802.1x authentication in Solaris 11.4 beta

In Solaris 11.4 beta there is finally 802.1x authentication for wired network connections.

While the man page describes how you set up 802.1x with EAP-TLS on Solaris 11.4 beta, there is no example for EAP-MD5 (which was the only mechanism my old switches were able to support). So I would like to add an example for the EAP-MD5 variant with this blog entry.

Okay, there are obvious prerequisites: before you can try this, you have to ensure that you have a RADIUS server running with a user that works with EAP-MD5 (for example, a Cleartext-Password entry for the user is mandatory). The user entry for authentication and authorization for my switch looks like this:

>dottest Cleartext-Password := "narf"

It’s in the /etc/freeradius/3.0/users file on my RaspPi posing as my DevVLAN-DNS/Radius/Whatever-Server. But most probably you will already have such a RADIUS server running if you are interested in 802.1x. Of course you also need a switch supporting 802.1X.

At first you have to install a package and enable the service:

># pkg install network-access-control
# svcadm enable network-access-control

Please keep in mind that you need to configure your package repositories to access the beta repository as described in the docs. Alternatively you can set up your own repository.

Okay, now we have to configure it. First we configure the credentials the server should use with our switch:

># nacadm add-net -p eap=md5,identity=dottest,password=narf net0

There is a difference between what the man page describes and the way it actually works: the man page states that the value of the password property is a password file, but in fact you have to enter the password itself here.

># nacadm show-net
NAME  KEY-MGMT EAP IDENTITY PASSWD CA-CERT  CERT          PRIV-KEY      KEY-PW
net0  dot1x md5   dottest narf ?            ?             ?             ?

There is a second difference between the man page and the current implementation: nacadm currently shows the password, despite the man page’s statement that it doesn’t. Now we attach the network configuration of the network access control subsystem to the interface.

># dladm set-linkprop -p authentication=network-foo net0

After a few moments, once the authentication has succeeded, the interface should be usable. We can check this by looking at the authentication-state property of the link with dladm:

># dladm show-linkprop -p authentication-state
LINK     PROPERTY        PERM VALUE        EFFECTIVE    DEFAULT   POSSIBLE
net0     authentication-state r- succeeded succeeded    off       succeeded,
                                                                  failed,
                                                                  in-progress,
                                                                  off

And as the ping shows, the system is now able to access the network via this authenticated connection.

># ping 192.168.99.1
PING 192.168.31.1 (192.168.99.1) 56(84) bytes of data.
64 bytes from 192.168.99.1: icmp_seq=1 ttl=64 time=0.493 ms
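The steps above collected into one script, added here as an example (not code from the original post): it runs the nacadm and dladm commands and then polls authentication-state until the supplicant reports succeeded or failed. The password file path, the profile name (assumed equal to the link name) and the parsing of the show-linkprop output are my assumptions, not something the page states.

```sh
#!/bin/sh
# Added example, not code from the original post: scripts the nacadm/dladm steps
# above and waits for the link's authentication-state to settle. Assumed (not
# from the page): the password sits in a root-only file; profile name == link.
LINK="${LINK:-net0}"
IDENTITY="${IDENTITY:-dottest}"
# Output of `dladm show-linkprop -p authentication-state`, copied from the
# listing above; only the first line carries the link name, the rest is the
# continuation of the POSSIBLE column.
SAMPLE_OUTPUT='LINK     PROPERTY        PERM VALUE        EFFECTIVE    DEFAULT   POSSIBLE
net0     authentication-state r- succeeded succeeded    off       succeeded,
                                                                  failed,
                                                                  in-progress,
                                                                  off'

# Print the VALUE column for the given link from show-linkprop output on stdin.
auth_state_from_output() {
    awk -v link="$1" '$1 == link && $2 == "authentication-state" { print $4; exit }'
}

# Live state of a link: succeeded, failed, in-progress or off.
auth_state() {
    dladm show-linkprop -p authentication-state "$1" | auth_state_from_output "$1"
}

# Poll until the supplicant reports succeeded or failed, or the timeout expires.
wait_for_auth() {
    link="$1"; timeout="${2:-30}"; elapsed=0
    while [ "$elapsed" -lt "$timeout" ]; do
        state=$(auth_state "$link")
        case "$state" in
            succeeded|failed) echo "$state"; return 0 ;;
        esac
        sleep 1; elapsed=$((elapsed + 1))
    done
    echo "timeout"; return 1
}
configure_dot1x() {
    # Read the password from a file so it stays out of shell history; note that
    # nacadm show-net still displays it in clear, as the post observes.
    pw=$(cat "$1") || return 1
    nacadm add-net -p "eap=md5,identity=$IDENTITY,password=$pw" "$LINK" || return 1
    dladm set-linkprop -p "authentication=$LINK" "$LINK" || return 1
    wait_for_auth "$LINK" 30
}
# Only touch the system when the Solaris tools are present (run as root).
if command -v nacadm >/dev/null 2>&1; then
    configure_dot1x /etc/dot1x-password
fi
```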

Please keep in mind that 11.4 is in beta, so the behaviour may still change here.