
Spirent TestCenter: How to configure and test 802.1x authentication

Environment/Versions
 
  • Spirent TestCenter
  • All Versions
  • 802.1x
  • EAP
  • MD5
  • TLS
  • RADIUS Server

Answer


First of all, what is 802.1x?
 

IEEE 802.1X is an IEEE Standard for port-based Network Access Control (PNAC). It is part of the IEEE 802.1 group of networking protocols. It provides an authentication mechanism to devices wishing to attach to a LAN or WLAN.

  • For detailed information you can refer to:
    • https://en.wikipedia.org/wiki/IEEE_802.1X
    • https://www.ciscopress.com/articles/article.asp?p=29600&seqNum=2
 
What is needed?
 
802.1X defines three roles:
  1. Supplicant = The device that requires access to the network.
  2. Authenticator = Typically a managed switch that is physically or logically connected to the supplicant and acts as a proxy between the supplicant and the authentication server.
  3. Authentication server = Typically a RADIUS server that provides authorization.

Test Configuration:
 

  • Authenticator side:
    • You may need to configure your authenticator device accordingly and enable dot1x on the port connected to the Supplicant.
 
  • Authentication Server (RADIUS) side:
(You can follow the instructions in /etc/raddb/certs/README)
 
  1. Remove the test certificates. You can do this in two ways:
  • rm -f *.pem *.der *.csr *.crt *.key *.p12 serial* index.txt*
  • make destroycerts
 
  2. Modify the .cnf files:
    1. Go to: /etc/raddb/certs/
    2. The .cnf files are used to create the certificates, so you may need to edit each .cnf file first:
      1. Set the root certificate (ca.cnf) input and output passwords to spirent/spirent
      2. Set the server certificate (server.cnf) input and output passwords to spirent/spirent
      3. Set the client certificate (client.cnf) input and output passwords to spirent/spirent, with commonName = spirent and emailAddress = user@spirent.com
 
  3. Create the certificates:
  • Still under /etc/raddb/certs/, you can create the certs in two ways:
    1. Run "make all", then "make client"
    2. Follow the steps in /etc/raddb/certs/README
 
  4. Go to /etc/raddb/eap.conf

 Under the tls section, change private_key_password to spirent:
                tls {
                #
                #  These is used to simplify later configurations.
                #
                certdir = ${confdir}/certs
                cadir = ${confdir}/certs
                private_key_password = spirent
                private_key_file = ${certdir}/server.pem

  • This is the password to the server's private key, server.key
  5. Create a "my cert" directory on the PC where the STC application is running, and copy the client and CA certificates into it:
  • user@spirent.com.pem
  • ca.pem                         <--- This is the root certificate
Note: You can name the PC directory whatever you want; "my cert" is just an example.
 
  6. Start the RADIUS server:
  • At the command prompt enter:  "radiusd -X"
  7. Check that the RADIUS server is running:

[root@radius8021x certs]# ps aux | grep radiusd
root      8643  0.0  0.0 103252   832 pts/1    S+   16:45   0:00 grep radiusd
radiusd  21533  0.0  0.3 101632  5948 ?        S    Mar01   0:04 radiusd -X  
 <------------------- the Radius server is running in debug mode
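
Before the client files are copied to the PC, it is worth confirming on the RADIUS host that the client bundle chains to ca.pem, carries the emailAddress set in client.cnf, and that its key opens with the client.cnf output password. The shell function below is an added example, not part of the original article; the names check_client_cert and KEYPASS are assumptions, and it presumes the bundle holds both the certificate and the encrypted private key in PEM form.

```sh
#!/bin/sh
# Added example (not from the article): pre-flight check of the client bundle.
# check_client_cert and KEYPASS are names chosen for this sketch.
# Usage: KEYPASS=<client key password> sh check.sh ca.pem user@spirent.com.pem user@spirent.com
# Returns 0 when every check passes, otherwise the number of the failed check.
check_client_cert() {
    ca=$1 client=$2 email=$3

    [ -r "$ca" ] && [ -r "$client" ] || { echo "cannot read $ca or $client" >&2; return 2; }

    # The bundle holds the certificate and the encrypted key; isolate the
    # certificate so that no certificate check prompts for a passphrase.
    cert=$(sed -n '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' "$client")
    [ -n "$cert" ] || { echo "no certificate in $client" >&2; return 2; }

    # 3: the certificate must chain to the root CA the RADIUS server trusts
    printf '%s\n' "$cert" | openssl verify -CAfile "$ca" >/dev/null 2>&1 ||
        { echo "certificate does not chain to $ca" >&2; return 3; }

    # 4: the certificate must still be valid 24 hours from now
    printf '%s\n' "$cert" | openssl x509 -noout -checkend 86400 >/dev/null ||
        { echo "certificate expired or expiring within 24h" >&2; return 4; }

    # 5: the e-mail address in the certificate must equal the expected identity
    printf '%s\n' "$cert" | openssl x509 -noout -email | grep -qxF "$email" ||
        { echo "certificate does not carry $email" >&2; return 5; }

    # 6: the private key must decrypt with the password in $KEYPASS
    #    (read from the environment so it does not appear in the process list)
    keypub=$(openssl pkey -in "$client" -passin env:KEYPASS -pubout 2>/dev/null) ||
        { echo "private key missing or wrong password" >&2; return 6; }

    # 7: the private key must belong to the certificate
    certpub=$(printf '%s\n' "$cert" | openssl x509 -noout -pubkey)
    [ "$keypub" = "$certpub" ] || { echo "key does not match certificate" >&2; return 7; }

    echo "client bundle OK"
}

if [ "$#" -eq 3 ]; then check_client_cert "$@"; fi
```
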

 

  • Supplicant (Spirent TestCenter) side:
  1. Create a device and enable 802.1x under the "Select Protocols" section of the wizard.
  2. Under the 802.1x tab, configure it as follows:
  • Set EAP Authentication Method as required: TLS / MD5 / FAST ...
  • Username = user@@spirent.com
  • Password = spirent
  • Supplicant Certificate(s) = user@@spirent.com.pem
NOTE 1: The "Username" and "Supplicant Certificate(s)" fields support wildcards, which consist of wildcard character pairs that the software substitutes with actual values to make each string unique. To include a literal "@" in the string you must enter two @ symbols, which is the reason for the double @.
NOTE 2: The certificate file name on the PC keeps a single "@"; the double symbol is used only on the STC side.
 
  3. Download the certificate by clicking 'Download Certificates' and pointing to the directory on the PC that contains the correct certificate (my cert)

  4. Hit APPLY

  5. Start the device in order to start authentication
 

Product: 802.1X, Spirent TestCenter