
Securing the Network in Oracle® Solaris 11.4


Updated: May 2021

How to Configure and Enable IEEE 802.1X Port-Based Authentication

Before You Begin

You must be an administrator with the rights to install packages, start services, and administer the network. The root role has all of these rights. The System Administration, Service Configuration, and Network Management rights profiles provide these rights. For more information, see Using Your Assigned Administrative Rights in Securing Users and Processes in Oracle Solaris 11.4.

    Perform the required IEEE 802.1X setup tasks, which typically include the following:

  • Designating a host system to be used as the client (or supplicant) that requests access to a secured network.

  • Determining the network access device (typically a switch) that acts as the authenticator, relaying the EAP authentication requests and responses between the client and the authentication server.

  • Designating an authentication server that runs an AAA application such as RADIUS to authenticate the client.

  • Determining which EAP method the network that you are connecting to requires, for example EAP-MD5 or EAP-TLS, and the credentials that go with it: an identity and password for EAP-MD5, or a client certificate and private key plus the CA certificate that signs the authentication server's certificate for EAP-TLS.

  1. On the client system, install the network-access-control software package.
    client$ pkg install network-access-control
  2. (Optional) Verify that the network-access-control service is online.
    client$ svcs network-access-control
    STATE  STIME FMRI 
    online Sep_07 svc:/network/network-access-control:default

    Note - If the service is not online, enable it:
    client$ svcadm enable network-access-control

  3. On the client system, add a network profile that holds the credentials the supplicant presents to the authentication server. The profile is bound to a datalink in Step 4.
    client$ nacadm add-net -p key-mgmt=DOT1X,eap=tls,\
       ca-cert=file-location,client-cert=cert-location,\
       private-key-file=key-location,private-key-passwd=key-file network-name
    key-mgmt=DOT1X

    Specifies an acceptable authenticated key management protocol. Currently, DOT1X is the only key management protocol that is supported.

    eap=tls

    Space-separated list of acceptable Extensible Authentication Protocol (EAP) methods. Use tls for Transport Layer Security (TLS).

    file-location

    Location of the TLS certificate authority (CA) certificate that is used to validate the authentication server's certificate. If ca-cert is omitted, the default bundle /etc/certs/ca-certificates.crt is used.

    cert-location

    Location of the client certificate.

    key-location

    Location of the client private key.

    key-file

    File containing the passphrase that protects the client private key. Restrict read access to this file, and to the private key file, to the owner.

    network-name

    Name that you assign to the given network.


    Note -  Do not use auto or automatic for network names. These names are reserved.

    For example, associate the certificate with the network name netsec0:

    $ nacadm add-net -p key-mgmt=DOT1X,eap=tls,client-cert=/etc/certs/localhost/nacd0.pem,\
       private-key-file=/etc/nacd/priv-key.pem,private-key-passwd=.admin/dot1x.pwd netsec0
  4. Set the authentication link property of the datalink to the network name that you added in Step 3.
    $ dladm set-linkprop -p authentication=netsec0 net0

    This step enables the IEEE 802.1X process on the net0 datalink.

  5. Verify the authentication-state of the datalink.
    $ dladm show-linkprop -p authentication-state
    LINK  AUTHENTICATION-STATE
    net0  succeeded
    net1  off
    net2  off

    Possible values for the AUTHENTICATION-STATE field are succeeded, in-process, failed, and off. A datalink whose authentication property is not set reports off, as net1 and net2 do in this output. failed means that the authenticator did not accept the credentials that the client presented.
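    The following script is an added example and is not part of the Oracle Solaris manual. It wraps Steps 1 through 5 in shell functions so that the inputs are checked before the datalink is touched: the reserved network names from the Step 3 note are refused, every file named on the nacadm command line must exist, and the private key and passphrase files must not be readable by group or others. The owner-only permission requirement and the fallback to the manual's default CA bundle when no ca-cert is given are assumptions made by this example. build_add_net only prints the nacadm command; configure_supplicant runs the procedure when the Solaris tools are on the PATH and otherwise reports what it would have run.

```shell
#!/bin/sh
# Added example, not from the Oracle Solaris manual: a wrapper around the
# five-step supplicant procedure that validates its inputs first.
# Assumptions not stated by the manual: the private-key and passphrase
# files must be readable only by their owner, and the manual's default
# CA bundle /etc/certs/ca-certificates.crt is used when no ca-cert is given.
set -u

# Network names auto and automatic are reserved (Step 3 note).
valid_net_name() {
    case "$1" in
        ''|auto|automatic) return 1 ;;
        *) return 0 ;;
    esac
}

# True only when the group and other permission bits are all clear
# (for example mode 0600 or 0400). Uses ls -ld so it runs on /bin/sh and bash.
secret_perms_ok() {
    bits=$(ls -ld "$1" 2>/dev/null | cut -c5-10)
    [ "$bits" = "------" ]
}

# Print the nacadm add-net command for an EAP-TLS profile without running it.
# Args: network-name client-cert private-key passwd-file [ca-cert]
build_add_net() {
    name=$1 cert=$2 key=$3 pwfile=$4
    ca=${5:-/etc/certs/ca-certificates.crt}   # manual's default CA bundle
    if ! valid_net_name "$name"; then
        echo "network name '$name' is reserved or empty" >&2
        return 1
    fi
    for f in "$cert" "$key" "$pwfile" "$ca"; do
        if [ ! -r "$f" ]; then
            echo "missing or unreadable: $f" >&2
            return 1
        fi
    done
    for f in "$key" "$pwfile"; do
        if ! secret_perms_ok "$f"; then
            echo "$f is readable by group or others; chmod 600 it first" >&2
            return 1
        fi
    done
    printf 'nacadm add-net -p key-mgmt=DOT1X,eap=tls,ca-cert=%s,client-cert=%s,private-key-file=%s,private-key-passwd=%s %s\n' \
        "$ca" "$cert" "$key" "$pwfile" "$name"
}

# Run the whole procedure on one datalink. Executes only when the Solaris
# tools are present; elsewhere it reports the command it would have run.
# Usage: configure_supplicant net0 netsec0 /etc/certs/localhost/nacd0.pem \
#            /etc/nacd/priv-key.pem /etc/nacd/dot1x.pwd
configure_supplicant() {
    link=$1; shift
    cmd=$(build_add_net "$@") || return 1
    if ! command -v nacadm >/dev/null 2>&1; then
        echo "nacadm not found; would run: $cmd" >&2
        return 2
    fi
    svcadm enable network-access-control || return 1
    eval "$cmd" || return 1
    dladm set-linkprop -p authentication="$1" "$link" || return 1
    # Expect succeeded; failed means the authenticator rejected the credentials.
    dladm show-linkprop -p authentication-state "$link"
}
```

    The permission check matters because private-key-passwd points at a plaintext passphrase file: a group- or world-readable copy hands the supplicant identity to any local user. Pass ca-cert explicitly when the authentication server is signed by a private CA rather than one in the default bundle, otherwise the server certificate cannot be validated and the profile will fail to authenticate.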

Example 1  Disabling IEEE 802.1X Port-Based Authentication on a Datalink

    You can disable IEEE 802.1X port-based authentication on a datalink in two ways.

  • Switching the authentication property off.

    $ dladm set-linkprop -p authentication=off net0
  • Resetting the authentication property to its default, which leaves the datalink with an authentication-state of off.

    $ dladm reset-linkprop -p authentication net0
Example 2  Displaying Configuration Information for Networks That Use IEEE 802.1X Port-Based Authentication

This example shows how to display configuration information for a network that uses IEEE 802.1X port-based authentication.

$ nacadm show-net netsec0 
NAME    KEY-MGMT EAP IDENTITY CA-CERT                                          CERT                           PRIV-KEY 
netsec0 dot1x    tls id       /etc/certs/ca-certificates/CA/Swissign_Gold1.pem /etc/certs/localhost/nacd0.pem /etc/nacd/priv-key.pem