Configuring RADIUS Client for Dot1x Authentication

By default, dot1x system-auth-control is enabled and aaa authentication dot1x default is set to local, so 802.1X is active globally but authenticates against the switch's local user database rather than a RADIUS server. The default per-port setting, dot1x port-control force-authorized, disables 802.1X authentication on that port and moves it to the authorized state without any authentication exchange: the port transmits and receives normal traffic without 802.1X-based authentication of the client. To require authentication on a port, set dot1x port-control auto. 802.1X carries EAP (Extensible Authentication Protocol) between the supplicant and the switch; the switch (the NAS) relays the EAP messages to the RADIUS server inside RADIUS packets.

Configuration Guidelines

  1. To establish communication with the RADIUS server, configure the server IP address and the shared secret key. The same secret must be configured on the client (the switch) and on the server; the server uses it to identify the client and both sides use it to authenticate RADIUS packets, so a mismatch causes every reply to be discarded as a bad authenticator.
  2. The authentication method must be explicitly set to RADIUS (aaa authentication dot1x default group radius); otherwise the default local method is used and the RADIUS server is never contacted.

Default Configuration

Table 1. Default Configuration

Feature                           Default Setting
--------------------------------  ----------------
RADIUS-server timeout             10 seconds
RADIUS-server retransmit          3
RADIUS-server encryption key      iS5ComRADIUS
dot1x system-auth-control         enabled
aaa authentication dot1x default  local
dot1x port-control                force-authorized

Configuration Steps

For the topology, refer to the figure RADIUS Setup.

At NAS:

  1. Execute the following commands to configure the RADIUS client with server-specific parameters (host, timeout, key, and retransmit count) and to enable dot1x authentication.

    Type the following:

    • Enter the Global Configuration Mode.
    iS5comm# configure terminal
    • Configure the RADIUS server host. The key must match the secret in the server's clients.conf entry for this switch.
    iS5comm(config)# radius-server host 13.0.0.20 auth-port 1812 timeout 6 retransmit 6 key IS5ComRadius primary
    • Enable 802.1x authentication on the switch.
    iS5comm(config)# dot1x system-auth-control
    • Configure the switch to use RADIUS-based remote authentication for all 802.1x ports.
    iS5comm(config)# aaa authentication dot1x default group radius
    • Specify the port (to which the client / supplicant is attached) that is to be enabled for 802.1x authentication.
    iS5comm(config)# interface gigabitethernet 0/1
    • Enable 802.1x authentication on that port.
    iS5comm(config-if)# dot1x port-control auto
    • Exit from the Interface Configuration Mode and then from the Global Configuration Mode.
    iS5comm(config-if)# exit
    iS5comm(config)# exit
  2. Execute the following command to view the server-specific configurations.

    Perform the following:

    iS5comm# show radius server
    Primary Server           : 13.0.0.20
    Radius Server Host Information
    ------------------------------
    Index                    : 1
    Server address           : 13.0.0.20
    Shared secret            : 
    Response Time            : 6
    Maximum Retransmission   : 6
    Authentication Port      : 1812
    Accounting Port          : 1813
  3. Execute the following command to view the RADIUS statistics.

    Perform the following:

    iS5comm# show radius statistics 
    Radius Server Statistics
    -------------------------
    Index                            : 1
    Radius Server Address            : 13.0.0.20
    UDP port number                  : 1812
    Round trip time                  : 0
    No of request packets            : 1
    No of retransmitted packets      : 0
    No of access-accept packets      : 1
    No of access-reject packets      : 0
    No of access-challenge packets   : 1
    No of malformed access responses : 0
    No of bad authenticators         : 0
    No of pending requests           : 0
    No of time outs                  : 0
    No of unknown types              : 0
    --------------------------------------------
  4. Execute the following command to view the dot1x information for the interface gigabitethernet 0/1. The port reports AUTHORIZED and the authenticator and supplicant state machines report AUTHENTICATED only after the supplicant has been started on the host and has completed the EAP exchange; until then the port stays unauthorized.

    Perform the following:

    iS5comm# show dot1x interface gigabitethernet 0/1
    Dot1x Info for Gi0/1
    ---------------------
    PortStatus            = AUTHORIZED
    AccessControl         = INACTIVE
    AuthSM State          = AUTHENTICATED
    SuppSM State          = AUTHENTICATED
    BendSM State          = IDLE
    AuthPortStatus        = AUTHORIZED
    SuppPortStatus        = AUTHORIZED
    AdminControlDirection = BOTH
    OperControlDirection  = BOTH
    MaxReq                = 2
    Port Control          = Auto
    QuietPeriod           = 60 Seconds
    Re-authentication     = Disabled
    ReAuthPeriod          = 3600 Seconds
    ServerTimeout         = 30 Seconds
    SuppTimeout           = 30 Seconds
    Tx Period             = 30 Seconds

  5. Execute the following command to view the global dot1x information.

    Perform the following:

    iS5comm# show dot1x
    Sysauthcontrol                      = Enabled
    Module Oper Status                  = Enabled
    Dot1x Protocol Version              = 2
    Dot1x Authentication Method         = Radius
    Nas ID                              = fsNas1

    At RADIUS-Server:

    Assume that FreeRADIUS is used as the server. Customize the following sample files in the raddb directory (/etc/raddb on Linux):

    users

    clients.conf

    radiusd.conf

    An example is shown below.

    • In the file users, add the following line to define the supplicant's identity (the same identity later passed to mdc-ssd) with password iss123 and authentication type EAP.
    "[email protected]" Auth-Type := EAP, User-Password == "iss123"

    • In the file clients.conf, specify the RADIUS client (the switch, here 13.0.0.5) and its shared secret. The secret must match the key given to radius-server host on the switch; otherwise the switch rejects every reply as a bad authenticator.
    client 13.0.0.5 {
    secret      = IS5ComRadius
    shortname   = Rad
    nastype     = other
    }

    • In the file radiusd.conf, specify the EAP method. EAP-MD5 is used here. Note that EAP-MD5 does not authenticate the server, derives no keying material, and lets anyone who captures the challenge and response test password guesses offline, so it is suitable for lab verification only, not for production deployments.
    eap {
        default_eap_type = md5
        timer_expire     = 60
        md5 {
        }
        leap {
        }
    }
    chap {
        authtype = CHAP
    }

    At root:

    # radiusd -X -A

    The -X option runs the server in the foreground with debugging output, so each Access-Request, Access-Challenge, and Access-Accept / Access-Reject can be followed on the console while the supplicant authenticates.

    At Host:

    • For SecureSupplicant (mdc-ssd), add the identity and password to the file chap-secrets (in /etc/mdc-ssd on Linux). The password must match the entry in the users file on the RADIUS server.

    identity                Server   Secret
    [email protected]       *        iss123

    • Run the Meetinghouse Data Communications SecureSupplicant (802.1x protocol supplicant daemon).
    #mdc-ssd logfd 1 nodetach ifname eth0 identity [email protected]

    The packet flow between the host (supplicant), the RADIUS client (the switch, acting as NAS), and the RADIUS server is illustrated in the figure below.

    Figure 1. Packet Flow between Supplicant, RADIUS CLIENT, and RADIUS server
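The following is an added example, not code from iS5Com, FreeRADIUS, or the mdc-ssd supplicant. It models the exchange in the figure in plain Python: the supplicant's EAP-Response/Identity, the server's EAP-MD5 challenge carried in an Access-Challenge, the supplicant's MD5 response, and the final Access-Accept or Access-Reject, with the NAS verifying each reply's Response Authenticator against the shared secret. The secret (IS5ComRadius), user name (iS5comm), and password (iss123) are the lab values from this page; the request authenticators and challenge are generated locally, not captured packets, and the user identity is shortened to the bare user name. The last function shows why the EAP-MD5 method configured above is lab-only: a captured challenge/response pair can be attacked offline.

```python
"""Worked model of the supplicant -> NAS -> RADIUS exchange from the figure:
EAP-Identity, EAP-MD5 challenge/response carried in RADIUS EAP-Message
attributes, and the NAS check of the Response Authenticator.
Added example; not iS5Com, FreeRADIUS or mdc-ssd code. SECRET, user name and
password are the lab values from this page; nonces are generated here."""
import hashlib
import os
import struct

# RADIUS codes (RFC 2865), EAP codes and types (RFC 3748)
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
EAP_TYPE_IDENTITY, EAP_TYPE_MD5 = 1, 4
ATTR_USER_NAME, ATTR_EAP_MESSAGE = 1, 79
SECRET = b"IS5ComRadius"         # radius-server host ... key == clients.conf secret
USERS = {b"iS5comm": b"iss123"}  # the users file, as a dict (constructed)

def eap_packet(code, ident, eap_type, data):
    """EAP header (code, identifier, length) followed by type and type-data."""
    return struct.pack("!BBHB", code, ident, 5 + len(data), eap_type) + data

def eap_md5_response(ident, password, challenge):
    """EAP-MD5 (RFC 3748 s5.4, same as CHAP): MD5(identifier||password||challenge)."""
    return hashlib.md5(bytes([ident]) + password + challenge).digest()

def radius_attrs(pairs):
    """Encode (type, value) pairs as RADIUS type-length-value attributes."""
    return b"".join(struct.pack("!BB", t, 2 + len(v)) + v for t, v in pairs)

def radius_attr(packet, wanted):
    """Return the value of the first attribute of the given type, or None."""
    pos, length = 20, struct.unpack("!H", packet[2:4])[0]
    while pos + 2 <= length:
        atype, alen = packet[pos], packet[pos + 1]
        if atype == wanted:
            return packet[pos + 2:pos + alen]
        pos += alen
    return None

def radius_packet(code, ident, authenticator, attrs):
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + authenticator + attrs

def response_authenticator(code, ident, attrs, request_auth, secret):
    """RFC 2865 s3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret),
    the only thing binding a server reply to the shared secret."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()

def nas_verify_reply(packet, request_auth, secret):
    """NAS-side check of a reply. A mismatch (e.g. the key on the switch differs
    from clients.conf) is what 'No of bad authenticators' counts."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    expected = response_authenticator(code, ident, packet[20:length], request_auth, secret)
    return packet[4:20] == expected

def run_exchange(username, password, nas_secret=SECRET, server_secret=SECRET,
                 users=USERS, rng=os.urandom):
    """Drive one authentication; returns 'accept', 'reject' or 'bad authenticator'."""
    # 1. Supplicant sends EAP-Response/Identity; NAS wraps it in Access-Request
    #    (ID 1) with User-Name, EAP-Message and a fresh Request Authenticator.
    eap_id = 1
    identity = eap_packet(EAP_RESPONSE, eap_id, EAP_TYPE_IDENTITY, username)
    req_auth = rng(16)
    access_req = radius_packet(ACCESS_REQUEST, 1, req_auth, radius_attrs(
        [(ATTR_USER_NAME, username), (ATTR_EAP_MESSAGE, identity)]))
    # 2. Server replies Access-Challenge carrying EAP-Request/MD5-Challenge
    #    (type-data = value-size byte, then the challenge value).
    user = radius_attr(access_req, ATTR_USER_NAME)
    challenge, eap_id = rng(16), eap_id + 1
    chal = eap_packet(EAP_REQUEST, eap_id, EAP_TYPE_MD5, bytes([len(challenge)]) + challenge)
    chal_attrs = radius_attrs([(ATTR_EAP_MESSAGE, chal)])
    chal_auth = response_authenticator(ACCESS_CHALLENGE, 1, chal_attrs, req_auth, server_secret)
    if not nas_verify_reply(radius_packet(ACCESS_CHALLENGE, 1, chal_auth, chal_attrs),
                            req_auth, nas_secret):
        return "bad authenticator"
    # 3. Supplicant hashes the challenge with its password; NAS relays it in a
    #    second Access-Request (ID 2) under a new Request Authenticator.
    resp = eap_md5_response(eap_id, password, challenge)
    req_auth = rng(16)
    # 4. Server recomputes from the stored password and answers Access-Accept
    #    or Access-Reject with EAP-Success / EAP-Failure inside.
    ok = user in users and resp == eap_md5_response(eap_id, users[user], challenge)
    code, eap_code = (ACCESS_ACCEPT, EAP_SUCCESS) if ok else (ACCESS_REJECT, EAP_FAILURE)
    fin_attrs = radius_attrs([(ATTR_EAP_MESSAGE, struct.pack("!BBH", eap_code, eap_id, 4))])
    fin_auth = response_authenticator(code, 2, fin_attrs, req_auth, server_secret)
    if not nas_verify_reply(radius_packet(code, 2, fin_auth, fin_attrs), req_auth, nas_secret):
        return "bad authenticator"
    return "accept" if ok else "reject"

def offline_guess(ident, challenge, response, wordlist):
    """Why EAP-MD5 is lab-only: whoever captures challenge and response can test
    password guesses offline with no further interaction with the server."""
    for guess in wordlist:
        if eap_md5_response(ident, guess, challenge) == response:
            return guess
    return None
```

Calling run_exchange(b"iS5comm", b"iss123") returns "accept", a wrong password or unknown user returns "reject", and giving the NAS the table's default key iS5ComRADIUS while the server keeps IS5ComRadius returns "bad authenticator", which is the condition behind a non-zero "No of bad authenticators" counter in show radius statistics. The model omits the Message-Authenticator attribute that RFC 3579 requires on EAP-carrying RADIUS packets; it demonstrates the Response Authenticator only.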