
# 802.1X Certificate-Based Authentication Setup for Wired Network (Automated with Kickstart)

---

### Overview

This configuration enables automated 802.1X certificate-based authentication on a wired network using FreeRADIUS and a Kickstart file for deployment. The setup includes:
1. Generating and installing certificates for FreeRADIUS and devices.
2. Configuring FreeRADIUS to use EAP-TLS for 802.1X.
3. Configuring a network switch for 802.1X on Ethernet ports.
4. Setting up devices with systemd for automatic 802.1X authentication.

---

### Step-by-Step Setup

#### 1. FreeRADIUS Configuration for EAP-TLS

1. **Install FreeRADIUS and Dependencies**:
```bash
sudo yum install -y freeradius freeradius-utils
```

2. **Generate CA and Device Certificates**:

- Create a CA private key (AES-256 encrypted, so a passphrase is required whenever it signs) and a self-signed CA certificate:
```bash
# CA private key, protected with a passphrase
openssl genpkey -algorithm RSA -out ca.key -aes256
# Self-signed CA certificate valid for 10 years
openssl req -x509 -new -nodes -key ca.key -sha256 -days 3650 -out ca.pem
```
- Generate a device key and CSR, then sign the CSR with the CA:
```bash
# Unencrypted device key (wpa_supplicant must read it without a passphrase)
openssl genpkey -algorithm RSA -out device.key
openssl req -new -key device.key -out device.csr
# Issue the device certificate, signed by the CA
openssl x509 -req -in device.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
    -out device.pem -days 3650 -sha256
```

3. **Copy Certificates to FreeRADIUS Directory**:
```bash
sudo cp ca.pem /etc/raddb/certs/
sudo cp device.pem /etc/raddb/certs/
sudo cp device.key /etc/raddb/certs/
```

4. **Configure FreeRADIUS EAP for EAP-TLS**:

Edit `/etc/raddb/mods-available/eap` to enable EAP-TLS.
```plaintext
eap {
    default_eap_type = tls
    tls-config tls-common {
        # Key and certificate the RADIUS server presents to supplicants
        private_key_file = /etc/raddb/certs/device.key
        certificate_file = /etc/raddb/certs/device.pem
        # CA used to validate the client certificates supplicants present
        ca_file = /etc/raddb/certs/ca.pem
        fragment_size = 1024
        include_length = yes
    }
}
```

5. **Enable EAP Module in FreeRADIUS**:
```bash
sudo ln -s /etc/raddb/mods-available/eap /etc/raddb/mods-enabled/
```

6. **Update Default Virtual Server**:

Edit `/etc/raddb/sites-available/default` to enable `eap` in the `authorize` and `authenticate` sections.
```plaintext
authorize {
    eap
}

authenticate {
    eap
}
```

7. **Restart FreeRADIUS**:
```bash
sudo systemctl restart radiusd
```

---

#### 2. Configure Switch Ports for 802.1X Authentication

Configure managed switches to support 802.1X on Ethernet ports.

- **Example for Cisco Switches**:

```plaintext
interface GigabitEthernet0/1
 switchport mode access
 authentication port-control auto
 dot1x pae authenticator
 dot1x auth-fail max-attempts 3
 dot1x timeout reauth-period 3600
```

- **Example for HP Switches**:
```plaintext
interface 1
aaa port-access authenticator
aaa port-access authenticator active
aaa port-access authenticator client-limit 1
```

Point the switch at the FreeRADIUS server as its RADIUS authentication server so that 802.1X requests from these ports are forwarded to it.

---

#### 3. Kickstart (ks.cfg) Configuration for Device Automation

To automate 802.1X configuration on devices, use the `%post` section in `ks.cfg`:

```plaintext
# Install necessary packages during OS installation
%packages
@^minimal
wpa_supplicant
openssl
%end

%post
# Create 802.1X Configuration File for wpa_supplicant
cat <<EOF > /etc/wpa_supplicant/wpa_supplicant-wired.conf
ctrl_interface=/var/run/wpa_supplicant
ap_scan=0

network={
    key_mgmt=IEEE8021X
    eap=TLS
    identity="<Device_ID>"
    private_key="/etc/wpa_supplicant/device.key"
    client_cert="/etc/wpa_supplicant/device.pem"
    ca_cert="/etc/wpa_supplicant/ca.pem"
    eapol_flags=0
}
EOF

# Place Device Certificates and Keys
cp /path/to/ca.pem /etc/wpa_supplicant/ca.pem
cp /path/to/device.pem /etc/wpa_supplicant/device.pem
cp /path/to/device.key /etc/wpa_supplicant/device.key

# Set Permissions on Certificates and Keys (private key readable by root only)
chmod 600 /etc/wpa_supplicant/device.key
chmod 644 /etc/wpa_supplicant/device.pem
chmod 644 /etc/wpa_supplicant/ca.pem

# Create a Systemd Service for 802.1X Authentication
cat <<EOF > /etc/systemd/system/wpa_supplicant-wired.service
[Unit]
Description=WPA supplicant for 802.1X on wired network
After=network.target

[Service]
ExecStart=/usr/sbin/wpa_supplicant -Dwired -ieth0 -c/etc/wpa_supplicant/wpa_supplicant-wired.conf
Restart=on-failure

[Install]
WantedBy=multi-user.target
EOF

# Reload systemd and enable the service to start on boot
systemctl daemon-reload
systemctl enable wpa_supplicant-wired.service
%end
```
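A pre-flight check that can run at the end of `%post`, before the service is enabled, as an added example that is not part of the original page. It parses the `wpa_supplicant-wired.conf` written above, confirms the referenced CA, certificate and key files exist with the intended modes (600 for the key, 644 for the certificates), and optionally verifies with `openssl` that the device certificate chains to the CA and matches the key; the file paths and key names are assumed to be those used in the Kickstart above.

```shell
#!/bin/sh
# Added pre-flight check for the files written by the Kickstart %post section
# (not part of the original page). Assumes the config keys and paths above.

# Extract the value of a quoted wpa_supplicant key, e.g. client_cert="/x.pem"
conf_value() {  # $1 = config file, $2 = key name
    sed -n "s/^[[:space:]]*$2=\"\\(.*\\)\"[[:space:]]*$/\\1/p" "$1" | head -n 1
}

# Returns 0 when the config selects EAP-TLS and references existing files with
# the intended modes: private key 600, certificates 644. Prints each problem.
check_wpa_conf() {  # $1 = path to wpa_supplicant-wired.conf
    conf=$1; rc=0
    grep -q '^[[:space:]]*eap=TLS' "$conf" || { echo "eap is not TLS"; rc=1; }
    grep -q '^[[:space:]]*key_mgmt=IEEE8021X' "$conf" || { echo "key_mgmt is not IEEE8021X"; rc=1; }
    for key in ca_cert client_cert private_key; do
        f=$(conf_value "$conf" "$key")
        if [ -z "$f" ] || [ ! -f "$f" ]; then
            echo "$key: missing file '$f'"; rc=1; continue
        fi
        mode=$(stat -c %a "$f")   # GNU stat, as on the RHEL-family host used here
        case $key in
            private_key) [ "$mode" = 600 ] || { echo "$key: mode $mode, want 600"; rc=1; } ;;
            *)           [ "$mode" = 644 ] || { echo "$key: mode $mode, want 644"; rc=1; } ;;
        esac
    done
    return $rc
}

# Optional: confirm the device certificate chains to the CA and that its RSA
# modulus matches the private key (requires openssl on the device).
check_cert_chain() {  # $1 = ca.pem, $2 = device.pem, $3 = device.key
    openssl verify -CAfile "$1" "$2" >/dev/null || return 1
    cert_mod=$(openssl x509 -in "$2" -noout -modulus)
    key_mod=$(openssl rsa -in "$3" -noout -modulus 2>/dev/null)
    [ -n "$cert_mod" ] && [ "$cert_mod" = "$key_mod" ]
}

# Usage at the end of %post: abort before enabling the service if anything is off.
# check_wpa_conf /etc/wpa_supplicant/wpa_supplicant-wired.conf || exit 1
```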

---
### Explanation

- **FreeRADIUS**: Configured for EAP-TLS to use certificates for 802.1X authentication.
- **Switch**: Configured to require 802.1X authentication for Ethernet devices.
- **Device Setup**: The Kickstart `%post` section configures `wpa_supplicant` with a systemd service that runs on boot, automating 802.1X authentication on the wired interface.

This configuration provides a fully automated, certificate-based 802.1X setup on a wired network.

---