Administrator Guide

For 802.1x Configuration
Enable802=yes Authentication=PEAP InnerAuthentication=MSCHAPv2 PromptPassword=no AuthMode=User
Is802DirectEnabled=yes CACertificate=SCEP PeapVersion=Auto
EAP-PEAP MSCHAPv2 machine authentication
To enable EAP-PEAP (MSCHAPv2) machine authentication:
Your machine must have an account created in the Active Directory database with Hostname as the username field.
Set the same password for all machine/host name accounts to be created.
The INI parameter should contain a MachinePassword Field that can be used for authentication.
To authenticate 802.1x using Machine name (Host name):
1 Turn on your thin client device.
Once the INI is downloaded to the thin client and all the 802.1x parameters for machine PEAP authentication are retrieved from the INI server, the authentication starts in the background.
The Authentication module performs the Network Manager configuration required for 802.1x PEAP MSCHAPv2 authentication by using the host name and password from INI and 802.1x configurations from INI.
If 802.1x authentication is successful, then the thin client gets an IP address from the protected VLAN.
If 802.1x authentication fails due to any wrong 802.1x configuration, then the thin client remains in the Guest VLAN.
2 When you restart your thin client, the device moves to the Guest VLAN by sending an EAPOL logoff to the switch and disabling the 802.1x configuration at the Network Connections applet.
The following is an example of the INI configuration for EAP-PEAP (MSCHAPv2) 802.1x machine authentication:
For AD and Domain settings
DomainList=npac.local DisableDomain=no
For Imports Certificates
ImportCerts=yes Certs=npac-ca-cert.cer
For 802.1x Configuration
Enable802=yes Authentication=PEAP InnerAuthentication=MSCHAPv2 PeapVersion=Auto
PromptPassword=no CACertificate=npac-ca-cert.cer Authmode=Machine MachinePassword=tangocharlie
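The following check is an added example, not part of the original guide or of the vendor's tooling: it parses the whitespace-separated Key=Value parameters shown above and reports 802.1x PEAP settings an administrator should review before publishing the INI. The finding names, the audit rules, and the assumption that a CA file named in CACertificate must also be listed in Certs (split on "," or ";") are hypothetical; only the parameter names come from this guide.

```python
# Added example: audit the 802.1x parameters of a thin client INI file.
# Parameter names come from this guide; the audit rules are assumptions.
import re

def parse_ini(text):
    """Map lowercased key -> value for every whitespace-separated Key=Value token."""
    params = {}
    for token in text.split():
        key, sep, value = token.partition("=")
        if sep:
            params[key.lower()] = value
    return params

def audit_8021x(text):
    """Return sorted finding codes for the PEAP settings found in the INI text."""
    p = parse_ini(text)
    if p.get("enable802", "").lower() != "yes":
        return []
    findings = set()
    if p.get("authentication", "").upper() == "PEAP":
        ca = p.get("cacertificate", "")
        if not ca:
            # No CA: the client cannot validate the authentication server.
            findings.add("NO_CA_CERTIFICATE")
        elif ca.upper() != "SCEP":
            # Assumption: a CA file must also be listed in Certs= (split on , or ;).
            imported = re.split(r"[,;]", p.get("certs", "").lower())
            if p.get("importcerts", "").lower() != "yes" or ca.lower() not in imported:
                findings.add("CA_NOT_IMPORTED")
    if p.get("authmode", "").lower() == "machine" and not p.get("machinepassword"):
        findings.add("MACHINE_PASSWORD_MISSING")
    if p.get("machinepassword"):
        # The guide uses one password for all host accounts, stored in clear text.
        findings.add("CLEARTEXT_SHARED_MACHINE_PASSWORD")
    return sorted(findings)

# The guide's machine authentication example.
GUIDE_EXAMPLE = """
DomainList=npac.local DisableDomain=no
ImportCerts=yes Certs=npac-ca-cert.cer
Enable802=yes Authentication=PEAP InnerAuthentication=MSCHAPv2 PeapVersion=Auto
PromptPassword=no CACertificate=npac-ca-cert.cer Authmode=Machine MachinePassword=tangocharlie
"""
# Constructed variant: CA and machine password left out.
CONSTRUCTED_WEAK = "Enable802=yes Authentication=PEAP InnerAuthentication=MSCHAPv2 AuthMode=Machine"

if __name__ == "__main__":
    for name, ini in (("guide", GUIDE_EXAMPLE), ("constructed", CONSTRUCTED_WEAK)):
        print(name, audit_8021x(ini))
```

Because the same MachinePassword is set for every host account and appears in the INI in clear text, a finding of CLEARTEXT_SHARED_MACHINE_PASSWORD is a prompt to restrict who can read the INI file on the INI server.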
EAP TLS authentication workflow
When a Linux thin client is initially connected to the network, it should be able to obtain the Guest VLAN resources by default. It should be
able to reach AD, DNS, SCEP and the INI server to fetch the INI configurations required for Active Directory Domain User Authentication,
802.1x, SCEP, and so on.
EAP-TLS 802.1x authentication can be configured in INI in two different modes:
Machine Authentication.
User Authentication.
EAP TLS – Machine authentication
The following steps are involved with 802.1x authentication:
When the thin client restarts, it remains in the Guest VLAN and downloads the INI configuration from the INI server.