In Solaris 11.4 beta there is finally 802.1x authentication for wired network connections.

While the man page describes how you set up 802.1x with EAP-TLS on Solaris 11.4 beta, there is no example for EAP-MD5 (which was the only mechanism my old switches were able to support). So I would like to add an example for the EAP-MD5 variant with this blog entry.

Okay, there are obvious prerequisites: before you can try this, you have to ensure that you have a RADIUS server running with a user that works with EAP-MD5 (for example, a Cleartext-Password entry for your user is mandatory). The user entry for authentication and authorization for my switch looks like this:
dottest Cleartext-Password := "narf"
It's in the /etc/freeradius/3.0/users file on my RaspPi posing as my DevVLAN DNS/RADIUS/whatever server. But most probably you will already have such a RADIUS server running if you are interested in 802.1x. Of course, you also need a switch supporting 802.1X.

First you have to install a package and enable the service:
# pkg install network-access-control
# svcadm enable network-access-control
Please keep in mind that you need to configure your package repositories to access the beta repository as described in the docs. Alternatively, you can set up your own repository.

Okay, now we have to configure it. First we configure the credentials the server should use with our switch:
# nacadm add-net -p eap=md5,identity=dottest,password=narf net0
There is a difference between the way described in the man page and the way it actually works. The man page states that the value of the password property is a password file, but actually you have to enter the password itself here.
# nacadm show-net
NAME  KEY-MGMT EAP IDENTITY PASSWD CA-CERT  CERT          PRIV-KEY      KEY-PW
net0  dot1x md5   dottest narf ?            ?             ?             ?
There is a second difference between the man page and the current implementation: nacadm currently shows the password, despite the man page's statement that it doesn't. Now we attach the network configuration of the network access control subsystem to the interface:
# dladm set-linkprop -p authentication=network-foo net0
After a few moments, once the authentication has succeeded, the interface should work. We can check this by looking at the authentication-state property of the link with dladm:
# dladm show-linkprop -p authentication-state
LINK     PROPERTY        PERM VALUE        EFFECTIVE    DEFAULT   POSSIBLE
net0     authentication-state r- succeeded succeeded    off       succeeded,
                                                                  failed,
                                                                  in-progress,
                                                                  off
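Because the link only carries traffic once authentication-state reaches "succeeded", the state is worth checking from a script (after boot, from monitoring, or after changing the nacadm profile) rather than by eye. The following POSIX shell snippet is an added example and not part of the original post or of Solaris: it parses the dladm output shown above (the column layout and the four possible states are taken from that output; the sample text below is constructed from it) and, on a Solaris host, polls dladm until the link authenticates or a timeout expires. The function names, the timeout default and the exit codes are assumptions chosen here for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): check the 802.1X state of a
# link from 'dladm show-linkprop -p authentication-state' output.
# Columns: LINK PROPERTY PERM VALUE EFFECTIVE DEFAULT POSSIBLE
# Possible states: succeeded, failed, in-progress, off

# auth_state LINK < dladm-output
# Prints the EFFECTIVE value of authentication-state for LINK, or "unknown"
# when the link does not appear in the output at all.
auth_state() {
    awk -v link="$1" '
        $1 == link && $2 == "authentication-state" { print $5; found = 1 }
        END { if (!found) print "unknown" }'
}

# auth_ok LINK < dladm-output
# Prints the state and returns 0 only when it is "succeeded", so it can be
# used directly in a conditional or a monitoring check.
auth_ok() {
    state=$(auth_state "$1")
    printf '%s\n' "$state"
    [ "$state" = "succeeded" ]
}

# wait_for_auth LINK [TIMEOUT_SECONDS]
# Polls dladm(8) once per second until LINK authenticates (exit 0), reports
# a definite failure as soon as it is seen (exit 1), or gives up when the
# timeout expires while the state is still off/in-progress/unknown (exit 2).
# Only meaningful on a Solaris host with dladm; the parsing functions above
# work anywhere with captured output.
wait_for_auth() {
    link=$1; timeout=${2:-30}; elapsed=0; state=unknown
    while [ "$elapsed" -lt "$timeout" ]; do
        state=$(dladm show-linkprop -p authentication-state "$link" 2>/dev/null \
                | auth_state "$link")
        case $state in
            succeeded) printf '%s: authenticated\n' "$link"; return 0 ;;
            failed)    printf '%s: authentication failed\n' "$link" >&2; return 1 ;;
        esac
        sleep 1; elapsed=$((elapsed + 1))
    done
    printf "%s: still '%s' after %ss\n" "$link" "$state" "$timeout" >&2
    return 2
}

# Constructed sample outputs in the format shown in the post, for offline use.
SAMPLE_OK='LINK     PROPERTY        PERM VALUE        EFFECTIVE    DEFAULT   POSSIBLE
net0     authentication-state r- succeeded succeeded    off       succeeded,
                                                                  failed,
                                                                  in-progress,
                                                                  off'
SAMPLE_FAILED='LINK     PROPERTY        PERM VALUE        EFFECTIVE    DEFAULT   POSSIBLE
net0     authentication-state r- failed    failed       off       succeeded,
                                                                  failed,
                                                                  in-progress,
                                                                  off'
```

On a real host you would run `wait_for_auth net0 60` right after the `dladm set-linkprop` step; the non-zero exit code and the reported state distinguish a supplicant that was rejected by the RADIUS server ("failed") from one that never got an answer from the switch ("in-progress" or "off" at timeout).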
And as the ping shows, the system is now able to access the network via this authenticated connection:
# ping 192.168.99.1
PING 192.168.31.1 (192.168.99.1) 56(84) bytes of data.
64 bytes from 192.168.99.1: icmp_seq=1 ttl=64 time=0.493 ms
Please keep in mind that 11.4 is in beta, so the behaviour may still change here.

