9. Installing 802.1X authentication

Introduction

FreeNAC uses 'vmps' by default for identifying network devices, based on their MAC address. For stronger authentication look at 802.1X, which authenticates the end system (or user) cryptographically with EAP instead of trusting its MAC address. It is not bullet proof, but it is considerably harder to defeat than MAC-based identification, since a MAC address can simply be spoofed.

This step is optional: if you already have the standard FreeNAC running and don't need the additional security, you can skip it.

For a technical discussion of 802.1X, see the techguide chapter. This section covers some concrete use cases and how to get up and running with them:

  • Basic FreeRadius installation
  • Authenticating users in a Windows domain
  • Using Cisco's 'Mac-auth-bypass'

Install FreeRadius

For 802.1X support you need to have a RADIUS server installed: the switch acts as the authenticator and relays the supplicant's EAP exchange to the RADIUS server, which makes the access decision. The one we use is FreeRadius because it provides a host of features that others don't.

There are several ways to get FreeRadius running. If you have the FreeNAC VM it is already included; otherwise you can compile it from a tarball, or install the binary packages as follows.

Ubuntu:

 apt-get install freeradius

SuSE:

 yast -i freeradius

By default, FreeRadius ships with a sample configuration file (radiusd.conf) that lets you run the RADIUS server out of the box. The location of the configuration files is distribution dependent.

To test that you have a working server, run it in the foreground in debug mode as root (on Ubuntu the daemon binary is called freeradius rather than radiusd):

radiusd -xX

If at the end you see the following line

Info: Ready to process requests.

then your RADIUS server is working. Press Ctrl+C to stop it, then enable the FreeRadius service so that it starts at boot. Bear in mind that the init script name is distribution dependent.

Ubuntu:

update-rc.d freeradius defaults

SuSE:

chkconfig freeradius on

Basic FreeRadius configuration

You need to define the switches (the RADIUS clients, or NAS) that will be contacting your RADIUS server; requests from any address not listed here are silently dropped. To do so, create a backup of your clients.conf file and edit it. The configuration files are probably in /etc/freeradius, /usr/local/etc/raddb or /etc/raddb.

cp clients.conf clients.conf.$$
vi clients.conf

Then add an entry for every switch you want to contact your server in the following form.

client 192.168.1.1 {
	secret		= whatever
	shortname	= my_switch
	nastype		= cisco
}

where secret is the shared secret between your switch and the RADIUS server; it is used to hide the password attribute in transit and to authenticate the RADIUS packets. RADIUS relies on MD5 for both, so the secret is the only thing protecting the exchange: pick a long random string rather than a dictionary word, and since it doesn't have to be the same for all your switches, give each switch its own so that one compromised switch does not expose the rest. shortname is your switch's identifier and is used for logging, and nastype is the type of switch you are using; this field is optional.
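As an added example (not part of the FreeNAC documentation), the following POSIX shell script generates one clients.conf stanza per switch in exactly the form shown above, giving each switch its own random 128-bit secret and writing the IP/secret pairs to a separate file from which the switches can be configured. The switch list, the output paths and the helper names (gen_secret, client_entry, build_clients_conf) are assumptions made for this demo.

```shell
#!/bin/sh
# Added example, not from the FreeNAC docs: build a clients.conf with one
# entry per switch and a distinct random shared secret for each.
# The switch list and all file paths below are constructed for the demo.

# gen_secret: 32 hex characters (128 bits) from openssl, with a /dev/urandom
# fallback. RADIUS protects passwords and packets only with MD5 and this
# secret, so a short word like "whatever" is not acceptable on a real switch.
gen_secret() {
    openssl rand -hex 16 2>/dev/null ||
        head -c 16 /dev/urandom | od -An -tx1 | tr -d ' \n'
}

# client_entry IP SHORTNAME SECRET [NASTYPE]: print one clients.conf stanza
# in the same layout as the manual entry in the text (nastype defaults to cisco).
client_entry() {
    printf 'client %s {\n\tsecret\t\t= %s\n\tshortname\t= %s\n\tnastype\t\t= %s\n}\n' \
        "$1" "$3" "$2" "${4:-cisco}"
}

# build_clients_conf OUTFILE SECRETSFILE: read "IP SHORTNAME" lines on stdin,
# append a stanza per switch to OUTFILE and the "IP SHORTNAME SECRET" triple to
# SECRETSFILE (what you type into each switch). Both files contain secrets,
# so they are created with mode 0600 (umask 077 inside a subshell).
build_clients_conf() (
    out=$1; secrets=$2
    umask 077
    : > "$out"; : > "$secrets"
    while read -r ip name; do
        if [ -z "$ip" ]; then continue; fi    # skip blank lines
        s=$(gen_secret)
        client_entry "$ip" "$name" "$s" >> "$out"
        printf '%s %s %s\n' "$ip" "$name" "$s" >> "$secrets"
    done
)

# Demo run with a constructed two-switch list. In real use you would review
# the generated file and copy it into your clients.conf (location varies:
# /etc/freeradius, /usr/local/etc/raddb or /etc/raddb).
work=$(mktemp -d)
printf '192.168.1.1 sw-floor1\n192.168.1.2 sw-floor2\n' |
    build_clients_conf "$work/clients.conf" "$work/switch-secrets.txt"
cat "$work/clients.conf"
```

After copying the stanzas into clients.conf (keep the file readable only by the user FreeRadius runs as), start radiusd -xX again and send a test request from each switch: a request from an address that is not listed is dropped with an "unknown client" message in the debug output, which is the first thing to check when a switch's authentications get no reply at all.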

Create a backup of your radiusd.conf file before you go on to configure your RADIUS server.

cp radiusd.conf radiusd.conf.$$

802.1X in specific use cases

Below you'll find two common configuration scenarios for your Radius server.
