Training

Configuring CDRouter for 802.1x Authentication on the WAN

8 min read

CDRouter includes support for configurations involving 802.1X authentication on the WAN. 802.1X is typically used by service providers to authenticate a client or device and open a port on an 802.1X enabled DSLAM or switch for CPE traffic. CPE devices that support 802.1X on the WAN must include 802.1X supplicant functionality in addition to common IPv4 and IPv6 WAN connectivity options such as DHCP and PPPoE.

About IEEE 802.1x

IEEE 802.1X defines

… a mechanism for Port-based network access control that makes use of the physical access characteristics of IEEE 802 LAN infrastructures in order to provide a means of authenticating and authorizing devices attached to a LAN port that has point-to-point connection characteristics, and of preventing access to that port in cases in which the authentication and authorization process fails.

802.1X utilizes the Extensible Authentication Protocol (EAP) defined in RFC 3748. Although 802.1X and EAP are primarily used for authentication of clients (both wired and 802.11 wireless) on a LAN, they can also be used as an authentication mechanism for subscribers and CPE devices wishing to access a broadband network.

Networks utilizing 802.1X authentication on the WAN require 802.1X capable DSLAMs or managed Ethernet switches which act as a gatekeeper. These devices disable traffic on a port until the CPE connected to that port is successfully authenticated. Once authenticated, the associated port on the DSLAM or switch is enabled, allowing the CPE or client access to the network and additional network resources.

It is important to note that 802.1X provides only an authentication mechanism on the WAN. It is not a WAN connection protocol like DHCP, PPPoE, L2TP, etc. As a result, 802.1X authentication must occur and be successful before a CPE obtains IPv4/IPv6 connectivity to the broadband network and establishes a primary WAN connection via DHCP, PPPoE, etc.

802.1X Authentication

802.1X authentication involves three primary components: the authenticator, the authentication server, and the supplicant. These components are defined in IEEE 802.1X as follows:

  • Authenticator: An entity at one end of a point-to-point LAN segment that facilitates authentication of the entity attached to the other end of that link.

  • Authentication server: An entity that provides an authentication service to an authenticator. This service determines, from the credentials provided by the supplicant, whether the supplicant is authorized to access the services provided by the authenticator.

NOTE - The authentication server function can be colocated with an authenticator, or it can be accessed remotely via a network to which the authenticator has access. A common access method is RADIUS.

  • Supplicant: An entity at one end of a point-to-point LAN segment that is being authenticated by an authenticator attached to the other end of that link.

NOTE: Although the definitions above specifically reference the LAN, they are also applicable in 802.1X configurations on the WAN. The basic 802.1X authentication flow looks like this:

8021X

The authenticator, authentication server, and supplicant each perform specific functions that are required for successful 802.1X authentication. The supplicant is essentially the client. The authenticator acts as an intermediary between the supplicant and the authentication server; the supplicant and authentication server communicate directly with the authenticator. The authenticator translates the supplicant’s EAP information into RADIUS packets and forwards them to the authentication server. The authenticator also performs the reverse operation, translating RADIUS packets from the authentication server into EAP packets and forwarding them to the supplicant.

If the supplicant and authentication server agree on an EAP type and successfully complete 802.1X authentication, the authenticator will place the supplicant’s port in the authorized state, thus allowing the supplicant access to additional resources on the broadband network.

An overview of this process is also provided in Section 6.2 of IEEE 802.1X.

6.2 Port access entity

The Port Access Entity (PAE) operates the Algorithms and Protocols associated with the authentication mechanisms defined in Clause 8 for a given Port of the System.

In the Supplicant role, the PAE is responsible for responding to requests from an Authenticator for information that will establish its credentials. The PAE that performs the Supplicant role in an authentication exchange is known as the Supplicant PAE.

In the Authenticator role, the PAE is responsible for communication with the Supplicant, and for submitting the information received from the Supplicant to a suitable Authentication Server in order for the credentials to be checked and for the consequent authorization state to be determined. The PAE that performs the Authenticator role in an authentication exchange is known as the Authenticator PAE.

The Authenticator PAE controls the authorized/unauthorized state of its controlled Port (see 6.3) depending on the outcome of the authentication process.

Test Setup

There are several different ways to set up these tests using CDRouter, depending on the needs of your device under test. CDRouter can act as both the 802.1X Authenticator and Authentication server. However, if the network setup you use has its 802.1X Authenticator built into the access node or switch, this function can be disabled in CDRouter by setting the wanAuthenticator test var to “no”. Here are some examples:

A DSL WAN gateway with the DSLAM acting as the 802.1X Authenticator.

8021X_DSL

Note that 802.1X has no impact on the physical test setup or connections. Logically however, the test setup is quite different. When 802.1X is enabled on the CPE, traffic will not be forwarded by the DSLAM until the CPE has been authenticated by a RADIUS authentication server. As a result, the DSLAM performs the role of the authenticator, as described above, and must be properly configured for 802.1X.

An Ethernet WAN gateway with an Ethernet switch acting as the 802.1X Authenticator.

