
I am trying to set up 802.1x authentication. I have Linux running on a PC which I want to use as an 802.1x authenticator, and I am connecting a Windows PC to it which will be the supplicant.

I am looking for open-source 802.1x authenticator code to run on the Linux PC to authenticate the wired clients. Can you point me to open-source 802.1x authenticator code for wired clients?

user3349687

2 Answers


Generally, the authenticator needs to be running on your Ethernet switches – that is, directly on the other end of the cable away from the supplicant – and it is very rare to use a Linux PC this way.

The only 802.1X authenticator for Linux that I've seen is hostapd using driver=wired. It seems it has built-in support for certain hardware switch chips, but it makes a very useless authenticator on a regular PC because it doesn't actually know how to open/close ports on a software-based bridge.

So you could use it, but then you would have to hack together your own handler that reacts to events from hostapd's control channel (and adds MAC-based nft or ebtables rules?) – otherwise it wouldn't provide any security.

hostapd also supports MACsec (802.1AE), which might be easier to enforce.

u1686_grawity
  • I have tried setting up hostapd for the wired interfaces in Ubuntu. But the clients connected to this PC are able to forward traffic regardless of the outcome of the 802.1x authentication. As you said, I should come up with specific handlers that react to the hostapd events. Can you point me to any references for this? – user3349687 Apr 27 '20 at 10:07
  • I can't think of any good examples. The general idea is to use nft "bridge" firewall rules (or the older ebtables) to block everything at MAC level (except for EAPOL in/out), then hook hostapd up such that it adds 'allow' rules based on authenticated device's MAC address or based on physical port... – u1686_grawity Apr 27 '20 at 10:13
  • Something like Open vSwitch might be useful here as well -- it doesn't have 802.1X built-in either, as far as I could google out, but it might allow for easier port management. – u1686_grawity Apr 27 '20 at 10:13
  • Normally ports in the bridge start off disabled, then automatically go through a learning state, then only forward packets that are broadcast, or destined to learned MAC addresses on that port. Isn't there a way to disable that process from advancing until hostapd has authenticated the port? Or maybe you could just not attach the port to the bridge until hostapd gives the go-ahead? – psusi Mar 09 '21 at 20:30
  • @psusi: You probably could in various ways, e.g. by using bridge-level VLAN filtering - or by using ebtables or nft-bridge - or exactly as you suggest, by abusing the "userspace STP" interface that daemons such as mstpd use to set port states. (Though maybe that would prevent you from actually running STP on the same bridge.) But as far as I know, hostapd doesn't have any of those methods integrated. – u1686_grawity Mar 09 '21 at 20:43
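The approach sketched in this answer and its comments (default-deny nft bridge rules except EAPOL, plus a handler that reacts to hostapd control-channel events) as an added illustration, not code from the answer or from hostapd itself. It assumes the supplicant sits on bridge port `eth1`, that hostapd reports a (de)authorized supplicant with `AP-STA-CONNECTED` / `AP-STA-DISCONNECTED <mac>` lines on its control interface, and uses a constructed sample of such lines; the table and set names are made up.

```python
import re

# Constructed sample of hostapd control-interface events. The "<prio>EVENT args"
# layout and the AP-STA-CONNECTED / AP-STA-DISCONNECTED names are assumed to be
# what hostapd emits for the wired driver when a supplicant is (de)authorized.
SAMPLE_EVENTS = [
    "<3>AP-STA-CONNECTED 00:11:22:33:44:55",
    "<3>CTRL-EVENT-EAP-SUCCESS 00:11:22:33:44:55",  # informational, ignored
    "<3>AP-STA-CONNECTED not-a-mac",                 # malformed, ignored
    "<3>AP-STA-DISCONNECTED 00:11:22:33:44:55",
]

EVENT_RE = re.compile(
    r"^<\d+>(AP-STA-CONNECTED|AP-STA-DISCONNECTED)\s+"
    r"([0-9a-f]{2}(?::[0-9a-f]{2}){5})\s*$", re.I)

def base_ruleset(port="eth1", table="dot1x", set_name="authorized"):
    # Bridge-family ruleset loaded once: frames entering from the controlled
    # port are dropped unless EAPOL or from a MAC hostapd has authorized.
    return (f"table bridge {table} {{\n"
            f"  set {set_name} {{ type ether_addr; }}\n"
            "  chain forward {\n"
            "    type filter hook forward priority 0; policy accept;\n"
            "    ether type 0x888e accept\n"
            f'    iifname "{port}" ether saddr != @{set_name} drop\n'
            "  }\n}\n")

def parse_event(line):
    # Map an authorization event to ('allow'|'deny', mac); anything else -> None.
    m = EVENT_RE.match(line.strip())
    if not m:
        return None
    action = "allow" if m.group(1).upper() == "AP-STA-CONNECTED" else "deny"
    return action, m.group(2).lower()

def nft_command(action, mac, table="dot1x", set_name="authorized"):
    # argv for nft that adds or removes one MAC from the authorized set.
    op = "add" if action == "allow" else "delete"
    return ["nft", op, "element", "bridge", table, set_name, "{ %s }" % mac]

def handle_events(lines, run=None):
    # Event lines -> nft argv; run(argv) executes each one (None = dry run).
    cmds = []
    for line in lines:
        parsed = parse_event(line)
        if parsed is not None:
            cmds.append(nft_command(*parsed))
            if run is not None:
                run(cmds[-1])
    return cmds
```

In a real deployment the lines come from `hostapd_cli -a` or a control-interface socket and `run` would be something like `lambda c: subprocess.run(c, check=True)`; frames from the controlled port to the bridge host itself go through the bridge `input` hook, which this ruleset does not cover.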

I'm currently looking for a Linux-based NAC authenticator solution for a wired network as well. I just stumbled upon a Red Hat guide that seems to offer at least a reasonable foundation for an implementation based on hostapd.

butjar