Enable 802.1x on the management interface
This topic describes how to enable 802.1x support for the management interface. Configuration of the RADIUS server and the creation of any required certificates are not discussed here.
Before you begin
- Make sure that you have serial access to the sensor, because part of this configuration is performed via the serial console.
- If 802.1x is already configured on the switch side and the ports are already closed, make sure that you have a network patch cable so that you can reach the sensor through a direct network connection.
- If the authentication process uses transport layer security (TLS) certificates, confirm that you have the ca.pem, client.pem, and client.key files, as well as the client.key unlock password.
- If the authentication process uses the protected extensible authentication protocol (PEAP), confirm that you have the identity and password.
Procedure
- Log into the console, either directly or through secure shell (SSH).
- To go to privileged mode, enter this command:

      enable-me

  You can now perform system changes.
- To create the directory /etc/wpa_supplicant_certs and change its permissions to 755, enter these commands:

      mkdir /etc/wpa_supplicant_certs
      chmod 755 /etc/wpa_supplicant_certs

  Important: You must use this exact directory name. No other name is permitted.
- To create the file /etc/wpa_supplicant.conf, enter this command:

      vi /etc/wpa_supplicant.conf

  Important: You must use this exact file name. No other name is permitted. If necessary, rename the file to this name.

  Examples of wpa_supplicant.conf are shown below.

  Configuration for PEAP authentication:

      ctrl_interface=/var/run/wpa_supplicant
      ctrl_interface_group=0
      eapol_version=1
      ap_scan=0
      network={
          ssid="NOZOMI8021X"
          key_mgmt=IEEE8021X
          eap=PEAP
          identity="identity_for_this_guardian_here"
          password="somefancypassword_here"
      }

  Configuration for TLS authentication:

      ctrl_interface=/var/run/wpa_supplicant
      ctrl_interface_group=0
      eapol_version=1
      ap_scan=0
      network={
          ssid="NOZOMI8021X"
          key_mgmt=IEEE8021X
          eap=TLS
          identity="client"
          ca_cert="/etc/wpa_supplicant_certs/ca.pem"
          client_cert="/etc/wpa_supplicant_certs/client.pem"
          private_key="/etc/wpa_supplicant_certs/client.key"
          private_key_passwd="somefancypassword_private_key_here"
      }
- For TLS authentication, use Ethernet to connect to the sensor and copy the required files to the expected location.

  Note: If the sensor is not reachable via SSH using the actual network, we suggest that you configure the mgmt interface with a temporary internet protocol (IP) address and connect the sensor with a direct Ethernet patch cable.

  Note: For TLS authentication, upload the certificate files to the sensor with an SSH client; the next step moves them into the /etc/wpa_supplicant_certs/ folder. If you are using PEAP authentication, you can skip this step and the two certificate steps that follow.

      scp ca.pem client.pem client.key admin@<sensor_ip>:/tmp/

- In the sensor serial console, with elevated privileges, move the files to the expected location:

      mv /tmp/ca.pem /tmp/client.pem /tmp/client.key /etc/wpa_supplicant_certs

- In the sensor serial console, with elevated privileges, change the certificate permissions to 440 by entering these commands:

      cd /etc/wpa_supplicant_certs
      chown root:wheel ca.pem client.pem client.key
      chmod 440 ca.pem client.pem client.key

- In the sensor serial console, with elevated privileges, add the following entries to the /etc/rc.conf file:

      wpa_supplicant_flags="-s -Dwired"
      wpa_supplicant_program="/usr/local/sbin/wpa_supplicant"

- To change the ifconfig_mgmt entry in the /etc/rc.conf file, add the prefix WPA. For example, if the sensor IP address is 192.168.10.10, the entry will be similar to:

      ifconfig_mgmt="WPA inet 192.168.10.10 netmask 255.255.255.0"

  Note: If the sensor was configured with a direct Ethernet patch cable, you can now configure the production-ready IP address and connect the sensor to the switch.
- To save all of the settings, enter this command:

      n2os-save

- To reboot the system, enter this command:

      shutdown -r now

- Wait for the system to reboot.
- Log in to the sensor.
- Enter the command:

      ps aux | grep wpa

  You should receive output similar to the following:

      root 91591 0.0 0.0 26744 6960 - Ss 09:59 0:00.01 /usr/local/sbin/wpa_supplicant -s -Dwired -B -i mgmt -c /etc/wpa_supplicant.conf -D wired -P /var/run/wpa_supplicant/mgmt.pid

- You can check the status of the wpa_supplicant with the wpa_cli -i mgmt status command. For example:

      root@guardian:~# wpa_cli -i mgmt status
      bssid=01:01:c1:02:02:02
      freq=0
      ssid=NOZOMI8021X
      id=0
      mode=station
      pairwise_cipher=NONE
      group_cipher=NONE
      key_mgmt=IEEE 802.1X (no WPA)
      wpa_state=COMPLETED
      ip_address=192.168.1.2
      address=FF:FF:FF:FF:FF:FF
      Supplicant PAE state=AUTHENTICATED
      suppPortStatus=Authorized
      EAP state=SUCCESS
      selectedMethod=13 (EAP-TLS)
      eap_tls_version=TLSv1.2
      EAP TLS cipher=ECDHE-RSA-AES256-GCM-SHA384
      tls_session_reused=0
      eap_session_id=0dd52aaeaa2aa3aa4deaac6aaafc65edbfa58cdffecff6ff4[...]
      uuid=8a31bd80-1111-22aa-ffff-abafa0a9afa6

  The lines wpa_state=COMPLETED, suppPortStatus=Authorized and EAP state=SUCCESS confirm that the switch port accepted the sensor's authentication.
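The following script is an added example, not part of the original page or of the sensor software: it checks that the files written in the steps above are consistent with each other (exact config name, directory mode 755, key_mgmt and eap values, certificate files present with root:wheel ownership and mode 440, and the two rc.conf entries) so that a mistake is caught before the reboot rather than from a supplicant that never authenticates. The ROOT, OWNER and GROUP parameters are assumptions of this script that let the same checks run against a scratch copy of the tree.

```shell
#!/bin/sh
# Added example, not from the original page: a consistency check for the
# 802.1x settings written in the steps above. Run it with elevated privileges
# on the sensor before "n2os-save" and the reboot (or afterwards, if the
# supplicant does not come up). ROOT (default "") prefixes every path so the
# same checks can be run against a scratch copy of the tree.
# Usage: check_8021x_config [ROOT] [OWNER] [GROUP]   (owner/group default root:wheel)

mode_of()  { ls -ld "$1" 2>/dev/null | cut -c1-10; }            # e.g. -r--r-----
owner_of() { ls -ld "$1" 2>/dev/null | awk '{print $3 ":" $4}'; }
# Value of KEY in a wpa_supplicant.conf, with surrounding double quotes removed.
conf_val() { sed -n "s/^[[:space:]]*$2=\"\{0,1\}\([^\"]*\)\"\{0,1\}.*/\1/p" "$1" 2>/dev/null | head -n 1; }

check_8021x_config() {
    root="${1:-}"; owner="${2:-root}"; group="${3:-wheel}"; rc=0
    conf="$root/etc/wpa_supplicant.conf"
    certdir="$root/etc/wpa_supplicant_certs"
    rcconf="$root/etc/rc.conf"

    [ -f "$conf" ] || { echo "missing $conf (exact name required)"; rc=1; }
    [ "$(mode_of "$certdir")" = "drwxr-xr-x" ] || { echo "$certdir must exist with mode 755"; rc=1; }
    [ "$(conf_val "$conf" key_mgmt)" = "IEEE8021X" ] || { echo "key_mgmt must be IEEE8021X"; rc=1; }

    case "$(conf_val "$conf" eap)" in
    TLS)   # every referenced certificate/key must exist, be owner:group and mode 440
        for key in ca_cert client_cert private_key; do
            f="$root$(conf_val "$conf" "$key")"
            [ -f "$f" ] || { echo "$key: $f not found"; rc=1; continue; }
            [ "$(mode_of "$f")" = "-r--r-----" ] || { echo "$f must be mode 440"; rc=1; }
            [ "$(owner_of "$f")" = "$owner:$group" ] || { echo "$f must be owned by $owner:$group"; rc=1; }
        done ;;
    PEAP)  # PEAP needs only the identity and password
        [ -n "$(conf_val "$conf" identity)" ] && [ -n "$(conf_val "$conf" password)" ] \
            || { echo "PEAP needs identity and password"; rc=1; } ;;
    *)     echo "eap must be TLS or PEAP"; rc=1 ;;
    esac

    grep -q '^wpa_supplicant_flags="-s -Dwired"' "$rcconf" 2>/dev/null \
        || { echo "rc.conf: wpa_supplicant_flags not set for the wired driver"; rc=1; }
    grep -q '^ifconfig_mgmt="WPA ' "$rcconf" 2>/dev/null \
        || { echo "rc.conf: ifconfig_mgmt entry lacks the WPA prefix"; rc=1; }
    return $rc
}
```

On the sensor itself, run `check_8021x_config` with no arguments; a non-zero exit status and the printed messages name the step that still needs attention.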