Section 13.2.1 – Westermo RedFox Series User Manual


Westermo OS Management Guide

Version 4.17.0-0

13.2.1 Authentication using IEEE 802.1X

WeOS units are able to act as IEEE 802.1X [15] authenticators. WeOS uses the RADIUS [34] protocol with extensions for Extensible Authentication Protocol (EAP [33]) to communicate with a backend authentication server.

WeOS neither includes a RADIUS server nor a local authentication server mechanism for 802.1X. Instead the 802.1X authentication server must be provided externally.

As of WeOS v4.17.0, WeOS does not support Authenticator initiation as defined by §8.4.2.1 in the IEEE 802.1X standard [15]. The 802.1X client (supplicant) must initiate the authentication procedure to gain access⁴.

Fig. 13.5 illustrates the principles of a successful authentication with IEEE 802.1X. In reality the protocol exchanges several messages between the supplicant, the authenticator and the RADIUS backend server (see the standard documents for details). The WeOS unit acts as an IEEE 802.1X authenticator, relaying the EAP messages to the RADIUS server.
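The following is an added troubleshooting example, not part of the Westermo manual. It parses EAPOL frames captured on an access port and reports which side opened the exchange, which is the first thing to check when a supplicant never authenticates against an authenticator that requires supplicant initiation. The MAC addresses, identity and frames are constructed sample data.

```python
import struct

ETH_P_PAE = 0x888E  # EtherType of EAPOL (IEEE 802.1X) frames
EAPOL_TYPES = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff", 3: "EAPOL-Key"}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}

def parse_eapol(frame: bytes):
    """Return (source MAC, description) for an EAPOL frame, else None."""
    if len(frame) < 18 or struct.unpack("!H", frame[12:14])[0] != ETH_P_PAE:
        return None
    _version, ptype, body_len = struct.unpack("!BBH", frame[14:18])
    body = frame[18:18 + body_len]
    if len(body) < body_len:
        return None  # truncated capture
    desc = EAPOL_TYPES.get(ptype, f"unknown({ptype})")
    if ptype == 0 and len(body) >= 4:  # EAP header: code, id, length
        desc = "EAP-" + EAP_CODES.get(body[0], f"code{body[0]}")
        if body[0] in (1, 2) and len(body) >= 5 and body[4] == 1:
            desc += "/Identity"  # EAP type 1 = Identity
    return frame[6:12].hex(":"), desc

def first_initiator(frames, supplicant_mac):
    """Say which side opened the 802.1X exchange seen on one port."""
    for frame in frames:
        parsed = parse_eapol(frame)
        if parsed is None:
            continue
        src, desc = parsed
        if desc == "EAPOL-Start" and src == supplicant_mac:
            return "supplicant"
        if desc == "EAP-Request/Identity" and src != supplicant_mac:
            return "authenticator"
    return "none"  # no opener seen in this capture

# Constructed sample frames (MAC addresses and identity are made up).
PAE_GROUP = bytes.fromhex("0180c2000003")  # 802.1X PAE group address
SUPP, AUTH = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")

def eapol(src, ptype, body=b""):
    return PAE_GROUP + src + struct.pack("!HBBH", ETH_P_PAE, 1, ptype, len(body)) + body

START = eapol(SUPP, 1)
REQ_ID = eapol(AUTH, 0, struct.pack("!BBHB", 1, 1, 5, 1))
RESP_ID = eapol(SUPP, 0, struct.pack("!BBHB", 2, 1, 9, 1) + b"user")

if __name__ == "__main__":
    print(first_initiator([START, REQ_ID, RESP_ID], "02:00:00:00:00:01"))
    print(first_initiator([RESP_ID], "02:00:00:00:00:01"))
```

A result of "none" for a port that should authenticate means the capture holds no EAPOL-Start from the supplicant, so the supplicant configuration is the place to look.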

When configuring the 802.1X authenticator in WeOS, the RADIUS server (or group
of RADIUS servers) must be specified. The procedure is as follows:

1. RADIUS server settings (AAA): Enter the appropriate settings for your RADIUS server(s): IP address, password, etc. See chapter 21 on Authentication, Authorisation and Accounting (AAA) for more information.

2. Define RADIUS server group (AAA): (Optional) The RADIUS servers can be grouped together, simplifying configuration in some cases. See chapter 21 on AAA for more information.

3. Define AAA instance(s) for 802.1X (AAA): To allow individual RADIUS servers or server groups to be used as 802.1X authentication backends, they need to be listed in an 802.1X AAA instance. See chapter 21 on AAA for more information.

4. Enable 802.1X per VLAN: When 802.1X is enabled on a VLAN, the relevant AAA instance is defined, thereby defining which RADIUS server(s) to relay 802.1X messages to from this VLAN. See sections 13.3.4 (Web) and 13.4.15 (CLI) for further details.

⁴ The 802.1X supplicants included with Microsoft Windows, Ubuntu Linux and most other equipment support supplicant initiation.

© 2015 Westermo Teleindustri AB
