Forgot password?
 Register now

Welcome to use this form to feedback your problems with Ruijie Community

The category of your feedback

Your Feedback

Your Email address (optional):

How to configure 802.1x authentication on Reyee wifi6 AP? Reply

GTAC-Sophia

Level 5

Ruijie Staff

How to configure 802.1x authentication on Reyee wifi6 AP?
915 0 2024-8-7 11:32:27
Original

1. Introduction to 802.1X

802.1X authentication is a method of network access control based on interfaces. “Interface-based network access control” refers to the control of network resource access for connected user devices at the interface level of LAN access devices. Compared to traditional access methods, it offers the following advantages:
  • Enhanced Network Security
    : Traditional wireless network authentication often uses static passwords such as pre-shared keys (PSK), which are susceptible to cracking or leakage, posing security risks. In contrast, 802.1X authentication employs dynamic keys. The authentication server dynamically generates and distributes keys, providing greater security.
  • Identity Awareness
    : Facilitates user identity verification, allowing administrators to identify which users are currently accessing the network.

2. 802.1X Architecture


802.1X Architecture
The wireless 802.1X authentication system follows a typical client/server structure, involving three roles: the authentication client, access device, and authentication server. In the wireless 802.1X authentication protocol, allthree roles must participate simultaneously to complete access control to the wireless network, as well as authentication and authorization for wireless clients.
  • Supplicant

An end user who requests to access network resources. A supplicant is usually a wireless STA. A supplicant needs to submit information used for authentication to an authenticator and respond to requests from the authenticator.
  • Authenticator

A NAS that manages supplicants' authentication status and network connection status. An authenticator is an AP. An authentication server provides the authentication service for users. An authentication server is usually a RADIUS server.
  • Authentication Server

Stores legitimate user information and users' authorization information. It checks whether a useris legitimate by verifying the account and password submitted by a supplicant.

3. RAP Wireless 1X Authentication Configuration

Configuring 1X Authentication
  802.1X parameter
  
  Value
  
  802.1x STA service vlan
  
  VLAN 100
  
  802.1x STA dhcp pool range
  
  192.168.100.0/24
  
  SSID name
  
  RAP_Staff_1X
  
  RADIUS authentication parameters
  
  RADIUS authentication group

radius_1
  RADIUS Server IP Address

192.168.1.81
  Authentication Port:1812
  Accounting Port:1813
  Authentication Shared Key

ruijie123.
  AD domain

ruijie007.com
  
  Authentication Account
  
  Username:XXX
  Password:XXX
  (when STA access, need to add domain info, for  example:ruijie@ruijie007.com)
  
Log in to Eweb by clicking Network> SSID to enter the SSID Configuration page.


Change the authentication method of the current SSID to 802.1X (Enterprise) or click “Add Wi-Fi” to add a new Wi-Fi and select the encryption method as 802.1X (Enterprise).


Click the “Edit” button next to the Server Groupinput box to enter the Radius Server configuration interface.


Click “Add Server Group” to configure the RadiusServer.
Server Group Parameters

  Parameter
  
  Description
  
  Server group name
  
  Name of RADIUS server group
  
  Server IP
  
  IP address of the RADIUS server.
  
  Server name
  
  Name of RADIUS server
  
  Auth Port
  
  The port number for the RADIUS server to perform  user authentication.
  
  Accounting Port
  
  The port number for the RADIUS server to perform  user accounting.
  
  Shared Password
  
  Shared key of the RADIUS server.
  
  Match Order
  
  The system supports up to five RADIUS servers. A  larger value indicates a higher priority
  



Click “Save” and return to the SSID configuration interfaceto select the server group.




Enable Global 1X Authentication

After configuring 1X authentication for the SSID, you need to enable global 1X authentication for users to proceed with 1Xauthentication. If this button is not enabled, users will not be able to complete authentication even if the SSID is configured with 1X authentication. If you need to prevent terminal authentication, you do not need to delete theWi-Fi with 1X encryption. Simply turn off this button. When you want to allow users to use 1X authentication again, turn it on.

Wireless User Connection Testing





2.2 Configuring Server Detection
When users configure the server detection function,the Master will periodically probe the server. If the server does not respond within the user-configured period, it will be considered unresponsive.



