Using the 802.1X authenticator, devices connected to the Ethernet ports of a LANCOM device can be authenticated using 802.1X. This increases security against unauthorized access to the network via Ethernet cables and ports.
In LANconfig you configure the 802.1X authenticator for Ethernet ports under 802.1x authenticator. You perform the configuration in the table 802.1x authenticator for ETH ports. Each interface is specified here and indicates the existing Ethernet ports.
- Authentication required
- Use this control to specify whether 802.1X authentication is required for this port.
- Mode
- Possible values:
- Single host
- Just one client can authenticate and then operate on this port. If a further client with its own MAC address is detected on this port, the port is reset to the unauthenticated state.
- Multiple hosts
- Several clients (with different MAC addresses) can operate on this port. Authentication only needs to be performed once. This mode can be used, for example, if a WLAN access point is operated on a port configured in this way and the payload data is not tunneled to a central controller. In this case, data packets from WLAN clients that have their own MAC addresses would also be seen on the Ethernet port configured in this way.
- Multiple authentications
- Several clients can each perform their own 802.1X authentication on this port.
- MAC-based auth. bypass
- This specifies whether a failed attempt to start an 802.1X negotiation should be followed by a check of the client's MAC address via RADIUS and a subsequent opening of the port. In this case, the MAC address is transmitted as a RADIUS user name and password in the format "aabbccddeeff". It must also be stored in the RADIUS server in this format.
- Important: The MAC address is easy to fake and does not protect against malicious attacks.
- Note: In the standard configuration, the 802.1X authenticator will try to start an 802.1X negotiation for 90 seconds before falling back to the MAC address check. This time can be set for each port by changing two command-line parameters (defaults: 3 attempts and 30 seconds). Alternatively, the mode for MAC Auth Bypass can be set to "Immediate". This mode immediately starts a MAC address check without waiting for a timeout.
- Possible values:
- No
- MAC address authentication is not possible.
- Yes
- MAC address authentication is possible.
- Immediately
- Authentication is immediately performed by MAC address.
- RADIUS server
- Specifies which RADIUS server is used both for 802.1X and for MAC address validation. To do this, reference one of the configured RADIUS server entries, or create a new entry if necessary.
- Note: You configure the format of the MAC address transmitted to the RADIUS server for MAC authentication using a command-line option. The individual bytes of the MAC address are represented here as the variables %a to %f. In the default setting, the bytes of the MAC address are output one after the other. In addition to these variables, any of the characters supported by the LCOS can be added. Another commonly used format for the MAC address, "aabbcc-ddeeff" (with "-" as separator), can be configured as "%a%b%c-%d%e%f".
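The following Python model illustrates the three port modes (single host, multiple hosts, multiple authentications), the MAC auth bypass fallback timing (3 attempts x 30 seconds by default, or immediate) and the %a to %f MAC format template described above. It is an added example, not LANCOM or LCOS code: the class and function names are assumptions, and the RADIUS server is replaced by an in-memory dictionary of constructed credentials so the script runs offline. The final check shows the failure mode a practitioner most often hits with MAC auth bypass: the device sends the MAC in one format while the RADIUS server stores it in another, so the bypass silently fails.

```python
"""Model of the LCOS 802.1X authenticator port modes and MAC auth bypass.
Added example; names, structure and sample data are assumptions, not LANCOM code."""

MODE_SINGLE_HOST = "single-host"
MODE_MULTIPLE_HOSTS = "multiple-hosts"
MODE_MULTIPLE_AUTH = "multiple-auth"

MAB_NO, MAB_YES, MAB_IMMEDIATE = "no", "yes", "immediate"

# Default template from the page: the six bytes output one after the other.
DEFAULT_MAC_FORMAT = "%a%b%c%d%e%f"


def format_mac(mac: str, template: str = DEFAULT_MAC_FORMAT) -> str:
    """Render a MAC address through a template in which %a..%f stand for the six
    bytes (lowercase hex); every other character is copied through unchanged."""
    digits = "".join(ch for ch in mac.lower() if ch not in ":-.")
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    octets = [digits[i:i + 2] for i in range(0, 12, 2)]
    out, i = [], 0
    while i < len(template):
        if template[i] == "%" and i + 1 < len(template) and template[i + 1] in "abcdef":
            out.append(octets["abcdef".index(template[i + 1])])
            i += 2
        else:
            out.append(template[i])
            i += 1
    return "".join(out)


def mab_fallback_delay(mab_mode: str, attempts: int = 3, timeout_s: int = 30):
    """Seconds the authenticator keeps trying to start 802.1X before it checks the
    MAC via RADIUS. None means bypass is disabled; defaults give the page's 90 s."""
    if mab_mode == MAB_NO:
        return None
    if mab_mode == MAB_IMMEDIATE:
        return 0
    return attempts * timeout_s


class AuthenticatorPort:
    """One Ethernet port of the authenticator. `radius` is a constructed stand-in
    for the RADIUS server: a dict mapping user name to password."""

    def __init__(self, mode, mab=MAB_NO, radius=None, mac_format=DEFAULT_MAC_FORMAT):
        self.mode = mode
        self.mab = mab
        self.radius = radius if radius is not None else {}
        self.mac_format = mac_format
        self.authorized = set()   # canonical MACs that completed 802.1X or MAB
        self.port_open = False    # True once at least one client is authorized

    def eap_success(self, mac: str) -> None:
        """Record that the client at `mac` completed an 802.1X negotiation."""
        self.authorized.add(format_mac(mac))
        self.port_open = True

    def mab_check(self, mac: str) -> bool:
        """MAC auth bypass: the MAC is sent as both RADIUS user name and password,
        in the configured format. The server must hold it in exactly that format."""
        if self.mab == MAB_NO:
            return False
        cred = format_mac(mac, self.mac_format)
        if self.radius.get(cred) == cred:
            self.eap_success(mac)
            return True
        return False

    def frame_from(self, mac: str) -> bool:
        """Return whether a data frame from `mac` is forwarded under the port mode."""
        key = format_mac(mac)
        if self.mode == MODE_SINGLE_HOST:
            if self.port_open and key not in self.authorized:
                # A second MAC appeared: the port is reset to unauthenticated.
                self.authorized.clear()
                self.port_open = False
                return False
            return key in self.authorized
        if self.mode == MODE_MULTIPLE_HOSTS:
            # One authentication opens the port for every MAC behind it.
            return self.port_open
        # Multiple authentications: each client is judged on its own.
        return key in self.authorized


if __name__ == "__main__":
    port = AuthenticatorPort(MODE_SINGLE_HOST)
    port.eap_success("aa:bb:cc:dd:ee:01")
    print("single host, second MAC seen:", port.frame_from("aa:bb:cc:dd:ee:02"))
    print("single host, first MAC after reset:", port.frame_from("aa:bb:cc:dd:ee:01"))
    radius = {"aabbccddee03": "aabbccddee03"}  # constructed server entry
    mismatched = AuthenticatorPort(MODE_MULTIPLE_AUTH, MAB_YES, radius, "%a%b%c-%d%e%f")
    print("MAB with mismatched format:", mismatched.mab_check("aa:bb:cc:dd:ee:03"))
```

The `mab_fallback_delay` values mirror the page's Note: with the defaults the bypass check only starts after 90 seconds, which is the delay a client without an 802.1X supplicant sits unconnected unless the mode is set to Immediate.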
In the table Authenticator settings per port you set the login information for the local network interfaces.
- Interface
- Each interface is specified here and indicates the available Ethernet and WLAN interfaces.
- Re-authentication required
- Here you activate regular re-authentication. If a new authentication starts, the user remains registered during the negotiation.
- Re-authentication interval
- The default value for the re-authentication interval is 3,600 seconds.
- Enable dynamic re-keying
- Here you activate the regular generation and transmission of a dynamic WEP key.
- Re-keying interval
- The default value for the re-keying interval is 900 seconds.