1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
|
**Overview**
IEEE 802.1X is a security standard that enforces access control at the data link layer. It blocks all traffic on a port until the connecting device proves
its identity. The :abbr:`EAPOL (Extensible Authentication Protocol over LAN)`
protocol transports credentials between the client (supplicant) and the network
switch (authenticator). The switch forwards these credentials to a backend
authentication server, typically RADIUS, which verifies them and authorizes
the connection.
The VyOS router acts as the supplicant, authenticating with upstream network
equipment such as ISP gateways or enterprise switches. Authentication uses
X.509 certificates to validate the identities of both the router and the
authentication server.
The :abbr:`EAPOL (Extensible Authentication Protocol over LAN)` protocol
requires the supplicant (the router) to provide an identity string to the
authentication server during the initial handshake. If no identity is
configured, VyOS uses the Ethernet interface's MAC address as the identity
string.
**Configuration**
Prerequisites: Before configuring 802.1X (:abbr:`EAPOL (Extensible
Authentication Protocol over LAN)`) authentication, upload the required
:abbr:`CA (Certificate Authority)` certificate, client certificate, and
private key to the router and import them into the PKI system.
.. note:: The client certificate and private key must share the **same** PKI
name.
.. seealso:: For more information about managing certificates and keys, see
the :ref:`PKI <pki>` section.
.. cfgcmd:: set interfaces {{ var0 }} <interface> {{ var2 }} {{ var3 }}
{{ var5 }} {{ var6 }} eapol ca-certificate <name>
**Configure the trusted** :abbr:`CA (Certificate Authority)` **certificate for
the interface.**
The router uses this certificate to validate the authentication server’s
identity.
``<name>`` is the :abbr:`CA (Certificate Authority)` certificate name as
defined in the PKI system.
.. note:: If you specify an intermediate :abbr:`CA (Certificate Authority)`
certificate, ensure the full certificate chain, including the root and all
higher-level intermediate :abbr:`CA (Certificate Authority)` certificates, is
available to the system.
Example:
.. code-block:: none
set pki ca eapol-server-intermediate-ca <server intermediate CA contents>
set pki ca eapol-server-root-ca <server root CA contents>
set interfaces {{ var0 }} {{ var1 }} {{ var2 }} {{ var4 }} {{ var5 }} {{ var7 }} eapol ca-certificate eapol-server-intermediate-ca
.. cfgcmd:: set interfaces {{ var0 }} <interface> {{ var2 }} {{ var3 }}
{{ var5 }} {{ var6 }} eapol certificate <name>
**Configure the client certificate for the interface.**
The router uses this certificate to prove its identity to the authentication
server.
``<name>`` is the client certificate name as defined in the PKI system.
During authentication, all parent :abbr:`CA (Certificate Authority)`
certificates of the client certificate, such as intermediate and root :abbr:`CA
(Certificate Authority)` certificates, are automatically sent as part of the
EAP-TLS handshake.
Example:
.. code-block:: none
set pki ca eapol-client-intermediate-ca <client intermediate CA contents>
set pki ca eapol-client-root-ca <client root CA contents>
set pki certificate eapol-client certificate <client certificate contents>
set pki certificate eapol-client private key <client private key contents>
set interfaces {{ var0 }} {{ var1 }} {{ var2 }} {{ var4 }} {{ var5 }} {{ var7 }} eapol certificate eapol-client
|