summaryrefslogtreecommitdiff
path: root/docs/_include/interface-eapol.txt
blob: fc3d9e34681bd1420629fdd4b8b2fd91b3f6743e (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
**Overview**

IEEE 802.1X is a security standard that enforces access control at the data link layer. It blocks all traffic on a port until the connecting device proves 
its identity. The :abbr:`EAPOL (Extensible Authentication Protocol over LAN)` 
protocol transports credentials between the client (supplicant) and the network 
switch (authenticator). The switch forwards these credentials to a backend 
authentication server, typically RADIUS, which verifies them and authorizes 
the connection.

The VyOS router acts as the supplicant, authenticating with upstream network 
equipment such as ISP gateways or enterprise switches. Authentication uses 
X.509 certificates to validate the identities of both the router and the 
authentication server.

The :abbr:`EAPOL (Extensible Authentication Protocol over LAN)` protocol 
requires the supplicant (the router) to provide an identity string to the 
authentication server during the initial handshake. If no identity is 
configured, VyOS uses the Ethernet interface's MAC address as the identity 
string.

**Configuration**

Prerequisites: Before configuring 802.1X (:abbr:`EAPOL (Extensible 
Authentication Protocol over LAN)`) authentication, upload the required 
:abbr:`CA (Certificate Authority)` certificate, client certificate, and 
private key to the router and import them into the PKI system.

.. note:: The client certificate and private key must share the **same** PKI 
   name.

.. seealso:: For more information about managing certificates and keys, see 
   the :ref:`PKI <pki>` section.

.. cfgcmd:: set interfaces {{ var0 }} <interface> {{ var2 }} {{ var3 }}
  {{ var5 }} {{ var6 }} eapol ca-certificate <name>

  **Configure the trusted** :abbr:`CA (Certificate Authority)` **certificate for 
  the interface.**
  
  The router uses this certificate to validate the authentication server’s 
  identity.

  ``<name>`` is the :abbr:`CA (Certificate Authority)` certificate name as 
  defined in the PKI system.

  .. note:: If you specify an intermediate :abbr:`CA (Certificate Authority)` 
     certificate, ensure the full certificate chain, including the root and all 
     higher-level intermediate :abbr:`CA (Certificate Authority)` certificates, is 
     available to the system.

  Example:

  .. code-block:: none

    set pki ca eapol-server-intermediate-ca <server intermediate CA contents>
    set pki ca eapol-server-root-ca <server root CA contents>
    set interfaces {{ var0 }} {{ var1 }} {{ var2 }} {{ var4 }} {{ var5 }} {{ var7 }} eapol ca-certificate eapol-server-intermediate-ca

.. cfgcmd:: set interfaces {{ var0 }} <interface> {{ var2 }} {{ var3 }}
  {{ var5 }} {{ var6 }} eapol certificate <name>

  **Configure the client certificate for the interface.** 

  The router uses this certificate to prove its identity to the authentication 
  server.

  ``<name>`` is the client certificate name as defined in the PKI system.

  During authentication, all parent :abbr:`CA (Certificate Authority)` 
  certificates of the client certificate, such as intermediate and root :abbr:`CA 
  (Certificate Authority)` certificates, are automatically sent as part of the 
  EAP-TLS handshake.

  Example:

  .. code-block:: none

    set pki ca eapol-client-intermediate-ca <client intermediate CA contents>
    set pki ca eapol-client-root-ca <client root CA contents>
    set pki certificate eapol-client certificate <client certificate contents>
    set pki certificate eapol-client private key <client private key contents>
    set interfaces {{ var0 }} {{ var1 }} {{ var2 }} {{ var4 }} {{ var5 }} {{ var7 }} eapol certificate eapol-client