cnWave offers feature where node should authenticate themselves during the Ignition procedure.
By default link authentication is disabled.
There are two secure authentication available to cnWave node.
Authentication mode can be configured from Network level which is applicable to entire network.
Passphare is the pre-shared key
WPA2 protocol is currently supported.
For encryption, AES-GCMP-128 bit is supported.
802.1x authentication on a sector from a POP node. This is a network level configuration and is common to entire sector.
RADIUS Server IP: IPv6 address of RADIUS server. In future release we will support IPv4 address as well.
RADIUS server port: UDP Port number where server is running , default is 1812.
RADIUS Server shared secret: shared secret.
For RADIUS authentication cnWave support EAP-TLS only where each node should have client certificate and private key. In addition , node should also have CA certificate to verify the RADIUS server. These files can be uploaded from the device GUI of each node.
Configuration to be done on Controller GUI for each node
Configuration to be done on Node GUI
Note : It is important for both the configuration to be done for a successful authentication.
RADIUS Server Configuration:
Any radius server can be used for authentication. The following configuration to be done.
- Make sure RADIUS packets from IPv6 subnet i.e. lo IP subnet is accepted in radius configuration.
- Configure EAP-TLS for radius server and set up server certificate, key. Note that server certificate is signed by CA uploaded in node configuration.
- Set the the CA certificate which signed the client certificate installed on each node.
- Make sure certificate is signed with SHA-256 or higher.
Both PSK and 802.1X require initial provisioning directly on the node.