cnWave offers a feature in which nodes authenticate themselves during the Ignition procedure.
By default, link authentication is disabled.
Two secure authentication modes are available to cnWave nodes.
The authentication mode is configured at the network level and applies to the entire network.
WPA-PSK:
The passphrase is the pre-shared key.
WPA2 protocol is currently supported.
For encryption, AES-GCMP-128 bit is supported.
802.1X:
802.1X authentication on a sector from a POP node. This is a network-level configuration and is common to the entire sector.
RADIUS server IP: IPv6 address of the RADIUS server. In a future release we will support IPv4 addresses as well.
RADIUS server port: UDP port number on which the server is running; the default is 1812.
RADIUS server shared secret: the shared secret.
For RADIUS authentication, cnWave supports EAP-TLS only, where each node should have a client certificate and private key. In addition, the node should also have the CA certificate to verify the RADIUS server. These files can be uploaded from the device GUI of each node.
Configuration to be done on Controller GUI for each node
Configuration to be done on Node GUI
Note: It is important that both configurations are done for authentication to succeed.
RADIUS Server Configuration:
Any RADIUS server can be used for authentication. The following configuration is to be done:
Make sure RADIUS packets from the IPv6 subnet, i.e. the lo IP subnet, are accepted in the RADIUS configuration.
Configure EAP-TLS on the RADIUS server and set up the server certificate and key. Note that the server certificate is signed by the CA uploaded in the node configuration.
Set the CA certificate which signed the client certificate installed on each node.
Make sure the certificate is signed with SHA-256 or higher.
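The file requirements listed above (client certificate, matching private key, signing CA, SHA-256 or higher) can be checked with OpenSSL before the files are uploaded to a node or installed on the RADIUS server. This is an added example, not code from the original page or from Cambium; the function names, file names and the throwaway demo CA are assumptions made for illustration.

```shell
#!/usr/bin/env bash
# Added example (not vendor code): pre-upload checks for a node's EAP-TLS files.
# All file names and subject names below are constructed for the demo.

# Signature algorithm of a certificate, e.g. "sha256WithRSAEncryption".
sig_alg() {
  openssl x509 -in "$1" -noout -text |
    awk -F': ' '/Signature Algorithm/ {print $2; exit}'
}

# True only for SHA-256 or stronger (SHA-2 names as OpenSSL prints them).
hash_ok() {
  case "$1" in
    *[Ss][Hh][Aa]256*|*[Ss][Hh][Aa]384*|*[Ss][Hh][Aa]512*) return 0 ;;
    *) return 1 ;;
  esac
}

# True if the certificate chains to the given CA file.
chains_to() {   # chains_to <ca.pem> <cert.pem>
  openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'
}

# True if the private key belongs to the certificate (public keys are equal).
key_matches() { # key_matches <cert.pem> <key.pem>
  [ "$(openssl x509 -in "$1" -noout -pubkey)" = \
    "$(openssl pkey -in "$2" -pubout 2>/dev/null)" ]
}

# Run all three checks on the files destined for one node.
check_node_files() { # check_node_files <ca.pem> <cert.pem> <key.pem>
  hash_ok "$(sig_alg "$2")" && chains_to "$1" "$2" && key_matches "$2" "$3"
}

# Build a throwaway CA and node certificate in directory $1 (demo data only).
make_demo_pki() {
  ( cd "$1" &&
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
      -subj "/CN=Demo CA" -keyout ca.key -out ca.pem &&
    openssl req -newkey rsa:2048 -nodes -subj "/CN=demo-node" \
      -keyout node.key -out node.csr &&
    openssl x509 -req -in node.csr -CA ca.pem -CAkey ca.key \
      -CAcreateserial -sha256 -days 1 -out node.pem ) >/dev/null 2>&1
}

d=$(mktemp -d) && make_demo_pki "$d" &&
  check_node_files "$d/ca.pem" "$d/node.pem" "$d/node.key" &&
  echo "demo node files pass: $(sig_alg "$d/node.pem")"
```

The same `sig_alg` and `chains_to` checks apply to the RADIUS server certificate against the CA certificate uploaded to the node. Certificates signed with RSA-PSS or Ed25519 print algorithm names this `hash_ok` pattern does not recognise and would need their own case.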
Both PSK and 802.1X require initial provisioning directly on the node.
I have been trying to get 802.1x working on cnWave but have not had any success. I have followed all the available documentation and guidelines but the link keeps trying to come up and going down again, the logs seem to indicate that it is not authenticating properly on our radius server. We are using freeradius and the client cert is signed by the same CA as our server cert. Would you be able to provide any further guidelines for using freeradius? For example, are there any non-standard configuration options required in the eap.conf file? Do you have any guidelines for generating the client cert? I need to get this to work as our PMP450 and ePMP networks all use radius and we do not want to deploy cnWave without proper integration with our backend authentication systems.
As @Anilkumarreddy suggests, understanding what version of software you are running on the radios, E2E and cnMaestro will be key, and we can get those from the Tech Dumps. Having those available for the ticket would be ideal.