XII. Firewall/Security Features

Securing LAN ports on DrayTek routers with 802.1X

Products:
Vigor 2765
Vigor 2832
Vigor 2862
Vigor 2865
Show all

Keywords:
802.1x
lan security
port security
radius
Show all

DrayTek routers that support Wired 802.1x can be configured to enforce RADIUS authentication before a device connected to the router's LAN port can communicate with the router and its connected network(s).

This can be useful if the router is installed in a location such as a teleworker's home, which should only allow devices with the correct credentials to access the network, so that unauthorised devices can't access private network resources.

This supports PEAP (Protected-Extensible Authentication Protocol) and EAP-TLS (EAP-Transport Layer Security) authentication and the RADIUS authentication server can be connected locally, over the internet or through a VPN tunnel. Please note that 802.1X on a router's LAN port will only allow a single device to connect and authenticate with that port, to connect more than one device, it would be necessary to turn off 802.1X on the router's LAN port and enforce 802.1X using a managed switch connected to that port instead.


This example will show how to configure a Vigor 2860's LAN ports for 802.1X using a Vigor AP-900 as the RADIUS server. Setup with a Windows Server or other RADIUS server would be similar in that the client would need to be configured to use Wired 802.1X.


Access the router's web interface and go to [Applications] > [RADIUS/TACACS+]. On there, go to the RADIUS Setup tab, tick Enable, enter the Server IP address of the RADIUS server that will be used, in this case the IP address is that of a Vigor AP-900 access point. The Destination Port can be left as the default normally but would need to be changed if your RADIUS server uses a different port.

The Shared Secret is the password for the RADIUS connection, this needs to be set on both the RADIUS server (Vigor AP-900) and the RADIUS client (Vigor 2860).

Click OK to save and apply the changes.


To enable Wired 802.1X, go to [LAN] > [Wired 802.1X]. On that page, tick Enable and select a LAN port that is not currently in use. It is not recommended to enable 802.1X on all LAN ports immediately without testing the 802.1X configuration first and ensuring there is a server in place.

Click OK to apply that change and the router may need to restart to apply the changes.


Access the Vigor AP-900's web interface and go to [RADIUS Server], tick Enable on that page.

Add any Username & Password settings to use with RADIUS authentication.

Add the IP address of the router and the Shared Secret / Secret Key (password) under the Authentication Client section so that the Vigor 2860 is allowed to use the Vigor AP-900's RADIUS server.

Click OK to apply the changes on the AP and the RADIUS authentication should now be active.


To configure this on a Windows PC, it is necessary to enable Wired 802.1X as a Windows service, which is not enabled by default. If this service is not active, the Wired network properties will not show the Authentication tab necessary to configure 802.1X.

Go to the Start menu and select Run to show the Run dialog box. Or if the Run option is not present, simply press the Start button and type in "Services.msc" then press Enter. This will open the settings window for Windows Services:

Scroll down to Wired AutoConfig and double-click that item to open the properties for it. Set the Startup Type to Automatic, then click Start to start the service:

Click OK to close that and close the Windows Services window.


Connect the network cable of the PC to one of the router's LAN ports that has 802.1X enabled on it.

This should not connect immediately as some settings need to be changed before the client can authenticate with the RADIUS server and access the network.

Go to the Windows Control Panel, open the Network and Sharing Center and select Change adapter settings. This should then show the Network Connections window which lists network adapters on the computer. Right Click the Local Area Connection adapter and select Status:

This should show that it's Attempting to authenticate which indicates that 802.1X is in use on the connection and adapter. Click Properties to configure 802.1X:

In the Local Area Connection Properties, click on the Authentication tab, if this tab does not show, re-check that the Wired Autoconfig service has been started:

On the Authentication tab, set the network authentication method to Microsoft: Protected EAP (PEAP) and click Settings:


Untick Validate server certificate because the Vigor AP-900's RADIUS server does not use certificates. If using a Windows Server, this option could be left enabled.

Then click the Configure button:

Untick the option on there and click OK:

Click OK on the Protected EAP Properties window then click OK for the Local Area Connection Properties to save the changes to that network adapter.

The network adapter is now ready to connect using 802.1X.


Reconnecting the network cable at this stage should show a prompt similar to this:

Click on the prompt and Windows will then ask for the network credentials:

Click OK once those have been entered and Windows should then be able to authenticate :


How do you rate this article?

1 1 1 1 1 1 1 1 1 1