Administrator Guide
EAP Type — If you have enabled the Enable IEEEE 802.1x authentication check box, select the EAP Type option you want
(TLS, LEAP, PEAP or FAST).
• TLS — If you select the TLS option, click Properties to open and congure the Authentication Properties dialog box.
– Select the Validate Server Certicate check box because it is mandatory to validate your server certicate.
NOTE:
The CA certicate must be installed on the thin client. Also note that the server certicate text
eld supports a maximum of approximately 255 characters, and supports multiple server names.
– If you select the Connect to these servers check box, the box is enabled where you can enter the IP address of server.
– Click Browse to nd and select the Client Certicate le and Private Key le you want.
NOTE: Make sure you select PFX le only.
– From the Authenticate drop-down list, select either User Authentication or Machine Authentication based on your
choice.
The following kinds of server names are supported — all examples are based on Cert Common name
company.wyse.com
◦ *.wyse.com
◦ *wyse.com
◦ *.com
NOTE
:
Using only the FQDN, that is company.wyse.com does not work. You must use one of the options (note
that *.wyse.com is the most common option as multiple authentication servers may exist):
servername.wyse.com
• LEAP — If you select the LEAP option, click Properties to open and congure the Authentication Properties dialog box.
Be sure to use the correct username and password for authentication. The maximum length for the username or the
password is 31 characters.
• PEAP — If you select the PEAP option, click Properties to open and congure the Authentication Properties dialog box.
Be sure to select either EAP_GTC or EAP_MSCHAPv2, and then use the correct username, password and domain. Validate
Server Certicate is optional.
• FAST—If you select the FAST option, click Properties to open and congure the Authentication Properties dialog box. Be
sure to select either EAP_GTC or EAP_MSCHAPv2, and then use the correct username, password and domain. Validate
Server Certicate is optional.
From ThinOS Lite 2.3, EAP-FAST authentication is supported. During the initial connection, when there is a request for a
Tunnel PAC from the authenticator, the PAC is used to complete the authentication. Therefore, the rst time connection
always fails and the following connections succeed. Only automatic PAC provisioning is supported. The user/machine PAC
provisioning generated with Cisco EAP-FAST utility is not supported.
Conguring EAP-GTC and EAP-MSCHAPV2
• To congure EAP-GTC, enter the username only. The password or PIN is required when authenticating.
• To congure EAP-MSCHAPv2, enter the username, password and domain.
IMPORTANT
: The domain\username in the username box is supported, but you must leave the
domain box blank.
The CA certicate must be installed on the thin client and the server certicate is forced to be validated. When EAP-
MSCCHAPV2 is selected as EAP type in the Authentication Properties dialog box for PEAP or FAST authentication, an
option to hide the domain is available for selection. Username and Password boxes are available for use, but the Domain text
box is disabled.
34
Conguring the connectivity