Authentication in IGEL OS 12
This article shows how to enable and configure network port authentication in IGEL OS.
Menu path: Network > LAN Interfaces > [Interface] > Authentication
Enable IEEE-802.1x authentication
☑ Network port authentication is enabled.
☐ Network port authentication is disabled. (Default)
If you enable authentication, further options become available:
EAP type
The type of the authentication procedure:
PEAP: Protected Extensible Authentication Protocol (Default)
TLS: Transport Layer Security with client certificate
TTLS: Tunneled Transport Layer Security
FAST: Flexible Authentication via Secure Tunneling
Anonymous identity
This identity is sent by authentication instead of the actual Identity. This prevents the disclosure of the actual identity of the user. The anonymous identity is relevant for any of the above-mentioned EAP Types, except for TLS.
Auth method
The following authentication methods are available:
MSCHAPV2: Microsoft Challenge Handshake Authentication Protocol (Default)
TLS: Transport Layer Security with client certificate
GTC: Generic Token Card
MD5: MD5-Challenge
PAP: Password Authentication Protocol
Validate server certificate
☑ The server’s certificate is checked cryptographically. (Default)
CA root certificate
The path to the CA root certificate file. This can be in PEM or DER format.
Identity
User name for RADIUS
Password
Password for network access
If you leave the Identity and Password fields empty, an entry mask for authentication purposes will be shown. However, this does not apply to the methods with a client certificate (TLS and PEAP-TLS) where these details are mandatory.
The following settings are relevant if you have selected TLS as EAP Type:
Manage certificates with SCEP (NDES)
☑ Client certificates will automatically be managed with SCEP. For more information, see SCEP Client (NDES) in IGEL OS 12 .
☐ Client certificates will not be managed with SCEP. (Default)
Client certificate
Path to the file with the certificate for client authentication in the PEM (base64) or DER format.
If a private key in the PKCS#12 (PFX) format is used, leave this field empty.
Private key
Path to the file with the private key for the client certificate. The file can be in the PEM (base64), DER, or PKCS#12 (PFX) format. The Private key password may be required for access.
Identity
User name for network access
Private key password
Password for the Private key for the client certificate
The following setting is relevant if you have selected FAST as EAP Type:
Automatic PAC provisioning
Specifies how the PAC (Protected Access Credential) is delivered to the client.
Possible options:
Disabled: PAC files have to be transferred to the device manually, e.g. via UMS file transfer.
Unauthenticated: An anonymous tunnel will be used for PAC provisioning.
Authenticated: An authenticated tunnel will be used for PAC provisioning.
Unrestricted: Both authenticated and unauthenticated PAC provisioning is allowed. PAC files are automatically created after the first successful authentication. (Default)
PAC files are stored in /wfs/eap_fast_pacs/
.
PAC file names are automatically derived from the Identity, but are coded. In the case of the manual PAC provisioning, you can determine the PAC file names with the following script: /bin/gen_pac_filename.sh
In tests with hostapd
, it has been necessary to disable TLS 1.2. To do that, enter the following command for System > Registry > network.interfaces.ethernet.device0.ieee8021x.phase1_direct: tls_disable_tlsv1_2=1
To add further device registry keys, go to System > Registry > network.interfaces.ethernet.device% and click Add Instance.