Administrator Guide

EAP-PEAP MSCHAPv2 authentication workflow
When a Linux thin client is initially connected to the network, it obtains Guest VLAN resources by default; that is, the thin client (TC) should be able to reach the INI server to fetch the INI configurations required for 802.1x configuration.
Prerequisites for EAP-PEAP (MSCHAPv2) 802.1x authentication:
Make sure that the INI file has the configurations for 802.1x, Active Directory server, and Domain and Import certs. If you are pushing a CA certificate by using the Dell Wyse Device Manager (WDM), the Imports Certs INI is not required, but you must be sure that the CA certificate name is correct in the 802.1x INI parameter. For more information, see Dell Wyse ThinLinux INI Guide.
If you are using a CA certificate for 802.1x authentication, use the ImportCerts INI parameter to import CA certificates into the device. If the CA certificate name is not included in the 8021x INI configuration, ignoring the CA certificate is the default option.
The Domain List INI parameter is required to display the available domains on the GDM login screen.
EAP-PEAP (MSCHAPv2) 802.1x authentication can be configured in two different modes:
User Authentication
Machine Authentication
EAP-PEAP MSCHAPv2 user authentication
To authenticate 802.1x by using an Active Directory username account:
1 Turn on your thin client device.
After the INI is downloaded to the thin client, you can access the domain that is configured in the INI from the domain drop-down list on the GDM Login screen.
2 On the GDM login screen, select the domain, and then enter the user domain credentials.
3 Click Log in.
The 802.1x authentication starts automatically.
NOTE: The GDM Authentication module performs the Network Manager configuration required for 802.1x PEAP (MSCHAPv2) authentication by using the credentials entered and the 802.1x configurations from the INI. Then, it reinitializes the network to do a direct 802.1x authentication with the switch.
If login is successful, the thin client gets an IP address from the protected VLAN and you can start the local thin client session (GNOME session). You can also start RDP, ICA, and PCoIP sessions by using the same domain credentials provided in the GDM login. These credentials are already present in the connection manager, and you need not re-enter them.
NOTE:
If you set Is802DirectEnabled=yes, direct authentication is enabled, which triggers the 802.1x authentication from the GDM login screen. In this case, the ActiveDirectoryServer parameter is not required.
If you set Is802DirectEnabled=no, the 802.1x authentication is triggered after the user logs in to the thin client. In this case, you need to include the ActiveDirectoryServer parameter in the INI.
If login is unsuccessful, the 802.1x authentication fails and the thin client remains in the Guest VLAN.
4 When you log out or restart the device, the thin client moves back to the Guest VLAN by sending an EAPOL logoff to the switch and disabling the 802.1x configuration in the Network Connections applet.
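A pre-deployment check of the prerequisites and the Is802DirectEnabled rule described above, written as an added example (it is not part of the Dell guide or any Dell tool). It assumes the INI holds whitespace-separated key=value tokens with '#' comments and exact-case parameter names; the sample INI text and the finding codes are constructed for illustration.

```python
import shlex

# Finding codes are hypothetical; the messages paraphrase this page's prerequisites and NOTE.
FINDINGS = {
    "NO_DOMAINLIST": "DomainList is missing: no domain appears on the GDM login screen",
    "AD_SERVER_REQUIRED": "Is802DirectEnabled=no requires ActiveDirectoryServer in the INI",
    "CA_NOT_IMPORTED": "ImportCerts is not yes: the CA certificate must be pushed by WDM "
                       "and named in the 802.1x INI parameter, or it is ignored",
}

def parse_ini(text):
    """Collect key=value tokens; several may share a line, '#' starts a comment (assumed)."""
    params = {}
    for line in text.splitlines():
        for token in shlex.split(line, comments=True):
            key, sep, value = token.partition("=")
            if sep:
                params[key] = value
    return params

def check_8021x_prereqs(text):
    """Return the finding codes that apply to this INI text, in a fixed order."""
    p = parse_ini(text)
    codes = []
    if not p.get("DomainList"):
        codes.append("NO_DOMAINLIST")
    if p.get("Is802DirectEnabled", "").lower() == "no" and not p.get("ActiveDirectoryServer"):
        codes.append("AD_SERVER_REQUIRED")
    if p.get("ImportCerts", "").lower() != "yes":
        codes.append("CA_NOT_IMPORTED")
    return codes

# Constructed samples, not taken from a real deployment.
SAMPLE_COMPLETE = """\
DomainList=npac.local DisableDomain=no
ImportCerts=yes
Is802DirectEnabled=yes
"""
SAMPLE_INCOMPLETE = """\
DisableDomain=no   # DomainList forgotten
ImportCerts=no
Is802DirectEnabled=no
"""

if __name__ == "__main__":
    for name, ini in (("complete", SAMPLE_COMPLETE), ("incomplete", SAMPLE_INCOMPLETE)):
        print(name)
        for code in check_8021x_prereqs(ini):
            print("  ", code, "-", FINDINGS[code])
```

CA_NOT_IMPORTED is advisory: it is expected when WDM pushes the CA certificate, and otherwise marks a configuration in which the CA certificate is ignored.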
The following is an example of the INI configuration for EAP-PEAP (MSCHAPv2) 802.1x User authentication.
For AD and Domain settings
DomainList=npac.local DisableDomain=no
For Imports Certificates
ImportCerts=no
Configuring thin client settings locally