802.1X authenticator for Ethernet ports

Using the 802.1X authenticator, devices connected to the Ethernet ports of a LANCOM device can be authenticated using 802.1X. This increases security against unauthorized access to the network via Ethernet cables and ports.

In LANconfig you configure the 802.1X authenticator for Ethernet ports under Interfaces > LAN in the section 802.1x authenticator.

You perform the configuration in the table 802.1x authenticator for ETH ports. Each interface is specified here and indicates the existing Ethernet ports.

Authentication required
Use this control to specify whether 802.1X authentication is required for this port.
Mode
Possible values:
Single host
Just one client can authenticate and then operate on this port. If a further client with its own MAC address is detected on this port, the port is reset to the unauthenticated state.
Multiple hosts
Several clients (with different MAC addresses) can operate on this port. Authentication only needs to be performed once. This mode can be used, for example, if a WLAN access point is operated on a port configured in this way and the payload data is not tunneled to a central controller. In this case, data packets from WLAN clients that have their own MAC addresses would also be seen on the Ethernet port configured in this way.
Multiple authentications
Several clients can each perform their own 802.1X authentication on this port.
MAC-based auth. bypass
This specifies whether a failed attempt to start an 802.1X negotiation should be followed by a check of the client’s MAC address via RADIUS and a subsequent opening of the port. In this case, the MAC address is transmitted as a RADIUS user name and password in the format "aabbccddeeff". It must also be stored in the RADIUS server in this format.
Important: The MAC address is easy to fake and does not protect against malicious attacks.
Note: In the standard configuration, the 802.1X authenticator will try to start an 802.1X negotiation for 90 seconds (3 attempts × 30 seconds) before falling back to the MAC address check. This time can be set for each port by changing the command-line parameters Setup > IEEE802.1X > Ports > Max Req (default: 3 attempts) and Setup > IEEE802.1X > Ports > Supp-Timeout (default: 30 seconds). Alternatively, the mode for MAC Auth Bypass can be set to "Immediate". This mode immediately starts a MAC address check without waiting for a timeout.
Possible values:
No
MAC address authentication is not possible.
Yes
MAC address authentication is possible.
Immediately
Authentication is immediately performed by MAC address.
RADIUS server
Specifies which RADIUS server is used both for 802.1X and for MAC address validation. To do this, reference one of the entries under Interfaces > 802.1X > Radius servers or create a new entry there if necessary.
Note: You configure the format of the MAC address transmitted to the RADIUS server for MAC authentication using the command-line option Setup > LAN > IEEE802.1X > Username-Attribute-Format. The individual bytes of the MAC address are represented here as the variables %a to %f. In the default setting specified here, the bytes of the MAC address are output one after the other. In addition to these variables, any of the characters supported by LCOS can be added. Another commonly used format for the MAC address, "aabbcc-ddeeff" (with "-" as separator), can be configured as follows: "%a%b%c-%d%e%f"
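The following added example (not LANCOM code) renders MAC addresses with a Username-Attribute-Format template and audits a RADIUS user list for entries that will never match what the authenticator sends. It assumes that the default template is "%a%b%c%d%e%f", that hex digits are lowercase as in the examples above, and that only %a to %f are substituted; the function names and the sample data are constructed for illustration.

```python
import re

# Assumed default: the six bytes output one after the other ("aabbccddeeff").
DEFAULT_FORMAT = "%a%b%c%d%e%f"


def mac_bytes(mac):
    """Normalize a MAC written with ':', '-', '.' or no separator to six lowercase hex bytes."""
    digits = re.sub(r"[:.\-\s]", "", mac).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return [digits[i:i + 2] for i in range(0, 12, 2)]


def render_username(mac, fmt=DEFAULT_FORMAT):
    """Replace %a..%f with the MAC bytes; every other character is copied literally."""
    octets = dict(zip("abcdef", mac_bytes(mac)))
    return re.sub(r"%([a-f])", lambda m: octets[m.group(1)], fmt)


def audit_radius_users(inventory, radius_users, fmt=DEFAULT_FORMAT):
    """Compare stored RADIUS user names with the names the authenticator will send.

    Returns (missing, stale): names that must be added to the RADIUS server,
    and stored names that match no inventory device in the configured format.
    The same string is sent as user name and as password, so both must be stored in this form.
    """
    expected = {render_username(mac, fmt) for mac in inventory}
    missing = sorted(expected - set(radius_users))
    stale = sorted(set(radius_users) - expected)
    return missing, stale


if __name__ == "__main__":
    # Constructed sample data: device inventory in mixed notations,
    # and user names as currently stored on the RADIUS server.
    inventory = ["AA:BB:CC:DD:EE:FF", "02-00-5E-10-20-30", "0011.2233.4455"]
    stored = ["aabbccddeeff", "02:00:5e:10:20:30", "001122334455"]

    missing, stale = audit_radius_users(inventory, stored)
    print("add to RADIUS:", missing)
    print("never matches:", stale)
    print("alternative format:", render_username(inventory[0], "%a%b%c-%d%e%f"))
```
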

In the table Authenticator settings per port you set the login information for the local network interfaces.

Interface
Each interface is specified here and indicates the available Ethernet and WLAN interfaces.
Re-authentication required
Here you activate regular re-authentication. If a new authentication starts, the user remains registered during the negotiation.
Re-authentication interval
The default re-authentication interval is 3,600 seconds.
Enable dynamic re-keying
Here you activate the regular generation and transmission of a dynamic WEP key.
Re-keying interval
The default value for the re-keying interval is 900 seconds.

www.lancom-systems.com

LANCOM Systems GmbH | A Rohde & Schwarz Company | Adenauerstr. 20/B2 | 52146 Wuerselen | Germany | E‑Mail info@lancom.de
