The Network > Ethernet ports section contains the interface to disable unused Ethernet ports and to upload the certificates and private key used for 802.1x authentication.

Disabling unused ports

The administrator can disable unused Ethernet ports to reduce the attack surface - an open, unused port is a vulnerability. Ports with a ticked box are enabled; deselecting the box before saving disables that port. Ports used for the cloud connection (depending on network mode) cannot be disabled.

The port selection takes effect after the device has been rebooted.


Prerequisite:
  • Logged in as administrator to the Connect Gateway.

Steps:
  1. In Manage port access, select Edit to open the input form.
  2. Deselect a port (say, port LAN1B) and Save the form to disable it.

Result:
  • After reboot, the chosen port(s) are disabled.


Activating port authentication

The gateway can act as supplicant (client device) in networks with IEEE 802.1x Port-based Network Access Control (PNAC). It supports the EAP-TLS (Extensible Authentication Protocol with TLS) authentication method.


IEEE 802.1x PNAC requires three entities: a supplicant, an authenticator (for example, an Ethernet switch) that allows or blocks the supplicant's network traffic, and an authentication server (typically a RADIUS server with EAP support) that validates the credentials.

The settings correspond to the following 802-1x parameters:

  Name                      Authentication setting
  Identity                  802-1x.identity
  CA certificate            802-1x.ca-cert
  Client certificate (1)    802-1x.client-cert
  Private key               802-1x.private-key
  Private key password      802-1x.private-key-password

(1) The client is equivalent to an Ethernet port on the device in this context.


To activate port authentication, certificates must be uploaded to the gateway. A format check of the certificates is done when uploaded, but the validity of the certificates is not verified by the gateway.

The supplicant is not allowed access through the authenticator (for example, an Ethernet switch) to the protected side of the network (Connect Gateway) until the supplicant's identity has been validated and authorized by the authentication server. The data required are:

  • Identity
  • CA and client certificates in PEM format (typically with a .crt file extension)
  • PKCS#8 private key encoded in PEM format
  • Private key password, when the private key is password protected

NOTICE
Breaking the connection to the device

It is recommended to configure the 802.1X port from a connection on a different port, to avoid disconnecting the established web access to the device. One possibility is to use a web tunnel via the WAN network to configure 802.1X on the LAN network.

Prerequisite:
  • Logged in as administrator to the Connect Gateway; the gateway has at least one port connected to a local network.

Steps:
  1. In Port authentication, select Edit to open the input form.
  2. Select the port which authentication should apply to.
  3. Enter an identity (username), that is, the owner of the private key.
  4. The password must be provided if the private key file is password protected.
  5. If desired, set the authentication timeout value in seconds by stepping the counter. The value can be left unchanged.
  6. Upload a CA certificate (in PEM format).
  7. Upload a client certificate (in PEM format).
  8. Upload a client private key (in PEM format). If password protected, enter the password above.
  9. Save to activate.

Result:
  • Authentication is applied to the chosen port(s).


Remove port authentication with the Delete button in the right-hand pane.
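
The gateway checks only the format of the uploaded files, not their validity, so it pays to check the material before uploading. The following pre-flight check is an added example (not code from the product or its documentation) written in standard-library Python: it reproduces the format-level check (PEM armour, base64 body, DER SEQUENCE), requires the key to be PKCS#8, and flags the password cases from the procedure above. The DER bodies and the settings dictionary are constructed placeholders, not real certificates.

```python
import base64
import re

_SAMPLE_DER = b"\x30\x03\x02\x01\x05"  # constructed DER SEQUENCE { INTEGER 5 }, not a real cert

def pem(label, der=_SAMPLE_DER):
    """Wrap DER bytes in PEM armour with the given label (helper for constructed input)."""
    body = base64.b64encode(der).decode()
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"

_PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.S)

def pem_label(text):
    """Return the PEM label when the armour is intact and the body decodes to a DER
    SEQUENCE (X.509 and PKCS#8 both start with one); None otherwise. Format check only."""
    m = _PEM_RE.search(text or "")
    if not m:
        return None
    try:
        der = base64.b64decode("".join(m.group(2).split()), validate=True)
    except ValueError:
        return None
    return m.group(1) if der[:1] == b"\x30" else None

def check_8021x_settings(s):
    """s maps the page's 802-1x.* setting names to the values/file contents; returns problems."""
    problems = []
    if not s.get("802-1x.identity"):
        problems.append("identity is empty")
    for key in ("802-1x.ca-cert", "802-1x.client-cert"):
        if pem_label(s.get(key)) != "CERTIFICATE":
            problems.append(f"{key} is not a PEM certificate")
    label = pem_label(s.get("802-1x.private-key"))
    password = s.get("802-1x.private-key-password", "")
    if label == "ENCRYPTED PRIVATE KEY" and not password:
        problems.append("private key is encrypted but no password was given")
    elif label == "PRIVATE KEY" and password:
        problems.append("password given but the private key is not encrypted")
    elif label not in ("PRIVATE KEY", "ENCRYPTED PRIVATE KEY"):
        problems.append(f"private key is not a PKCS#8 PEM key (label {label!r})")
    return problems

# Constructed settings mirroring the nmcli example on this page.
SAMPLE_SETTINGS = {
    "802-1x.identity": "engineering", "802-1x.private-key-password": "pki_password",
    "802-1x.ca-cert": pem("CERTIFICATE"), "802-1x.client-cert": pem("CERTIFICATE"),
    "802-1x.private-key": pem("ENCRYPTED PRIVATE KEY"),
}
```

Chain validity, expiry and the key/certificate match are outside this check; verify them with openssl before uploading, for example `openssl verify -CAfile ca.crt client.crt`.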

Configuring the supplicant

A common client-end software for 802.1x authentication on Linux is wpa_supplicant, which NetworkManager drives. It can be configured from the command line with nmcli to correspond to the Connect Gateway settings, for example:

    nmcli c add type wired ifname eno1 con-name 'engineering' \
        802-1x.eap tls \
        802-1x.identity engineering \
        802-1x.ca-cert /etc/pki/certs/ca.crt \
        802-1x.client-cert /etc/pki/certs/engineering.crt \
        802-1x.private-key /etc/pki/certs/engineering.pem \
        802-1x.private-key-password pki_password


Authenticator and authentication server

The authenticator (typically an Ethernet switch or router) must support 802.1x port authentication. Port authentication is activated on the switch ports used by the supplicants.

The authentication server (RADIUS) is configured to use EAP with the type set to TLS, and its TLS configuration file includes the file paths to the certificates and private key stored on the authentication server.