
Implement dot1x on Extreme Switch


Anonymous
Not applicable
Hello, I am new to Extreme switches and am trying to build port-based authentication with FreeRADIUS.
I need your confirmation, please, about my steps for configuring the Extreme switch as the authenticator.

This is my lab schematic.
This is my switch config, which I need your confirmation for (is it correct?):
create vlan purgatory
configure netlogin vlan purgatory
enable netlogin dot1x
enable netlogin ports 1 dot1x
configure netlogin ports 1 mode port-based-vlans
configure netlogin ports 1 restart
configure vlan A ipaddress 192.168.1.1/24
configure radius netlogin primary server 192.168.1.2 1812 client-ip 192.168.1.1 vr "VR-Default"
configure radius netlogin primary shared-secret ilovesecret
enable radius netlogin

On the RADIUS side (MD5 authentication) I created a client:
client switch {
ipv4add = 192.168.1.1
secret = ilovesecret
}

On my Kali side I just enabled port-based authentication from the network settings, but I am not sure whether that is enough.

When I send a request with radclient, my Kali is not authenticated on the switch. Am I missing something in my config?

I hope I have detailed my lab and config well. I will be waiting for your answers, please. Thanks.
4 REPLIES

Matthew_Hum
Contributor
I'd check the FreeRadius output. Try running freeradius in debug mode (-X) and capturing the request coming through and seeing if an access-reject is being sent or not. If you don't even see the request then check your firewall or selinux settings. If you see the request then it should give you an idea on why there is a problem or if you have a problem with the supplicant/backend. If freeradius sends an access-accept then you likely have a network problem.
You won't run radclient from your connecting client/laptop. The RADIUS client in this case is the switch, and radclient acts like a switch trying to authenticate a user.

Anonymous
Not applicable
Hi Matthew, thanks for your feedback.

With the same radclient command, I can say no, I don't have any output on the server side; the only output I have is on the switch: the Kali MAC address is not authenticated.
But I can get an Access-Accept on radclient (from Kali) when I disable netlogin on the switch, and I can see logs on RADIUS.

Is there no tool to send a request from the supplicant (Kali VM)?

So what I understand from you is that radclient plays the authenticator role, so how should I use it in my scenario?

radclient user pass secret serverip ?
And launch it from where?

Also, does this switch ("ExtremeXOS version 30.2.1.8") support multi-host (multi-supplicant)?
Thank you

When you disable netlogin on the switch, it allows traffic through, which is why the RADIUS message generated by radclient can get through. The end system is not the RADIUS client. You should not be using radclient on your end system. RADIUS is not a protocol used by an end client. It is used by the authenticator (in this case the switch) to verify the end client to a backend service. Hence radclient should not be used on the end system.

Please review how 802.1X and RADIUS work. https://www.networkworld.com/article/2216499/wireless-what-is-802-1x.html

Anonymous
Not applicable
Hi Matthew,

It was only a misunderstanding of the tool on my part; I know very well how port-based authentication works (supplicant-authenticator-RADIUS).

I think the problem in my case could be that I need to find a way to trigger a request from the virtual Kali over the physical NIC of the HP server.
But I don't know how to do that, or even whether my thought is correct.

Actually, what I was missing was using wpa_supplicant to configure Kali as a supplicant; I can also use it to trigger an authentication request (https://help.ubuntu.com/community/Network802.1xAuthentication)
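
Added example, not written by any poster in this thread: the supplicant setup the thread ends on, plus the separate radclient check of the RADIUS server that the replies distinguish from it. The interface name eth0, the config path and the testuser/testpass account are assumed lab values; EAP-MD5 matches the lab above but does not authenticate the server to the client, so keep it to lab use.

```shell
#!/bin/sh
# Added example, not from the thread. eth0, the file path and the
# testuser/testpass credentials are constructed lab values.

# Write a wpa_supplicant config for wired 802.1X with EAP-MD5.
# $1 = output file, $2 = identity, $3 = password
write_wired_conf() {
    # A double quote would end the quoted string in the config early.
    case "$2$3" in
        *'"'*) echo "identity/password must not contain a double quote" >&2
               return 2 ;;
    esac
    # The file holds a cleartext password: create it empty, lock it down,
    # then fill it.
    : > "$1" && chmod 600 "$1" || return 1
    cat > "$1" <<EOF
ctrl_interface=/var/run/wpa_supplicant
# Wired link: there is no scanning or AP selection to do.
ap_scan=0
network={
    key_mgmt=IEEE8021X
    eap=MD5
    identity="$2"
    password="$3"
    eapol_flags=0
}
EOF
}

# Run the supplicant in the foreground with debug output so the EAPOL
# exchange with the switch port is visible. $1 = interface, $2 = config
start_supplicant() {
    wpa_supplicant -D wired -i "$1" -c "$2" -d
}

# Check the RADIUS server on its own, playing the authenticator's role
# (a plain User-Password request, not EAP). Run it from a host that has a
# client entry on the server, not from the supplicant behind the port.
# $1 = user, $2 = password, $3 = server[:port], $4 = shared secret
radius_selftest() {
    echo "User-Name=$1,User-Password=$2" | radclient -x "$3" auth "$4"
}

# Usage on the supplicant (as root):
#   write_wired_conf /etc/wpa_supplicant/wired.conf testuser testpass
#   start_supplicant eth0 /etc/wpa_supplicant/wired.conf
```

If freeradius -X shows no request while the supplicant is running, the EAPOL frames are not reaching the switch port or the switch is not relaying them to the server.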
