# 802.1X Automated Setup Steps


## 802.1X Certificate-Based Authentication Setup for Wired Network (Automated with Kickstart)

---

### Overview

This configuration enables automated 802.1X certificate-based authentication on a wired network using FreeRADIUS and a Kickstart file for deployment. The setup includes:
1. Generating and installing certificates for FreeRADIUS and devices.
2. Configuring FreeRADIUS to use EAP-TLS for 802.1X.
3. Configuring a network switch for 802.1X on Ethernet ports.
4. Setting up devices with systemd for automatic 802.1X authentication.

---

### Step-by-Step Setup

#### 1. FreeRADIUS Configuration for EAP-TLS

1. **Install FreeRADIUS and Dependencies**:

```bash
sudo yum install -y freeradius freeradius-utils
```

2. **Generate CA and Device Certificates**:

- Create a CA private key and self-signed certificate:

```bash
openssl genpkey -algorithm RSA -out ca.key -aes256
openssl req -x509 -new -nodes -key ca.key -sha256 -days 3650 -out ca.pem
```

- Generate and sign a device certificate:

```bash
openssl genpkey -algorithm RSA -out device.key
openssl req -new -key device.key -out device.csr
openssl x509 -req -in device.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
  -out device.pem -days 3650 -sha256
```

3. **Copy Certificates to FreeRADIUS Directory**:

```bash
sudo cp ca.pem /etc/raddb/certs/
sudo cp device.pem /etc/raddb/certs/
sudo cp device.key /etc/raddb/certs/
```

4. **Configure FreeRADIUS EAP for EAP-TLS**:

Edit `/etc/raddb/mods-available/eap` so that EAP-TLS is the default EAP type and the `tls` method uses the certificates copied above:

```plaintext
eap {
    default_eap_type = tls
    tls-config tls-common {
        private_key_file = /etc/raddb/certs/device.key
        certificate_file = /etc/raddb/certs/device.pem
        ca_file = /etc/raddb/certs/ca.pem
        fragment_size = 1024
        include_length = yes
    }
    # The tls method has to reference the tls-config block above.
    tls {
        tls = tls-common
    }
}
```

5. **Enable EAP Module in FreeRADIUS**:

```bash
sudo ln -s /etc/raddb/mods-available/eap /etc/raddb/mods-enabled/
```

6. **Update Default Virtual Server**:

Edit `/etc/raddb/sites-available/default` to enable `eap` in the `authorize` and `authenticate` sections.

```plaintext
authorize {
    eap
}

authenticate {
    eap
}
```

7. **Restart FreeRADIUS**:
```bash
sudo systemctl restart radiusd
```
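The steps above generate a single `device` key pair and use it both as the FreeRADIUS server certificate and, in the Kickstart section further down, as the supplicant's client certificate. The script below is an added example, not part of the original write-up, and goes one step beyond it: it builds the CA and then issues two separate leaf certificates, a RADIUS server certificate with the `serverAuth` extended key usage (which supplicants that check the authenticator's certificate purpose require) and a device certificate that is valid only as a TLS client. It assumes `openssl` is installed and that the default `openssl.cnf` marks a `req -x509` certificate as a CA, which is the case on common distributions; the subject names, key sizes, lifetimes and output directory are choices made for this example.

```shell
#!/bin/sh
# Added example (not from the original write-up): a minimal EAP-TLS PKI with
# separate server and supplicant certificates. Assumes openssl(1) is installed.
# Subject names, key sizes and lifetimes below are choices for this example.
set -e

# issue_leaf DIR NAME CN EKU
# Key, CSR and CA-signed certificate for one leaf. Extensions are applied at
# signing time from a small extfile, so the CA rather than the requester
# decides what the certificate may be used for.
issue_leaf() {
    dir=$1; name=$2; cn=$3; eku=$4
    ext="$dir/$name.ext"
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$dir/$name.key"
    openssl req -new -key "$dir/$name.key" -subj "/CN=$cn" -out "$dir/$name.csr"
    printf 'basicConstraints=CA:FALSE\nkeyUsage=critical,digitalSignature,keyEncipherment\nextendedKeyUsage=%s\n' "$eku" > "$ext"
    openssl x509 -req -in "$dir/$name.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 730 -sha256 -extfile "$ext" -out "$dir/$name.pem"
}

# make_eap_tls_pki DIR
# Creates ca.pem/ca.key, server.pem/server.key (for FreeRADIUS) and
# device.pem/device.key (for the supplicant) under DIR.
make_eap_tls_pki() {
    dir=$1
    mkdir -p "$dir"
    # CA key and self-signed CA certificate. The default openssl.cnf marks a
    # `req -x509` certificate CA:TRUE, which the verify step below relies on.
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:3072 -out "$dir/ca.key"
    openssl req -x509 -new -key "$dir/ca.key" -sha256 -days 3650 \
        -subj "/CN=Example 802.1X CA" -out "$dir/ca.pem"
    # RADIUS server certificate: EKU serverAuth.
    issue_leaf "$dir" server "radius.example.internal" serverAuth
    # Supplicant certificate: EKU clientAuth only.
    issue_leaf "$dir" device "device-0001" clientAuth
}

# verify_leaf DIR NAME PURPOSE
# Succeeds only if DIR/NAME.pem chains to DIR/ca.pem and is acceptable for
# PURPOSE (sslserver or sslclient), i.e. its key usage and EKU allow that role.
verify_leaf() {
    openssl verify -CAfile "$1/ca.pem" -purpose "$3" "$1/$2.pem" >/dev/null 2>&1
}

# Usage: sh make_eap_tls_pki.sh /tmp/eap-pki
if [ "$#" -gt 0 ]; then
    make_eap_tls_pki "$1"
    verify_leaf "$1" server sslserver && verify_leaf "$1" device sslclient && echo "PKI OK: $1"
fi
```

With this split, `server.pem`/`server.key` are the files that belong in `/etc/raddb/certs/` and `device.pem`/`device.key` the ones shipped to the supplicant. `verify_leaf` uses `openssl verify -purpose`, so it fails not only on a broken chain but also when a certificate is offered for a role its extended key usage does not permit, which is the check to run before copying files into place.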

---

#### 2. Configure Switch Ports for 802.1X Authentication

Configure managed switches to support 802.1X on Ethernet ports.

- **Example for Cisco Switches**:

```plaintext
interface GigabitEthernet0/1
 switchport mode access
 authentication port-control auto
 dot1x pae authenticator
 dot1x auth-fail max-attempts 3
 dot1x timeout reauth-period 3600
```

- **Example for HP Switches**:

```plaintext
interface 1
 aaa port-access authenticator
 aaa port-access authenticator active
 aaa port-access authenticator client-limit 1
```

In both cases, configure the FreeRADIUS host as the switch's RADIUS authentication server so that the 802.1X exchange on these ports is relayed to it.

---

#### 3. Kickstart (ks.cfg) Configuration for Device Automation

To automate 802.1X configuration on devices, use the `%post` section in `ks.cfg`:

```plaintext
# Install necessary packages during OS installation
%packages
@^minimal
wpa_supplicant
openssl
%end

%post
# Create 802.1X Configuration File for wpa_supplicant
cat <<EOF > /etc/wpa_supplicant/wpa_supplicant-wired.conf
ctrl_interface=/var/run/wpa_supplicant
ap_scan=0

network={
    key_mgmt=IEEE8021X
    eap=TLS
    identity="<Device_ID>"
    private_key="/etc/wpa_supplicant/device.key"
    client_cert="/etc/wpa_supplicant/device.pem"
    ca_cert="/etc/wpa_supplicant/ca.pem"
    eapol_flags=0
}
EOF

# Place Device Certificates and Keys
cp /path/to/ca.pem /etc/wpa_supplicant/ca.pem
cp /path/to/device.pem /etc/wpa_supplicant/device.pem
cp /path/to/device.key /etc/wpa_supplicant/device.key

# Set Permissions on Certificates and Keys
chmod 600 /etc/wpa_supplicant/device.key
chmod 644 /etc/wpa_supplicant/device.pem
chmod 644 /etc/wpa_supplicant/ca.pem

# Create a Systemd Service for 802.1X Authentication
cat <<EOF > /etc/systemd/system/wpa_supplicant-wired.service
[Unit]
Description=WPA supplicant for 802.1X on wired network
After=network.target

[Service]
ExecStart=/usr/sbin/wpa_supplicant -Dwired -ieth0 -c/etc/wpa_supplicant/wpa_supplicant-wired.conf
Restart=on-failure

[Install]
WantedBy=multi-user.target
EOF

# Reload systemd and enable the service to start on boot
systemctl daemon-reload
systemctl enable wpa_supplicant-wired.service
%end
```
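Before `systemctl enable` runs in `%post`, it is worth confirming that the files the supplicant will load are consistent with each other; a wrong or stale `device.pem` otherwise only shows up later as an authentication failure on the switch port. The function below is an added example, not from the original write-up: it reads `private_key`, `client_cert` and `ca_cert` from a `wpa_supplicant-wired.conf` in the format above, checks that the private key is not group- or world-readable, that the key matches the certificate, that the certificate chains to the configured CA and is acceptable as a TLS client certificate, and that it does not expire within 30 days. It assumes `openssl` and GNU `stat` are available; the 30-day threshold and the sample paths in the usage line are assumptions of the example.

```shell
#!/bin/sh
# Added example (not from the original write-up): pre-flight check for a
# wpa_supplicant wired EAP-TLS configuration, suitable for the end of a
# Kickstart %post. Assumes openssl(1) and GNU stat(1).

# conf_value CONF KEY: the quoted value of KEY="..." inside the network block.
conf_value() {
    sed -n "s/^[[:space:]]*$2=\"\(.*\)\"[[:space:]]*$/\1/p" "$1" | head -n 1
}

# check_supplicant_conf CONF
# Returns 0 when every check passes; otherwise prints each failing check
# and returns 1.
check_supplicant_conf() {
    conf=$1; rc=0
    key=$(conf_value "$conf" private_key)
    cert=$(conf_value "$conf" client_cert)
    ca=$(conf_value "$conf" ca_cert)

    # Every referenced file must exist and be readable.
    for f in "$key" "$cert" "$ca"; do
        [ -n "$f" ] && [ -r "$f" ] || { echo "missing file referenced by $conf: '$f'"; rc=1; }
    done
    [ "$rc" -eq 0 ] || return 1

    # The private key must not be group- or world-readable (0600 or stricter).
    mode=$(stat -c %a "$key")
    case "$mode" in
        600|400) ;;
        *) echo "private key $key has mode $mode, expected 600"; rc=1 ;;
    esac

    # Key and certificate must be a pair: compare the DER-encoded public keys.
    key_pub=$(openssl pkey -in "$key" -pubout -outform DER 2>/dev/null | openssl sha256)
    cert_pub=$(openssl x509 -in "$cert" -pubkey -noout 2>/dev/null \
        | openssl pkey -pubin -pubout -outform DER 2>/dev/null | openssl sha256)
    [ "$key_pub" = "$cert_pub" ] || { echo "$key does not match $cert"; rc=1; }

    # The certificate must chain to the CA the supplicant trusts and be
    # usable as a TLS client certificate (key usage / EKU).
    openssl verify -CAfile "$ca" -purpose sslclient "$cert" >/dev/null 2>&1 \
        || { echo "$cert does not verify against $ca for client use"; rc=1; }

    # The certificate must remain valid for at least 30 days (2592000 s).
    openssl x509 -in "$cert" -noout -checkend 2592000 >/dev/null 2>&1 \
        || { echo "$cert expires within 30 days"; rc=1; }

    return "$rc"
}

# Usage: sh check_supplicant.sh /etc/wpa_supplicant/wpa_supplicant-wired.conf
if [ "$#" -gt 0 ]; then
    check_supplicant_conf "$1" && echo "supplicant configuration OK: $1"
fi
```

In `%post` the natural place for this is just before `systemctl enable`, so that an image with a bad credential set fails loudly at build time rather than silently at first boot; each message names the offending file, which is what a deployment log needs.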

---

### Explanation

- **FreeRADIUS**: Configured for EAP-TLS to use certificates for 802.1X authentication.
- **Switch**: Configured to require 802.1X authentication for Ethernet devices.
- **Device Setup**: Kickstart `%post` section configures `wpa_supplicant` with systemd to run on boot, automating 802.1X authentication on the wired interface.

This configuration provides a fully automated, certificate-based 802.1X setup on a wired network.

---
