Administrator Guide
● Set the same password for all machine/host name accounts to be created.
● The INI file should contain a MachinePassword parameter that can be used for authentication.
To authenticate 802.1x using Machine name (Host name):
1. Turn on your thin client device.
Once the INI is downloaded to the thin client and all the 802.1x parameters for machine PEAP authentication are retrieved
from the INI server, the authentication starts in the background.
The Authentication module performs the Network Manager configuration required for 802.1x PEAP MSCHAPv2
authentication, using the host name, the password, and the 802.1x settings from the INI.
● If 802.1x authentication is successful, the thin client gets an IP address from the protected VLAN.
● If 802.1x authentication fails because of an incorrect 802.1x configuration, the thin client remains in the Guest VLAN.
2. When you restart your thin client, the device moves to the Guest VLAN by sending an EAPOL logoff to the switch and disabling the
802.1x configuration in the Network Connections applet.
The following is an example of the INI configuration for EAP-PEAP (MSCHAPv2) 802.1x machine authentication:
For AD and Domain settings
DomainList=npac.local DisableDomain=no
For importing certificates
ImportCerts=yes Certs=npac-ca-cert.cer
For 802.1x Configuration
Enable802=yes Authentication=PEAP InnerAuthentication=MSCHAPv2 PeapVersion=Auto
PromptPassword=no CACertificate=npac-ca-cert.cer Authmode=Machine
MachinePassword=tangocharlie
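The following pre-deployment check for the INI above is an added example, not part of the guide or of the thin client software. It assumes whitespace-separated Key=Value tokens, '#' comment lines, and ';' or ',' between multiple Certs entries; the function names parse_ini and audit_8021x are hypothetical.

```python
import re

# Constructed sample: the PEAP machine-authentication INI shown above.
SAMPLE_INI = """\
DomainList=npac.local DisableDomain=no
ImportCerts=yes Certs=npac-ca-cert.cer
Enable802=yes Authentication=PEAP InnerAuthentication=MSCHAPv2 PeapVersion=Auto
PromptPassword=no CACertificate=npac-ca-cert.cer Authmode=Machine
MachinePassword=tangocharlie
"""

def parse_ini(text):
    """Collect whitespace-separated Key=Value tokens; keys are lowercased."""
    params = {}
    for line in text.splitlines():
        if line.lstrip().startswith("#"):   # assumption: '#' marks a comment line
            continue
        for token in line.split():
            key, sep, value = token.partition("=")
            if sep:
                params[key.lower()] = value
    return params

def is_yes(params, key):
    return params.get(key, "no").lower() == "yes"

def audit_8021x(params):
    """Return a list of findings for the 802.1x part of a parsed INI."""
    if not is_yes(params, "enable802"):
        return ["Enable802 is not yes: 802.1x is not configured"]
    findings = []
    auth = params.get("authentication", "").upper()
    machine = params.get("authmode", "").lower() == "machine"
    ca = params.get("cacertificate", "")
    imported = re.split(r"[;,]", params.get("certs", ""))  # assumed separators
    if not ca:
        findings.append("CACertificate missing: no CA to validate the RADIUS server certificate")
    elif not is_yes(params, "importcerts") or ca not in imported:
        findings.append(f"CACertificate {ca} is not imported through ImportCerts/Certs")
    if auth == "PEAP" and params.get("innerauthentication", "").upper() != "MSCHAPV2":
        findings.append("PEAP without InnerAuthentication=MSCHAPv2")
    if auth == "PEAP" and machine:
        if not params.get("machinepassword"):
            findings.append("Authmode=Machine with PEAP but no MachinePassword")
        else:
            findings.append("MachinePassword is cleartext in the INI: limit read access on the INI server")
    return findings
```

Run against the sample, the only finding is the cleartext MachinePassword, which matters here because the same password is set for every machine account and the INI is fetched while the client is still on the Guest VLAN.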
EAP TLS authentication workflow
When a Linux thin client is initially connected to the network, it should be able to obtain the Guest VLAN resources by default. It
should be able to reach AD, DNS, SCEP and the INI server to fetch the INI configurations required for Active Directory Domain
User Authentication, 802.1x, SCEP, and so on.
EAP-TLS 802.1x authentication can be configured in INI in two different modes:
● Machine Authentication.
● User Authentication.
EAP TLS – Machine authentication
The following steps are involved with 802.1x authentication:
● When the thin client restarts, it remains in the Guest VLAN and downloads the INI configuration from the INI server.
● The INI file must have the configurations for 802.1x EAP-TLS with AuthMode set for Machine Authentication and SCEP.
● After the INI is downloaded to the thin client, SCEP client enrolls the client certificate with Machine hostname and Domain
configured in the INI.
● 802.1x EAP-TLS machine authentication then begins, and the thin client moves to an Authorized VLAN.
NOTE: You can view the network progress icon on the taskbar.
● If 802.1x authentication fails because of an incorrect 802.1x configuration, the thin client automatically falls back to the Guest
VLAN and displays the notification message "Failed to connect to trusted network. Please contact your system administrator"
in the right pane of the GNOME panel. The user receives the same notification in the case of an expired CA certificate.
Configuring thin client settings locally