AI, ML, Development + Cisco Learning Blog Learning about Machine Learning, Artificial Intelligence, related development topics and formerly Routing and Switching, Datacenter, Security and other topics, CCIE #23664, Frank Wagner

8. August 2006

freeradius for authenticating over EAPOL

Filed under: Security — ocsic @ 10:20

In this configuration I use a 2950 Catalyst switch, and I'm setting up a RADIUS server for testing purposes, just to find out how the two work together. A quick Google search showed that they should work together.

802.1x Authentication

I'm using a SuSE 10.0 distribution. I know there are many other distributions out there, and many of them are better. For me and my purpose it's good enough; of course there are some things that could be better, but I have been using this distribution since 1996 and I'm just too lazy to change to another one. So please don't bother me with "this is better than that" or "that is better than this". In my opinion it does not matter that much which distribution you choose. But to get on with it, I will stick to the topic.

I installed the current freeradius package, named freeradius-1.0.4-4.

So now I can start to configure the RADIUS server. Here is the setup; I added this to /etc/raddb/radiusd.conf:

modules {
    pap {
        encryption_scheme = crypt
    }
    chap {
        authtype = CHAP
    }
    pam {
        pam_auth = radiusd
    }
    unix {
        cache = no
        cache_reload = 600
        radwtmp = ${logdir}/radwtmp
    }
    eap {
        default_eap_type = md5
        timer_expire = 60

        md5 {
        }
        leap {
        }
    }
    mschap {
    }
    files {
        usersfile = ${confdir}/users
        acctusersfile = ${confdir}/acct_users
        compat = no
    }
}

And in the authorize section of /etc/raddb/radiusd.conf you should add "eap" as a module entry:

authorize {
    # the default entries (such as files, which reads the users file) stay in place
    eap
}

That's all for now. You can now add a user who should authenticate.

A line in /etc/raddb/users:

peter User-Password == "passwd"

You can now try to authenticate your client. Just make sure you have set up your switch to proxy the client's requests to the right server. Look here for how to set up your switch to answer these requests.

802.1x authentication using cisco switches

Filed under: Security — ocsic @ 10:18

There are several ways to authenticate a switch port. This can be necessary if you want to make sure the client is the one you want on the LAN. Normally you would say your environment is trustworthy, but maybe you should be more suspicious of your neighbours. Don't trust too easily. Well, this is network security.

802.1x authentication is a client/server based mechanism. So you need a device running IEEE 802.1x-compliant software, so that it can answer the authentication server's requests.

The switch just acts as a proxy. There are several different ways of combining the switch and the client for port and/or VLAN authentication.
Here is the setup for a switch forwarding the client's authentication request on a specific port.

aaa new-model
aaa authentication login default none
aaa authentication dot1x default group radius
dot1x system-auth-control
!
interface FastEthernet0/1
 switchport mode access
 dot1x port-control auto
!
interface FastEthernet0/2
 switchport mode access
 dot1x port-control auto
!
radius-server host
radius-server key PASSWORD
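To make concrete what "the switch acts as a proxy" means: the switch takes the client's EAP Response/Identity from EAPOL, wraps it into a RADIUS Access-Request as an EAP-Message attribute, and protects that request with an HMAC-MD5 Message-Authenticator keyed with the shared secret from radius-server key; the RADIUS server recomputes that HMAC with the secret it has configured for this switch before it even looks at the user. The following is an added example, not code from the original posts: the secret "PASSWORD" and the user "peter" are taken from the configs above, the NAS port and packet identifier are assumed, and the packet is constructed here rather than captured.

```python
import hashlib
import hmac
import os
import struct

# RADIUS (RFC 2865) and EAP-over-RADIUS (RFC 3579) constants
ACCESS_REQUEST = 1
USER_NAME, NAS_PORT, EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 1, 5, 79, 80


def attr(attr_type, value):
    """One RADIUS attribute: Type(1) Length(1) Value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def eap_response_identity(identity, eap_id=1):
    """EAP Response (code 2) of type Identity (1), as the supplicant sends it over EAPOL."""
    data = bytes([1]) + identity.encode()
    return struct.pack("!BBH", 2, eap_id, 4 + len(data)) + data


def build_access_request(secret, identity, nas_port, pkt_id, authenticator=None):
    """What the switch (NAS) sends to the RADIUS server for the first EAPOL exchange."""
    authenticator = authenticator or os.urandom(16)  # Request Authenticator: 16 random bytes
    attrs = attr(USER_NAME, identity.encode())
    attrs += attr(NAS_PORT, struct.pack("!I", nas_port))  # assumed: the dot1x port number
    attrs += attr(EAP_MESSAGE, eap_response_identity(identity))
    # Message-Authenticator is mandatory with EAP-Message; it is set to zeros first ...
    attrs += attr(MESSAGE_AUTHENTICATOR, bytes(16))
    pkt = struct.pack("!BBH", ACCESS_REQUEST, pkt_id, 20 + len(attrs)) + authenticator + attrs
    # ... then the zeros are replaced by HMAC-MD5(shared secret, whole packet)
    return pkt[:-16] + hmac.new(secret, pkt, hashlib.md5).digest()


def verify_message_authenticator(secret, pkt):
    """Server-side check: recompute the HMAC with the secret configured for this NAS."""
    off = 20
    while off + 2 <= len(pkt):
        attr_type, length = pkt[off], pkt[off + 1]
        if length < 2 or off + length > len(pkt):
            return False  # malformed attribute list
        if attr_type == MESSAGE_AUTHENTICATOR and length == 18:
            zeroed = pkt[:off + 2] + bytes(16) + pkt[off + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, pkt[off + 2:off + 18])
        off += length
    return False  # no Message-Authenticator at all: an EAP request must be rejected


if __name__ == "__main__":
    request = build_access_request(b"PASSWORD", "peter", nas_port=1, pkt_id=7)
    print("correct key:", verify_message_authenticator(b"PASSWORD", request))
    print("wrong key:  ", verify_message_authenticator(b"wrongkey", request))
```

A request from a switch whose radius-server key does not match the server's entry, or whose User-Name was altered in transit, fails the check and never reaches the users file lookup.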

