
Difference between revisions of "IEEE 802.1X"

From Zenitel Wiki

(Known issues)
(Known issues)
Line 36: Line 36:
 
* Unmount the station, connect it to a non-802.1x port and do a manual upgrade.
 
* Unmount the station, connect it to a non-802.1x port and do a manual upgrade.
  
The reason for this is that during upgrade of the IP-station, 802.1X will not be running. Thus if 802.1X reauthentication is enabled and is performed during upgrade, the IP-station will lose contact with the tftp server (dependent on the configuration when 802.1X authentication fails). If the IP-station loses contact with the tftp server, it will not be upgraded. The same is also valid when upgrading via [[VS-IMT]].
+
The reason for this is that during upgrade of the IP-station, 802.1X will not be running. Thus if 802.1X reauthentication is enabled and is performed during upgrade, the IP-station will lose contact with the tftp server (dependent on the configuration when 802.1X authentication fails). If the IP-station loses contact with the tftp server, it will not be upgraded. The same is also valid when upgrading via [[IMT|VS-IMT]].
  
 
== Software requirement ==
 
== Software requirement ==
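Review bot: the only change in this hunk is the link target, [[VS-IMT]] becoming [[IMT|VS-IMT]], which is fine, but the paragraph it sits in still says "dependent on the configuration when 802.1X authentication fails" without saying whose configuration. State that it is the switch port's behaviour on a failed or timed-out reauthentication (closing the port versus falling back to a guest or auth-fail VLAN) that decides whether the tftp session survives, because that is the setting a reader has to check before starting an upgrade, and it is the reason the first workaround (removing port security for the duration) works at all.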

Revision as of 10:08, 1 December 2016

IEEE 802.1X is an IEEE Standard for port-based Network Access Control (PNAC) ("port" meaning a single point of attachment to the LAN infrastructure). It provides an authentication mechanism to devices wishing to attach to a LAN, either establishing a point-to-point connection or preventing it if authentication fails.

User interface

The 802.1X configuration is done from the IP-station web interface at Advanced Network --> 802.1X.

The available authentication methods are:

  • MSCHAPV2
  • MD5
  • TTLS with PAP
  • PEAP with MSCHAPV2
  • TLS

MSCHAPV2 and MD5 protect only the password: it is never sent as plaintext, a challenge-response value is sent instead, but the username is visible on the wire.
TTLS with PAP and PEAP with MSCHAPV2 carry both the username and the password inside a TLS tunnel, so neither is visible on the wire.

Depending on the authentication method, the following parameters must be configured:

  • 802.1X status: Enable or disable 802.1X.
  • Username: The username used to identify the station.
  • Password: The password associated with the username.
  • Fake username: The outer identity sent in the clear, outside the TLS tunnel, when TTLS with PAP or PEAP with MSCHAPV2 is used. The real username is only sent inside the tunnel, so use a generic value here that does not reveal the real account name.

When TTLS with PAP or PEAP with MSCHAPV2 is selected, a certificate must be uploaded to the station by clicking the Browse... button. The certificate must be in Privacy Enhanced Mail (PEM) or Distinguished Encoding Rules (DER) format, and the file must be named "certificate.pem" regardless of which format is used. For these methods this is normally the certificate of the CA that issued the authentication server's certificate: it lets the station verify the server before the username and password are released into the tunnel, which is what stops a rogue authenticator from collecting the credentials.

  • Click Save to save the current settings
  • Click Reboot

The new 802.1X settings will only come into effect after a reboot.
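The following script is an added example, not Zenitel code and not part of the station firmware. It turns the rules stated above (which parameters each method uses, when a fake username matters, when certificate.pem is required, PEM or DER accepted but the file name fixed) into a pre-flight check you can run on a workstation before touching the station's web interface, and it converts a DER certificate into the PEM block the station expects. The rule table, the `TLS` row (assumed to be certificate-based with no password), the function names and the tiny DER blob used as sample input are all assumptions or constructed data, not taken from the page.

```python
"""Pre-flight check for an IP-station 802.1X configuration (added example).
Encodes the page's rules; nothing here talks to a station or a switch."""
import base64
import re

# Rule table derived from the page. "tunnelled" methods carry username and
# password inside a TLS tunnel, send a fake (outer) username in the clear, and
# need a server certificate uploaded as certificate.pem.
METHODS = {
    "MD5": {"tunnelled": False, "password": True},
    "MSCHAPV2": {"tunnelled": False, "password": True},
    "TTLS with PAP": {"tunnelled": True, "password": True},
    "PEAP with MSCHAPV2": {"tunnelled": True, "password": True},
    # Assumption: EAP-TLS authenticates with a client certificate, no password.
    "TLS": {"tunnelled": False, "password": False},
}

PEM_RE = re.compile(
    rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

# Constructed sample input: a 5-byte DER SEQUENCE (not a real certificate),
# and the same bytes wrapped as PEM. Structure is all the checks below look at.
DER_TOY = b"\x30\x03\x02\x01\x05"
PEM_TOY = b"-----BEGIN CERTIFICATE-----\nMAMCAQU=\n-----END CERTIFICATE-----\n"


def der_total_length(data: bytes) -> int:
    """Byte length of the first DER TLV in data (tag + length + value).
    An X.509 certificate is a SEQUENCE, tag 0x30."""
    if len(data) < 2 or data[0] != 0x30:
        raise ValueError("not a DER SEQUENCE")
    first = data[1]
    if first < 0x80:                      # short-form length
        return 2 + first
    n = first & 0x7F                      # long form: n following length bytes
    if n == 0 or n > 4 or len(data) < 2 + n:
        raise ValueError("bad DER length")
    return 2 + n + int.from_bytes(data[2:2 + n], "big")


def to_pem(cert: bytes) -> bytes:
    """Accept a PEM or DER certificate and return one PEM block, i.e. the
    content to save as certificate.pem. Rejects truncated or padded files."""
    m = PEM_RE.search(cert)
    if m:
        der = base64.b64decode(b"".join(m.group(1).split()), validate=True)
    else:
        der = cert
    if der_total_length(der) != len(der):
        raise ValueError("DER length does not match file size "
                         "(truncated, or trailing data after the certificate)")
    b64 = base64.b64encode(der)
    body = b"\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return b"-----BEGIN CERTIFICATE-----\n" + body + b"\n-----END CERTIFICATE-----\n"


def check_config(method, username, password, fake_username=None, certificate=None):
    """Return (problems, outer_identity). problems lists what would block the
    station or weaken the deployment; outer_identity is the name the switch
    and RADIUS server see before any tunnel exists."""
    problems = []
    rule = METHODS.get(method)
    if rule is None:
        return [f"unknown method {method!r}"], None
    if not username:
        problems.append("username is required")
    if rule["password"] and not password:
        problems.append("password is required for " + method)
    if rule["tunnelled"]:
        if certificate is None:
            problems.append("certificate.pem is required for " + method)
        else:
            try:
                to_pem(certificate)
            except ValueError as e:
                problems.append(f"certificate is not valid PEM/DER: {e}")
        if not fake_username:
            problems.append("no fake username set: the real username is sent "
                            "in the clear as the outer identity")
        outer = fake_username or username
    else:
        if fake_username:
            problems.append("fake username is only used by TTLS with PAP "
                            "and PEAP with MSCHAPV2")
        outer = username
        if method in ("MD5", "MSCHAPV2"):
            problems.append(method + ": username is sent in the clear and no "
                            "server certificate is checked")
    return problems, outer


if __name__ == "__main__":
    for args in [("MD5", "station-01", "s3cret"),
                 ("PEAP with MSCHAPV2", "station-01", "s3cret", "anonymous", DER_TOY)]:
        print(args[0], check_config(*args))
    print(to_pem(DER_TOY).decode())
```

Run `check_config` with the values you intend to enter in the web interface; an empty problem list means the page's stated preconditions are met, and `outer_identity` shows exactly what a sniffer on the switch port would see in the EAP-Response/Identity.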

(Screenshot: IEEE 802.1X configuration page)


Known issues

Software upgrade is not possible while a station is connected to a switch port that requires 802.1X authentication.

In order to upgrade the station, one must either:

  • Disable 802.1X on the switch port, upgrade, and then re-enable it.
  • Unmount the station, connect it to a port without 802.1X, and do a manual upgrade.

The reason is that the IP-station does not run its 802.1X supplicant while the upgrade is in progress. If periodic reauthentication is enabled on the switch and a reauthentication is attempted during the upgrade, the station cannot answer it; depending on how the switch port is configured to handle a failed authentication, the port is then closed or moved to another VLAN, and the station loses contact with the tftp server. Once contact with the tftp server is lost, the upgrade does not complete. The same applies when upgrading via VS-IMT.

Software requirement

  • INCA station software 01.09.3.0 or later.