
Securing the Network in Oracle® Solaris 11.4


Updated: May 2021

Administering Port-Based Authentication on Datalinks

The IEEE 802.1X feature restricts the use of IEEE 802 LAN service access points and secures communications between authenticated devices. In this release, support for port-based authentication is client-side only and limited to wired datalinks.

A typical setup includes the following components:

  • Client system that requests access to a secured network

  • Network access point such as a switch that sends authentication requests and responses between the client and the authentication server

  • Authentication server that runs an authentication, authorization, and accounting (AAA) protocol such as RADIUS to authenticate the client

The credential information that is required for port-based authentication is grouped by network. Each network is identified by a network name.

To configure the credentials, you use the nacadm command. See the nacadm(8) man page.

After configuring credential information, you set the datalink's authentication property, which enables port-based authentication on that datalink.

You must configure at least one network to use IEEE 802.1X port-based authentication. If you configure multiple networks to use port-based authentication, each network must have the required credentials for the system to be authenticated. See How to Configure and Enable IEEE 802.1X Port-Based Authentication.

The IEEE 802.1X port-based authentication feature is managed through the network/network-access-control:default SMF service. This service is disabled until you install the network-access-control software package on the client system. The service is also automatically enabled whenever you enable authentication on a specific datalink.

The IEEE 802.1X port-based authentication process starts when the nacd daemon is running on the client system. If the authentication is successful, the system receives DHCP service from the DHCP server. If the authentication fails, the system boots with no network. The behavior resembles the case where DHCP fails and then times out. The nacd daemon logs authentication failures through rsyslog so that they are easy to track. See syslog(3C).

If your network is configured to use DHCP, and the DHCP server resides on a secured local area network (LAN) to which the system attempts to connect, the system must first authenticate through IEEE 802.1X and then connect to the secure LAN. From the LAN, the system can communicate with the DHCP server.

On link aggregations, if port authentication is enabled but fails, the link is treated as though the port is disabled and no traffic passes through the port.

Before performing dynamic reconfiguration (DR) on a system, you must reset the datalink's authentication property. After DR has completed, set the authentication property again to re-enable IEEE 802.1X authentication on the datalink. See Example 1, Disabling IEEE 802.1X Port-Based Authentication on a Datalink, and the dladm(8) man page.