8021X_Switch

In this setup an 802.1X enabled Ethernet switch must be included. The switch, like the DSLAM in the first test setup, acts as the 802.1X authenticator and must be configured accordingly. Specifically, the switch or DSLAM must know the IP address of the RADIUS authentication server and its secret. This implies that the DSLAM or switch is configured with an unused IP address on the same network as CDRouter’s WAN interface.

For example, if CDRouter’s wanIspIp is 192.168.200.1, the DSLAM or switch could be configured with the IP address 192.168.200.88 (which is normally unused by CDRouter). The DSLAM should also be configured to use CDRouter’s wanIspIp (192.168.200.1) as its default gateway for forwarding all RADIUS and other “outbound” traffic.

Any gateway with CDRouter acting as both the Authenticator and Authentication Server

8021X_CDR

In this case, all test traffic will be sent to CDRouter, which will handle the communication between its Authenticator and Authentication Server internally for the purpose of facilitating the tests.

Basic Configuration of CDRouter’s RADIUS Server

To support 802.1X authentication on the WAN, CDRouter’s WAN RADIUS server must be enabled and the EAP identities used by the supplicant (the CPE) must be properly configured. To enable CDRouter’s WAN RADIUS server, the testvar wanRadiusEnable must be set to yes, and the testvars wanRadiusIp and wanRadiusSecret must be configured.

testvar wanRadiusEnable       yes
testvar wanRadiusIp           3.3.3.44
testvar wanRadiusSecret       qacafe123

NOTE: The 802.1X authenticator (the DSLAM or Ethernet switch in the test setups shown above) must be configured with the correct IP address and secret of CDRouter’s WAN RADIUS server.

CDRouter’s WAN RADIUS server can also be configured to provide specific RADIUS attributes using the testvars wanRadiusServerAttrType and wanRadiusServerData.

testvar wanRadiusServerAttrType1  200
testvar wanRadiusServerAttrData1  04040404
testvar wanRadiusServerAttrType2  201
testvar wanRadiusServerAttrData2  0404040504040406

The EAP type used by CDRouter’s WAN RADIUS server must also be configured using the testvar wanEapType.

CDRouter’s WAN RADIUS server currently supports three different EAP types: EAP-MD5, EAP-TLS, and EAP-TTLS. EAP-MD5 requires only the supplicant’s EAP identity and password, whereas both EAP-TLS and EAP-TTLS require certificate information.

testvar wanEapType        eap-md5

If CDRouter’s WAN RADIUS server is configured for EAP types of EAP-TLS or EAP-TTLS, the server certificate, server certificate password, root CA, and EAP fragment size must also be configured. By default, CDRouter’s WAN RADIUS server uses the self-signed server certificate server.pem and root CA root.pem which are installed in the /usr/share/doc/cdrouter directory. The password for the server.pem certificate is qacafe123 and the default EAP fragment size used by the RADIUS server is 1024 bytes.

testvar wanEapRootCert            /usr/share/doc/cdrouter/root.pem
testvar wanEapServerCertPath      /usr/share/doc/cdrouter/server.pem
testvar wanEapServerCertPassword  qacafe123
testvar wanEapFragmentSize        1024

Configuration of EAP Identities

As mentioned above, CDRouter’s WAN RADIUS server must be configured with the appropriate EAP identity used by the CPE’s 802.1X supplicant. If the EAP identity used by the CPE does not match one of the identities configured within CDRouter, 802.1X authentication will fail.

When EAP-MD5 is used, only the supplicant’s EAP identity and password are required for authentication. The EAP identity and password can be configured within CDRouter’s WAN RADIUS server using the testvars wanEapIdentity1 and wanEapPassword1. Note that up to 20 unique EAP identities can be configured; this is required for Multiport setups involving multiple physical WAN connections (each WAN interface could be configured with its own EAP identity). CDRouter’s WAN RADIUS server can be configured to accept any password provided by the CPE’s 802.1X supplicant by setting wanEapPassword to a value of *.

testvar wanEapIdentity1            user1
testvar wanEapPassword1            qacafe123

OR ignore the supplicant’s password

testvar wanEapIdentity1            user1
testvar wanEapPassword1            *

Note that many CPE will simply use their MAC address as the EAP identity.

# -- Example EAP Identity using MAC address
testvar wanEapIdentity1            00:11:22:33:44:55
testvar wanEapPassword1            *

When EAP-TLS or EAP-TTLS are used, additional certificate information is required. Specifically, the CPE’s 802.1X supplicant must have the correct root CA installed to validate CDRouter’s WAN RADIUS server certificate. Likewise, CDRouter’s WAN RADIUS root CA must be capable of validating the certificate used by the 802.1X supplicant. As mentioned previously, the server and root CA certificates used by CDRouter’s WAN RADIUS server can be configured using the testvars wanEapServerCertPath and wanEapRootCert, respectively.

Note that CDRouter also includes 20 self-signed client certificates that can be validated by the default WAN RADIUS server root CA. These client certificates are available in the /usr/share/doc/cdrouter directory and can be installed on the CPE along with the RADIUS server’s default root CA. Installing CDRouter’s provided client and root CA certificates allow for full validation of both the supplicant certificate on the RADIUS server side and the RADIUS server certificate on the supplicant side.

Get articles like this in your inbox: