The basic principle
Normally, there is a network-compatible device on one side that wants to log on to a network. It does not matter whether this is done via WLAN or "cable". As soon as the connection is established, the device either asks for an IP address from the network or logs on directly with a manually assigned (static) IP address.
However, with an active Port Access Entity, or PAE for short, this is not so "straightforward", as the access requirements are changed:
A special port to the network is opened exclusively for a network-compatible device (the "supplicant") if the device can prove its right to exist in the network. The router does not decide this itself but forwards the supplicant's request to a responsible authority. In its function as an "authenticator", the router first clarifies whether the requesting device is allowed to access the network at all:
A supplicant needs permission from the responsible server to enter the network at all, and only if that server agrees will a port be opened for the client, through which it can then use the network for further communication.
In this way, a central location (in this case a RADIUS server) ensures in the first instance that only devices that are also authorized by the administrator have access to a LAN.
Configuration of the 802.1X support
For this configuration step, please update to firmware version 2.06 or higher.
You need the following menu item:
Additional documentation:
- Article: "The RADIUS server", within the Help Center
In this article we explain how to set up a basic RADIUS test server and use it to test the functions of the CS141.
Setting up CS141 for 802.1X
The CS141 uses a machine account to log on to the network as a supplicant. Depending on the network, an encryption method can also be selected to secure communication between all participants.
Note:
Which encryption method you need to use depends largely on your network. This information can be obtained from the administrator responsible for your network.
Guest-level access is already completely sufficient for this.
TLS – certificate-based access without user and password
In fully automated networks, it is also common for the infrastructure systems to authenticate themselves without an additional user name and password having to be entered. The advantage of TLS-based access lies not only in scalability but also in central administration and the reduction of local configuration errors, as the certificate can be exchanged using drag and drop. This makes it possible, for example, to globally block the guest or engineer user and to use 802.1X PAE.
Since 802.1X PAE represents access control to a network, no "default certificate" can exist here; it must be created by the responsible administrator. The TLS file must be created in PEM format and consists of 3 elements. The exact order must be followed, otherwise the certificate will not work as expected:
-----BEGIN RSA PRIVATE KEY-----
[supplicant private key]
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
[supplicant certificate]
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
[supplicant Root certificate]
-----END CERTIFICATE-----
If a supplicant.pem file is available, use drag and drop to place the file into the specified upload box, and click on "Upload". The CS141 will automatically import the file and restart needed services.
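A pre-upload check for the layout described above, as an added example that is not part of the original article or the CS141 firmware: it confirms that the three PEM blocks appear in the required order and that each body decodes to DER. The function names and the sample blocks are assumptions constructed for illustration; the check does not verify that the key matches the certificate or that the chain is valid.

```python
import base64
import re

# Block order the article requires for supplicant.pem.
EXPECTED = ["RSA PRIVATE KEY", "CERTIFICATE", "CERTIFICATE"]
ROLES = ["supplicant private key", "supplicant certificate", "root certificate"]
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END ([A-Z0-9 ]+)-----",
    re.DOTALL,
)

def check_supplicant_pem(text):
    """Return a list of problems; an empty list means the layout is as required."""
    problems = []
    blocks = PEM_BLOCK.findall(text)
    labels = [begin for begin, _, _ in blocks]
    if labels != EXPECTED:
        problems.append(f"block order is {labels}, expected {EXPECTED}")
    for i, (begin, body, end) in enumerate(blocks):
        role = ROLES[i] if i < len(ROLES) else f"extra block {i + 1}"
        if begin != end:
            problems.append(f"{role}: BEGIN {begin} closed by END {end}")
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except ValueError:
            problems.append(f"{role}: body is not valid base64")
            continue
        # Keys and certificates are DER SEQUENCEs, so the first byte is 0x30.
        if not der.startswith(b"\x30"):
            problems.append(f"{role}: decoded data is not a DER SEQUENCE")
    # Text left outside the blocks (e.g. fused onto an END line) is suspect.
    if PEM_BLOCK.sub("", text).strip():
        problems.append("unexpected text outside the PEM blocks")
    return problems

def make_block(label, der=b"\x30\x03\x02\x01\x00"):
    # Constructed placeholder DER, not a real key or certificate.
    body = base64.encodebytes(der).decode().strip()
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"

# Constructed samples: correct order, and certificate placed before the key.
GOOD = make_block("RSA PRIVATE KEY") + make_block("CERTIFICATE") + make_block("CERTIFICATE")
BAD = make_block("CERTIFICATE") + make_block("RSA PRIVATE KEY") + make_block("CERTIFICATE")

if __name__ == "__main__":
    print("good:", check_supplicant_pem(GOOD))
    print("bad: ", check_supplicant_pem(BAD))
```

Run it against the file contents before uploading, for example `check_supplicant_pem(open("supplicant.pem").read())`, and keep the private key file readable only by the administrator who builds it.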
Test PAE functionality
Connect the CS141 to an 802.1X PAE-secured router or switch port. The corresponding RADIUS server should log and allow a login attempt, and the CS141 should be available via LAN.
For a valid certificate, please refer to your local system administrator or IT department.
Note: Follow the official RADIUS configuration manuals
The CS141 manual provides a short guide to setting up a RADIUS server for testing purposes; the setup described in this manual can also be used to test PAE. Configuring a RADIUS server on Linux or Windows for TLS-based access is not included, as this is beyond the scope of this guide. If you need a complete test server, please refer to your local IT department.
Is there a relationship between PAE and RADIUS configuration within the "Users" setup?
There is no relationship between these two settings: 802.1X PAE is an independent function with which you can generally define the device's access to a network. You therefore do not have to grant administrative approval for the CS141 as shown above; it is sufficient that the CS141 is generally authorized to use a port for 802.1X. This makes it possible to configure the device to meet the following requirements:
- General access limitation via RADIUS 802.1X port access.
- Running the CS141 with only locally configured user restrictions.
- Running with RADIUS users only.
- Running generally with RADIUS users only, but using local users if no RADIUS server is available.
Detailed configuration instructions for the RADIUS server can be found in the article "The RADIUS server" in the Help Center.
v.: 2025-07-23 FW 2.16-2.26