TL;DR
Yes! 802.1X EAP (Extensible Authentication Protocol) and RADIUS (Remote Authentication Dial-In User Service) work very well together. 802.1X handles the initial connection security, while RADIUS provides authentication, authorization, and accounting. This guide explains how they cooperate to secure your network.
How 802.1X EAP & RADIUS Work Together
- The Connection Request: A device (like a laptop) tries to connect to the network via an 802.1X-enabled switch or access point.
- Port Access Control: The switch/access point blocks all traffic except for EAP packets on that port. This is called Port Access Control.
- EAP Negotiation: The device and the network start an EAP conversation to determine the authentication method (e.g., TLS, TTLS, PEAP). Think of this as agreeing how to prove identity.
- RADIUS Request: The switch/access point does not evaluate the EAP conversation itself. It wraps each EAP message in a RADIUS Access-Request (the EAP-Message attribute) and forwards it to a RADIUS server, along with information about the user (User-Name), the port, and the chosen EAP method.
- User Credentials: The RADIUS server, acting as the EAP server, requests the user’s credentials (username and password, a client certificate, or another credential type) through further EAP messages relayed by the switch/access point.
- Authentication: The RADIUS server verifies these credentials against its database (e.g., Active Directory, local users).
- Authorization: If authentication is successful, the RADIUS server decides what network access the user gets (e.g., full internet access, limited VLAN access).
- RADIUS Response: The RADIUS server sends a response back to the switch/access point, telling it whether to allow or deny access and with what permissions.
- Access Granted/Denied: The switch/access point enforces the RADIUS server’s decision. If granted, the user gets network access; if denied, they remain blocked.
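To make the exchange above concrete, here is an added example in Python (it is not from the original page and not the code of any RADIUS product) that builds the RADIUS Access-Request a switch or access point sends when it relays the supplicant's EAP Response/Identity, and the server's Access-Accept or Access-Reject. Both directions carry the Message-Authenticator (RFC 3579) and the reply carries the Response Authenticator (RFC 2865), both derived from the shared secret, which is why a secret mismatch makes the server silently discard the request. The multi-round EAP conversation that PEAP or EAP-TLS would go through (Access-Challenge rounds) is collapsed into one round so the packet formats stay visible; the user names, NAS address and secret are constructed sample values.

```python
import hashlib
import hmac
import os
import socket
import struct

# RADIUS codes and attribute types (RFC 2865, RFC 3579)
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_NAS_IP, ATTR_EAP_MESSAGE, ATTR_MSG_AUTH = 1, 4, 79, 80
EAP_RESPONSE, EAP_TYPE_IDENTITY = 2, 1


def attr(atype, value):
    """Encode one RADIUS attribute as Type(1) Length(1) Value."""
    return struct.pack("!BB", atype, 2 + len(value)) + value


def eap_identity_response(eap_id, identity):
    """EAP Response/Identity: the supplicant's answer to the first EAP Request on the port."""
    body = struct.pack("!B", EAP_TYPE_IDENTITY) + identity
    return struct.pack("!BBH", EAP_RESPONSE, eap_id, 4 + len(body)) + body


def message_authenticator(code, ident, request_auth, attrs_with_zero_ma, secret):
    """HMAC-MD5 over Code, Identifier, Length, Request Authenticator and attributes,
    with the Message-Authenticator value set to 16 zero bytes (RFC 3579 section 3.2).
    Replies are keyed on the Request Authenticator of the request they answer."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs_with_zero_ma))
    return hmac.new(secret, header + request_auth + attrs_with_zero_ma, hashlib.md5).digest()


def parse(packet):
    """Split a RADIUS packet into code, identifier, authenticator and [(type, value), ...]."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    attrs, pos = [], 20
    while pos < length:
        atype, alen = packet[pos], packet[pos + 1]
        attrs.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return code, ident, packet[4:20], attrs


def verify_message_authenticator(packet, request_auth, secret):
    """Recompute the HMAC with the received Message-Authenticator zeroed and compare."""
    code, ident, _, attrs = parse(packet)
    received = dict(attrs).get(ATTR_MSG_AUTH)
    if received is None:
        return False
    zeroed = b"".join(attr(t, bytes(16) if t == ATTR_MSG_AUTH else v) for t, v in attrs)
    expected = message_authenticator(code, ident, request_auth, zeroed, secret)
    return hmac.compare_digest(expected, received)


def access_request(ident, username, nas_ip, eap_payload, secret):
    """What the switch/AP (the NAS) sends: the supplicant's EAP message wrapped in RADIUS."""
    request_auth = os.urandom(16)  # fresh random Request Authenticator per request
    base = (attr(ATTR_USER_NAME, username) + attr(ATTR_NAS_IP, socket.inet_aton(nas_ip))
            + attr(ATTR_EAP_MESSAGE, eap_payload))
    mac = message_authenticator(ACCESS_REQUEST, ident, request_auth,
                                base + attr(ATTR_MSG_AUTH, bytes(16)), secret)
    attrs = base + attr(ATTR_MSG_AUTH, mac)
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs


def radius_server_handle(packet, secret, known_users):
    """Server side. A real server runs Access-Challenge rounds (PEAP/TLS) before deciding;
    here the identity alone decides, so the whole round trip fits in one function."""
    code, ident, request_auth, attrs = parse(packet)
    if code != ACCESS_REQUEST or not verify_message_authenticator(packet, request_auth, secret):
        return None  # RFC 3579: a request whose integrity check fails is silently discarded
    reply = ACCESS_ACCEPT if dict(attrs).get(ATTR_USER_NAME) in known_users else ACCESS_REJECT
    mac = message_authenticator(reply, ident, request_auth, attr(ATTR_MSG_AUTH, bytes(16)), secret)
    attrs_out = attr(ATTR_MSG_AUTH, mac)
    header = struct.pack("!BBH", reply, ident, 20 + len(attrs_out))
    # Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret), RFC 2865 section 3
    response_auth = hashlib.md5(header + request_auth + attrs_out + secret).digest()
    return header + response_auth + attrs_out


def verify_response(response, request_auth, secret):
    """NAS side: check the Response Authenticator and the Message-Authenticator, so a
    reply from a host that does not hold the shared secret cannot open the port."""
    expected = hashlib.md5(response[:4] + request_auth + response[20:] + secret).digest()
    return (hmac.compare_digest(expected, response[4:20])
            and verify_message_authenticator(response, request_auth, secret))


def authenticate(username, switch_secret, server_secret, nas_ip="192.168.1.100"):
    """One round trip with constructed sample values; returns the decision the NAS enforces."""
    eap = eap_identity_response(1, username)
    request = access_request(7, username, nas_ip, eap, switch_secret)
    request_auth = request[4:20]
    response = radius_server_handle(request, server_secret, {b"alice@example.com"})
    if response is None:
        return "discarded"  # mismatched secret: the NAS only sees a timeout
    if not verify_response(response, request_auth, switch_secret):
        return "bad-response"
    return {ACCESS_ACCEPT: "Access-Accept", ACCESS_REJECT: "Access-Reject"}[response[0]]


if __name__ == "__main__":
    secret = b"testing_password"
    print(authenticate(b"alice@example.com", secret, secret))    # Access-Accept
    print(authenticate(b"mallory@example.com", secret, secret))  # Access-Reject
    print(authenticate(b"alice@example.com", secret, b"typo"))   # discarded
```

The third call is the situation behind most "802.1X just hangs" reports: with a wrong secret the server never answers, so on the switch side it looks like a RADIUS timeout rather than an explicit reject, which is why the server log is the first place to look.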
Setting up 802.1X with RADIUS
Here’s a simplified overview of the steps involved. The exact configuration varies depending on your hardware and software.
Step 1: Configure Your RADIUS Server
- Install & Configure: Install a RADIUS server (e.g., FreeRADIUS, Microsoft Network Policy Server).
- Database Integration: Connect the RADIUS server to your user database (Active Directory is common).
- Client Settings: Add your network switches/access points as RADIUS clients. You’ll need their IP addresses and a shared secret key. This key must match on both the switch/AP and the RADIUS server.
# Example FreeRADIUS client configuration (clients.conf)
# One "client" block per switch/AP; FreeRADIUS uses "key = value" syntax,
# and the secret must be identical to the one configured on that device.
client my_switch {
    ipaddr = 192.168.1.100
    secret = testing_password
}
Step 2: Configure Your Network Switches/Access Points
- Enable 802.1X: Enable 802.1X authentication on the ports you want to secure.
- RADIUS Server Details: Enter the IP address and shared secret key of your RADIUS server.
- EAP Method: Choose an EAP method (e.g., PEAP, TLS). PEAP is often easier to set up with Microsoft infrastructure.
- Authentication Port: Specify the UDP port used for RADIUS authentication (usually 1812 or 1645).
! Example Cisco IOS switch configuration snippet (global, then one access port)
aaa new-model
aaa authentication dot1x default group radius
radius server radius_server
 address ipv4 192.168.1.50 auth-port 1812 acct-port 1813
 key testing_password
dot1x system-auth-control
interface GigabitEthernet1/0/1
 authentication port-control auto
 dot1x pae authenticator
Step 3: Configure Clients (Laptops, Phones)
- EAP Settings: Configure the wireless or wired network settings on your devices to use the appropriate EAP method.
- Server Validation: Ensure clients are configured to validate the RADIUS server’s certificate (the issuing CA and the expected server name) when using TLS-based methods such as PEAP, TTLS or EAP-TLS. A client that skips this check will complete the EAP exchange with any device that presents a server certificate, which is how password-based inner methods end up exposing credentials to a rogue access point.
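As an added example for Step 3 on a Linux client (it is not from the original page), here is a wpa_supplicant network block for PEAP written twice: first the weak form that accepts any server certificate, then the hardened form that pins the issuing CA and the server’s DNS name. The SSID, identity, CA file path and server name are assumed placeholder values.

```conf
# Weak: no ca_cert and no name match, so the supplicant hands its
# MSCHAPv2 response to any access point that plays the EAP server.
network={
    ssid="CorpWiFi"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="alice"
    password="CHANGEME"
    phase2="auth=MSCHAPV2"
}

# Hardened: accept only a server certificate that chains to the internal CA
# and whose name ends with the RADIUS server's DNS suffix (placeholder values).
# anonymous_identity keeps the real username out of the unencrypted outer EAP.
network={
    ssid="CorpWiFi"
    key_mgmt=WPA-EAP
    eap=PEAP
    anonymous_identity="anonymous@corp.example"
    identity="alice"
    password="CHANGEME"
    ca_cert="/etc/ssl/certs/corp-radius-ca.pem"
    domain_suffix_match="radius.corp.example"
    phase2="auth=MSCHAPV2"
}
```

The same two settings have counterparts on Windows and macOS profiles (trusted root CA plus the list of accepted server names); whichever platform is used, a profile that leaves them blank should be treated as a finding during rollout review.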
Troubleshooting
- RADIUS Logs: Check your RADIUS server logs for errors (authentication failures, client issues).
- Switch/AP Logs: Examine the switch/access point logs for 802.1X-related messages.
- Shared Secret: Double-check that the shared secret key is identical on both the RADIUS server and the switches/access points.
- Firewall Rules: Ensure firewalls aren’t blocking communication between your switches/APs and the RADIUS server: UDP 1812 (or legacy 1645) for authentication and UDP 1813 (or legacy 1646) for accounting. End devices never talk to the RADIUS server directly; they exchange only EAP frames with the switch/AP.