platIEEE8021X-IEEE8021XDaemonSessionPlugin
In
Figure 5. Access IEEE 802.1X Configuration view from Nav Tree or Nav Container View
NOTE: If platIEEE8021X (-rt, -wb) modules are installed on the supplicant device, you can also access a read-only view of the IEEE 802.1X settings and connection status in the Nav Tree under the station’s PlatformServices node, as shown here.
The IEEE 802.1X settings are configured in the
Figure 6. IEEE 802.1X Configuration view
About authentication methods
IEEE 802.1X uses Extensible Authentication Protocol (EAP) to provide security. The available EAP authentication methods are:
- EAP-TLS is certificate-based and mutual authentication of client-to-server and server-to-client. It relies on client-side and server-side certificates to perform authentication.
- Tunneled TLS provides for certificate-based, mutual authentication of the client and server through an encrypted channel (or tunnel); a means to derive dynamic, per-user, per-session WEP keys; and requires only server-side certificates.
- Protected EAP (PEAP) provides a method to transport secure authentication data using tunneling between PEAP clients and an authentication server.
802.1X properties for device’s primary adapter
| Name | Value | Description |
|---|---|---|
| Use 802.1X Security | Yes, No (default) | Enables/disables use of this feature. Indicates whether IEEE 802.1X is being used on the platform |
| Status | Disabled (default), Authorized, Unauthorized, Unknown, Unlicensed | Read only value, indicates current network connection status. |
| Authentication | TLS (default), Tunneled TLS, Protected EAP | Choose the EAP method required by the network. |
| Use Fast Reauthentication | Yes (default), No | By default, fast re-authentication is enabled for all EAP methods that support it. This variable can be used to disable fast re-authentication. Normally, disabling this is only necessary if your network infrastructure (RADIUS) does not support Fast Re-authentication. |
| Identity | string | Identity string for EAP. This is indicated during client certificate creation. It can be obtained from the local IT network administrator. |
| User Certificate | Select the client certificate alias for the EAP. The certificate should be in PEM format with a .pem file extension. The client certificate (with private key password if the certificate uses one) for each device, obtained
from the local IT network administrator, is required. This field is populated with certificates available in the platform’s
Certificate Manager User Key Store.
|
|
| CA Certificate | Select the Certificate Authority (CA) certificate alias to be used for the EAP. This certificate should be in PEM format with
a .pem file extension. This required cert is the CA certificate provided by the network administrator. This field is populated with
certificates available in the platform’s Certificate Manager User Trust Store.
|
Additional properties for the Tunneled TLS and Protected EAP authentication methods
| Name | Value | Description |
|---|---|---|
| Anonymous Identity | string | This is the string for EAP (to be used as the unencrypted identity with EAP types that support different tunnelled identity, e.g., EAP-TTLS) |
| Tunnel CA Certificate | This is used in inner authentication with TLS tunnel when using EAP-TTLS or EAP-PEAP. This CA certificate is required. There can be one or more trusted CA certificates. | |
| Inner Authentication | TLS (default), MSCHAPv2, EAP-MSCHAPv2 | The specified authentication scheme to be used “inside” the tunnel for schemes like PEAP and Tunneled TLS. |