Ethernet 802.1X configuration – Ubiquiti
In this topic, you will learn how to configure Ubiquiti switch ports to work together with Portnox™ Cloud and 802.1X RADIUS authentication for wired Ethernet connections.
Create a RADIUS profile
In this section, you will create a RADIUS profile for Portnox™ Cloud RADIUS servers. You can then apply this profile to Wi-Fi configurations and Ethernet port profiles.
- In the Ubiquiti web interface, go to the Network tab, and in the left-hand side menu, click on the following menu options: .
- In the right-hand side pane, click on the RADIUS tab, and then click on the Create New link to create a new RADIUS profile.
- Configure the new RADIUS profile:
Optional: Create a RadSec profile
This is an optional task that modifies the previous task. Follow this task only if you want to connect to Portnox Cloud RADIUS servers using RadSec. Skip this task if you want to connect to Portnox Cloud RADIUS servers without RadSec.
- Install OpenSSL on your personal computer.
  OpenSSL is an open-source cryptography toolkit. You will use its command-line tool to convert the certificate formats so that Ubiquiti devices can read them.
  - Windows: Download the relevant installation package from the Shining Light Productions website, for example Win64 OpenSSL Light for Windows 64-bit systems. Then, follow the installer steps to install the package.
  - macOS: Install Homebrew. Then, execute the following command in Terminal:
    brew install openssl
  - Ubuntu:
    sudo apt install openssl libssl-dev
  - RedHat:
    sudo dnf install openssl openssl-devel
    or
    sudo yum install openssl openssl-devel
- Follow the steps in this section to download and install the self-onboarding certificate: Download and install the certificate.
  Note: After you download the certificate, you do not need to install it. Take note of the location where you downloaded the certificate.
- Follow the steps in this section to download the Cloud RADIUS root CA certificate: Download the root CA certificate from Portnox Cloud.
- Use OpenSSL to extract the private key and the client certificate from the self-onboarding certificate:
  Type the following commands in the Windows command line window or the macOS/Linux Terminal window:
  openssl pkcs12 -in self-onboarding-certificate.p12 -clcerts -nokeys -out clientCertificate.crt
  openssl pkcs12 -in self-onboarding-certificate.p12 -nocerts -nodes -out privateKey.pem
  When asked for an import password, press the Enter key (empty password).
  Note: On Windows, you may need to first change the directory to the installation directory of OpenSSL: C:\Program Files\OpenSSL-Win64\bin.
  Note: We recommend that you open the extracted files in a text editor of your choice and remove all of the content (the Bag Attributes lines) before the -----BEGIN CERTIFICATE----- line in the client certificate file and before the -----BEGIN PRIVATE KEY----- line in the private key file.
- Use OpenSSL to convert the root CA certificate into the Base64-encoded X.509 (PEM) format:
  Type the following command in the Windows command line window or the macOS/Linux Terminal window:
  openssl x509 -in rootCertificate.cer -inform der -out rootCertificate.crt -outform pem
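The following script is an added example and is not part of the Portnox or Ubiquiti documentation. It runs the three OpenSSL commands above end to end, strips the Bag Attributes preamble that the note recommends removing by hand, and then checks the result before anything is uploaded to the Ubiquiti console: each output file starts with a PEM header, the extracted client certificate really belongs to the extracted private key, and the converted root CA parses. It assumes that openssl is on the PATH and, because the real self-onboarding bundle and root CA cannot be included here, it constructs a throwaway self-signed certificate, packs it as a PKCS#12 file with an empty import password, and uses the same certificate in DER form as a stand-in for rootCertificate.cer. The file names and the WORK, P12 and ROOT_DER variables are the example's own choices.

```shell
#!/bin/sh
# Added example (not Portnox or Ubiquiti code): runs the OpenSSL extraction and
# conversion steps from this page against a constructed PKCS#12 bundle and
# checks the output files before they are uploaded to the Ubiquiti console.
set -eu

WORK="${WORK:-$(mktemp -d)}"
P12="$WORK/self-onboarding-certificate.p12"   # stands in for the Portnox download
ROOT_DER="$WORK/rootCertificate.cer"            # stands in for the root CA download

# Constructed fixture: a throwaway self-signed certificate packed with an EMPTY
# import password, which is what the real self-onboarding bundle uses. For a
# real deployment, skip this function and point P12 and ROOT_DER at the files
# downloaded from Portnox Cloud.
make_fixture() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=example-client" \
    -keyout "$WORK/k.pem" -out "$WORK/c.pem" 2>/dev/null
  openssl pkcs12 -export -inkey "$WORK/k.pem" -in "$WORK/c.pem" -passout pass: -out "$P12"
  openssl x509 -in "$WORK/c.pem" -outform der -out "$ROOT_DER"
}

# Keep only the PEM block: drops the "Bag Attributes" preamble that the page
# recommends removing in a text editor.
strip_preamble() {
  sed -n '/^-----BEGIN /,$p' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# The two extraction commands from the page. "-passin pass:" answers the empty
# import-password prompt (the page says to press Enter) so no interaction is needed.
extract_client_files() {
  openssl pkcs12 -in "$P12" -clcerts -nokeys -passin pass: -out "$WORK/clientCertificate.crt"
  openssl pkcs12 -in "$P12" -nocerts -nodes -passin pass: -out "$WORK/privateKey.pem"
  strip_preamble "$WORK/clientCertificate.crt"
  strip_preamble "$WORK/privateKey.pem"
}

# The DER-to-PEM conversion command from the page.
convert_root_ca() {
  openssl x509 -in "$ROOT_DER" -inform der -out "$WORK/rootCertificate.crt" -outform pem
}

# Pre-upload checks: every file starts with a PEM header, the client
# certificate's public key matches the extracted private key, and the converted
# root CA parses as a certificate. Returns 0 only if all checks pass.
verify_outputs() {
  head -n1 "$WORK/clientCertificate.crt" | grep -q '^-----BEGIN CERTIFICATE-----$' || return 1
  head -n1 "$WORK/privateKey.pem"        | grep -q '^-----BEGIN .*PRIVATE KEY-----$' || return 1
  head -n1 "$WORK/rootCertificate.crt"   | grep -q '^-----BEGIN CERTIFICATE-----$' || return 1
  cert_pub=$(openssl x509 -in "$WORK/clientCertificate.crt" -noout -pubkey)
  key_pub=$(openssl pkey -in "$WORK/privateKey.pem" -pubout)
  [ "$cert_pub" = "$key_pub" ] || return 1
  openssl x509 -in "$WORK/rootCertificate.crt" -noout -subject >/dev/null
}

make_fixture
extract_client_files
convert_root_ca
verify_outputs && echo "clientCertificate.crt, privateKey.pem and rootCertificate.crt are ready in $WORK"
```

The public-key comparison is the check worth keeping for the real files: a certificate and key that do not match will be accepted by the upload form but fail at RadSec connection time, which is much harder to diagnose from the switch side.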
- In the Ubiquiti web interface, go to the Network tab, and in the left-hand side menu, click on the following menu options: .
- In the right-hand side pane, click on the RADIUS tab, and then click on the Create New link to create a new RADIUS profile.
- Configure the new RADIUS profile:
Create or edit a network configuration
In this section, you will create or edit a configuration for a network with 802.1X authentication and assign the RADIUS profile to this network.
- In the Ubiquiti web interface, go to the Network tab, and in the left-hand side menu, click on the following menu options: .
- In the right-hand side pane, in the Global Switch Settings section, activate the 802.1X Control checkbox. In the RADIUS Profile field, select the RADIUS profile that you just created, and optionally, in the Fallback VLAN field, select a network (if you have one) for devices that fail RADIUS authentication. Then, click on the Apply Changes button.
  Note: If you want this connection to use RadSec, select the RadSec profile that you created earlier.
  In this example, we used a VORLON network for devices that successfully authenticate with RADIUS and a QUARANTINE network for devices that fail RADIUS authentication.
Create a port profile for 802.1X authentication
In this section, you will create a profile for Ethernet ports with 802.1X authentication. You can later assign this port profile to specific switch ports.
- In the Ubiquiti web interface, go to the Network tab, and in the left-hand side menu, click on the following menu options: .
- In the right-hand side pane, in the Ethernet Ports tab (active by default), click on the Create New link to create a new port profile.
- In the New Ethernet Port Profile pane, enter the name for this port profile, then click on the Manual option in the Advanced section to activate manual configuration, and select the Auto option in the 802.1X Control field. Then, configure other fields as required for your environment, and click on the Add button.
  Note: Options available in the 802.1X Control field are:
  - Force Authorized: Every client is treated as authenticated. Effectively, this means no authentication at all.
  - Force Unauthorized: Every client is treated as unauthenticated. Effectively, this means that no client can connect to this port.
  - MAC-Based: The switch fakes an 802.1X challenge for clients, allowing clients without 802.1X support to connect using MAC address bypass authentication.
  - Auto: The port requires clients to authenticate using the 802.1X protocol.
Create a port profile for MAC address bypass (MAB) authentication
In this section, you will create a profile for Ethernet ports with MAC address bypass (MAB) authentication. You can later assign this port profile to specific switch ports.
- In the Ubiquiti web interface, go to the Network tab, and in the left-hand side menu, click on the following menu options: .
- In the right-hand side pane, in the Ethernet Ports tab (active by default), click on the Create New link to create a new port profile.
- In the New Ethernet Port Profile pane, enter the name for this port profile, then click on the Manual option in the Advanced section to activate manual configuration, and select the MAC-Based option in the 802.1X Control field. Then, configure other fields as required for your environment, and click on the Add button.
Assign a port profile to a switch port
In this section, you will assign a port profile to a specific port on your switch.
- In the Ubiquiti web interface, go to the Network tab, and in the left-hand side menu, click on the Ports menu option. In the top-left corner of the right-hand side pane, select the switch that you want to configure. Then, click on the port that you want to configure.
  Note: In the following screenshot, we already have port 1 connected to the router and port 2 configured for 802.1X access.
  Important: In this example, we used the USW-Lite-8-PoE switch. However, not all Ubiquiti devices support port-based 802.1X authentication. For example, the Dream Router does not support wired 802.1X authentication for its Ethernet ports. Make sure that your selected Ubiquiti device supports port-based 802.1X authentication. If unsure, consult Ubiquiti documentation or contact your Ubiquiti sales or support representative.
- In the port configuration pane, scroll down to the Ethernet Port Profile field, and activate the checkbox. Then, select the port profile that you created earlier.
  Note: In this example, we selected the profile for 802.1X authentication, but you can also assign the MAC address bypass profile to a port (if you created one).
- Configure other fields as required for your environment and click on the Apply Changes button.