Menu path: Setup > Network > LAN Interfaces > [Interface] > Authentication

Here, you can enable and configure network port authentication.

Enable IEEE-802.1x authentication

☑ Network port authentication is enabled.

☐ Network port authentication is not enabled. (Default)

If you enable authentication, further options are available:

EAP type: Here, you can select the authentication procedure:

  • PEAP: Protected Extensible Authentication Protocol
  • TLS: Transport Layer Security with client certificate
  • TTLS: Tunneled Transport Layer Security
  • FAST: Flexible Authentication via Secure Tunneling

Anonymous identity: This identity is sent by authentication instead of the actual Identity. This prevents the disclosure of the actual identity of the user. The anonymous identity is relevant for any of the above-mentioned EAP types, except for "TLS".

Auth method: The following authentication methods are available:

  • MSCHAPV2: Microsoft Challenge Handshake Authentication Protocol
  • TLS: Transport Layer Security with client certificate
  • GTC: Generic Token Card
  • MD5: MD5-Challenge
  • PAP: Password Authentication Protocol

Validate server certificate

☑ The server’s certificate is checked cryptographically. (Default)

CA Root certificate: The path to the CA root certificate file. This can be in PEM or DER format.

Identity: User name for RADIUS

Password: Password for network access

If you leave the Identity and Password fields empty, an entry mask for authentication purposes will be shown. However, this does not apply to the methods with a client certificate (TLS and PEAP-TLS) where these details are mandatory.


The following settings are relevant if you have selected "TLS" as EAP type:

Manage certificates with SCEP (NDES)

☑ Client certificates will automatically be managed with SCEP.

☐ Client certificates will not be managed with SCEP. (Default)

Client certificate: Path to the file with the certificate for client authentication in the PEM (base64) or DER format.

If a private key in the PKCS#12 format is used, leave this field empty.

Private key: Path to the file with the private key for the client certificate. The file can be in the PEM (base64), DER, or PFX format. The Private key password may be required for access.

Identity: User name for network access

Private key password: Password for the Private key for the client certificate

The following setting is relevant if you have selected "FAST" as EAP type:

Automatic PAC provisioning: Specifies how the PAC (Protected Access Credential) is delivered to the client. 
Possible options:

  • "disabled": PAC files have to be transferred to the device manually, e.g. via UMS file transfer.
  • "unauthenticated":  An anonymous tunnel will be used for PAC provisioning. 
  • "authenticated": An authenticated tunnel will be used for PAC provisioning.
  • "unrestricted": Both authenticated and unauthenticated PAC provisioning is allowed. PAC files are automatically created after the first successful authentication.

PAC files are stored in /wfs/eap_fast_pacs/.

PAC file names are automatically derived from the Identity, but are coded. In the case of the manual PAC provisioning, you can determine the PAC file names with the following script: /bin/gen_pac_filename.sh

In tests with hostapd, it has been necessary to disable TLS 1.2. To do that, enter the following command for System > Registry > network.interfaces.ethernet.device%.ieee8021x.phase1_directtls_disable_tlsv1_2=1