802.1x authentication in Solaris 11.4 beta
In Solaris 11.4 beta there is finally 802.1x authentication for wired network connections.
While the man page describes how to set up 802.1x with EAP-TLS in Solaris 11.4 beta, there is no example for EAP-MD5 (which was the only mechanism my old switches were able to support). So I would like to add an example for the EAP-MD5 variant with this blog entry.
Okay, there are obvious prerequisites: before you can try this, you have to ensure that you have a RADIUS server running with a user that works with EAP-MD5 (for example, a Cleartext-Password entry in your user entry is mandatory). The user entry for authentication and authorization for my switch looks like this
It’s in the /etc/freeradius/3.0/users file on my RaspPi posing as my DevVLAN-DNS/Radius/Whatever-Server. But most probably you will have such a RADIUS server already running when you are interested in 802.1x. Of course you need a switch supporting 802.1X.
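Why the Cleartext-Password entry is mandatory for EAP-MD5, as an added example that is not part of the original post and not FreeRADIUS or Solaris code: the supplicant's response is an MD5 digest over the password itself (RFC 3748 section 5.4, using the CHAP construction from RFC 1994), so the RADIUS server can only verify it by recomputing the digest from the clear password. The function names and the sample password are constructed for illustration.

```python
import hashlib
import hmac
import os


def eap_md5_response(identifier, password, challenge):
    """EAP-MD5 response value: MD5(identifier || password || challenge)."""
    return hashlib.md5(bytes([identifier]) + password + challenge).digest()


def issue_challenge():
    """Server side: one-octet EAP identifier and a random 16-byte challenge."""
    return os.urandom(1)[0], os.urandom(16)


def verify_with_cleartext(identifier, challenge, response, password):
    """What a RADIUS server with a Cleartext-Password entry can do."""
    expected = eap_md5_response(identifier, password, challenge)
    return hmac.compare_digest(expected, response)


def verify_with_hash_only(identifier, challenge, response, password_hash):
    """A server that stored only a hash has just the hash to feed in,
    which yields a different digest than the one the supplicant sent."""
    candidate = eap_md5_response(identifier, password_hash, challenge)
    return hmac.compare_digest(candidate, response)


def demo():
    password = b"constructed-sample-password"  # constructed sample value
    identifier, challenge = issue_challenge()
    # Supplicant side: answer the challenge using the shared password.
    response = eap_md5_response(identifier, password, challenge)
    stored_hash = hashlib.sha256(password).digest()
    return {
        "cleartext_store": verify_with_cleartext(identifier, challenge, response, password),
        "wrong_password": verify_with_cleartext(identifier, challenge, response, b"other"),
        "hash_only_store": verify_with_hash_only(identifier, challenge, response, stored_hash),
    }


if __name__ == "__main__":
    print(demo())
```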
First you have to install a package and enable the service:
Please keep in mind that you need to configure your package repositories to access the beta repository as described in the docs. Alternatively you can set up your own repository.
Okay, now we have to configure it. First we configure the credentials the server should use with our switch:
There is a difference between the way described in the man page and the way it actually works. The man page states that the value of the password property is a password file, but actually you have to enter the password here.
There is a second difference between the man page and the current implementation. nacadm currently shows the password despite the statement of the man page that it doesn’t. Now we attach the network configuration of the network access control subsystem to the interface.
After a few moments, once the authentication is successful, the interface should work. We can check this by looking at the authentication-state property of a link with
And as the ping shows, the system is now able to access the network via this authenticated network connection.
Please keep in mind, 11.4 is in beta, so the behaviour may change here.