Implement and offer 802.1X supplicant for the wired interfaces.

  • 7
  • Idea
  • Updated 4 months ago
Introduce an 802.1X supplicant to HiveOS that would allow HiveAPs to authenticate against wired Ethernet ports on the switches that they connect to.

Nick Lowe, Official Rep

  • 2491 Posts
  • 451 Reply Likes

Posted 5 years ago

  • 7

Finn Håkon Borgi

  • 0 Posts
  • 0 Reply Likes
+1 from me... No 802.1x support on the wired interfaces is almost a show stopper for me. With APs in public spaces in the building, security is easily breached if someone is to disconnect the AP and try to connect to the Ethernet port. MAC-auth is helping a tiiiiny bit, but this is also easily bypassed.
Finn H

Brian Ambler

  • 245 Posts
  • 126 Reply Likes
Hi Finn/Nick,

I see that this request never got addressed and Nick's recent post referencing this request brought it to my attention. I searched the enhancement request database to see if this had ever been filed, but I did not find record of such a request. We did just migrate processes for filing these requests, so it is possible I missed it in the old database.

Regardless, I have filed an enhancement request for introducing an 802.1X supplicant for HiveOS to allow for the backhaul uplink to the switch to be secured. If either of you have specific conditions or use cases that you would like to see fulfilled by this enhancement, feel free to include them here. If the request gets approved, it could qualify for inclusion in a future release, but that is ultimately a decision for the Product Management team.

Nick Lowe, Official Rep

  • 2491 Posts
  • 451 Reply Likes
Thanks very much, Brian.

This was actually something that I had brought up previously with our reseller / Aerohive on the very same point Finn makes.

I have forwarded you an email from this time last year. Hope that's okay.

Obviously until 802.1X-2010 with 802.1AE support at both ends, things are vulnerable to an in-line attack, but the main issue here is somebody merely unplugging an access point and plugging their own thing in.

Regards,

Nick

Simon Hogg

  • 13 Posts
  • 8 Reply Likes
I was just searching for exactly this feature.  Do you know if there is any update to this request?

Thanks,

Simon

Nick Lowe, Official Rep

  • 2491 Posts
  • 451 Reply Likes
Dear Simon,

No update that I can give, sorry. The feature request died a death as far as I know. I asked about this first back in mid-2011 and a few times after intermittently via a reseller and Aerohive directly and never heard anything back.

An employee at Aerohive did however recently make contact out of the blue (great!) to ask about various feature requests. I will mention this and see if I can find out anything more.

Feel free to ask yourself via formal channels too!

I suspect that the hold-up is the need for a sound business case for the feature, especially when much of the competition does not offer this either. It also needs careful consideration about how it should be implemented, as you would need to get the supplicant configured somehow before you could connect the AP to an 802.1X enabled port... otherwise, you do easily end up in a catch-22 situation that is tricky to manage.

Nick
(Edited)

gaasdal

  • 26 Posts
  • 1 Reply Like
BUMP
Time to get this implemented
(Edited)

Nick Lowe, Official Rep

  • 2491 Posts
  • 451 Reply Likes
Hi gaasdal,

Gosh, this is an old thread from before I was an employee at Aerohive.

The good news is that this feature has already been implemented.

You will need one of our 802.11ac APs newer than the AP370/AP390 and the feature release branch of HiveOS.

Take a look at:

show cmds | inc supplicant

supplicant <string> 
supplicant <string> username <string> [ password <string> ] 
supplicant <string> password <string> 
supplicant <string> eap-type {md5|peap|tls|ttls} 
interface <ethx> supplicant <string> 
supplicant <string> ca-cert <string> 
supplicant <string> client-cert <string> private-key <string> [ private-key-password <string> ] 
show supplicant name [ <string> ] 
show supplicant cert-file [ <string> ] 
clear supplicant cert-file [ <string> ] 
save supplicant cert-file <location> 
save supplicant cert-file <url> [ admin <string> password <string> {basic|digest} ] [ proxy <string> [ proxy-admin <string> password <string> ] ]

In HMNG, you currently need to use supplemental CLI but this can be configured via the GUI in HM Classic.

Thanks,

Nick
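As an added example (not Aerohive's code and not from this thread), here is a small generator that emits the supplicant CLI quoted above in the order it has to be entered and checks the per-EAP-type requirements. It assumes only the command forms shown in the post, that certificate files have already been saved on the AP with "save supplicant cert-file", and that the profile name, credentials and file names are constructed samples.

```python
import re

# The eap-type values offered by the HiveOS CLI quoted in the thread.
EAP_TYPES = {"md5", "peap", "tls", "ttls"}


def build_supplicant_config(name, eap_type, iface, username=None, password=None,
                            ca_cert=None, client_cert=None, private_key=None,
                            private_key_password=None):
    """Return {'commands': [...], 'warnings': [...]} or raise ValueError.

    Commands come out in the order to enter them: profile first, the interface
    binding last, and all of it before the switch port is set to require
    802.1X (the catch-22 mentioned earlier in the thread).
    """
    if eap_type not in EAP_TYPES:
        raise ValueError(f"eap-type must be one of {sorted(EAP_TYPES)}")
    if not re.fullmatch(r"eth\d+", iface):
        raise ValueError("the supplicant binds to a wired port such as eth0")
    commands, warnings = [f"supplicant {name}"], []
    if ca_cert:
        # Lets the AP verify the RADIUS server's certificate behind the switch.
        commands.append(f"supplicant {name} ca-cert {ca_cert}")
    if eap_type == "tls":
        # EAP-TLS: the AP's identity is its client certificate and private key.
        if not (ca_cert and client_cert and private_key):
            raise ValueError("tls needs ca-cert, client-cert and private-key")
        cmd = f"supplicant {name} client-cert {client_cert} private-key {private_key}"
        if private_key_password:
            cmd += f" private-key-password {private_key_password}"
        commands.append(cmd)
    else:
        # md5, peap and ttls authenticate the AP with a username and password.
        if not (username and password):
            raise ValueError(f"{eap_type} needs a username and password")
        commands.append(f"supplicant {name} username {username} password {password}")
        if eap_type == "md5":
            warnings.append("md5 gives no server authentication and is open to "
                            "offline dictionary attacks; prefer peap, ttls or tls")
        elif not ca_cert:
            warnings.append("no ca-cert: the AP cannot verify the RADIUS server, so a "
                            "rogue port could harvest the PEAP/TTLS credentials")
    commands.append(f"supplicant {name} eap-type {eap_type}")
    commands.append(f"interface {iface} supplicant {name}")
    return {"commands": commands, "warnings": warnings}
```

Feed the returned commands into supplemental CLI (HMNG) or check them against what HM Classic's Secure Port Settings page produces; the warnings list is the part worth reading before the port is locked down.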

gaasdal

  • 26 Posts
  • 1 Reply Like
Hi
This is very good news.
And I can confirm that it works, too.
At least with username / password / peap.
Haven't had time to test it with certificates yet.

Thank you!
(Edited)

gaasdal

  • 26 Posts
  • 1 Reply Like
Hi.
I need to wake up this thread again.
It seems that the 802.1x information I put in manually got overwritten when updating the APs at a later point?

And also, where do I enter this information in the GUI in HM Classic?

I upgraded to v8.2 now, and it still doesn't seem that this is fully implemented? Why?

Thanks

Nick Lowe, Official Rep

  • 2491 Posts
  • 451 Reply Likes
How did you configure the supplicant?

gaasdal

  • 26 Posts
  • 1 Reply Like
Never mind, I found out that I could enter the credentials under Configuration -> Network Policies -> Additional Settings -> Secure Port Settings.

But I would prefer to use certificates and EAP-TLS, though.

Could you please explain how to go forth to create a user certificate (from a Windows CA) for this purpose?

Thanks.
(Edited)

gaasdal

  • 26 Posts
  • 1 Reply Like
* BUMP * :)