auth = no" means individual
# Access-Accept/Reject decisions are not recorded, which leaves nothing
# to review after a suspected misuse; "auth = yes" is the setting that
# records them (user name and outcome). Keep auth_badpass and
# auth_goodpass at "no" so passwords never land in the log file.
log {
        destination = files
        file = ${logdir}/radius.log
        syslog_facility = daemon
        stripped_names = no
        auth = no
        auth_badpass = no
        auth_goodpass = no
}
# Helper used for Simultaneous-Use checks; nothing on this page sets
# Simultaneous-Use, so it is not exercised here.
checkrad = ${sbindir}/checkrad
# Hardening knobs: packets carrying more than max_attributes attributes
# are dropped, reject_delay = 1 holds each Access-Reject for a second to
# slow online password guessing, and Status-Server requests are answered
# so the switch can probe server liveness without a real login.
security {
        max_attributes = 200
        reject_delay = 1
        status_server = yes
}
# Proxying is enabled and proxy.conf is loaded, although nothing on this
# page defines a realm to forward to; if none is needed, proxy_requests =
# no removes that code path. clients.conf (the switch definition) is
# pulled in here.
proxy_requests  = yes
$INCLUDE proxy.conf
$INCLUDE clients.conf
# Worker thread pool sizing. max_requests_per_server = 0 disables the
# recycling of a worker thread after a fixed number of requests.
thread pool {
        start_servers = 5
        max_servers = 32
        min_spare_servers = 3
        max_spare_servers = 10
        max_requests_per_server = 0
}
# Module configuration comes from modules/ plus eap.conf, which is where
# the EAP methods (including MD5) are configured; eap.conf is not shown
# on this page.
modules {
        $INCLUDE ${confdir}/modules/
        $INCLUDE eap.conf
}
# Modules instantiated at startup regardless of whether a virtual server
# section lists them.
instantiate {
        exec
        expr
        expiration
        logintime
}
# Shared policies and the virtual servers under sites-enabled/; the
# "default" server used by this setup is listed below.
$INCLUDE policy.conf
$INCLUDE sites-enabled/
# mkdir /var/log/freeradius/radacct
# chown freerad:freerad /var/log/freeradius/radacct
# cat /etc/freeradius/sites-enabled/default
# authorize: runs before authentication and decides Auth-Type. Module
# order is significant. "eap { ok = return }" ends the section as soon
# as the eap module returns ok, so the modules after it are skipped for
# those packets. "files" is what loads the users file shown above
# (passwords, Filter-Id and the VLAN reply attributes).
authorize {
        preprocess
        chap
        mschap
        digest
        suffix
        eap {
                ok = return
        }
        files
        expiration
        logintime
        pap
}
# authenticate: the Auth-Type chosen in authorize selects the module. In
# this setup "eap" carries the EAP-MD5 exchange with the supplicant (and
# the "mab eap" requests for MAC-only hosts); pap/chap/mschap remain
# available for non-EAP requests, such as the switch's "test aaa" check
# appears to send. "digest" and "unix" are not used by anything on this
# page.
authenticate {
        Auth-Type PAP {
                pap
        }
        Auth-Type CHAP {
                chap
        }
        Auth-Type MS-CHAP {
                mschap
        }
        digest
        unix
        eap
}
# preacct: prepares Accounting-Requests; acct_unique adds a per-session
# key so duplicate accounting records can be recognized.
preacct {
        preprocess
        acct_unique
        suffix
        files
}
# accounting: "detail" writes the records under the radacct directory
# created and chowned in the shell steps, radutmp tracks live sessions,
# and attr_filter trims the Accounting-Response. These records are the
# audit trail of which identity was on which switch port and when, so
# retain them where an investigation can reach them.
accounting {
        detail
        unix
        radutmp
        exec
        attr_filter.accounting_response
}
# session: radutmp backs Simultaneous-Use checks; no entry on this page
# sets Simultaneous-Use, so this is idle here.
session {
        radutmp
}
# post-auth: exec runs any configured external program after the
# decision. For rejects, attr_filter.access_reject strips everything
# not permitted in an Access-Reject, so VLAN or ACL reply items from the
# users file are never handed to a client that failed to authenticate.
post-auth {
        exec
        Post-Auth-Type REJECT {
                attr_filter.access_reject
        }
}
# pre-proxy: intentionally empty; this virtual server forwards nothing.
pre-proxy {
}
# post-proxy: only reached for proxied replies, which this setup does not
# produce; eap is kept so proxied EAP responses would be handled.
post-proxy {
        eap
}

# /etc/init.d/freeradius stop
# freeradius -X


Authenticator/NAS (Cisco Catalyst 2960)

! Turn on AAA and define the FreeRADIUS host. The key must equal
! "secret" in clients.conf; it is stored in the running configuration,
! so treat "show run" output and configuration backups as sensitive.
Switch(config)# aaa new-model
Switch(config)# radius server freeradius
Switch(config-radius-server)# address ipv4 192.168.0.100 auth-port 1812 acct-port 1813
Switch(config-radius-server)# key MYSECRET
! dot1x authentication, network authorization (required for the
! Tunnel-* VLAN and Filter-Id ACL reply attributes to take effect) and
! start/stop accounting all use the RADIUS group; VSAs are enabled in
! both directions.
Switch(config)# aaa authentication dot1x default group radius
Switch(config)# aaa authorization network default group radius
Switch(config)# aaa accounting dot1x default start-stop group radius
Switch(config)# radius-server vsa send accounting
Switch(config)# radius-server vsa send authentication
! Port configuration. Both fallback events still grant access: a host
! that FAILS authentication lands in VLAN 30 (retry 0 = no second
! attempt) and a host that never answers lands in VLAN 20, so those two
! VLANs must be isolated quarantine/guest segments, not the user network.
! "mab eap" sends MAC-based requests as EAP-MD5, matching the MAC entry
! in the users file. tx-period 1 resends EAP-Request/Identity every
! second, which is what makes the no-response fallback quick.
Switch(config)# interface FastEthernet0/10
Switch(config-if)# switchport mode access
Switch(config-if)# authentication event fail retry 0 action authorize vlan 30
Switch(config-if)# authentication event no-response action authorize vlan 20
Switch(config-if)# authentication port-control auto
Switch(config-if)# mab eap
Switch(config-if)# dot1x pae authenticator
Switch(config-if)# dot1x timeout tx-period 1
Switch(config-if)# spanning-tree portfast
! ACL named by user1's Filter-Id ("user1_acl.in"): only ICMP to the
! RADIUS host is permitted; everything else hits the implicit deny.
Switch(config)# ip access-list extended user1_acl
Switch(config-ext-nacl)#  permit icmp any host 192.168.0.100
! Verification. "test aaa" places the password on the command line,
! where it can end up in terminal logging and command history; use a
! throw-away test account and rotate it afterwards. debug dot1x is left
! commented out with "!".
Switch# test aaa group radius user1 PASSWORD1 legacy
Switch# !debug dot1x


Supplicant (Windows XP)

C:\> net start "Wired Autoconfig"
NIC > Properties > Authentication
- Enable IEEE 802.1x authentication for this network
- EAP type: MD5-Challenge


References

http://en.wikipedia.org/wiki/IEEE_802.1X
http://www.cisco.com/en/US/docs/solutions/Enterprise/Security/TrustSec_1.99/Dot1X_Deployment/Dot1x_Dep_Guide.html
