
Introduction to 802.1x for enterprise network
Mukhammad Andri Setiawan, PhD
andri.setiawan@uii.ac.id
andri@idnic.net

Presented at IDNIC workshop, 27-28 November 2018


(part of the 1st Annual Member Meeting, IDNIC)
Manhattan Hotel, JAKARTA, INDONESIA

VALUES INNOVATION PERFECTION


https://s.id/intro8021x



Hello, I’m Andri Setiawan
• Training & Community, IDNIC
• CIO, Universitas Islam Indonesia
• Lecturer, Informatics Department, Universitas Islam Indonesia
• Administrator, eduroam Indonesia, a free WiFi roaming
service for research and education, available in 101 countries,
with more than 12,000 institutions providing the eduroam WiFi
• “Gerilyawan” (guerrilla), Indonesia Research Education Network
(IdREN)
• Instructor Trainer, CISCO Networking Academy (Netacad)
INDONESIA
• Websites:
• https://andrisetiawan.com
• https://ideas.andrisetiawan.com
Disclaimer:
This workshop is ONLY an INTRODUCTION, i.e. to give you the big concept or
rough idea of how 802.1x works. You can’t simply copy and paste and have your
network 802.1x ready. However, we strive to explain how the 802.1x protocol works as
much as possible. Some technical jargon will be explained, some won’t. Some
configurations will be explained, some won’t. Further reading and lots of
experiments are needed.
Agenda

• Introduction to 802.1x protocol

• Why 802.1x

• Study case of 802.1x in WiFi network

• Study case of 802.1x in Windows Domain environment (wired network)



802.1x – what is it?
• IEEE 802.1X is the standard for port-based network access control (PNAC)

• It is a mechanism by which devices connecting to a local area
network are authenticated before the port carries any other traffic

• 802.1x carries the Extensible Authentication Protocol (EAP, an IETF
protocol) over the LAN as EAPoL frames between the client and the
switch/WLC; the switch/WLC relays the EAP conversation to a RADIUS
server, which gives a generic network sign-on to access network resources
Parties involved

• a supplicant (the client device, e.g. a laptop or smartphone),

• an authenticator (the switch or WLC/AP that controls the port), and

• an authentication server (RADIUS, e.g. freeRADIUS or Windows NPS)



EAPOL handshakes
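The handshake slide above is a diagram that did not survive extraction. As an added example (not part of the original slides), the following Python builds and parses the first three EAPOL frames of any 802.1X session: EAPOL-Start from the supplicant, EAP-Request/Identity from the authenticator, and EAP-Response/Identity back; the EAP method (PEAP, TTLS, TLS) then follows inside further EAP-Packet frames. The MAC addresses and the identity string are constructed placeholders. Note that the Identity response crosses the wire in cleartext, before any TLS tunnel exists, which is why PEAP/TTLS clients should send an anonymous outer identity (the realm part is still needed so eduroam can route the request).

```python
"""Frame-level view of the start of an 802.1X session (added example, not
from the slides). MAC addresses and the identity are constructed values."""
import struct

ETHERTYPE_EAPOL = 0x888E
PAE_GROUP_ADDR = bytes.fromhex("0180c2000003")  # IEEE 802.1X PAE group address

# EAPOL packet types (IEEE 802.1X)
EAPOL_EAP_PACKET, EAPOL_START, EAPOL_LOGOFF, EAPOL_KEY = 0, 1, 2, 3
# EAP codes (RFC 3748 section 4)
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
# EAP method types mentioned in this deck
EAP_TYPE_NAMES = {1: "Identity", 13: "EAP-TLS", 21: "EAP-TTLS", 25: "PEAP", 26: "EAP-MSCHAPv2"}


def eapol_frame(src, eapol_type, body=b"", dst=PAE_GROUP_ADDR):
    """Ethernet header + EAPOL header (protocol version 2) + body."""
    eth = dst + src + struct.pack("!H", ETHERTYPE_EAPOL)
    return eth + struct.pack("!BBH", 2, eapol_type, len(body)) + body


def eap_packet(code, identifier, eap_type=None, data=b""):
    """EAP packet: Code, Identifier, Length (whole packet), then Type + Type-Data
    for Request/Response; Success/Failure carry no Type."""
    payload = b"" if eap_type is None else bytes([eap_type]) + data
    return struct.pack("!BBH", code, identifier, 4 + len(payload)) + payload


def parse_frame(frame):
    """Decode one EAPOL frame; raise ValueError on anything inconsistent."""
    if len(frame) < 18:
        raise ValueError("frame too short")
    dst, src = frame[:6], frame[6:12]
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_EAPOL:
        raise ValueError("not an EAPOL frame")
    version, eapol_type, length = struct.unpack("!BBH", frame[14:18])
    body = frame[18:18 + length]
    if len(body) != length:
        raise ValueError("truncated EAPOL body")
    out = {"dst": dst.hex(":"), "src": src.hex(":"), "version": version, "eapol_type": eapol_type}
    if eapol_type == EAPOL_EAP_PACKET:
        if length < 4:
            raise ValueError("EAP header too short")
        code, identifier, eap_len = struct.unpack("!BBH", body[:4])
        if eap_len != length:  # EAP Length must cover exactly the EAPOL body
            raise ValueError("EAP length mismatch")
        out.update(code=code, identifier=identifier)
        if code in (EAP_REQUEST, EAP_RESPONSE):
            if length < 5:
                raise ValueError("missing EAP Type")
            out["type"] = EAP_TYPE_NAMES.get(body[4], body[4])
            out["data"] = body[5:]
    return out


def identity_exchange(supplicant_mac, authenticator_mac, outer_identity):
    """The three frames that open every 802.1X session, in order:
    1. EAPOL-Start            supplicant -> PAE group address (wakes the port up)
    2. EAP-Request/Identity   authenticator -> supplicant, Identifier 1
    3. EAP-Response/Identity  supplicant -> PAE group address, same Identifier,
       carrying the OUTER identity in cleartext (no TLS yet): for PEAP/TTLS
       send e.g. anonymous@realm and keep the real username for the tunnel."""
    start = eapol_frame(supplicant_mac, EAPOL_START)
    request = eapol_frame(authenticator_mac, EAPOL_EAP_PACKET,
                          eap_packet(EAP_REQUEST, 1, 1), dst=supplicant_mac)
    response = eapol_frame(supplicant_mac, EAPOL_EAP_PACKET,
                           eap_packet(EAP_RESPONSE, 1, 1, outer_identity.encode()))
    return [start, request, response]


if __name__ == "__main__":
    sup, auth = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")  # constructed MACs
    for frame in identity_exchange(sup, auth, "anonymous@uii.ac.id"):
        print(parse_frame(frame))
```

The parser insists that the EAP Length equals the EAPOL body length and rejects truncated frames; sloppy length handling in EAP parsers is a classic source of bugs on both authenticator and supplicant side, so the check is worth keeping in anything that touches these frames.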



Why 802.1x



Business Case 1: 802.1x in WiFi


Business case 1: 802.1x in WiFi Network

• You must be already familiar with this
• Yes, the notorious captive portal


Why Captive Portal is not good
• Unsecured network, it’s OPEN (no link-layer encryption, anyone nearby can read the traffic)
• Problematic (often the portal does not show up)
• You will have all of your users in one big pool (one VLAN)
• Association before Authentication
• You receive an IP address first, then authenticate yourself using the captive
portal
• Prone to MAC spoofing (the portal only “remembers” an authenticated MAC address)


802.1x in WiFi
• Users must authenticate before they get onto the network: the AP/WLC
associates the client but keeps its port blocked until EAP succeeds
• That means, NO IP address before authentication
• It’s a SET and FORGET system: the supplicant stores the profile and
reconnects without any portal
• Trust me, your users will love it, a lot!!!
• Some vendors allow Single SSID multiple VLAN (the RADIUS server returns
the VLAN per user)
• especially those enterprise grade vendors e.g. Cisco, Aruba, Ruckus,
etc.


802.1x in action


802.1x in Wi-Fi, the scenario
• We broadcast an SSID called eduroam
• This SSID will be a single SSID but with multiple VLAN
• Users will be distinguished by their directory’s group (we are
using Active Directory), each group will represent a single VLAN
• We assume Active Directory has been set up



802.1x in Wi-Fi, the topology



The topology explained
• All APs are within the same VLAN
• The beauty of CAPWAP (the centralised AP-to-WLC protocol) is that it
tunnels the clients’ VLANs inside the AP VLAN, much like Q-in-Q (IEEE
802.1ad); the client VLANs are only tagged on the WLC’s uplink trunk
• WLC connects to the NAT router over a trunk port
• You can refer to: Router on a stick concept
• freeRADIUS uses Active Directory as the backend
• I will show the example of accessing AD with both the AD protocol
(ntlm_auth via Samba) and the LDAP protocol, but for different purposes:
authentication and VLAN allocation


The implementation
• Client uses smartphone (can be Android or iPhone)
• Cisco WLC 5500 series, Cisco Aironet Access Points
• freeRADIUS 3.0
• Active Directory (Windows Server 2012)
• NAT Router – Mikrotik CCR



Settings in WLC
• Setup SSID eduroam
• Set Authentication Security
• Set dynamic VLAN allocation



SSID eduroam

WLC Interfaces (dynamic VLAN)


RADIUS authentication (IP + secret)



freeRADIUS settings
• Assumptions:
• freeRADIUS 3 is installed on a Linux machine
• there is connectivity between freeRADIUS and Active Directory
• Steps involved:
• Join the freeRADIUS machine to AD with Samba (winbind), so that ntlm_auth
can talk to a domain controller
• Setup clients.conf on the RADIUS machine (to allow communication between WLC and
RADIUS)
• Enable these modules:
• eap
• ntlm_auth – authenticate users
• ldap – look up group membership for dynamic VLAN
• Tag the VLAN with the (standard, RFC 2868) Tunnel-* attributes in post-auth


freeRADIUS + AD
• Details: https://wiki.freeradius.org/guide/freeradius-active-directory-integration-howto

// JOIN DOMAIN (Samba / winbind)
# net join -U Administrator

// TEST AUTH
// We will use this command in the ntlm_auth module of freeRADIUS
# ntlm_auth --request-nt-key --domain=XYZDOM --username=example_user


freeRADIUS, first thing first
• To let the WLC talk to freeRADIUS (the WLC is a RADIUS “client”, i.e. a NAS), we need:
• IP address of our WLC
• Secret i.e. the shared password (use a long random one: it is the only thing
protecting RADIUS traffic between WLC and server)

// /etc/freeradius/clients.conf
client wlc {
    ipaddr = 10.x.x.x
    secret = myRADIUS
}


freeRADIUS configuration
• Types of EAP authentication method
• EAP-TLS, EAP-TTLS, EAP-MD5, EAP-IKEv2, EAP-FAST, EAP-SIM
• Types of EAP encapsulation
• EAP-PEAP: like EAP-TTLS it builds a TLS tunnel (server certificate only,
no client certificate needed) and runs an inner authentication inside it,
in our case MSCHAPv2; it was pushed by Microsoft, Cisco and RSA, hence it
is an encapsulation, not simply an authentication method
• In our case, we will use EAP-PEAP (with MSCHAPv2 inside)


Authentication: Enable EAP-PEAP
• To enable such authentication (as per previous slides), we need to
enable a few modules
• In freeRADIUS 3, they are under /etc/freeradius/mods-enabled
• In our case:
• /etc/freeradius/mods-enabled/eap – and enable PEAP (FYI: the inner
MSCHAPv2 of PEAP needs the NT hash of the password, which AD supplies via
ntlm_auth; if your backend is a plain LDAP directory that only stores hashed
passwords, MSCHAPv2 cannot work and you use EAP-TTLS with PAP instead)

eap {
    default_eap_type = peap
    # the tls and peap sub-sections of this same file hold the server
    # certificate and the inner method; keep the rest of the file as shipped
}
Authentication: Enable MSCHAPv2
• Available at /etc/freeradius/mods-enabled/mschap
• ntlm_auth hands the MSCHAPv2 challenge/response to AD through winbind;
--require-membership-of additionally limits who may authenticate at all
• The ntlm_auth value must be ONE line in the config file (wrapped here only for the slide)

mschap {
    ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --domain=%{%{mschap:NT-Domain}:-myDOMAIN} --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00} --require-membership-of='myDOMAIN\\eduroam'"
}


Authorization: inner-tunnel
• Once our users are successfully authenticated, we need to authorize them
to our network
• /etc/freeradius/sites-enabled/inner-tunnel (the virtual server that
handles the MSCHAPv2 exchange inside the PEAP tunnel)

authorize {
    mschap          # sets Auth-Type = MS-CHAP when MS-CHAP attributes are present
}
authenticate {
    ntlm_auth
    Auth-Type MS-CHAP {
        mschap      # runs the ntlm_auth command configured in mods-enabled/mschap
    }
    eap
}


Authorization: LDAP module
• We use LDAP to assign the VLAN of each group, so we need to make sure that the ldap module is
enabled
• /etc/freeradius/mods-enabled/ldap

ldap {
    server = '10.254.254.101'
    port = 389
    # bind account: use a dedicated read-only account rather than Administrator,
    # and remember that a simple bind on port 389 without StartTLS sends this
    # password in the clear
    identity = 'CN=Administrator,CN=Users,DC=uii,DC=ac,DC=id'
    password = thisIsAVeryLongPasswordDoNotForgetIt
    base_dn = 'OU=Accounts,DC=uii,DC=ac,DC=id'
    user {
        base_dn = "${..base_dn}"
        filter = "(samaccountname=%{%{Stripped-User-Name}:-%{User-Name}})"
    }
}


Pre / Post Auth
• In freeRADIUS, depending on your company policies, what happens to a
user after authentication can be arranged, e.g. different groups are put
on different networks


Authorization: post-auth (inner-tunnel)
• Staff of the rectorate get VLAN 400; members of the alumni group are
rejected even though their password was correct
• Note: for Tunnel-* attributes set inside inner-tunnel to reach the WLC,
the peap section of mods-enabled/eap needs use_tunneled_reply = yes
(freeRADIUS 3.0)

post-auth {
    ## STAFF-REKTORAT
    if (Ldap-Group == "CN=STAFF-REKTORAT,OU=Group,OU=Accounts,DC=uii,DC=ac,DC=id") {
        update reply {
            Tunnel-Type = VLAN
            Tunnel-Medium-Type = IEEE-802
            Tunnel-Private-Group-Id = 400
        }
    }
    ## reject user from group alumni
    if (Ldap-Group == "CN=ALUMNI,OU=Group,OU=Accounts,DC=uii,DC=ac,DC=id") {
        update reply {
            Reply-Message = "reject user from group ALUMNI"
        }
        reject
    }
}
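The same post-auth decision, as an added Python example (not part of the slides or of freeRADIUS): the group DNs and the VLAN number are taken from the policy above, while the encoder/decoder for the three RFC 2868 Tunnel-* attributes is this example's own. It shows what the WLC (or, in Case 2 below, the Catalyst receiving NPS's attribute settings) actually parses: Tunnel-Type = VLAN (13), Tunnel-Medium-Type = IEEE-802 (6) and Tunnel-Private-Group-Id carrying the VLAN id as a string, each prefixed by a tag byte that must agree across the three.

```python
"""Dynamic VLAN assignment as RADIUS sees it (added example, not from the
slides). Group DNs and VLAN 400 come from the post-auth policy above; the
RFC 2868 attribute encoding/decoding is this example's own."""
import struct

# RADIUS attribute types used for dynamic VLAN (RFC 2868) plus Reply-Message (RFC 2865)
ATTR_REPLY_MESSAGE = 18
ATTR_TUNNEL_TYPE, ATTR_TUNNEL_MEDIUM_TYPE, ATTR_TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN = 13        # "VLAN" in the freeRADIUS dictionary
TUNNEL_MEDIUM_IEEE_802 = 6   # "IEEE-802"

# The policy from post-auth: which LDAP group gets which VLAN, and who is refused
VLAN_BY_GROUP = {"CN=STAFF-REKTORAT,OU=Group,OU=Accounts,DC=uii,DC=ac,DC=id": 400}
REJECT_GROUPS = {"CN=ALUMNI,OU=Group,OU=Accounts,DC=uii,DC=ac,DC=id"}


def decide(ldap_groups):
    """Mirror the post-auth section: a reject wins over any VLAN assignment
    (in the slide the ALUMNI check runs last and calls reject)."""
    if REJECT_GROUPS & set(ldap_groups):
        return ("reject", "reject user from group ALUMNI")
    for group in ldap_groups:
        if group in VLAN_BY_GROUP:
            return ("accept", VLAN_BY_GROUP[group])
    return ("accept", None)  # authenticated, no override: NAS keeps the SSID/port default VLAN


def tagged_int(attr_type, value, tag=0):
    """Tagged integer attribute: Type, Length=6, Tag, 3-byte value."""
    return struct.pack("!BBB", attr_type, 6, tag) + value.to_bytes(3, "big")


def tagged_string(attr_type, text, tag=0):
    """Tagged string attribute: Type, Length, Tag, text (tag 0 = untagged)."""
    data = bytes([tag]) + text.encode()
    return struct.pack("!BB", attr_type, 2 + len(data)) + data


def reply_attributes(ldap_groups, tag=0):
    """Attribute bytes the server would put into its Access-Accept / Access-Reject."""
    status, value = decide(ldap_groups)
    if status == "reject":
        msg = value.encode()
        return status, struct.pack("!BB", ATTR_REPLY_MESSAGE, 2 + len(msg)) + msg
    if value is None:
        return status, b""
    return status, (tagged_int(ATTR_TUNNEL_TYPE, TUNNEL_TYPE_VLAN, tag)
                    + tagged_int(ATTR_TUNNEL_MEDIUM_TYPE, TUNNEL_MEDIUM_IEEE_802, tag)
                    + tagged_string(ATTR_TUNNEL_PRIVATE_GROUP_ID, str(value), tag))


def parse_attributes(blob):
    """Walk the Type/Length/Value list; refuse malformed lengths."""
    out, i = {}, 0
    while i < len(blob):
        if i + 2 > len(blob):
            raise ValueError("truncated attribute header")
        atype, alen = blob[i], blob[i + 1]
        if alen < 2 or i + alen > len(blob):
            raise ValueError("bad attribute length")
        out[atype] = blob[i + 2:i + alen]
        i += alen
    return out


def vlan_from_attributes(attrs):
    """What a NAS does with the reply: the port is moved only when all three
    Tunnel-* attributes are present, agree on the tag and say VLAN / IEEE-802;
    otherwise it stays on the default VLAN (returns None)."""
    try:
        ttype, tmedium, tgroup = (attrs[ATTR_TUNNEL_TYPE], attrs[ATTR_TUNNEL_MEDIUM_TYPE],
                                  attrs[ATTR_TUNNEL_PRIVATE_GROUP_ID])
    except KeyError:
        return None
    if not (ttype[0] == tmedium[0] == tgroup[0]):  # tags must match
        return None
    if int.from_bytes(ttype[1:], "big") != TUNNEL_TYPE_VLAN:
        return None
    if int.from_bytes(tmedium[1:], "big") != TUNNEL_MEDIUM_IEEE_802:
        return None
    vlan = tgroup[1:].decode(errors="replace")
    return int(vlan) if vlan.isdigit() and 1 <= int(vlan) <= 4094 else None


if __name__ == "__main__":
    status, blob = reply_attributes(["CN=STAFF-REKTORAT,OU=Group,OU=Accounts,DC=uii,DC=ac,DC=id"])
    print(status, blob.hex(), vlan_from_attributes(parse_attributes(blob)))
```

A NAS that receives only one or two of the three attributes, or mismatched tags, silently falls back to the default VLAN; when dynamic VLAN "does not work", comparing the debug output of the server against this three-attribute rule is the first check.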


DHCP Allocation (CCR Mikrotik)



Case 1: Recap
• WiFi (and WLC) part:
  • Setup SSID
  • Setup WPA Enterprise (enable 802.1x Authentication)
  • Setup RADIUS as 802.1x security backend
  • Setup VLAN allocation (give VLAN ID number)
• freeRADIUS:
  • Join freeRADIUS machine with AD (using samba)
  • Setup clients.conf (connect RADIUS and WLC)
  • Setup authentication part
  • Setup authorisation part


Business Case 2: 802.1x in wired


Scenario
• The business wants every user to log in to the workstation they are
using with their own credentials
• The environment is a Windows Domain
• Authentication is against Windows Server 2012 with Active
Directory
• However, different groups of people have different roles and
permissions, hence we need to put them on different VLANs
• We are going to use 802.1x; the dynamic VLAN will be delivered
by a Cisco Catalyst 2960X
Assumptions
• A Windows Domain Controller is in use, and all machines have
already joined the Domain
• AD has been set up as the directory backend
• We are going to use Windows NPS (the built-in RADIUS server in
Windows Server 2012)
• One workstation can be used by multiple users who might have
different roles, i.e. different groups in Active Directory


Topology



Setting client in NPS



Attributes Settings



Settings in NPS



Catalyst’s Config
!--- DEFAULT MANAGEMENT ---
vlan <vid-mgmt>
int vlan <vid-mgmt>
 ip address <ip-mgmt> <mask-ip-mgmt>
 no sh
ip default-gateway <ip-gw-mgmt>
interface range GigabitEthernet0/23 - 24
 description TRUNK
 switchport mode trunk
!--- for VLAN definition, we simply use VTP

!--- AAA must be enabled
conf t
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius if-authenticated
aaa accounting dot1x default start-stop group radius
aaa session-id common

!--- LOCAL CONSOLE (so that you can still log in over ssh with a user that exists locally on the switch)
aaa authentication login console local
aaa authorization exec default local
line con 0
 login authentication console

dot1x system-auth-control
radius server <radius-name>
 address ipv4 <ip-radius> auth-port 1812 acct-port 1813
 key 0 <key-secret-radius>
!--- "key 0" means the secret is typed in clear; enable service password-encryption so it is not shown in clear in the running-config

!--- APPLY DOT1X ON PORT on g0/1 to g0/10
conf t
interface range g0/1 - 10
 switchport mode access
 dot1x pae authenticator
 authentication port-control auto
end


So what happens now?
• Whenever a user logs in to the workstation, he/she receives a
specific VLAN according to his/her role
• One workstation might be in one VLAN at one time and in a
different VLAN at another time, depending on who is logged in to the
workstation, i.e. a different group gives a different VLAN


Q&A?



Exercises



What do we need for this workshop
• Virtualization
• Virtualbox, VMWare, qemu, KVM, whatever virtualization you have
• OS: Linux Ubuntu server
• freeRADIUS
• Files (plain text) as our users backend
• Internet connectivity
• We are going to test using EAP-TTLS as the authentication
method and PAP for the Phase 2 (inner) test


Setup freeRADIUS
//install freeRADIUS
# sudo apt install freeradius

// setup compiler
# sudo apt-get install git libssl-dev devscripts pkg-config libnl-3-dev libnl-genl-3-dev

//setup eapol_test (a command-line supplicant that talks RADIUS directly, so EAP can be tested without a real AP or switch)
# git clone --depth 1 --no-single-branch https://github.com/FreeRADIUS/freeradius-server.git
# cd freeradius-server/scripts/travis/
# ./eapol_test-build.sh
# cp ./eapol_test/eapol_test /usr/local/bin/


Setup clients.conf
• We need to allow the clients (NAS devices) that are going to authenticate against
freeRADIUS
• e.g. WLC, switches, etc.
• In this example, localhost; config is at
/etc/freeradius/clients.conf

client localhost {
    ipaddr = 127.0.0.1
    secret = testing123
}
Setup testing user
• For this workshop, we simply create a test file as our
authentication backend (a cleartext password in a file is fine for a lab, never for production)
• File is located at: /etc/freeradius/users
• Add these lines (the reply attribute goes on an indented continuation line)

testing    Cleartext-Password := "password"
           Reply-Message := "Hello, %{User-Name}"


Perform a simple test
• Shutdown the freeradius service
# /etc/init.d/freeradius stop

• Restart freeRADIUS in debug mode (foreground, full trace on the terminal)
# freeradius -XXX

• Open another terminal (shell), we’ll test the very basic
authentication
# radtest testing password localhost 0 testing123


Perform a simple test
# radtest testing password localhost 0 testing123
Sent Access-Request Id 146 from 0.0.0.0:34897 to 127.0.0.1:1812 length 77
User-Name = "testing"
User-Password = "password"
NAS-IP-Address = 172.16.65.243
NAS-Port = 0
Message-Authenticator = 0x00
Cleartext-Password = "password"
Received Access-Accept Id 146 from 127.0.0.1:1812 to 0.0.0.0:0 length 36
Reply-Message = "Hello, testing"
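To see what radtest actually puts on the wire, here is an added example (Python, not part of the slides or of freeRADIUS) that builds the same Access-Request as above with user testing, password password and shared secret testing123: the RFC 2865 User-Password hiding (MD5 of secret and Request Authenticator XORed over the padded password), the RFC 2869 Message-Authenticator (HMAC-MD5 under the secret, which radtest prints as 0x00 before it is filled in), then the matching Access-Accept built the way a server would, and the Response Authenticator check a client performs on it. Nothing is sent; the NAS address 172.16.65.243 and the fixed Request Authenticator in the test are constructed.

```python
"""What radtest puts on the wire (added example, not from the slides or
freeRADIUS). Same inputs as the slide: user "testing", password "password",
shared secret "testing123". NAS address and Request Authenticator are
constructed; nothing is sent to a server."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
A_USER_NAME, A_USER_PASSWORD, A_NAS_IP_ADDRESS, A_NAS_PORT = 1, 2, 4, 5
A_REPLY_MESSAGE, A_MESSAGE_AUTHENTICATOR = 18, 80


def tlv(attr_type, value):
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def hide_password(password, secret, request_authenticator):
    """RFC 2865 5.2: pad the password to a multiple of 16, then XOR each block
    with MD5(secret + previous ciphertext block), seeded with the Request
    Authenticator. The secret is the only key; this is obfuscation, not AEAD."""
    padded = password.encode().ljust(max(16, (len(password) + 15) // 16 * 16), b"\x00")
    out, prev = b"", request_authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], keystream))
        out, prev = out + block, block
    return out


def reveal_password(hidden, secret, request_authenticator):
    """Server side of the same transform (same keystream, chained on ciphertext)."""
    out, prev = b"", request_authenticator
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], keystream))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00").decode(errors="replace")


def build_access_request(user, password, secret, identifier, request_authenticator,
                         nas_ip="172.16.65.243", nas_port=0):
    attrs = (tlv(A_USER_NAME, user.encode())
             + tlv(A_USER_PASSWORD, hide_password(password, secret, request_authenticator))
             + tlv(A_NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))
             + tlv(A_NAS_PORT, struct.pack("!I", nas_port)))
    # RFC 2869 Message-Authenticator: HMAC-MD5 over the whole packet with the
    # attribute's own value set to 16 zero bytes (what radtest shows as 0x00)
    zeroed = attrs + tlv(A_MESSAGE_AUTHENTICATOR, b"\x00" * 16)
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(zeroed)) + request_authenticator
    mac = hmac.new(secret, header + zeroed, hashlib.md5).digest()
    return header + attrs + tlv(A_MESSAGE_AUTHENTICATOR, mac)


def build_access_accept(request, secret, reply_message):
    """Server side: Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    identifier, request_authenticator = request[1], request[4:20]
    attrs = tlv(A_REPLY_MESSAGE, reply_message.encode())
    header = struct.pack("!BBH", ACCESS_ACCEPT, identifier, 20 + len(attrs))
    response_authenticator = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    return header + response_authenticator + attrs


def verify_response(response, request, secret):
    """Client side: a reply is trusted only if its ID matches our request and its
    Response Authenticator recomputes under our secret, so a forged Access-Accept
    or a server configured with a different secret is dropped."""
    if len(response) < 20 or response[1] != request[1]:
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


def parse_attributes(packet):
    out, i = {}, 20
    while i < len(packet):
        if i + 2 > len(packet):
            raise ValueError("truncated attribute header")
        atype, alen = packet[i], packet[i + 1]
        if alen < 2 or i + alen > len(packet):
            raise ValueError("bad attribute length")
        out[atype] = packet[i + 2:i + alen]
        i += alen
    return out


def radtest_round_trip(user, password, secret, reply_message):
    """Whole exchange in one process: client request, server reply, client check."""
    request = build_access_request(user, password, secret, 146, os.urandom(16))
    response = build_access_accept(request, secret, reply_message)
    return verify_response(response, request, secret), parse_attributes(response)[A_REPLY_MESSAGE]


if __name__ == "__main__":
    print(radtest_round_trip("testing", "password", b"testing123", "Hello, testing"))
```

The shared secret is the only key in this exchange and every primitive is MD5-based, so the stock testing123 must be replaced on any real NAS, and RADIUS traffic between WLC/switch and server belongs on a dedicated management VLAN (or inside RadSec). In the EAP cases of this deck the user's password never appears in User-Password at all: it stays inside the TLS tunnel and RADIUS only carries EAP-Message attributes, which is the point of PEAP/TTLS over plain PAP.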



Perform a simple test
Tue Nov 27 07:39:24 2018 : Debug: (1) Received Access-Request Id 216 from 127.0.0.1:40242 to 127.0.0.1:1812 length 77
Tue Nov 27 07:39:24 2018 : Debug: (1)   User-Name = "testing"
Tue Nov 27 07:39:24 2018 : Debug: (1)   User-Password = "password"
Tue Nov 27 07:39:24 2018 : Debug: (1)   NAS-IP-Address = 172.16.65.243
Tue Nov 27 07:39:24 2018 : Debug: (1)   NAS-Port = 0
Tue Nov 27 07:39:24 2018 : Debug: (1)   Message-Authenticator = 0xe3abe9c22b44049e85611db84c727c9f
Tue Nov 27 07:39:24 2018 : Debug: (1) session-state: No State attribute
...


Enable EAP-TTLS