In the configuration shown in the diagram, the server detection period is set to 1 minute, and the number of server detection attempts is 5. Therefore, the Master will probe the server every 1 minute. Ifafter 5 attempts, the server still does not respond, it will be deemed unresponsiveat that point.
2.3 Configuring Escape WiFi
When the user has configured the Escape WiFi and the configured server is detected as unresponsive, an escape WiFi network covering both 2.4G and 5G frequencies will be created for temporary user access. Once the server is back online, this escape WiFi will be deleted. Users who connect through escape WiFi will need to reconnect to the 802.1X authenticated WiFi and go through the identity authentication process again.



Note:
The server detection function must be enabled touse this feature.
2.4 Configuring Proxy Server
Since 802.1X functionality is a distributed service, when configuring device parameters on the RADIUS server, it is necessary to add the IP address of each device. If the RADIUS server is set upin a Layer 2 network, the server would need to add the IP address of each AP, which can be cumber some for users to configure, especially in large-scale deployments. Therefore, we have added a server proxy function, which is currently supported on the EG3XXX series devices.
When there is an EG3XXX series device within the network that supports the server proxy function, you can enable the server proxy. Once the server proxy is enabled, that device will act as a RADIUS proxy server. All other devices within the network will send their RADIUS packets to this proxy device, which will then forward them to the actual RADIUS server. In this way, the RADIUS server only needs to add the egress IP of the proxy device, simplifying the configuration process.





Usage Restrictions
3.1 Supported EAP Authentication Methods
Only MD5 and PEAP EAP authentication methods aresupported.
3.2 SON Compatibility Restrictions
For software versions R220 and above:
The newly added wireless device that does notsupport 802.1X will not be able to broadcast WiFi signals.
For software versions below R220:
The encryption method will be automatically downgraded to WPA2-PSK. The password will be set to “IEEEdot1x” followed by thelast six characters of the device’s MAC address (since 1X does not require apassword to be configured, if the unsupported device were to operate in an OPEN mode, it would pose security risks).
3.3 Usage Scenario Restrictions
The current wireless 802.1X solution can only beused if all devices within the SON (Service-Oriented Networking) support it.Currently, only WiFi6 RAP (Reyee Access Point) devices and EG3XXX series devices are supported. If a device that does not support 802.1X is added to the SON, this feature will not function properly. For example, in a scenario where there is a pure AP environment (i.e., only RAP devices are present), and 802.1X functionality has already been configured, adding an EG2XX series device (which does not support 1X authentication) will result in the 802.1X feature notworking as intended.




As indicated in the error message shown in the figure, the 802.1X authentication feature on the RAP can only be enabled whenall devices within the SON (Service-Oriented Networking) support 802.1X authentication. If there is any device in the SON that does not support 802.1X, the feature will not be operational.
Solution

To move unsupported devices to a different group by following steps:

Click Expand to enter the Group configuration page



Click“+” to add a Group


After adding a Group, select the device and click“Change Group to modify AP’s assigned Group,

After selecting the destination Group to which you want to move the AP, follow these final steps to complete the AP Group change:


3.4 AP+NBS Networking

In an AP+NBS (Access Point + Network Bridging Switch)network topology where the APs are connected to the NBS’s downstream ports, itis important to ensure that the ports on the NBS that the APs are connected todo not have authentication enabled. otherwise the AP will not be able to accessthe network normally.



RG-RAP6202(G)

Configuration Wireless
There are no replies.
Related Posts
Product Model

Share this topic to

Cancel

This site contains user submitted content, comments and opinions and is for informational purposes only. Ruijie may provide or recommend responses as a possible solution based on the information provided; every potential issue may involve several factors not detailed in the conversations captured in an electronic forum and Ruijie can therefore provide no guarantee as to the efficacy of any proposed solutions on the community forums. Ruijie disclaims any and all liability for the acts, omissions and conduct of any third parties in connection with or related to your use of the site. All postings and use of the content on this site are subject to the Ruijie Community Terms of Use.

More ways to get help: Visit Support Videos, call us via Service Hotline, Facebook or Live Chat.

©2000-2023 Ruijie Networks Co,Ltd