1. Introduction to 802.1X
802.1X authentication is a method of interface-based network access control. “Interface-based network access control” refers to controlling access to network resources for connected user devices at the interface level of LAN access devices. Compared with traditional access methods, it offers the following advantages:
- Enhanced Network Security: Traditional wireless network authentication often uses static passwords such as pre-shared keys (PSK), which are susceptible to cracking or leakage and therefore pose a security risk. In contrast, 802.1X authentication uses dynamic keys: the authentication server generates and distributes keys dynamically, providing greater security.
- Identity Awareness: Facilitates user identity verification, allowing administrators to identify which users are currently accessing the network.
2. 802.1X Architecture
The wireless 802.1X authentication system follows a typical client/server structure involving three roles: the supplicant (authentication client), the authenticator (access device), and the authentication server. In the wireless 802.1X authentication protocol, all three roles must participate simultaneously to complete access control to the wireless network, as well as authentication and authorization of wireless clients.
- Supplicant: An end user who requests to access network resources. A supplicant is usually a wireless STA. A supplicant needs to submit the information used for authentication to an authenticator and respond to requests from the authenticator.
- Authenticator: A NAS that manages supplicants' authentication status and network connection status. In this solution the authenticator is an AP.
- Authentication server: Provides the authentication service for users and is usually a RADIUS server. It stores legitimate user information and users' authorization information, and checks whether a user is legitimate by verifying the account and password submitted by the supplicant.
3. RAP Wireless 1X Authentication Configuration
Configuring 1X Authentication
| 802.1X parameter | Value |
|---|---|
| 802.1x STA service VLAN | VLAN 100 |
| 802.1x STA DHCP pool range | 192.168.100.0/24 |
| SSID name | RAP_Staff_1X |
| RADIUS authentication group | radius_1 |
| RADIUS server IP address | 192.168.1.81 |
| Authentication port | 1812 |
| Accounting port | 1813 |
| Authentication shared key | ruijie123. |
| AD domain | ruijie007.com |
| Authentication account | Username: XXX; Password: XXX (when the STA accesses the network, the domain must be appended to the username, for example ruijie@ruijie007.com) |
Log in to Eweb and click Network > SSID to enter the SSID Configuration page.
Change the authentication method of the current SSID to 802.1X (Enterprise), or click “Add Wi-Fi” to add a new Wi-Fi and select 802.1X (Enterprise) as the encryption method.
Click the “Edit” button next to the Server Group input box to enter the Radius Server configuration interface.
Click “Add Server Group” to configure the Radius Server.
Server Group Parameters
| Parameter | Description |
|---|---|
| Server group name | Name of the RADIUS server group. |
| Server IP | IP address of the RADIUS server. |
| Server name | Name of the RADIUS server. |
| Auth Port | Port number on which the RADIUS server performs user authentication. |
| Accounting Port | Port number on which the RADIUS server performs user accounting. |
| Shared Password | Shared key of the RADIUS server. |
| Match Order | The system supports up to five RADIUS servers. A larger value indicates a higher priority. |
Click “Save” and return to the SSID configuration interface to select the server group.
Enable Global 1X Authentication
After configuring 1X authentication for the SSID, you need to enable global 1X authentication before users can proceed with 1X authentication. If this button is not enabled, users will not be able to complete authentication even if the SSID is configured with 1X authentication. If you need to block terminal authentication temporarily, you do not need to delete the Wi-Fi with 1X encryption; simply turn off this button. When you want to allow users to use 1X authentication again, turn it on.
Wireless User Connection Testing
2.2 Configuring Server Detection
When users configure the server detection function, the Master will periodically probe the server. If the server does not respond within the user-configured period, it will be considered unresponsive.
In the configuration shown in the diagram, the server detection period is set to 1 minute and the number of server detection attempts is 5. Therefore, the Master probes the server every minute; if the server still has not responded after 5 attempts, it is deemed unresponsive at that point.
2.3 Configuring Escape WiFi
When the user has configured the Escape WiFi and the configured server is detected as unresponsive, an escape WiFi network covering both 2.4G and 5G frequencies will be created for temporary user access. Once the server is back online, this escape WiFi will be deleted. Users who connect through escape WiFi will need to reconnect to the 802.1X authenticated WiFi and go through the identity authentication process again.
Note:
The server detection function must be enabled to use this feature.
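The detection and escape behaviour described in sections 2.2 and 2.3, as an added example that is not the Master's own code: it counts probe results, declares the server unresponsive on the fifth miss, creates the temporary escape networks on both bands, and deletes them as soon as the server answers again. The real Master probes the RADIUS server over the network; here each probe result is fed in so the logic runs offline. Two assumptions are made: the 5 attempts are consecutive misses (a reply resets the count), and the escape SSID names are constructed placeholders.

```python
# Added example, not the Master's own code: a model of the server-detection
# (2.2) and escape-Wi-Fi (2.3) behaviour.  The real Master probes the RADIUS
# server over the network; here each probe result is fed in so the logic can
# run offline.  Assumptions: the 5 attempts are consecutive misses (a reply
# resets the count), and the escape SSID names are constructed placeholders.
from dataclasses import dataclass, field


@dataclass
class EscapeController:
    probe_period_s: int = 60        # detection period: 1 minute in the guide
    max_attempts: int = 5           # detection attempts before "unresponsive"
    detection_enabled: bool = True  # server detection must be on for escape to work
    escape_enabled: bool = True     # Escape WiFi configured by the user
    failures: int = 0               # consecutive probes without a reply
    server_responsive: bool = True
    last_probe_at: float = 0.0
    escape_ssids: list = field(default_factory=list)
    events: list = field(default_factory=list)

    def probe_due(self, now: float) -> bool:
        """True when the next periodic probe should be sent."""
        return self.detection_enabled and now - self.last_probe_at >= self.probe_period_s

    def record_probe(self, now: float, responded: bool) -> str:
        """Feed one probe result and return the server state after it."""
        if not self.detection_enabled:
            return "detection-off"
        self.last_probe_at = now
        if responded:
            self.failures = 0
            if not self.server_responsive:      # server back online
                self.server_responsive = True
                self._delete_escape()
            return "responsive"
        self.failures += 1
        if self.failures >= self.max_attempts and self.server_responsive:
            self.server_responsive = False      # deemed unresponsive on the 5th miss
            self._create_escape()
        return "responsive" if self.server_responsive else "unresponsive"

    def _create_escape(self) -> None:
        # One temporary access network per band, only if the user configured escape
        if self.escape_enabled and not self.escape_ssids:
            self.escape_ssids = ["escape-2.4G", "escape-5G"]   # constructed names
            self.events.append("escape-created")

    def _delete_escape(self) -> None:
        # Removed once the server answers again; clients must rejoin the 802.1X SSID
        if self.escape_ssids:
            self.escape_ssids = []
            self.events.append("escape-deleted")


def simulate(results, period_s=60, max_attempts=5, **flags):
    """Run a timeline of probe replies (True/False), one per detection period.
    Returns the state after each probe and the escape events raised."""
    ctl = EscapeController(probe_period_s=period_s, max_attempts=max_attempts, **flags)
    states, now = [], 0.0
    for responded in results:
        now += period_s
        if ctl.probe_due(now):
            states.append(ctl.record_probe(now, responded))
    return states, ctl.events


if __name__ == "__main__":
    # 4 misses, a reply, then 5 misses (escape created), then a reply (escape deleted)
    print(simulate([False] * 4 + [True] + [False] * 5 + [True]))
```

Because `record_probe` returns early when detection is disabled, the escape networks can never be created without server detection, which is the dependency the note above states.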
2.4 Configuring Proxy Server
Since 802.1X functionality is a distributed service, when configuring device parameters on the RADIUS server it is necessary to add the IP address of each device. If the RADIUS server is set up in a Layer 2 network, the server would need to add the IP address of every AP, which is cumbersome to configure, especially in large-scale deployments. Therefore, a server proxy function has been added, which is currently supported on the EG3XXX series devices.
When there is an EG3XXX series device within the network that supports the server proxy function, you can enable the server proxy. Once the server proxy is enabled, that device acts as a RADIUS proxy server: all other devices within the network send their RADIUS packets to this proxy device, which forwards them to the actual RADIUS server. In this way, the RADIUS server only needs to add the egress IP of the proxy device, simplifying the configuration process.
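The shared key and authentication port from the configuration tables above, and the NAS-registration problem this proxy removes, shown in working code. This is an added example, not code from the Ruijie guide or its products: it builds the RADIUS Access-Request an authenticator sends when it relays an EAP exchange, and shows the server-side check that only succeeds when the sending NAS is registered with the correct shared key. Packet layout follows RFC 2865 and the Message-Authenticator attribute follows RFC 3579. The addresses (192.168.1.200 as the proxy egress, 192.168.1.10 as an AP) and the secret are constructed placeholders; a real server looks up the client by the UDP source address, and here the NAS-IP-Address attribute stands in for that address so the example runs offline.

```python
# Added example (not code from the Ruijie guide): how a RADIUS server decides
# whether an Access-Request carrying EAP came from a NAS it knows and that
# holds the right shared key.  Packet layout follows RFC 2865; the
# Message-Authenticator is HMAC-MD5 over the packet keyed with the shared
# secret (RFC 3579).  A real server identifies the client by the UDP source
# address; here the NAS-IP-Address attribute stands in for it.
import hashlib
import hmac
import ipaddress
import os
import struct

ACCESS_REQUEST = 1          # RADIUS code, sent to the authentication port (1812)
USER_NAME = 1               # attribute types (RFC 2865 / RFC 2869)
NAS_IP_ADDRESS = 4
EAP_MESSAGE = 79
MESSAGE_AUTHENTICATOR = 80
EAP_RESPONSE = 2
EAP_TYPE_IDENTITY = 1


def attr(atype: int, value: bytes) -> bytes:
    """Encode one RADIUS attribute as Type(1) Length(1) Value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return bytes([atype, len(value) + 2]) + value


def eap_identity_response(identity: str, eap_id: int = 1) -> bytes:
    """EAP-Response/Identity carrying the username with its domain appended."""
    body = identity.encode()
    return struct.pack("!BBH", EAP_RESPONSE, eap_id, 5 + len(body)) + bytes([EAP_TYPE_IDENTITY]) + body


def build_access_request(identifier: int, username: str, nas_ip: str,
                         eap_payload: bytes, secret: bytes) -> bytes:
    """Build the Access-Request an authenticator (an AP, or the proxy) sends."""
    def body(mac: bytes) -> bytes:
        return (attr(USER_NAME, username.encode())
                + attr(NAS_IP_ADDRESS, ipaddress.IPv4Address(nas_ip).packed)
                + attr(EAP_MESSAGE, eap_payload)
                + attr(MESSAGE_AUTHENTICATOR, mac))

    length = 20 + len(body(bytes(16)))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, length) + os.urandom(16)
    # The HMAC is computed with the Message-Authenticator value set to 16 zero bytes
    mac = hmac.new(secret, header + body(bytes(16)), hashlib.md5).digest()
    return header + body(mac)


def parse_attrs(data: bytes) -> list:
    """Split the attribute area into (type, value) pairs; reject malformed TLVs."""
    out, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        atype, alen = data[i], data[i + 1]
        if alen < 2 or i + alen > len(data):
            raise ValueError("bad attribute length")
        out.append((atype, data[i + 2:i + alen]))
        i += alen
    return out


def verify_access_request(packet: bytes, clients: dict) -> bool:
    """Server-side check.  `clients` maps registered NAS IP -> shared secret;
    without a proxy this table needs one entry per AP."""
    if len(packet) < 20:
        return False
    code, _identifier, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet):
        return False
    try:
        attrs = parse_attrs(packet[20:])
    except ValueError:
        return False
    nas = [v for t, v in attrs if t == NAS_IP_ADDRESS]
    macs = [v for t, v in attrs if t == MESSAGE_AUTHENTICATOR]
    if len(nas) != 1 or len(nas[0]) != 4 or len(macs) != 1 or len(macs[0]) != 16:
        return False
    secret = clients.get(str(ipaddress.IPv4Address(nas[0])))
    if secret is None:
        return False  # unregistered NAS: a RADIUS server silently discards the request
    zeroed = b"".join(attr(t, bytes(16) if t == MESSAGE_AUTHENTICATOR else v) for t, v in attrs)
    expected = hmac.new(secret, packet[:20] + zeroed, hashlib.md5).digest()
    return hmac.compare_digest(expected, macs[0])


if __name__ == "__main__":
    # Constructed values: the proxy egress IP, the AP IP and the secret are placeholders.
    secret = b"example-shared-key"
    registered = {"192.168.1.200": secret}      # only the proxy's egress IP is registered
    eap = eap_identity_response("ruijie@ruijie007.com")
    via_proxy = build_access_request(7, "ruijie@ruijie007.com", "192.168.1.200", eap, secret)
    ap_direct = build_access_request(8, "ruijie@ruijie007.com", "192.168.1.10", eap, secret)
    print("via proxy:", verify_access_request(via_proxy, registered))   # True
    print("AP direct:", verify_access_request(ap_direct, registered))   # False
```

The last two lines show the configuration point of the section: with the proxy registered, every AP behind it authenticates users through one server entry, whereas an AP that sends directly from an unregistered address is dropped even though it holds the correct key. The same check also rejects a request whose shared key does not match or whose contents were altered in transit.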
Usage Restrictions
3.1 Supported EAP Authentication Methods
Only the MD5 and PEAP EAP authentication methods are supported.
3.2 SON Compatibility Restrictions
- For software versions R220 and above: a newly added wireless device that does not support 802.1X will not be able to broadcast WiFi signals.
- For software versions below R220: the encryption method will be automatically downgraded to WPA2-PSK. The password will be set to “IEEEdot1x” followed by the last six characters of the device’s MAC address (since 1X does not require a password to be configured, if the unsupported device were to operate in OPEN mode, it would pose a security risk).
3.3 Usage Scenario Restrictions
The current wireless 802.1X solution can only be used if all devices within the SON (Service-Oriented Networking) support it. Currently, only WiFi6 RAP (Reyee Access Point) devices and EG3XXX series devices are supported. If a device that does not support 802.1X is added to the SON, this feature will not function properly. For example, in a pure AP environment (i.e., only RAP devices are present) where 802.1X functionality has already been configured, adding an EG2XX series device (which does not support 1X authentication) will result in the 802.1X feature not working as intended.
As indicated in the error message shown in the figure, the 802.1X authentication feature on the RAP can only be enabled when all devices within the SON (Service-Oriented Networking) support 802.1X authentication. If any device in the SON does not support 802.1X, the feature will not be operational.
Solution
Move unsupported devices to a different group by following these steps:
Click “Expand” to enter the Group configuration page.
Click “+” to add a Group.
After adding a Group, select the device and click “Change Group” to modify the AP’s assigned Group.
After selecting the destination Group to which you want to move the AP, follow these final steps to complete the AP Group change:
3.4 AP+NBS Networking
In an AP+NBS (Access Point + Network Bridging Switch) network topology where the APs are connected to the NBS’s downstream ports, it is important to ensure that the NBS ports the APs are connected to do not have authentication enabled; otherwise the AP will not be able to access the network normally.