Ruijie Community

Title: How to configure 802.1x authentication on Reyee wifi6 AP?

Author: zhangqiao@ruiji    Time: 2024-8-7 11:32

1. Introduction to 802.1X

802.1X authentication is an interface-based (port-based) method of network access control: the LAN access device decides, at the level of the individual interface a user device is connected to, whether that device may reach network resources. Compared to traditional access methods, it offers the following advantages:

2. 802.1X Architecture


802.1X Architecture
The wireless 802.1X authentication system follows a typical client/server structure with three roles: the authentication client (supplicant), the access device (authenticator), and the authentication server. All three roles must take part at the same time to complete access control to the wireless network and the authentication and authorization of wireless clients.

Supplicant: the end user device that requests access to network resources, usually a wireless STA. The supplicant submits the information used for authentication to the authenticator and responds to the authenticator's requests.

Authenticator: a NAS that manages the supplicants' authentication status and network connection status. In this solution the authenticator is the AP.

Authentication server: provides the authentication service for users and is usually a RADIUS server. It stores legitimate user information and the users' authorization information, and checks whether a user is legitimate by verifying the account and password submitted by the supplicant.

3. RAP Wireless 1X Authentication Configuration

Configuring 1X Authentication

802.1X parameter: Value
802.1X STA service VLAN: VLAN 100
802.1X STA DHCP pool range: 192.168.100.0/24
SSID name: RAP_Staff_1X

RADIUS authentication parameters
RADIUS authentication group: radius_1
RADIUS server IP address: 192.168.1.81
Authentication port: 1812
Accounting port: 1813
Authentication shared key: ruijie123.
AD domain: ruijie007.com
Authentication account: Username: XXX, Password: XXX (when the STA connects, the username must include the domain, for example ruijie@ruijie007.com)
  
Log in to Eweb and click Network > SSID to enter the SSID Configuration page.


Change the authentication method of the current SSID to 802.1X (Enterprise), or click “Add Wi-Fi” to add a new Wi-Fi and select 802.1X (Enterprise) as the encryption method.


Click the “Edit” button next to the Server Group input box to enter the RADIUS server configuration page.


Click “Add Server Group” to configure the RADIUS server.
Server Group Parameters

Parameter: Description
Server group name: Name of the RADIUS server group.
Server IP: IP address of the RADIUS server.
Server name: Name of the RADIUS server.
Auth Port: Port on which the RADIUS server performs user authentication (1812 in this example).
Accounting Port: Port on which the RADIUS server performs user accounting (1813 in this example).
Shared Password: Shared key of the RADIUS server. It must be the same key the RADIUS server has configured for this client; the server uses it to verify requests from the AP and the AP uses it to verify the server's replies.
Match Order: The system supports up to five RADIUS servers. A larger value indicates a higher priority.



Click “Save” and return to the SSID configuration page to select the server group.




Enable Global 1X Authentication

After configuring 1X authentication for the SSID, you also need to enable global 1X authentication before users can authenticate. If this switch is not enabled, users cannot complete authentication even though the SSID is configured with 1X authentication. If you need to temporarily block client authentication, you do not have to delete the Wi-Fi with 1X encryption; simply turn this switch off, and turn it back on when users should be able to use 1X authentication again.

Wireless User Connection Testing





2.2 Configuring Server Detection
When the server detection function is configured, the Master device periodically probes the RADIUS server. If the server does not respond within the user-configured period, it is considered unresponsive.



In the configuration shown in the figure, the server detection period is set to 1 minute and the number of detection attempts to 5. The Master therefore probes the server every minute; if the server has still not responded after 5 attempts, it is deemed unresponsive at that point.
2.3 Configuring Escape WiFi
When the user has configured the Escape WiFi and the configured server is detected as unresponsive, an escape WiFi network covering both 2.4G and 5G frequencies will be created for temporary user access. Once the server is back online, this escape WiFi will be deleted. Users who connect through escape WiFi will need to reconnect to the 802.1X authenticated WiFi and go through the identity authentication process again.



Note:
The server detection function must be enabled to use this feature.
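To make the timing of sections 2.2 and 2.3 concrete, the following Python model (added here for illustration; it is not Reyee firmware or Ruijie code) replays a constructed probe history through the detection and escape Wi-Fi rules described above. It assumes, because the post does not say so explicitly, that the attempt counter covers consecutive probes and that any successful probe resets it; the escape SSID name is a placeholder.

```python
"""Added example (not Ruijie code): model of Reyee server detection and
escape Wi-Fi as described in the post. Assumed, not stated by the post:
failures are counted consecutively and any successful probe resets them.
The escape SSID name is a placeholder."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class EscapeWifiController:
    period_s: int = 60        # server detection period: 1 minute in the post's figure
    attempts: int = 5         # server detection attempts: 5 in the post's figure
    consecutive_failures: int = 0
    server_responsive: bool = True
    escape_wifi: Optional[dict] = None            # one network, both bands, when active
    log: List[str] = field(default_factory=list)

    def probe_result(self, responded: bool) -> None:
        """Feed the outcome of one periodic probe sent by the Master."""
        if responded:
            self.consecutive_failures = 0         # assumption: any success resets the count
            if not self.server_responsive:
                self.server_responsive = True
                self.log.append("server back online")
                self.delete_escape_wifi()
            return
        self.consecutive_failures += 1
        if self.server_responsive and self.consecutive_failures >= self.attempts:
            self.server_responsive = False
            self.log.append(f"server unresponsive after {self.attempts} failed probes")
            self.create_escape_wifi()

    def create_escape_wifi(self) -> None:
        # The post: an escape network covering both 2.4G and 5G is created.
        self.escape_wifi = {"ssid": "Escape_WiFi", "bands": ["2.4G", "5G"]}  # placeholder name
        self.log.append("escape wifi created")

    def delete_escape_wifi(self) -> None:
        # The post: once the server is back, the escape network is deleted and
        # its users must rejoin the 802.1X SSID and authenticate again.
        self.escape_wifi = None
        self.log.append("escape wifi deleted; its clients must re-authenticate on the 802.1X SSID")

    def worst_case_outage_s(self) -> int:
        """Longest gap before escape Wi-Fi appears: the server may fail right after
        a good probe, and `attempts` further probes, `period_s` apart, must time out."""
        return self.period_s * self.attempts


def simulate(results: List[bool], period_s: int = 60, attempts: int = 5
             ) -> Tuple[EscapeWifiController, List[Tuple[bool, bool]]]:
    """Run a constructed probe history; return the controller and, after each
    probe, the pair (server_responsive, escape_wifi_active)."""
    ctl = EscapeWifiController(period_s=period_s, attempts=attempts)
    states = []
    for responded in results:
        ctl.probe_result(responded)
        states.append((ctl.server_responsive, ctl.escape_wifi is not None))
    return ctl, states


if __name__ == "__main__":
    ctl, states = simulate([False] * 5 + [True])  # constructed: 5 misses, then recovery
    print(states)
    print("\n".join(ctl.log))
    print("worst case without 802.1X service:", ctl.worst_case_outage_s(), "s")
```

With the figure's settings the last function returns 300 s: clients can be without any working SSID for up to five minutes before the escape network appears, which is the trade-off to weigh when shortening the period or lowering the attempt count.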
2.4 Configuring Proxy Server
Because 802.1X is a distributed service, the RADIUS server must have the IP address of every device that sends it requests configured as a client. When the RADIUS server sits in a Layer 2 network with the APs, the server needs an entry for each AP's IP address, which is cumbersome to configure, especially in large-scale deployments. A server proxy function was therefore added; it is currently supported on the EG3XXX series devices.
When an EG3XXX series device that supports the server proxy function is present in the network, you can enable the server proxy. Once enabled, that device acts as a RADIUS proxy server: all other devices in the network send their RADIUS packets to the proxy, which forwards them to the actual RADIUS server. The RADIUS server then only needs the egress IP of the proxy device configured as a client, which simplifies the configuration.
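The reason the RADIUS server needs every AP's address, and the reason the shared key in the server group table matters, is how RADIUS authenticates its two ends. The following Python script is an added example (not Ruijie code and not the AP's implementation) of that exchange: the AP, as NAS, wraps the STA's EAP identity in an Access-Request protected by a Message-Authenticator computed with the shared key; the server looks up the request's source IP in its client table and drops requests from unknown addresses, which is exactly what the proxy collapses to a single entry; and the AP verifies the Response Authenticator of the Access-Accept or Access-Reject with the same key. The shared key `ruijie123.` and the `ruijie@ruijie007.com` username format come from the post; the AP and proxy addresses and the user list are constructed for the demo.

```python
"""Added example (not Ruijie code): the RADIUS exchange between a Reyee AP, as
NAS, and the RADIUS server. The shared key and username format come from the
post; NAS addresses and the user table are constructed for the demo."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, NAS_IP_ADDRESS, EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 1, 4, 79, 80
SHARED_SECRET = b"ruijie123."  # "Authentication Shared Key" from the post

# Constructed client table: the server answers only NAS addresses it knows,
# each with its secret. With the EG proxy, only the proxy egress IP is needed.
RADIUS_CLIENTS = {
    "192.168.1.10": SHARED_SECRET,  # assumed AP address
    "192.168.1.1": SHARED_SECRET,   # assumed EG proxy egress address
}

def encode_attrs(attrs):
    """(type, value) pairs -> RADIUS TLVs: type(1) length(1) value."""
    out = b""
    for t, v in attrs:
        if len(v) > 253:
            raise ValueError("attribute value too long")
        out += struct.pack("!BB", t, len(v) + 2) + v
    return out

def decode_attrs(blob):
    """TLVs -> (type, value) list; truncated or zero-length attributes are rejected."""
    attrs, i = [], 0
    while i < len(blob):
        if i + 2 > len(blob):
            raise ValueError("truncated attribute header")
        t, length = struct.unpack("!BB", blob[i:i + 2])
        if length < 2 or i + length > len(blob):
            raise ValueError("malformed attribute")
        attrs.append((t, blob[i + 2:i + length]))
        i += length
    return attrs

def build_access_request(ident, username, nas_ip, eap, secret, authenticator=None):
    """NAS side. Message-Authenticator (mandatory with EAP-Message, RFC 3579) is
    HMAC-MD5 keyed with the shared secret over the packet with that value zeroed."""
    authenticator = authenticator or os.urandom(16)
    body = encode_attrs([
        (USER_NAME, username.encode()),
        (NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))),
        (EAP_MESSAGE, eap),
        (MESSAGE_AUTHENTICATOR, b"\x00" * 16),  # placeholder, last 16 bytes of packet
    ])
    packet = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + authenticator + body
    return packet[:-16] + hmac.new(secret, packet, hashlib.md5).digest()

def verify_message_authenticator(packet, secret):
    """Server side: recompute the HMAC with the Message-Authenticator zeroed."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    try:
        attrs = decode_attrs(packet[20:])
    except ValueError:
        return False
    offset = 20
    for t, v in attrs:
        if t == MESSAGE_AUTHENTICATOR:
            zeroed = packet[:offset + 2] + b"\x00" * 16 + packet[offset + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return len(v) == 16 and hmac.compare_digest(expected, v)
        offset += 2 + len(v)
    return False  # an EAP-carrying request without it is rejected

def build_response(code, request, secret, attrs=()):
    """Server side. Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attrs+Secret)."""
    body = encode_attrs(list(attrs))
    header = struct.pack("!BBH", code, request[1], 20 + len(body))
    return header + hashlib.md5(header + request[4:20] + body + secret).digest() + body

def verify_response(response, request, secret):
    """NAS side: a reply forged without the key, or for a different request, fails."""
    if len(response) < 20 or response[1] != request[1]:
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])

def server_handle(packet, src_ip, valid_users):
    """Server side: unknown NAS or bad Message-Authenticator -> silently drop (None).
    Only the EAP Identity step is modelled; a real server continues the EAP dialog."""
    secret = RADIUS_CLIENTS.get(src_ip)
    if secret is None or not verify_message_authenticator(packet, secret):
        return None
    user = dict(decode_attrs(packet[20:])).get(USER_NAME, b"").decode(errors="replace")
    return build_response(ACCESS_ACCEPT if user in valid_users else ACCESS_REJECT, packet, secret)

def demo(src_ip="192.168.1.10", user="ruijie@ruijie007.com"):
    """One round trip: the STA's EAP-Response/Identity, relayed by the AP."""
    identity = user.encode()
    eap = struct.pack("!BBHB", 2, 1, 5 + len(identity), 1) + identity  # code 2, id 1, type 1
    request = build_access_request(7, user, src_ip, eap, SHARED_SECRET)
    return request, server_handle(request, src_ip, {"ruijie@ruijie007.com"})

if __name__ == "__main__":
    req, resp = demo()
    names = {ACCESS_ACCEPT: "Access-Accept", ACCESS_REJECT: "Access-Reject"}
    print("server said:", names.get(resp and resp[0], "dropped"))
    print("reply authentic under shared key:", bool(resp) and verify_response(resp, req, SHARED_SECRET))
```

Two points carry over to the real deployment: a request from an address missing from the client table is dropped without any reply, so an AP whose IP the server does not know simply looks like a timed-out server to the STA; and the shared key is the only thing that lets the AP distinguish a genuine Access-Accept from one injected on the path, so it deserves the same handling as any other credential.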





Usage Restrictions
3.1 Supported EAP Authentication Methods
Only the MD5 and PEAP EAP authentication methods are supported. Of the two, PEAP is the one to deploy: it carries the credential exchange inside a TLS tunnel whose server certificate the supplicant can validate, whereas EAP-MD5 is a bare challenge/response that gives the client no way to authenticate the server.
3.2 SON Compatibility Restrictions
For software versions R220 and above:
A newly added wireless device that does not support 802.1X will not broadcast Wi-Fi signals.
For software versions below R220:
The encryption method is automatically downgraded to WPA2-PSK, and the password is set to “IEEEdot1x” followed by the last six characters of the device's MAC address (1X does not require a password to be configured, and letting the unsupported device run the SSID in OPEN mode would pose a security risk). Because this fallback PSK is derived from the device's MAC address, treat it as a stopgap rather than a credential to rely on: replace the unsupported device or move it out of the group rather than leaving the SSID in the downgraded state.
3.3 Usage Scenario Restrictions
The current wireless 802.1X solution can only be used if all devices within the SON (Self-Organizing Network) support it. Currently, only WiFi6 RAP (Reyee Access Point) devices and EG3XXX series devices are supported. If a device that does not support 802.1X is added to the SON, this feature will not function properly. For example, in a pure AP environment (only RAP devices present) where 802.1X has already been configured, adding an EG2XX series device (which does not support 1X authentication) will stop the 802.1X feature from working as intended.




As the error message in the figure indicates, the 802.1X authentication feature on the RAP can only be enabled when all devices within the SON (Self-Organizing Network) support 802.1X authentication. If any device in the SON does not support 802.1X, the feature will not be operational.
Solution

To move unsupported devices to a different group, follow these steps:

Click Expand to enter the Group configuration page



Click “+” to add a Group.


After adding a Group, select the device and click “Change Group” to modify the AP's assigned Group.

After selecting the destination Group to which you want to move the AP, follow these final steps to complete the AP Group change:


3.4 AP+NBS Networking

In an AP+NBS (Access Point + Network Bridging Switch) topology where the APs are connected to the NBS's downstream ports, make sure that the NBS ports the APs are connected to do not have authentication enabled; otherwise the AP itself will be unable to access the network normally.








Welcome to Ruijie Community (https://community.ruijienetworks.com/) Powered by Discuz! X3.2