The Lost Admin

Network Automation FreeRadius Basic Setup for EAP-TLS

Building on our previous post, we will now configure FreeRadius on our secured Ubuntu server to finalize the 802.1x setup. We will also include the essential configurations for Cisco switches.

Installing FreeRadius

Installing FreeRadius is simple and easy to follow. We will walk you through each step, just like in our previous post. If you are working on a different server than before, please refer to the server hardening guidelines in Open Source Network Automation Solution.

sudo apt install freeradius freeradius-utils -y

After the installation is complete, we need to verify the service status.

sudo systemctl status freeradius

After confirming that the installation succeeded and the service is running, we will stop the service so that it can be started later in debugging mode once the configuration is complete. To verify the service is running, check for the status “Processing requests” in the output of “sudo systemctl status freeradius”.

sudo systemctl stop freeradius

Configuring FreeRadius Clients

First, we will configure our client devices to ensure FreeRadius permits communication between them.

sudo nano /etc/freeradius/3.0/clients.conf

Add the following lines to the end of the file. Be sure to update the subnet range to correspond with your switch management network. FreeRadius only answers RADIUS packets whose source address matches a client entry, and the shared secret must be identical to the one configured on the switches. If you manage multiple subnets that cannot be aggregated into a single CIDR block, add additional client entries, changing the name (e.g., “building1”) for each new site.

client building1 {
    ipaddr = 192.168.1.0/24
    secret = testing123
}
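To make concrete what the client entry and its shared secret actually do, here is an added example (not code from the original post or from the FreeRADIUS project) that reproduces the two checks the server applies to a switch's Access-Request before it looks at EAP at all: is the source address covered by a client entry, and does the Message-Authenticator (the HMAC-MD5 that RFC 3579 requires on every RADIUS packet carrying EAP) verify under that client's secret. The client table, the identity “host/lab-pc.domain.local” and the EAP payload are constructed test values.

```python
import hashlib
import hmac
import ipaddress
import os
import struct

# Constructed test values mirroring the clients.conf entry above.
# Use a long random secret per site in production.
CLIENTS = {
    "building1": (ipaddress.ip_network("192.168.1.0/24"), b"testing123"),
}

ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_EAP_MESSAGE = 79
ATTR_MESSAGE_AUTHENTICATOR = 80
HEADER_LEN = 20  # Code(1) + Identifier(1) + Length(2) + Authenticator(16)


def lookup_client(src_ip):
    """Return (name, secret) for the client entry covering src_ip, or None.
    FreeRADIUS silently drops packets from addresses without an entry."""
    ip = ipaddress.ip_address(src_ip)
    for name, (net, secret) in CLIENTS.items():
        if ip in net:
            return name, secret
    return None


def attr(attr_type, value):
    """Encode one attribute as Type | Length | Value (RFC 2865 section 5)."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def parse_attrs(packet):
    """Yield (type, value_offset, value) for each attribute after the header."""
    pos = HEADER_LEN
    while pos < len(packet):
        attr_type, length = struct.unpack("!BB", packet[pos:pos + 2])
        if length < 2 or pos + length > len(packet):
            raise ValueError("malformed attribute at offset %d" % pos)
        yield attr_type, pos + 2, packet[pos + 2:pos + length]
        pos += length


def build_access_request(ident, eap_payload, secret, request_auth=None):
    """Switch side: an Access-Request carrying EAP-Message. RFC 3579 section 3.2
    requires a Message-Authenticator: HMAC-MD5 over the whole packet, computed
    with the attribute's own value set to 16 zero bytes."""
    request_auth = request_auth or os.urandom(16)
    attrs = attr(ATTR_USER_NAME, b"host/lab-pc.domain.local")  # constructed identity
    attrs += attr(ATTR_EAP_MESSAGE, eap_payload)
    ma_offset = HEADER_LEN + len(attrs) + 2   # where the 16-byte MAC value lands
    attrs += attr(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, HEADER_LEN + len(attrs))
    packet = header + request_auth + attrs
    mac = hmac.new(secret, packet, hashlib.md5).digest()
    return packet[:ma_offset] + mac + packet[ma_offset + 16:]


def verify_message_authenticator(packet, secret):
    """Server side: recompute the HMAC and compare in constant time. A packet
    without exactly one well-formed Message-Authenticator is rejected, as
    FreeRADIUS does for EAP."""
    if len(packet) < HEADER_LEN:
        return False
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        return False
    try:
        found = [(off, val) for t, off, val in parse_attrs(packet)
                 if t == ATTR_MESSAGE_AUTHENTICATOR]
    except ValueError:
        return False
    if len(found) != 1 or len(found[0][1]) != 16:
        return False
    off, received = found[0]
    zeroed = packet[:off] + bytes(16) + packet[off + 16:]
    expected = hmac.new(secret, zeroed, hashlib.md5).digest()
    return hmac.compare_digest(expected, received)


def accept_from_switch(src_ip, packet):
    """Both checks together: known client, and HMAC valid under its secret."""
    client = lookup_client(src_ip)
    if client is None:
        return False
    return verify_message_authenticator(packet, client[1])


if __name__ == "__main__":
    # Constructed EAP Response/Identity: code 2, id 1, length 8, type 1, "lab".
    request = build_access_request(7, b"\x02\x01\x00\x08\x01lab", b"testing123")
    print("from 192.168.1.10:", accept_from_switch("192.168.1.10", request))
    print("from 10.0.0.5:    ", accept_from_switch("10.0.0.5", request))
```

A packet from an address outside 192.168.1.0/24, or one whose HMAC was computed with a different secret, is dropped before any certificate is examined, which is why a mismatched “key” on the switch shows up in “freeradius -X” as ignored or rejected requests rather than as a TLS failure.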

Generating Certificates

Next, we will create the private key and the CSR to submit to our internal CA for the server certificate. If you don’t have an internal CA set up yet, stay tuned: our next post will cover this topic in detail. When openssl prompts for a PEM pass phrase while creating the private key, be sure to set one. This pass phrase will be needed later when configuring EAP; it is not the same thing as the CSR “challenge password” asked for at the end of the prompts.

sudo mkdir /certs
sudo openssl req -new -newkey rsa:2048 -keyout /certs/server.key -out /certs/server.csr

Below are my sample answers to the questions asked during the CSR creation process.

You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:Texas
Locality Name (eg, city) []:Test
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Test2
Organizational Unit Name (eg, section) []:Tech
Common Name (e.g. server FQDN or YOUR name) []:rsyslog_test
Email Address []:test@domain.local

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:testing123
An optional company name []:

After the CA has issued the server certificate, copy both the server.cer and RootCA.cer files to the /certs directory on the Ubuntu server. The file names must match the paths used later in the EAP configuration exactly, since the file system is case-sensitive. When exporting these certificates, use the Base64 (PEM) format instead of DER.
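Because a DER export copied into /certs fails only when FreeRadius tries to load it, the following added example (not code from the original post) tells the two formats apart and converts a DER file to the Base64 PEM armour FreeRadius expects. The DER input used for testing is a constructed minimal ASN.1 SEQUENCE, not a real certificate.

```python
import base64

PEM_LINE_LEN = 64


def is_pem(data):
    """Base64 ('PEM') export: text between BEGIN/END armour lines."""
    text = data.lstrip()
    return text.startswith(b"-----BEGIN ") and b"-----END " in text


def looks_like_der(data):
    """DER export: raw ASN.1. An X.509 certificate always starts with a
    SEQUENCE tag (0x30); this is only enough to tell the two formats apart."""
    return len(data) >= 2 and data[0] == 0x30


def der_to_pem(der, label="CERTIFICATE"):
    """Base64-encode and wrap at 64 columns, as openssl does."""
    body = base64.b64encode(der).decode("ascii")
    lines = [body[i:i + PEM_LINE_LEN] for i in range(0, len(body), PEM_LINE_LEN)]
    armoured = "-----BEGIN %s-----\n%s\n-----END %s-----\n" % (label, "\n".join(lines), label)
    return armoured.encode("ascii")


def pem_to_der(pem):
    """Strip the armour and decode; validate=True rejects stray characters."""
    lines = [ln.strip() for ln in pem.splitlines()]
    b64 = b"".join(ln for ln in lines if ln and not ln.startswith(b"-----"))
    return base64.b64decode(b64, validate=True)


def ensure_pem(data, label="CERTIFICATE"):
    """Return data as PEM, converting a DER export. Anything else is rejected
    here rather than when FreeRADIUS loads the file."""
    if is_pem(data):
        pem_to_der(data)  # raises if the Base64 body is corrupt
        return data
    if looks_like_der(data):
        return der_to_pem(data, label)
    raise ValueError("file is neither PEM nor DER")


if __name__ == "__main__":
    import sys
    # Usage: python this_file.py input.cer > output.pem
    with open(sys.argv[1], "rb") as fh:
        sys.stdout.buffer.write(ensure_pem(fh.read()))
```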

Configuring EAP

Once the certificates are created and stored in the directory, we will proceed with configuring EAP on the FreeRadius server.

sudo nano /etc/freeradius/3.0/mods-enabled/eap

Near the start of the file, make sure “default_eap_type = ” is set to tls.

default_eap_type = tls

In the file, locate the section labeled “tls-config tls-common.” Set “private_key_password =” to the pass phrase you chose for server.key. Next, configure the paths to your certificates. Refer to the example settings below if you are following along. Note that the settings might not be in this exact order, and there may be comments throughout the file. Scroll through and make the necessary changes. The line “client_cert_attr = yes” will not be present and needs to be added. Insert it immediately after the “private_key_file” entry. This setting will be used later to assign a VLAN to any client presenting a certificate signed by our CA.

        tls-config tls-common {
                private_key_password = WISD
                private_key_file = /certs/server.key
                client_cert_attr = yes
                certificate_file = /certs/server.cer
                ca_file = /certs/RootCA.cer
                # ... remaining tls-common settings left unchanged ...
        }

Configuring VLAN Assignment

sudo nano /etc/freeradius/3.0/mods-config/files/authorize

The following configuration assigns VLAN 20 to all devices that successfully authenticate using EAP-TLS.

DEFAULT Auth-Type := EAP
    Tunnel-Type := VLAN,
    Tunnel-Medium-Type := IEEE-802,
    Tunnel-Private-Group-Id := "20"

Paste the entry above into the file immediately after the following lines.

# The rest of this file contains the several DEFAULT entries.
# DEFAULT entries match with all login names.
# Note that DEFAULT entries can also Fall-Through (see first entry).
# A name-value pair from a DEFAULT entry will _NEVER_ override
# an already existing name-value pair.
#

# Sample defaults for all framed connections.
#
#DEFAULT        Service-Type == Framed-User
#       Framed-IP-Address = 255.255.255.254,
#       Framed-MTU = 576,
#       Service-Type = Framed-User,
#       Fall-Through = Yes
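The three reply attributes in that DEFAULT entry travel to the switch as RFC 2868 tagged tunnel attributes inside the Access-Accept. The following added example (not code from the original post or from FreeRADIUS) builds that reply the way the server would, including the Response Authenticator that binds it to the request and the shared secret, and then decodes it the way a switch does: the VLAN is honoured only if the authenticator verifies, the code is Access-Accept, and one tag group says Tunnel-Type=VLAN with Tunnel-Medium-Type=IEEE-802. The secret, identifier and Request Authenticator are constructed test values; the default tag of 1 is an assumption, and the decoder also handles an untagged group id.

```python
import hashlib
import hmac
import struct

# Constructed test value mirroring clients.conf and the switch "key".
SECRET = b"testing123"

ACCESS_ACCEPT = 2
ATTR_TUNNEL_TYPE = 64               # 13 = VLAN
ATTR_TUNNEL_MEDIUM_TYPE = 65        # 6 = IEEE-802
ATTR_TUNNEL_PRIVATE_GROUP_ID = 81   # VLAN id or name, as a string
TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_IEEE_802 = 6
HEADER_LEN = 20


def attr(attr_type, value):
    """Type | Length | Value (RFC 2865 section 5)."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def tagged_int(attr_type, tag, number):
    """RFC 2868 tagged integer: one tag byte, then a 3-byte big-endian value."""
    return attr(attr_type, bytes([tag]) + number.to_bytes(3, "big"))


def tagged_str(attr_type, tag, text):
    return attr(attr_type, bytes([tag]) + text.encode())


def build_access_accept(ident, request_auth, vlan, secret, tag=1):
    """Server side: the reply produced by the DEFAULT entry above. Response
    Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret),
    RFC 2865 section 3."""
    attrs = (tagged_int(ATTR_TUNNEL_TYPE, tag, TUNNEL_TYPE_VLAN)
             + tagged_int(ATTR_TUNNEL_MEDIUM_TYPE, tag, TUNNEL_MEDIUM_IEEE_802)
             + tagged_str(ATTR_TUNNEL_PRIVATE_GROUP_ID, tag, str(vlan)))
    head = struct.pack("!BBH", ACCESS_ACCEPT, ident, HEADER_LEN + len(attrs))
    resp_auth = hashlib.md5(head + request_auth + attrs + secret).digest()
    return head + resp_auth + attrs


def parse_attrs(packet):
    pos = HEADER_LEN
    while pos < len(packet):
        attr_type, length = struct.unpack("!BB", packet[pos:pos + 2])
        if length < 2 or pos + length > len(packet):
            raise ValueError("malformed attribute")
        yield attr_type, packet[pos + 2:pos + length]
        pos += length


def split_tag(attr_type, value):
    """RFC 2868 section 3: integer tunnel attributes always carry a tag byte;
    for Tunnel-Private-Group-Id a first byte above 0x1F is data, not a tag."""
    if attr_type == ATTR_TUNNEL_PRIVATE_GROUP_ID:
        if value and value[0] <= 0x1F:
            return value[0], value[1:].decode("utf-8", "replace")
        return 0, value.decode("utf-8", "replace")
    if len(value) != 4:
        raise ValueError("tagged integer must be 4 bytes")
    return value[0], int.from_bytes(value[1:], "big")


def response_authenticator_ok(packet, request_auth, secret):
    """Switch side: reject replies not bound to our request and our secret."""
    if len(packet) < HEADER_LEN:
        return False
    if struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + request_auth + packet[HEADER_LEN:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:HEADER_LEN])


def vlan_from_accept(packet, request_auth, secret):
    """Return the VLAN to assign, or None when the reply must not be trusted
    or does not describe a VLAN over IEEE-802 (RFC 3580 section 3.31)."""
    if not response_authenticator_ok(packet, request_auth, secret):
        return None
    if packet[0] != ACCESS_ACCEPT:
        return None
    groups = {}
    try:
        for attr_type, value in parse_attrs(packet):
            if attr_type in (ATTR_TUNNEL_TYPE, ATTR_TUNNEL_MEDIUM_TYPE,
                             ATTR_TUNNEL_PRIVATE_GROUP_ID):
                tag, body = split_tag(attr_type, value)
                groups.setdefault(tag, {})[attr_type] = body
    except ValueError:
        return None
    for group in groups.values():
        if (group.get(ATTR_TUNNEL_TYPE) == TUNNEL_TYPE_VLAN
                and group.get(ATTR_TUNNEL_MEDIUM_TYPE) == TUNNEL_MEDIUM_IEEE_802
                and ATTR_TUNNEL_PRIVATE_GROUP_ID in group):
            return group[ATTR_TUNNEL_PRIVATE_GROUP_ID]
    return None


if __name__ == "__main__":
    req_auth = bytes(range(16))  # constructed Request Authenticator
    reply = build_access_accept(7, req_auth, 20, SECRET)
    print("assigned VLAN:", vlan_from_accept(reply, req_auth, SECRET))
```

The authenticator check is what stops an on-path host from answering the switch with its own Access-Accept carrying a different VLAN, which is the reason the shared secret matters even though the actual authentication happens inside TLS.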

Switch Configuration – Cisco

The following switch configuration is for a Cisco 9200L. We also have a working configuration for a 9300X, which I will provide after the 9200L config. In this setup, be sure to update the server address to the IPv4 address of your Ubuntu server. Additionally, adjust the voice VLAN and the unauthenticated VLAN as needed; we used VLAN 999 for unauthenticated devices. Lastly, ensure the shared secret key matches the one configured in the FreeRadius client setup. Note that “aaa new-model” must already be enabled, or the switch will not accept the aaa commands.

Cisco 9200L/9300X Config

aaa new-model
aaa group server radius 8021x
 server name 8021x
aaa authentication dot1x default group 8021x
aaa authorization network default group 8021x
dot1x system-auth-control
radius server 8021x
 address ipv4 192.168.1.1 auth-port 1812 acct-port 1813
 key testing123

interface range GigabitEthernet1/0/1-48
 switchport mode access
 switchport voice vlan 10
 load-interval 60
 authentication event server dead action authorize vlan 999
 authentication event no-response action authorize vlan 999
 authentication event server alive action reinitialize
 authentication order dot1x
 authentication priority dot1x
 authentication port-control auto
 authentication periodic
 authentication violation replace
 no snmp trap link-status
 dot1x pae authenticator
 dot1x timeout quiet-period 2
 dot1x timeout tx-period 3
 storm-control broadcast level 5.00
 storm-control multicast level 5.00
 storm-control action shutdown
 spanning-tree portfast
 spanning-tree bpduguard enable
 spanning-tree guard root

Testing

With the server and switch configured, we will now start FreeRadius in debugging mode.

sudo freeradius -X

The previous command will start FreeRadius in the foreground, and once it completes its startup you should see a screen displaying “Ready to process requests.” Next, connect a device configured for 802.1x to your switch. If your device isn’t set up for 802.1x yet, don’t worry: we will be posting a tutorial soon. In the meantime, a quick Google search will help you get started.

Once the device is connected, the communication debug information will appear on the screen. Finally, you should see the messages “Sent Access-Accept” and “Finished request”.

On the switch, we can verify authentication using two commands: one to confirm successful authentication and another to check the VLAN assignment. Our test port was Gi1/0/21.

show authentication history
show interface status | include 1/0/21

The results indicate that the device was successfully authenticated using “dot1x” and assigned to the “Data” domain with an Authenticated status. The show interfaces status command confirms the device is in the authenticated VLAN “20” rather than the unauthenticated VLAN “999”.

Test#show authentication history
Interface                MAC Address    Method  Domain  Status Uptime
----------------------------------------------------------------------
Gi1/0/21                 3814.288c.ef76 dot1x   DATA    Auth    221

Session count = 1

Test#show interfaces status | inc 1/0/21
Gi1/0/21                        connected    20         a-full a-1000 10/100/1000BaseTX
Test#

End Testing and Start FreeRadius

Press “CTRL + C” to exit debugging mode, then run the following command to start FreeRadius. FreeRadius will also start automatically whenever the server is rebooted or powered on.

sudo systemctl start freeradius

Conclusion

Implementing 802.1X alongside the existing Rsyslog setup with Ansible automation significantly simplifies network management while maintaining a reasonable level of security. Ideally, if all devices could be authenticated using EAP-TLS, our networks would be much more secure. However, given the rapid influx of new endpoints, achieving this across the board seems unlikely. If you need additional guidance on certificates and switch configurations, stay tuned: we are currently preparing detailed posts on both topics and will publish them soon.
