Administrator Guide

Parameter Description
[eap={yes,no}]
[eaptype={None, EAP-LEAP, EAP-TLS, EAP-PEAP, EAP-FAST}]
[leapun=<username for EAP-LEAP>]
[leappwd=<password for EAP-LEAP>]
[leappwdEnc=<password encrypted for EAP-LEAP>]
[tlsauthtype=<user or machine>]
[tlsclntcert=<client certificate filename for EAP-TLS>]
[tlsclntprikeypwd=<password for private key>]
[tlsclntprikeypwdEnc=<password encrypted for private key>]
[peapeap=<EAP-MSCHAPV2, EAP-GTC>]
[peapidentity=<identity/username for PEAP>]
[peapmschapun=<username for EAP-PEAP/EAP-MSCHAPV2>]
[peapmschappwd=<password for EAP-PEAP/EAP-MSCHAPV2>]
[peapmschappwdEnc=<password encrypted for EAP-PEAP/EAP-MSCHAPV2>]
[peapmschapdm=<domain for EAP-PEAP/EAP-MSCHAPV2>]
[peapmschaphidedm={yes,no}]
[peapsinglesignon={yes, no}]
[peapgtcun=<username for EAP-PEAP/EAP-GTC>]
[peapgtcpwd=<password for EAP-PEAP/EAP-GTC>]
[peapgtcpwdEnc=<password encrypted for EAP-PEAP/EAP-GTC>]
[servervalidate={yes, no}]
[servercheck={yes, no}]
[servername={"servername for EAP-TLS, EAP-PEAP, EAP-FAST"}]
[wpapskpwd=<passphrase for WPA-PSK>]
[wpapskpwdEnc=<passphrase encrypted for WPA-PSK>]
[wpa2pskpwd=<passphrase for WPA2-PSK>]
[wpa2pskpwdEnc=<passphrase encrypted for WPA2-PSK>]
[encryption=<TKIP|CCMP>]
If two entries exist in an INI file, one each for wired and wireless, both
will take effect; for example IEEE8021X=yes network=wired EAP=yes
… IEEE8021X=yes network=wireless access=WPA-ENT …
All EAP credential information is stored regardless of the eaptype setting.
All passwords here should be encrypted.
Wildcard server validation involves three entries in the INI file. If both
the servervalidate entry and the servercheck entry are set to yes, the
servername entry is valid.
Server certificate validation is mandatory in EAP-TLS authentication. If
the eaptype entry is set to EAP-TLS, the servercheck entry must be set
to yes.
The server list must be enclosed in double quotation marks. For example:
IEEE8021X=yes Network=wireless access=WPA2-ENT eap=yes
servervalidate=yes servercheck=yes servername=";test.com;wireless98;
test.com" eaptype=eap-peap peapeap=eap-mschapv2
peapmschapun=administrator peapmschappwd=password
The additional option timeoutretry specifies the number of retries when
8021x authentication times out; it takes effect only when the network
option is set to wired. For example, timeoutretry=3 allows three retries
after 8021x authentication times out.
The additional option Profile specifies the type of SSID authentication to
be configured. When multiple SSID wireless settings are supported, the
ieee8021x statement must come after the device=wireless statement, and
one additional profile parameter is needed to identify the type of SSID
authentication that is configured.
For example,
#ThinIsIn
Device=Wireless Mode=Infrastructure SSID=ThinIsIn
IEEE8021X=yes network=wireless profile=ThinIsIn access=WPA2-ENT eap=yes eaptype=EAP-PEAP peapeap=EAP-MSCHAPV2 peapmschapdm=wyse
#wtos_95
Device=Wireless Mode=Infrastructure SSID=wtos_95
IEEE8021X=yes network=wireless profile=wtos_95 access=WPA2-ENT eap=yes eaptype=EAP-PEAP peapeap=EAP-MSCHAPV2
Example:
IEEE8021X=yes network=wireless access=wpa-ent eap=yes eaptype=eap-tls tlsclntcert=user.cer tlsclntprikey=user.pfx tlsclntprikeypwd=12345678
Or
IEEE8021X=yes network=wireless access=wpa-ent eap=yes eaptype=eap-tls tlsclntcert=user.cer tlsclntprikey=user.pfx tlsclntprikeypwd=12345678 leapun=user1 password=1234 peapmschapun=user1 peapmschappwd=12345 peapmschapdm=wyse.com
IEEE8021X=yes network=wired eap=yes eaptype=eap-tls tlsclntcert=user.cer tlsclntprikey=user.pfx tlsclntprikeypwd=12345678
By default, peapidentity is the same as peapmschapun.
If peapmschaphidedm is set to yes, the saved PEAP MSCHAP domain name
is used and the prompt dialog does not include the domain field when you
perform ieee8021x authentication.
The following example describes wildcard server validation:
IEEE8021X=yes network=WIRED access=WPA2-ENT servervalidate=yes
eap=yes eaptype=EAP-PEAP servercheck=yes servername=w2k8-
ACS-64.sqawirelsess.com peapmschapdm=EAP-MSCHAPV2
peapgtcun=sqawirless2 peapmschappwd=123!@#qwe
The username for ieee8021x (fastmschapun, peapmschapun, peapgtcun,
leapun) can be configured with system variables such as $mac, $sn, etc.
By default, fastidentity is the same as fastmschapun.
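The constraints stated on this page (encrypted passwords, servercheck=yes for EAP-TLS, servername valid only with servervalidate and servercheck, quoted server lists, timeoutretry for wired only) can be checked before an INI file is deployed. The following Python linter is an added example, not part of the guide or of ThinOS; the tokenizer, the case-insensitive key handling and the sample statements are assumptions made for illustration.

```python
import re

# key=value tokens; a value is a double-quoted string or a run of non-spaces.
TOKEN = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Plaintext secret parameters from the table above; each has an ...Enc form.
PLAINTEXT_KEYS = {"leappwd", "tlsclntprikeypwd", "peapmschappwd",
                  "peapgtcpwd", "wpapskpwd", "wpa2pskpwd"}

def parse_statement(line):
    # Assumption: keys are case-insensitive (the guide mixes IEEE8021X/ieee8021x).
    return {key.lower(): raw for key, raw in TOKEN.findall(line)}

def is_yes(params, key):
    return params.get(key, "").strip('"').lower() == "yes"

def lint(line):
    """Return a list of findings for one IEEE8021X statement."""
    p = parse_statement(line)
    if not is_yes(p, "ieee8021x"):
        return []  # not an 802.1X statement, nothing to check
    findings = [f"{k}: plaintext secret, use the {k}Enc form"
                for k in sorted(PLAINTEXT_KEYS & p.keys())]
    if p.get("eaptype", "").lower() == "eap-tls" and not is_yes(p, "servercheck"):
        findings.append("eaptype=EAP-TLS requires servercheck=yes")
    if "servername" in p:
        if not (is_yes(p, "servervalidate") and is_yes(p, "servercheck")):
            findings.append("servername needs servervalidate=yes and servercheck=yes")
        value = p["servername"]
        # Interpretation: a ';'-separated list must be quoted; one name may be bare.
        if ";" in value and not value.startswith('"'):
            findings.append("servername: server list must be in double quotation marks")
    if "timeoutretry" in p and p.get("network", "").lower() != "wired":
        findings.append("timeoutretry is only valid when network=wired")
    return findings

# Constructed sample statements (not taken from a real deployment).
SAMPLES = [
    "IEEE8021X=yes network=wireless access=WPA2-ENT eap=yes eaptype=EAP-TLS "
    "tlsclntcert=user.cer tlsclntprikeypwd=12345678",
    "IEEE8021X=yes network=wired eap=yes eaptype=EAP-PEAP peapeap=EAP-MSCHAPV2 "
    'servervalidate=yes servercheck=yes servername="a.example.com;b.example.com" '
    "peapmschappwdEnc=ENCRYPTED_PLACEHOLDER timeoutretry=3",
    "IEEE8021X=yes network=wireless eap=yes eaptype=EAP-PEAP "
    "servername=a.example.com;b.example.com timeoutretry=3",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(s[:50] + "...", "->", lint(s) or "ok")
```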
Creating and Using xen.ini Files