
Netgear RADIUS Port Authentication 802.1x


It was difficult to get this set up initially. There are a few settings that all need to be enabled to actually get this working.

Setting up RADIUS items #

Go to Security > Management Security

Add RADIUS auth server #

Add RADIUS accounting server #

This is optional, but the accounting records (session start and stop per user and port) are useful for troubleshooting and auditing.

Change dot1x Auth List to RADIUS #

Update Port Authentication #

Go to Security > Port Authentication

Warning

Force all Port Controls to Authorized before proceeding; otherwise you will likely lock yourself out of the switch. Only move ports back to Auto, one at a time, once RADIUS authentication is confirmed working.

Enable Port Based Authentication #

Go to 802.1x Configuration and enable:

  1. Port-Based Authentication State
  2. VLAN Assignment Mode

Update Ports to use VLANs #

Guest VLAN ID - This field allows the user to configure the Guest VLAN ID on the interface. The valid range is 0 - 4093. The default value is 0. Enter 0 to reset the Guest VLAN ID on the interface.

Guest VLAN Period - This input field allows the user to enter the guest VLAN period for the selected port. The guest VLAN period is the value, in seconds, of the timer used by the Guest VLAN authentication. The guest VLAN timeout must be a value in the range of 1 to 300. The default value is 90.

Unauthenticated VLAN ID - This input field allows the user to enter the Unauthenticated VLAN ID for the selected port. The valid range is 0 to 4093. The default value is 0. A user is allowed 3 attempts to enter correct credentials. If wrong credentials are entered 3 times, the client will be put in the unauthenticated VLAN. Changing the value will not change the configuration until the Submit button is pressed. Enter 0 to clear the Unauthenticated VLAN ID on the interface.

Periodic Reauthentication - This select field allows the user to enable or disable reauthentication of the supplicant for the specified port. The selectable values are ‘Enable’ and ‘Disable’. If the value is ‘Enable’, reauthentication will occur. Otherwise, reauthentication will not be allowed. The default value is ‘Disable’. Changing the selection will not change the configuration until the Submit button is pressed.

With VLAN Assignment Mode enabled, a client that authenticates successfully is placed in the VLAN named by the Tunnel-Private-Group-ID attribute in the RADIUS server’s Access-Accept (sent together with Tunnel-Type = VLAN and Tunnel-Medium-Type = IEEE-802); this is what Netgear’s VLAN Assignment Mode adds support for. If the server sends no VLAN attribute, the port keeps its configured VLAN.

The Guest VLAN ID is for clients that never answer the switch’s EAP requests, i.e. a device with no 802.1x supplicant: once the Guest VLAN Period expires with no response, the port is put in the guest VLAN (leave it at 0 and such devices get no access at all).

The Unauthenticated VLAN ID is for clients that do run a supplicant but fail authentication. As the field description above says, after 3 failed attempts the client is moved into that VLAN (again, 0 means it is simply denied).

Info

You should always enable Periodic Reauthentication, so that an authorized port is re-checked against RADIUS on a timer and a user you disable or remove on the server does not keep access until the next link down.

Keep the Port Control on Auto for every port that should use 802.1x; Force Authorized is only the temporary safety net from the warning above. Note that with VLAN Assignment Mode on, the VLAN returned by RADIUS overrides any static VLAN membership you have configured on that port.

FreeRADIUS #

These screens are from the FreeRADIUS package on pfSense, but the settings should be similar across RADIUS servers.

Configuration #

Enable VLAN assignment in the user configuration so that FreeRADIUS returns the VLAN ID (the Tunnel-Private-Group-ID attribute) for the user logging in.
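To make concrete what the VLAN Assignment Mode in the Port Authentication section actually consumes, and what the user configuration here has to produce, the following is an added example (not code from the original post, from Netgear or from the FreeRADIUS project). It builds the Access-Accept that a FreeRADIUS `users` entry carrying Tunnel-Type, Tunnel-Medium-Type and Tunnel-Private-Group-Id produces, then verifies and decodes it the way an authenticator such as the switch does. The `users` entry shown in the comment, the username, VLAN 20 and the shared secret are assumptions made for the example; the constants are the RFC 2865/2868/3580 values.

```python
# Added example: encode and decode the RADIUS VLAN-assignment attributes
# that an 802.1x authenticator (here, the Netgear switch) consumes.
#
# Assumed FreeRADIUS "users" entry that yields the attributes built below
# (on pfSense the FreeRADIUS package writes this from its GUI):
#
#   alice  Cleartext-Password := "s3cret"
#          Tunnel-Type = VLAN,
#          Tunnel-Medium-Type = IEEE-802,
#          Tunnel-Private-Group-Id = "20"
import hashlib
import os
import struct
from typing import Optional

ACCESS_ACCEPT = 2
TUNNEL_TYPE = 64                 # RFC 2868 attribute numbers
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81
TUNNEL_TYPE_VLAN = 13            # RFC 3580: Tunnel-Type value for VLAN
TUNNEL_MEDIUM_IEEE_802 = 6


def tagged_int(attr: int, value: int, tag: int = 0) -> bytes:
    """Tagged integer attribute: Type, Length=6, Tag, 3-byte value (RFC 2868 s3.1)."""
    return struct.pack("!BBB", attr, 6, tag) + value.to_bytes(3, "big")


def tagged_str(attr: int, value: str, tag: int = 0) -> bytes:
    """Tagged string attribute: Type, Length, Tag, String (RFC 2868 s3.6)."""
    payload = bytes([tag]) + value.encode()
    return struct.pack("!BB", attr, 2 + len(payload)) + payload


def build_access_accept(ident: int, request_auth: bytes, secret: bytes,
                        vlan: Optional[str] = None) -> bytes:
    """Constructed Access-Accept (not a capture). vlan=None sends no VLAN attributes."""
    attrs = b""
    if vlan is not None:
        attrs = (tagged_int(TUNNEL_TYPE, TUNNEL_TYPE_VLAN)
                 + tagged_int(TUNNEL_MEDIUM_TYPE, TUNNEL_MEDIUM_IEEE_802)
                 + tagged_str(TUNNEL_PRIVATE_GROUP_ID, vlan))
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs))
    # Response Authenticator, RFC 2865 s3: MD5(Code+ID+Length+RequestAuth+Attributes+Secret).
    # The shared secret is the only thing that binds this reply to the switch's request.
    resp_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + resp_auth + attrs


def parse_attrs(data: bytes):
    """Yield (type, value) pairs from the attribute region of a RADIUS packet."""
    pos = 0
    while pos < len(data):
        atype, alen = data[pos], data[pos + 1]
        if alen < 2 or pos + alen > len(data):
            raise ValueError("malformed attribute")
        yield atype, data[pos + 2:pos + alen]
        pos += alen


def assigned_vlan(packet: bytes, request_auth: bytes, secret: bytes) -> Optional[str]:
    """Authenticator-side logic: verify the reply, then return the VLAN to assign
    (what VLAN Assignment Mode does) or None, meaning keep the port's configured VLAN."""
    if len(packet) < 20:
        return None
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_ACCEPT or length != len(packet):
        return None
    header, resp_auth, attrs = packet[:4], packet[4:20], packet[20:length]
    expected = hashlib.md5(header + request_auth + attrs + secret).digest()
    if expected != resp_auth:
        # Wrong shared secret, tampered or forged reply: discard, never authorize on it.
        raise ValueError("Response Authenticator mismatch")
    found = {}
    for atype, value in parse_attrs(attrs):
        if atype in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            found[atype] = (value[0], int.from_bytes(value[1:], "big"))   # (tag, value)
        elif atype == TUNNEL_PRIVATE_GROUP_ID:
            # A first byte above 0x1F is not a tag but the start of the string (RFC 2868 s3.6).
            tag, text = (value[0], value[1:]) if value[0] <= 0x1F else (0, value)
            found[atype] = (tag, text.decode())
    try:
        tag, vlan_id = found[TUNNEL_PRIVATE_GROUP_ID]
        if (found[TUNNEL_TYPE] == (tag, TUNNEL_TYPE_VLAN)
                and found[TUNNEL_MEDIUM_TYPE] == (tag, TUNNEL_MEDIUM_IEEE_802)):
            return vlan_id
    except KeyError:
        pass
    return None


if __name__ == "__main__":
    secret = b"switch-shared-secret"      # assumed value, configured on switch and server
    request_auth = os.urandom(16)         # in reality copied from the switch's Access-Request
    reply = build_access_accept(0x2A, request_auth, secret, "20")
    print("VLAN assigned:", assigned_vlan(reply, request_auth, secret))
    try:
        assigned_vlan(reply, request_auth, b"wrong-secret")
    except ValueError as e:
        print("rejected:", e)
```

Two things worth noticing: the three tunnel attributes must share the same tag (or all be untagged) for the VLAN to apply, which is why a server that sends only Tunnel-Private-Group-Id gets silently ignored and the client lands in the port's static VLAN; and the only integrity on that reply is an MD5 keyed with the shared secret, so the secret between the switch and pfSense should be long and random.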

EAP #

Unfortunately, my Netgear GS724TPv2 only uses EAP-MD5, so it’s somewhat insecure. Ignore the “disable weak EAP” option here.

This will need to be MSCHAPv2 for Windows clients.

Client #

Author: Neal Fennimore
Software and cybersecurity engineer with experience in systems development, security, linux, cloud, IT + OT operations, and computer networking.