Document toolboxDocument toolbox

Authentication in IGEL OS 12

This article shows how to enable and configure network port authentication in IGEL OS.


Menu path: Network > LAN Interfaces > [Interface] > Authentication

 

Enable IEEE-802.1x authentication

☑ Network port authentication is enabled.

☐ Network port authentication is disabled. (Default)

 

If you enable authentication, further options become available:

EAP type

The type of the authentication procedure:

  • PEAP: Protected Extensible Authentication Protocol (Default)

  • TLS: Transport Layer Security with client certificate

  • TTLS: Tunneled Transport Layer Security

  • FAST: Flexible Authentication via Secure Tunneling

 

Anonymous identity

This identity is sent by authentication instead of the actual Identity. This prevents the disclosure of the actual identity of the user. The anonymous identity is relevant for any of the above-mentioned EAP Types, except for TLS.

 

Auth method

The following authentication methods are available:

  • MSCHAPV2: Microsoft Challenge Handshake Authentication Protocol (Default)

  • TLS: Transport Layer Security with client certificate

  • GTC: Generic Token Card

  • MD5: MD5-Challenge

  • PAP: Password Authentication Protocol

 

Validate server certificate

☑ The server’s certificate is checked cryptographically. (Default)

 

CA root certificate

The path to the CA root certificate file. This can be in PEM or DER format.

 

Identity

User name for RADIUS

 

Password

Password for network access

If you leave the Identity and Password fields empty, an entry mask for authentication purposes will be shown. However, this does not apply to the methods with a client certificate (TLS and PEAP-TLS) where these details are mandatory.

 

The following settings are relevant if you have selected TLS as EAP Type:

 

Manage certificates with SCEP (NDES)

☑ Client certificates will automatically be managed with SCEP. For more information, see SCEP Client (NDES) in IGEL OS 12.

☐ Client certificates will not be managed with SCEP. (Default)

 

Client certificate

Path to the file with the certificate for client authentication in the PEM (base64) or DER format.

If a private key in the PKCS#12 (PFX) format is used, leave this field empty.

 

Private key

Path to the file with the private key for the client certificate. The file can be in the PEM (base64), DER, or PKCS#12 (PFX) format. The Private key password may be required for access.

 

Identity

User name for network access

 

Private key password

Password for the Private key for the client certificate

The following setting is relevant if you have selected FAST as EAP Type:

 

Automatic PAC provisioning

Specifies how the PAC (Protected Access Credential) is delivered to the client. 
Possible options:

  • Disabled: PAC files have to be transferred to the device manually, e.g. via UMS file transfer.

  • Unauthenticated:  An anonymous tunnel will be used for PAC provisioning. 

  • Authenticated: An authenticated tunnel will be used for PAC provisioning.

  • Unrestricted: Both authenticated and unauthenticated PAC provisioning is allowed. PAC files are automatically created after the first successful authentication. (Default)

PAC files are stored in /wfs/eap_fast_pacs/.

PAC file names are automatically derived from the Identity, but are coded. In the case of the manual PAC provisioning, you can determine the PAC file names with the following script: /bin/gen_pac_filename.sh

In tests with hostapd, it has been necessary to disable TLS 1.2. To do that, enter the following command for System > Registry > network.interfaces.ethernet.device0.ieee8021x.phase1_directtls_disable_tlsv1_2=1

To add further device registry keys, go to System > Registry > network.interfaces.ethernet.device% and click Add Instance.