VI. Feature Setup
ExpiredUsing the DrayTek Vigor router Internal RADIUS Server
DrayTek Vigor routers with 3.8.1 firmware can use accounts configured in User Management for RADIUS and 802.1X authentication, both for internal services (Wired 802.1X and Wireless WPA2/802.1X) and for external devices such as access points or switches.
This can be useful in environments where a server is not available on site and gives a central point to administer accounts both for User Management and for computer / device authentication over wired and wireless networks.
The RADIUS service of the router is accessible over the LAN and the internet via the WAN interfaces once enabled and can be used across a LAN to LAN VPN tunnel. The internal RADIUS server is able to have up to four IPv4 / IPv6 subnets that are allowed to authenticate with it; each one can have a unique shared secret which the client authentication devices (such as access points) would use to perform authentication via the router.
It is also able to use a certificate for validation, which is necessary for some 802.1x clients such as Windows operating systems. To select the certificate to use, install a signed / validated certificate on the router by following this guide. The router will then supply that certificate to clients that are authenticating via RADIUS instead of the default self-signed certificate.
Each User Management profile now has options to select which service it can authenticate with:
- RADIUS
This option allows the user account to authenticate via RADIUS, from an external device such as an access point, switch or VPN endpoint. This requires configuration under [Applications] > [RADIUS] which is demonstrated in this article. - Local 802.1X
This option allows the user account to authenticate with the router's internal services, specifically [Wired 802.1X] and the [Wireless LAN] > [Security] options for 802.1X
Using the Vigor Router as a RADIUS Server
To enable the RADIUS server on the router, go to [Applications] > [RADIUS/TACACS+] and click on the Internal RADIUS tab:
- Enable the server
- Set the Authentication Port to 1812, which is the default port used for RADIUS authentication
- Under the RADIUS Client Access List, tick Enable for an index, enter the Shared Secret which is a password used by both the RADIUS server and client. Enter the Network Address of the network / IP subnet range that would be allowed to authenticate with it, for instance if the devices are all within the 192.168.1.x network, enter 192.168.1.0 with a subnet mask of 255.255.255.0. To enable client access from a single device, use a /32 subnet mask, i.e. to allow only 192.168.1.64, enter 192.168.1.64 as the IP address and 255.255.255.255 as the subnet mask.
- Add users to the Authentication List so that those accounts can be used for RADIUS authentication
Click OK to continue and the router will ask to restart:
Click OK to restart the router which will apply the changes.
To configure which accounts can authenticate via RADIUS / 802.1X, either configure the options available in the user profile settings of [User Management] > [User Profiles] or, if configuring multiple profiles, go to [System Maintenance] > [Internal Service User List]
On that page, select which profiles are allowed to authenticate:
Click OK on that page to save the changes.
With that configured, the router can be used for RADIUS authentication with access points and switches etc.
RADIUS Client Configuration Example - VigorAP
To use a VigorAP as a RADIUS client for WPA2/802.1X authentication, ensure that the IP address of the access point is included in the router's RADIUS Client Access List.
Go to [Wireless LAN] > [Security] and select the SSID that will be using 802.1X for authentication:
With the Mode set to WPA2/802.1X, click on the RADIUS Server text which will pop-up settings for the RADIUS authentication:
- Set the IP Address to the IP of the router
- Set the Port to 1812 if the RADIUS server is using the standard port
- Set the Shared Secret to match the configuration of the RADIUS Client Access List on the router
Click OK to save and apply the RADIUS settings, then click OK to save and apply the wireless settings.
Clients connecting to the access point will then be required to enter a username and password, which will be passed to the router by the access point and if the credentials are valid, the client will be allowed to connect to the wireless network.
Using Local 802.1X with Wired 802.1X
To use the local 802.1X of the router with [LAN] > [Wired 802.1X], create User Profiles that have Local 802.1X enabled and select Local 802.1X as the Authentication Type in the Wired 802.1X settings:
Using Local 802.1X with Wireless LAN WPA2/802.1X Security
To use the local 802.1X of the router with WPA2/802.1X, create User Profiles that have Local 802.1X enabled. Go to [Wireless LAN 2.4GHz] > [Security] or [Wireless LAN 5GHz] > [Security]:
Set the Mode to WPA2/802.1X Only and click on the link for 802.1X Settings:
Set the Authentication Type to Local 802.1X and if necessary, add user accounts to the Enable Local 802.1X list. Click OK to save and apply that setting.
How do you rate this article?
- First Published: 27/10/2015
- Last Updated: 22/04/2021