Securing LAN ports on DrayTek Routers using 802.1X and User Management

Products:
Vigor 2765
Vigor 2832
Vigor 2862
Vigor 2865

Keywords:
802.1x
lan security
port security
radius

DrayTek routers that support Wired 802.1x can be configured to enforce RADIUS authentication before a device connected to the router's LAN port can communicate with the router and its connected network(s).

This can be useful if the router is installed in a location such as a teleworker's home, which should only allow devices with the correct credentials to access the network, so that unauthorised devices can't access private network resources.


Various Vigor router models can use accounts configured in User Management for RADIUS and 802.1X authentication. This article demonstrates how to configure the router's User Management accounts so that they can be used for 802.1X authentication on the router's LAN ports.

Please note that 802.1X on the router's LAN ports is for client devices only; it will not work correctly if a switch or access point is plugged into an 802.1X authenticated port. If that is required, disable 802.1X on that port and set up 802.1X on the connected switch or access point instead (this requires 802.1X support on the LAN switch/AP). For setup with external devices such as access points or switches, refer to this guide.

The router can also present a certificate for validation, which is necessary for some 802.1X clients such as Windows operating systems. To select the certificate to use, install a signed / validated certificate on the router by following this guide. The router will then supply that certificate to clients authenticating via RADIUS instead of its default self-signed certificate.


To use 802.1X on the router's LAN ports, it is first necessary to configure a user account that is allowed to authenticate using 802.1X on the router. Go to [User Management] > [User Profile] to configure a user account on the router and click on the first available index number:

That will load the settings for that user profile. Enable it, give it a suitable name, then configure the Internal Services:

  • RADIUS does not need to be enabled
    This option allows the user account to authenticate via RADIUS, from an external device such as an access point, switch or VPN endpoint. This requires configuration under [Applications] > [RADIUS] which is demonstrated in this article.
  • Tick Local 802.1X
    This option allows the user account to authenticate with the router's internal services, specifically [Wired 802.1X] and the [Wireless LAN] > [Security] options for 802.1X

Click OK to save that profile.


To configure which existing accounts can authenticate via RADIUS / 802.1X, either configure the options available in the user profile settings under [User Management] > [User Profiles] or, if configuring multiple profiles at once, go to [System Maintenance] > [Internal Service User List].

On that page, select which profiles are allowed to authenticate:

Click OK on that page to save the changes.


To enable Wired 802.1X on the router, go to [LAN] > [Wired 802.1X]. On that page, tick Enable, select a LAN port that is not currently in use, and set the Authentication Type to Local 802.1X in the Wired 802.1X settings.

It is not recommended to enable 802.1X on all LAN ports immediately; test the 802.1X configuration on a single port first and make sure the authentication server is in place, otherwise every device on the LAN will lose access to the router at once.

Click OK to apply that change; the router may need to restart to apply the changes.

The 802.1X port authentication should now be active and the connected PC will need some configuration to use 802.1X for authentication on a wired network.


To configure this on a Windows PC, it is necessary to enable the Wired AutoConfig Windows service, which is not running by default. If this service is not active, the wired network adapter's properties will not show the Authentication tab that is needed to configure 802.1X.

Go to the Start menu and select Run to show the Run dialog box, or, if the Run option is not present, press the Start button and type "Services.msc", then press Enter. This will open the Windows Services window:

Scroll down to Wired AutoConfig and double-click that item to open the properties for it. Set the Startup Type to Automatic, then click Start to start the service:

Click OK to close that and close the Windows Services window.


Connect the network cable of the PC to one of the router's LAN ports that has 802.1X enabled on it.

This should not connect immediately as some settings need to be changed before the client can authenticate with the RADIUS server and access the network.

Go to the Windows Control Panel, open the Network and Sharing Center and select Change adapter settings. This shows the Network Connections window, which lists the network adapters on the computer. Right-click the Local Area Connection adapter and select Status:

This should show that it's Attempting to authenticate which indicates that 802.1X is in use on the connection and adapter. Click Properties to configure 802.1X:

In the Local Area Connection Properties, click on the Authentication tab; if this tab does not show, re-check that the Wired AutoConfig service has been started:

On the Authentication tab, set the network authentication method to Microsoft: Protected EAP (PEAP) and click Settings:


Untick Validate server certificate if the router is using its self-signed certificate, which is the router's default state. If a signed certificate has been loaded onto the router (as shown in this guide), this option can be left enabled.

Then click the Configure button:

Untick the option shown in that window and click OK:

Click OK on the Protected EAP Properties window then click OK for the Local Area Connection Properties to save the changes to that network adapter.

The network adapter is now ready to connect using 802.1X.


Reconnecting the network cable at this stage should show a prompt similar to this:

Click on the prompt and Windows will then ask for the network credentials:

Click OK once those have been entered and Windows should then be able to authenticate:
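The Windows-side steps above (starting the Wired AutoConfig service, checking that the adapter is in the 802.1X authenticating state, and reviewing the PEAP settings made on the Authentication tab) can also be done and checked from an elevated PowerShell prompt. The script below is an added example written for this article; it is not DrayTek's or Microsoft's code. The adapter name "Ethernet" and the export folder on the Desktop are assumptions and should be changed to match the PC being configured.

```powershell
# Added example (not from the original article): enable Wired AutoConfig and
# inspect the 802.1X state of a wired adapter from PowerShell.
# Assumptions: the wired adapter is named "Ethernet" and exported profiles go to
# a folder on the current user's Desktop. Run as Administrator.
#Requires -RunAsAdministrator

$InterfaceName = "Ethernet"                                  # assumption
$ExportFolder  = "$env:USERPROFILE\Desktop\lan-profiles"     # assumption

# 1. Wired AutoConfig (service name dot3svc) is the service behind the
#    Authentication tab. Set it to start automatically and start it now.
$svc = Get-Service -Name dot3svc
if ($svc.StartType -ne 'Automatic') {
    Set-Service -Name dot3svc -StartupType Automatic
}
if ($svc.Status -ne 'Running') {
    Start-Service -Name dot3svc
}
$svc = Get-Service -Name dot3svc
"Wired AutoConfig: status={0} startup={1}" -f $svc.Status, $svc.StartType

# 2. Show each wired interface, whether 802.1X is in use on it and its current
#    authentication state (the same information as the adapter's Status window).
netsh lan show interfaces

# 3. List the stored wired 802.1X profiles, i.e. the settings made on the
#    Authentication tab of the adapter's properties.
netsh lan show profiles

# 4. Export the profile for the adapter to XML so the PEAP settings can be
#    reviewed, or re-applied on another PC with "netsh lan add profile".
New-Item -ItemType Directory -Path $ExportFolder -Force | Out-Null
netsh lan export profile folder="$ExportFolder" interface="$InterfaceName"
Get-ChildItem -Path $ExportFolder -Filter *.xml
```

The exported XML records the server-validation choice made on the Authentication tab. Where several teleworker PCs are being set up, comparing these exports is a quick way to confirm which clients are still running with Validate server certificate unticked, so that the setting can be re-enabled on each of them once a signed certificate is installed on the router and the client is again able to verify which authenticator it is sending credentials to.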

