802.1X is an IEEE standard for providing port-based layer-2 access control to authenticate users or devices wishing to access a LAN or WAN. After successful authentication, the authenticating device uses source MAC filtering to allow only authenticated devices to communicate over the network. AppNeta monitoring points can be authenticated using PEAP, TLS, or MD5 authentication protocols. Both physical and virtual monitoring points can be configured with 802.1X.

Be aware that by changing or disabling the 802.1X configuration on an active network connection port you run the risk of disconnecting monitoring point access unless the switch port you are connected to has a compatible configuration.

How it works

There are three entities involved in 802.1X authentication:

  • Supplicant - The supplicant is the device that wishes to use network resources (for example, an AppNeta monitoring point).
  • Authenticator - The authenticator is the device that provides the physical link between the supplicant and the network, relays supplicant credentials to the authentication server, and enforces the network access policy (for example, a layer-2 switch).
  • Authentication server - The authentication server is a trusted server that validates network access requests from the supplicant (for example, a RADIUS server).

At a high level, the sequence of events is:

  1. The supplicant initiates an access request to the authenticator.
  2. The authenticator sets up secure links to the supplicant and to the authentication server and coordinates authentication of the supplicant.
  3. If the authentication is successful, the supplicant accesses the network resources through the authenticator.

Diagram showing 802.1X workflow. 1) Supplicant makes request to authenticator. 2) Authenticator communicates request to authentication server. 3) If authentication is successful, supplicant can access network resources behind authenticator.

Prerequisites

The following are required for the monitoring point to access a network using 802.1X authentication:

  • A Layer-2 switch with 802.1X support configured to access an authentication server.
  • An authentication server.
  • A user name and password recognized by the authentication server.
  • For PEAP and TLS authentication protocols, additional authentication information including certificates.

Restrictions

The following restrictions should be noted:

  • For a VLAN to work with 802.1X, its underlying physical interface must be configured as DHCP or static.
  • For a VLAN to work with 802.1X, its underlying physical interface must be configured with 802.1X.

Add a physical interface with 802.1X

Web admin

  1. Complete monitoring point setup.
  2. Log in to Web Admin.
  3. Navigate to Network Settings > Network Interfaces.
  4. Click Add Interface and select Ethernet.
  5. Update the configuration as appropriate.
  6. Check the 802.1x security checkbox.
  7. For EAP type, select one of the EAP authentication types:
    • PEAP - PEAP / EAP-MSCHAPv2 or PEAP / EAP-TLS
    • TLS - EAP-TLS
    • MD5 - EAP-MD5
  8. Specify the remaining configuration information depending on the EAP type selected, and upload any certificate or key files that the selected EAP type requires.
  9. Click Submit.
  10. Restart networking.
    • The interface is operational when networking restarts.

Admin API

  1. Complete monitoring point setup.
  2. Access the Admin API.
  3. If you are using an authentication protocol that uses certificate/key files, load the required files:
    1. Navigate to Interface > POST /interface/file/.
    2. Click Try it out.
    3. In the Parameters section, for each of the files you need to load, click Choose File and browse to the file.
    4. Click Execute.
      • The specified files are loaded onto the monitoring point.
  4. Add the interface.
    1. Navigate to Interface > POST /interface/.
    2. Click Try it out.
    3. Copy the section of JSON text depending on the authentication protocol you are using:
    4. In the Parameters section, in the body field, paste the JSON text replacing the existing content.
    5. Edit the JSON text replacing variables (those enclosed in arrow brackets “< >”) as appropriate (no arrow brackets should remain) and removing those that are not required.
    6. Click Execute.
      • In the Response Body section, look for a Server response code of 200 to confirm that the interface was added successfully.
  5. Restart networking.
    • You will briefly lose connectivity to the Admin API.
    • The interface is available to use.

curl

  1. Complete monitoring point setup.
  2. In APM, navigate to > Manage Monitoring Points to determine the device hostname.
  3. If you are using an authentication protocol that uses certificate/key files, load the required files:

     curl -k -X POST --header 'Expect:' --header 'Content-Type: multipart/form-data' --header 'Accept: application/json' -F wpa_ca_cert=@<file name> -F wpa_client_cert=@<file name> -F wpa_private_key=@<file name> -F wpa_ca_cert2=@<file name> -F wpa_client_cert2=@<file name> -F wpa_private_key2=@<file name> https://admin:<password>@<hostname>/api/v1/interface/file/
    
  4. Add the interface.
    1. Copy the section of JSON text depending on the authentication protocol you are using:
    2. Edit the JSON text replacing variables (those enclosed in arrow brackets “< >”) as appropriate (no arrow brackets should remain) and removing those that are not required.
    3. Save the text to a file called 8021x-config.json.
    4. Create the interface.

       curl -k -X POST --header "Content-Type: application/json" --data-binary @8021x-config.json https://admin:<password>@<hostname>/api/v1/interface/
      
  5. Verify that your changes are pending.

     curl -k "https://admin:<password>@<hostname>/api/v1/interface/?config_state=pending"
    
  6. Restart networking. You will briefly lose connectivity to the Admin API.

     curl -k -X PUT --header "Content-Type: application/json" -d '{}' "https://admin:<password>@<hostname>/api/v1/service/networking/action=restart"
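
The curl steps above assembled into a small POSIX shell script, as an added example (this is not an AppNeta script). The function names, the MP_HOST and MP_PASSWORD environment variables, the placeholder check, and the use of curl -u in place of the admin:<password>@ form in the URL are assumptions of this example; the JSON body itself is whatever you saved from the page's template as 8021x-config.json.

```shell
#!/bin/sh
# Added example, not an AppNeta script: the curl steps above wrapped in
# functions. Assumed: MP_HOST and MP_PASSWORD are set in the environment,
# and the JSON body from the page's template is saved as 8021x-config.json.
set -eu

# Refuse to submit a config that still contains <placeholder> text; the API
# cannot tell a leftover "<user name>" from a real value. Prints the
# offending lines and returns 1.
check_placeholders() {
    if [ ! -r "$1" ]; then
        echo "error: cannot read $1" >&2
        return 1
    fi
    if grep -n '<[^>]*>' "$1"; then
        echo "error: replace the <...> placeholders in $1 before submitting" >&2
        return 1
    fi
}

# Build an admin API URL that does not carry the password.
api_url() {
    printf 'https://%s/api/v1/%s' "$MP_HOST" "$1"
}

# Send the credentials with -u instead of admin:<password>@host in the URL so
# the password stays out of shell history and ps output. -k is kept because
# the monitoring point's admin certificate is typically self-signed; replace
# it with --cacert once you have exported that certificate.
mp_curl() {
    curl -k -sS -u "admin:${MP_PASSWORD}" "$@"
}

# Step 3: upload CA cert, client cert and private key (TLS or PEAP/EAP-TLS).
# curl sets the multipart Content-Type header itself when -F is used.
upload_certs() {
    mp_curl -X POST --header 'Expect:' --header 'Accept: application/json' \
        -F "wpa_ca_cert=@$1" -F "wpa_client_cert=@$2" -F "wpa_private_key=@$3" \
        "$(api_url interface/file/)"
}

# Step 4: create the interface from the JSON file, after the placeholder check.
# With set -e, a failed check stops the script before anything is posted.
add_interface() {
    check_placeholders "$1"
    mp_curl -X POST --header 'Content-Type: application/json' \
        --data-binary "@$1" "$(api_url interface/)"
}

# Step 5: show interface changes that are staged but not yet applied.
show_pending() {
    mp_curl "$(api_url 'interface/?config_state=pending')"
}

# Step 6: apply the pending configuration; the admin API drops briefly.
restart_networking() {
    mp_curl -X PUT --header 'Content-Type: application/json' -d '{}' \
        "$(api_url 'service/networking/action=restart')"
}
```

Append the calls you need to the end of the script rather than sourcing it into an interactive shell (set -eu would apply to that shell): upload_certs ca.pem client.pem client.key only for TLS or PEAP/EAP-TLS, then add_interface 8021x-config.json, show_pending to confirm the change is staged, and restart_networking to apply it. The placeholder check is the guard for the "no arrow brackets should remain" instruction above.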
    

USB

  1. If you are using an authentication protocol that uses certificate/key files, copy the required files to the USB stick.
  2. Download the appropriate physical interface config file.
    • For DHCP, use this file.
    • For static IP, use this file.
    • The downloaded config file contains a number of 802.1X configuration examples.
  3. Edit the downloaded config file for your needs.
    • Uncomment sections to be used (if required).
    • Replace content in arrow brackets (no arrow brackets should remain).
  4. Copy the file onto a USB stick.
  5. Make sure the monitoring point is ready.
  6. Insert the USB stick into the monitoring point.
    • The monitoring point reads the configuration from the USB stick and indicates that it is doing so.
  7. Wait until the monitoring point is finished.
  8. Remove the USB stick.
    • The monitoring point configuration is updated.
    • Any problems updating the configuration are logged in the usb.log file on the USB stick.
  9. Verify that the interface acquired an IP address.
    1. In APM, navigate to > Manage Monitoring Points.
    2. Select the monitoring point you are interested in.
    3. On the right side panel, check Local Network Interfaces for an IP address on the interface.

Edit an 802.1X configuration

Web admin

  1. Log in to Web Admin.
  2. Navigate to Network Settings > Network Interfaces.
  3. For the interface you want to edit, select > Edit.
  4. Check the 802.1x security checkbox.
  5. For EAP type, select one of the EAP authentication types:
    • PEAP - PEAP / EAP-MSCHAPv2 or PEAP / EAP-TLS
    • TLS - EAP-TLS
    • MD5 - EAP-MD5
  6. Specify the remaining configuration information depending on the EAP type selected, and upload any certificate or key files that the selected EAP type requires.
  7. Click Submit.
  8. Restart networking.
    • The interface is reconfigured when networking restarts.

Admin API

  1. Access the Admin API.
  2. Read and copy the current configuration.
    1. Navigate to Interface > GET /interface/{interface_name}/.
    2. Click Try it out.
    3. In the Parameters section, in the interface_name field, enter the name of the interface you are editing.
    4. In the config_state field, select active.
    5. Click Execute.
      • The Response Code section should show “200”.
      • The 802.1X configuration is shown in the Response Body.
    6. Copy the contents of the Response Body within “families”, starting with “{” and ending with “}”.
  3. Paste and edit the current configuration.
    1. Navigate to Interface > POST /interface/.
    2. Click Try it out.
    3. In the Parameters section, in the body field, select the existing content and paste the copied content.
    4. Edit attribute values you wish to change.
      • For PEAP / EAP-MSCHAPv2, specify the following:
        • "wpa_phase1": "peapver=0"
        • "wpa_phase2": "auth=MSCHAPV2"
      • For PEAP / EAP-TLS, specify the following:
        • "wpa_phase1": "peapver=0"
        • "wpa_phase2": "auth=TLS"
    5. Click Execute.
      • The Response Code section should show “200”.
      • The 802.1X configuration is shown in the Response Body.
  4. Restart networking. You will briefly lose connectivity to the Admin API.
    • The 802.1X configuration changes take effect.

View an 802.1X configuration

Web admin

  1. Log in to Web Admin.
  2. Navigate to Network Settings > Network Interfaces.
  3. For the interface you want to view, select > Edit.
    • The 802.1x security section contains the 802.1X configuration.

Admin API

  1. Access the Admin API.
  2. Navigate to Interface > GET /interface/{interface_name}/.
  3. Click Try it out.
  4. In the Parameters section, in the interface_name field, enter the name of the interface you are viewing.
  5. In the config_state field, select active.
  6. Click Execute.
    • The Response Code section should show “200”.
    • The 802.1X configuration is shown in the Response Body.

Enable an 802.1X configuration

Web admin

  1. Log in to Web Admin.
  2. Navigate to Network Settings > Network Interfaces.
  3. For the interface you want to enable 802.1X on, select > Edit.
  4. Check the 802.1x security checkbox.
  5. Click Submit.
  6. Restart networking.
    • 802.1X is enabled on the selected interface.

Admin API

To enable an 802.1X configuration from the API, use Add a physical interface with 802.1X.

Disable an 802.1X configuration

Web admin

  1. Log in to Web Admin.
  2. Navigate to Network Settings > Network Interfaces.
  3. For the interface you want to disable 802.1X on, select > Edit.
  4. Uncheck the 802.1x security checkbox.
  5. Click Submit.
  6. Restart networking.
    • 802.1X is disabled on the selected interface.

Admin API

To disable an 802.1X configuration from the API, use Add a physical interface with 802.1X and remove all “wpa_” fields.