802.1X RADIUS accounting records which devices were authenticated to the 802.1X network and how long each session lasted. The device information, usually the MAC address and the port number, is sent in an Accounting-Request packet to the accounting server when the session begins, and a matching Stop record is sent when it ends. The setup is not complex: in the simplest case (MAC authentication) you need a switch that can act as the authenticator and an authentication server. Full IEEE 802.1X, which authenticates the supplicant itself rather than just its MAC address, is not much more complicated. A brief overview of IEEE 802.1X: it offers port-based authentication, and the RADIUS server behind it can also hand back per-user policy.

May 15, 2016. Save the Configuration Profile; Scripting the Wireless 802.1X EAP-TLS Configuration Profile. At this point you can use the JSS to deploy the configuration profile automatically and hope that AD users are logged in to the Macs; I wanted to control how and when the configuration profile is installed.
EX Series switches support port firewall filters. Port firewall filters are configured on a single EX Series switch, but in order for them to operate throughout an enterprise, they must be configured on multiple switches. To reduce the need to configure the same port firewall filter on multiple switches, you can instead apply the filter centrally on the RADIUS server by using RADIUS server attributes. Terms are applied after a device is successfully authenticated through 802.1X. For more information, read this topic.

Example: Applying a Firewall Filter to 802.1X-Authenticated Supplicants by Using RADIUS Server Attributes on an EX Series Switch

You can use RADIUS server attributes and a port firewall filter to centrally apply terms to multiple supplicants (end devices) connected to an EX Series switch in your enterprise. Terms are applied after a device is successfully authenticated through 802.1X. If the firewall filter configuration is modified after end devices are authenticated using 802.1X authentication, the established 802.1X authentication session must be terminated and re-established for the firewall filter changes to take effect.

EX Series switches support port firewall filters. Port firewall filters are configured on a single EX Series switch, but in order for them to operate throughout an enterprise, they must be configured on multiple switches. To reduce the need to configure the same port firewall filter on multiple switches, you can instead apply the filter centrally on the RADIUS server by using RADIUS server attributes.

The following example uses FreeRADIUS to apply a port firewall filter on a RADIUS server. For information about configuring your server, consult the documentation that was included with your RADIUS server.

This example describes how to configure a port firewall filter with terms, create counters to count packets for the supplicants, apply the filter to user profiles on the RADIUS server, and display the counters to verify the configuration:
Requirements
This example uses the following software and hardware components:

- Junos OS Release 9.3 or later for EX Series switches
- One EX Series switch acting as an authenticator port access entity (PAE). The ports on the authenticator PAE form a control gate that blocks all traffic to and from supplicants until they are authenticated.
- One RADIUS authentication server. The authentication server acts as the backend database and contains credential information for hosts (supplicants) that have permission to connect to the network.

Note: This example also applies to QFX5100 switches.
Before you connect the server to the switch, be sure you have:

- Set up a connection between the switch and the RADIUS server. See Example: Connecting a RADIUS Server for 802.1X to an EX Series Switch.
- Configured 802.1X authentication on the switch, with the supplicant mode for interface ge-0/0/2 set to multiple. See Configuring 802.1X Interface Settings (CLI Procedure) and Example: Setting Up 802.1X for Single-Supplicant or Multiple-Supplicant Configurations on an EX Series Switch.
- Configured users on the RADIUS authentication server (in this example, the user profiles for Supplicant 1 and Supplicant 2 in the topology are modified on the RADIUS server).
Overview and Topology
When the 802.1X configuration on an interface is set to multiple supplicant mode, you can apply a single port firewall filter configured through the Junos OS CLI on the EX Series switch to any number of end devices (supplicants) by adding the filter centrally to the RADIUS server. Only a single filter can be applied to an interface; however, the filter can contain multiple terms for separate end devices.

For more information about firewall filters, see Firewall Filters for EX Series Switches Overview or Overview of Firewall Filters (QFX Series).

RADIUS server attributes are applied to the port where the end device is connected after the device is successfully authenticated using 802.1X. To authenticate an end device, the switch forwards the end device's credentials to the RADIUS server. The RADIUS server matches the credentials against preconfigured information about the supplicant located in the supplicant's user profile on the RADIUS server. If a match is found, the RADIUS server instructs the switch to open an interface to the end device. Traffic then flows from and to the end device on the LAN. Further instructions configured in the port firewall filter and added to the end device's user profile using a RADIUS server attribute further define the access that the end device is granted. Filtering terms configured in the port firewall filter are applied to the port where the end device is connected after 802.1X authentication is complete.

Note: If you modify the port firewall filter after an end device is successfully authenticated using 802.1X, you must terminate and re-establish the 802.1X authentication session for the firewall filter configuration changes to be effective.

Figure 1 shows the topology used for this example. The RADIUS server is connected to an EX4200 switch on access port ge-0/0/10. Two end devices (supplicants) are accessing the LAN on interface ge-0/0/2. Supplicant 1 has the MAC address 00:50:8b:6f:60:3a. Supplicant 2 has the MAC address 00:50:8b:6f:60:3b.

Note: This figure also applies to QFX5100 switches.
Table 1 describes the components in this topology.
Table 1: Components of the Firewall Filter and RADIUS Server Attributes Topology

Property | Settings |
---|---|
Switch hardware | EX4200 access switch, 24 Gigabit Ethernet ports: 16 non-PoE ports and 8 PoE ports. |
One RADIUS server | Backend database with the address 10.0.0.100, connected to the switch at port ge-0/0/10. |
802.1X supplicants connected to the switch on interface ge-0/0/2 | Supplicant 1 (MAC address 00:50:8b:6f:60:3a) and Supplicant 2 (MAC address 00:50:8b:6f:60:3b). |
Port firewall filter to be applied on the RADIUS server | filter1 |
Counters | counter1 counts packets from Supplicant 1, and counter2 counts packets from Supplicant 2. |
Policer | policer p1 |
User profiles on the RADIUS server | The profiles for Supplicant 1 and Supplicant 2 are modified to reference filter1. |
In this example, you configure a port firewall filter named filter1. The filter contains terms that will be applied to the end devices based on the MAC addresses of the end devices. When you configure the filter, you also configure the counters counter1 and counter2. Packets from each end device are counted, which helps you verify that the configuration is working. Policer p1 limits the traffic rate based on the values for discard parameters. Then, you check to see that the RADIUS server attribute is available on the RADIUS server and apply the filter to the user profiles of each end device on the RADIUS server. Finally, you verify the configuration by displaying output for the two counters.
Configuring the Port Firewall Filter and Counters
CLI Quick Configuration
To quickly configure a port firewall filter with terms for Supplicant 1 and Supplicant 2, the policer, and parallel counters for each supplicant, copy the following commands and paste them into the switch terminal window:

set firewall policer p1 if-exceeding bandwidth-limit 1m
set firewall policer p1 if-exceeding burst-size-limit 1k
set firewall policer p1 then discard
set firewall family ethernet-switching filter filter1 term supplicant1 from source-mac-address 00:50:8b:6f:60:3a
set firewall family ethernet-switching filter filter1 term supplicant2 from source-mac-address 00:50:8b:6f:60:3b
set firewall family ethernet-switching filter filter1 term supplicant1 then count counter1
set firewall family ethernet-switching filter filter1 term supplicant2 then count counter2
set firewall family ethernet-switching filter filter1 term supplicant1 then policer p1
set firewall family ethernet-switching filter filter1 term supplicant2 then policer p1
Step-by-Step Procedure
To configure a port firewall filter and counters on the switch:

- Configure a port firewall filter (here, filter1) with terms for each end device based on the MAC address of each end device:

[edit firewall family ethernet-switching]
user@switch# set filter filter1 term supplicant1 from source-mac-address 00:50:8b:6f:60:3a
user@switch# set filter filter1 term supplicant2 from source-mac-address 00:50:8b:6f:60:3b

- Set the policer definition:

[edit firewall]
user@switch# set policer p1 if-exceeding bandwidth-limit 1m
user@switch# set policer p1 if-exceeding burst-size-limit 1k
user@switch# set policer p1 then discard

- Configure a counter for each end device and reference policer p1 from each term:

[edit firewall family ethernet-switching]
user@switch# set filter filter1 term supplicant1 then count counter1
user@switch# set filter filter1 term supplicant2 then count counter2
user@switch# set filter filter1 term supplicant1 then policer p1
user@switch# set filter filter1 term supplicant2 then policer p1
Results
Display the results of the configuration:
Applying the Port Firewall Filter to the Supplicant User Profiles on the RADIUS Server

Step-by-Step Procedure

To verify that the RADIUS server attribute Filter-Id (attribute 11 in RFC 2865; the FreeRADIUS dictionary spells it Filter-Id, not Filter-ID) is on the RADIUS server and to apply the filter to the user profiles:

- Display the dictionary dictionary.rfc2865 on the RADIUS server, and verify that the attribute Filter-Id is in the dictionary:

[root@freeradius]# grep Filter-Id dictionary.rfc2865

- Add Filter-Id = "filter1" to the user profile of each supplicant (Supplicant 1 and Supplicant 2) on the RADIUS server, so that the Access-Accept returned for each device carries the name of the filter the switch should apply. The filter name must match the filter configured on the switch exactly; a mismatch leaves the device authenticated but unfiltered, so verify the counters afterwards.

Meaning

The show dot1x firewall command displays counter1 and counter2. Packets from Supplicant 1 are counted using counter1, and packets from Supplicant 2 are counted using counter2. The output displays packets incrementing for both counters. The filter has been applied to both end devices.
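The two RADIUS messages this page relies on, the Access-Accept that carries Filter-Id back to the switch and the Accounting-Request Start described at the top of the page, can be built and checked on the wire. The following is an added example, not Juniper's or FreeRADIUS's code: it encodes the Access-Accept with Filter-Id = "filter1", verifies the Response Authenticator (RFC 2865) the switch uses to detect a forged or tampered reply, and builds the Accounting-Request Start (RFC 2866) that reports the supplicant's MAC address and port. The shared secret, packet identifiers, session ID and NAS-Port value are constructed for the demo; Supplicant 1's MAC address is the one from the topology.

```python
"""Added example (not from Juniper or FreeRADIUS): RADIUS Access-Accept with
Filter-Id and an Accounting-Request Start, with authenticator checks.
Secret, identifiers and attribute values are constructed for the demo."""
import hashlib
import hmac
import struct

ACCESS_ACCEPT, ACCOUNTING_REQUEST = 2, 4             # packet codes (RFC 2865/2866)
USER_NAME, NAS_PORT, FILTER_ID = 1, 5, 11            # attribute types
CALLING_STATION_ID, ACCT_STATUS_TYPE, ACCT_SESSION_ID = 31, 40, 44
ACCT_START = 1                                       # Acct-Status-Type value


def encode_attrs(attrs):
    """[(type, value)] -> TLV bytes. ints become 4-byte big-endian, str is UTF-8."""
    out = b""
    for atype, value in attrs:
        if isinstance(value, int):
            value = struct.pack("!I", value)
        elif isinstance(value, str):
            value = value.encode()
        if not 1 <= len(value) <= 253:               # RFC 2865: TLV length is 3..255
            raise ValueError("attribute value must be 1..253 bytes")
        out += bytes([atype, len(value) + 2]) + value
    return out


def parse_attrs(blob):
    """TLV bytes -> [(type, raw value)]. Rejects truncated or overlapping TLVs."""
    attrs, i = [], 0
    while i < len(blob):
        if i + 2 > len(blob):
            raise ValueError("truncated attribute header")
        atype, alen = blob[i], blob[i + 1]
        if alen < 2 or i + alen > len(blob):
            raise ValueError("bad attribute length")
        attrs.append((atype, blob[i + 2:i + alen]))
        i += alen
    return attrs


def _assemble(code, ident, authenticator, attrs):
    body = encode_attrs(attrs)
    # Header: Code(1) Identifier(1) Length(2, whole packet) Authenticator(16)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


def _authenticator(packet, seed_auth, secret):
    # MD5(Code + Identifier + Length + seed authenticator + Attributes + Secret)
    return hashlib.md5(packet[:4] + seed_auth + packet[20:] + secret).digest()


def build_access_accept(ident, request_auth, secret, attrs):
    """Response Authenticator is seeded with the Request Authenticator (RFC 2865 s3)."""
    pkt = _assemble(ACCESS_ACCEPT, ident, request_auth, attrs)
    return pkt[:4] + _authenticator(pkt, request_auth, secret) + pkt[20:]


def build_accounting_request(ident, secret, attrs):
    """Accounting Request Authenticator is seeded with 16 zero bytes (RFC 2866 s3)."""
    pkt = _assemble(ACCOUNTING_REQUEST, ident, bytes(16), attrs)
    return pkt[:4] + _authenticator(pkt, bytes(16), secret) + pkt[20:]


def verify(packet, seed_auth, secret):
    """True only if the Length field matches and the authenticator checks out."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    return hmac.compare_digest(packet[4:20], _authenticator(packet, seed_auth, secret))


def get_attr(packet, atype):
    """Raw value of the first attribute of the given type in a packet, or None."""
    for t, v in parse_attrs(packet[20:]):
        if t == atype:
            return v
    return None


if __name__ == "__main__":
    SECRET = b"example-shared-secret"     # constructed for the demo
    req_auth = bytes(range(16))           # in practice copied from the Access-Request
    accept = build_access_accept(7, req_auth, SECRET,
                                 [(USER_NAME, "supplicant1"), (FILTER_ID, "filter1")])
    print("switch applies filter:", get_attr(accept, FILTER_ID).decode())
    print("accept valid:", verify(accept, req_auth, SECRET))
    forged = accept.replace(b"filter1", b"filter9")   # attribute edited in transit
    print("forged accept valid:", verify(forged, req_auth, SECRET))
    acct = build_accounting_request(8, SECRET, [
        (ACCT_STATUS_TYPE, ACCT_START),
        (CALLING_STATION_ID, "00:50:8b:6f:60:3a"),    # Supplicant 1's MAC (topology)
        (NAS_PORT, 2),                                # port index, constructed
        (ACCT_SESSION_ID, "0000000A")])               # constructed session ID
    print("accounting start valid:", verify(acct, bytes(16), SECRET))
```

Filter-Id is the single attribute that decides which filter the switch enforces, and in plain RADIUS it is protected only by an MD5 authenticator keyed with the shared secret; a guessable secret, or one reused across every switch, lets anyone on the path between switch and server rewrite the filter name. Run the block directly to see the accept, the forged accept and the accounting start checked in turn.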
See also

Example: Applying Firewall Filters to Multiple Supplicants on Interfaces Enabled for 802.1X or MAC RADIUS Authentication

On EX Series switches, firewall filters that you apply to interfaces enabled for 802.1X or MAC RADIUS authentication are dynamically combined with the per-user policies sent to the switch from the RADIUS server. The switch uses internal logic to dynamically combine the interface firewall filter with the user policies from the RADIUS server and create an individualized policy for each of the multiple users or nonresponsive hosts that are authenticated on the interface.

This example describes how dynamic firewall filters are created for multiple supplicants on an 802.1X-enabled interface (the same principles shown in this example apply to interfaces enabled for MAC RADIUS authentication):

Requirements

This example uses the following hardware and software components:

- Junos OS Release 9.5 or later for EX Series switches
- One EX Series switch
- One RADIUS authentication server. The authentication server acts as the backend database and contains credential information for hosts (supplicants) that have permission to connect to the network.

Before you apply firewall filters to an interface for use with multiple supplicants, be sure you have:

- Set up a connection between the switch and the RADIUS server. See Example: Connecting a RADIUS Server for 802.1X to an EX Series Switch.
- Configured 802.1X authentication on the switch, with the authentication mode for interface ge-0/0/2 set to multiple. See Configuring 802.1X Interface Settings (CLI Procedure) and Example: Setting Up 802.1X for Single-Supplicant or Multiple-Supplicant Configurations on an EX Series Switch.
- Configured users on the RADIUS authentication server.

Overview and Topology

When the 802.1X configuration on an interface is set to multiple supplicant mode, the system dynamically combines the interface firewall filter with the user policies sent to the switch from the RADIUS server during authentication and creates separate terms for each user. Because there are separate terms for each user authenticated on the interface, you can, as shown in this example, use counters to view the activities of individual users that are authenticated on the same interface.

When a new user (or a nonresponsive host) is authenticated on an interface, the system adds a term to the firewall filter associated with the interface, and the term (policy) for each user is associated with the MAC address of the user. The term for each user is based on the user-specific filters set on the RADIUS server and the filters configured on the interface. For example, as shown in Figure 2 (and again in Figure 4), when User 1 is authenticated by the EX Series switch, the system creates the firewall filter dynamic-filter-example. When User 2 is authenticated, another term is added to the firewall filter, and so on. This is a conceptual model of the internal process; you cannot access or view the dynamic filter.

Note: These figures also apply to QFX5100 switches.

Note: If the firewall filter on the interface is modified after the user (or nonresponsive host) is authenticated, the modifications are not reflected in the dynamic filter unless the user is reauthenticated.

In this example, you configure a firewall filter to count the requests made by each endpoint authenticated on interface ge-0/0/2 to the file server, which is located on subnet 192.0.2.16/28, and set policer definitions to rate-limit the traffic. Figure 3 (and again Figure 5) shows the network topology for this example.

Configuration

To configure firewall filters for multiple supplicants on 802.1X-enabled interfaces:

Configuring Firewall Filters on Interfaces with Multiple Supplicants

CLI Quick Configuration

To quickly configure firewall filters for multiple supplicants on an 802.1X-enabled interface, copy the following commands and paste them into the switch terminal window:

set firewall policer p1 if-exceeding bandwidth-limit 1m
set firewall policer p1 if-exceeding burst-size-limit 1k
set firewall policer p1 then discard
set firewall family ethernet-switching filter filter1 term term1 from ip-destination-address 192.0.2.16/28
set firewall family ethernet-switching filter filter1 term term1 then count counter1
set firewall family ethernet-switching filter filter1 term term2 from ip-destination-address 192.0.2.16/28
set firewall family ethernet-switching filter filter1 term term2 then policer p1

Note: A term that matches a packet and specifies no terminating action accepts the packet and ends filter evaluation, so traffic to 192.0.2.16/28 that matches term1 is counted but never reaches the policer in term2. If you want the same traffic both counted and policed, put count counter1 and policer p1 in one term.

Step-by-Step Procedure

To configure firewall filters on an interface enabled for multiple supplicants:

- Configure interface ge-0/0/2 for multiple supplicant mode authentication:

[edit protocols dot1x]
user@switch# set authenticator interface ge-0/0/2 supplicant multiple

- Set the policer definition:

[edit firewall]
user@switch# set policer p1 if-exceeding bandwidth-limit 1m
user@switch# set policer p1 if-exceeding burst-size-limit 1k
user@switch# set policer p1 then discard

- Configure a firewall filter to count packets from each user and a policer that limits the traffic rate. As each new user is authenticated on the multiple supplicant interface, this filter term will be included in the dynamically created term for the user:

[edit firewall family ethernet-switching]
user@switch# set filter filter1 term term1 from ip-destination-address 192.0.2.16/28
user@switch# set filter filter1 term term1 then count counter1
user@switch# set filter filter1 term term2 from ip-destination-address 192.0.2.16/28
user@switch# set filter filter1 term term2 then policer p1

Results

Display the results of the configuration:

[edit firewall]
user@switch# show policer p1 | display set
set firewall policer p1 if-exceeding bandwidth-limit 1m
set firewall policer p1 if-exceeding burst-size-limit 1k
set firewall policer p1 then discard

- Check the results with one user authenticated on the interface. In this case, User 1 is authenticated on ge-0/0/2:
- When a second user, User 2, is authenticated on the same interface, ge-0/0/2, you can verify that the filter includes the results for both of the users authenticated on the interface:

Meaning

The counter results show that User 1 accessed the file server 100 times, while User 2 accessed the same file server

Figure 1

If the RADIUS server's certificate wasn't issued by a Certification Authority (CA) that Apple trusts automatically, you'll be prompted to verify the server's digital certificate, as Figure 2 shows. Ensure the certificate is for the correct domain and was issued by the CA you expect: a rogue access point with its own RADIUS server can present a certificate with any name it likes, and trusting it hands that server your credentials. So you don't have to do this every time, you may want to check the Always Trust option. If everything is valid, click Continue to trust it and connect.

Figure 2
Creating network locations
Mac OS X includes a network location feature where you can apply network settings based upon the location. This is especially beneficial for laptops and if you're going to create Login Window or System profiles for your 802.1X settings. You can read more about these profile types in the next section before proceeding. If you are setting up a simple User profile, you might not want to create network locations.

If you need to, here's how to create a network location:

- Click Apple > System Preferences > Network.
- From the Location drop-down menu on the top, select Edit Location.
- Click the Add (+) button at the bottom of Locations, give it a descriptive name, and then click Done.
Make sure you manually change the network location when moving to another location.

Creating 802.1X profiles
Though connecting to an 802.1X network as we already did can save the login credentials (if you choose to remember the network), creating an 802.1X profile can still provide additional functionality. The profiles can streamline or enhance the login procedure, depending upon the profile you create.

Take a look at the profile types:

- User Profile: This is the simplest type and should be the default if you don't know which to choose. You can have multiple user profiles on a computer and they aren't tied to specific Network Locations. However, you cannot use this profile on domain networks that have a directory service, such as Open Directory or Active Directory.
- Login Window Profile:This profile doesn't apply to local Mac accounts. It only works with domain networks that have a directory service. Mac OS X uses the same credentials from when the user logs into his or her Mac account to authenticate both to the 802.1X network and to a directory service. You may have multiple Login Window profiles per Network Location, but they supersede any User profiles.
- System Profile: This profile also doesn't apply to local Mac accounts, only with domain networks. It enables connectivity to the network when no user is logged in to the computer, great when administrators always need network access to the computer. You can only have one instance of this profile type per location, and it supersedes any User and Login Window profiles.
Remember, if you're using the EAP type TLS, you must first install the client certificate (with its private key) in Mac OS X.

If you're creating a Login Window or System profile, you need to first verify that the Mac is connected to the Open Directory or Active Directory server. In 10.5, use the Directory Utility: click Go > Utilities and open the Directory Utility. In 10.6, click System Preferences > Accounts > Login Options.

To get started on creating a profile, bring up the 802.1X settings: click the AirPort icon > Open Network Preferences. On the Network window, click the Advanced button and select the 802.1X tab. In 10.5, select the desired profile type using the Domain drop-down menu. In 10.6, click the Add (plus sign) button to choose the desired profile type, enter a name for the configuration, and hit Enter.

If you have chosen a User profile (see Figure 3):

- In 10.5, click the Add (plus sign) button, enter a name for the configuration, and hit Enter.
- Enter your User Name and Password, unless you're using TLS.
- In 10.6, select Always prompt for password if you don't want to save your login credentials.
- Select the network name from the Wireless Network list, or enter the SSID of a hidden network.
- Select the desired protocols from the Authentication list box.
- Click OK and then, on the Network window, click Apply.
Figure 3
If you've selected a Login Window profile (see Figure 4):

- Select the network name from the Wireless Network list, or enter the SSID of a hidden network.
- Select the desired protocols from the Authentication list box.
- Click the Enable 802.1X Login button.
- Click OK and then, on the Network window, click Apply.
Figure 4
If you ever want to disable this profile, go back to the 802.1X settings and click the Disable 802.1X Login button.

If you're creating a System profile (see Figure 5):

- Enter your User Name and Password, unless you're using TLS.
- Select the network name from the Wireless Network list, or enter the SSID of a hidden network.
- Select the desired protocols from the Authentication list box.
- Click the Enable 802.1X button.
- Click OK and then, on the Network window, click Apply.
Figure 5
By default, you'll be prompted to log in when connecting to the network, which will automatically save the login credentials. To save them beforehand, you can open the AirPort preferred network entry, enter your login credentials, click Remember this network, and click Add.
If you ever want to disable this profile, go back to the 802.1X settings and click the Disable 802.1X button.
We did it
Now you should understand how to quickly connect to 802.1X networks in Mac OS X and how to create profiles for them. Before I go, here are a few final tips:
- If you’re connecting to a simpler network without a central directory service, you probably don’t even need to create a profile—just connect like we first discussed.
- Keep Mac OS X updated; there have been updates specifically related to how it handles 802.1X authentication.
- The Profile type you use doesn’t change the actual RADIUS attributes and traffic; they are only specific to Mac OS X.
- If you run into problems, be sure to remove any previous preferred networks entries, 802.1X profiles, 802.1X certificates from Keychain (for TLS), and then start over.
Eric Geier founded NoWiresSecurity, which helps small businesses quickly and easily protect their Wi-Fi with enterprise-level security. He’s also a freelance tech writer and author of many networking and computing books, for brands like For Dummies and Cisco Press.
Get more help with wireless security; follow eSecurityPlanet on Twitter @eSecurityP.