Configuring 802.1x

EAP Settings

Different configurations are required based upon which database user credentials are being checked against.

Active Directory or Genians Local Directory (Internal Database)

  1. Go to Preferences in the top panel
  2. Go to Service > RADIUS Server in the left panel
  3. Under Authentication Server
  4. Under EAP Authentication > Default EAP-PEAP, Select MSCHAPv2
  5. Click Update

Note

If EAP is disabled, NTLM Auth PAP will be used by default.

LDAP (or other legacy directory)

  1. Go to Preferences in the top panel
  2. Go to Service > RADIUS Server in the left panel
  3. Under Authentication Server
  4. Under EAP Authentication > Default EAP-PEAP, Select EAP-GTC
  5. Click Update

Note

The above LDAP authentication configuration requires the Genian NAC agent on the endpoint as native support for GTC is typically not available in supplicants by default.

EAP-TLS

When you use EAP with a strong EAP type, such as TLS with smart cards or TLS with certificates, both the client and the server use certificates to verify their identities to each other.

  1. Go to Preferences in the top panel

  2. Go to Service > RADIUS Server in the left panel

  3. Under Authentication Server

  4. Under EAP Authentication > EAP-TLS, Select On

    1. Click Upload button to the right of the CA Certificate to upload the certificate of the CA.
    2. Click + button on CA certificate window, Select the certification file of the CA.
    3. CACert Information allows you to check the information of the saved CACert.
  5. Click CreateServerCertificate button to the right of the Server Certificate

    1. Input the Common Name like nac.genians.com, The fully qualified domain name (FQDN) of your server or IP of the server. This must match exactly what you type in your web browser or you will receive a name mismatch error.
    2. Input the country code as Country like US, The two-letter ISO code for the country
    3. Input the name of organization as Organization like Genians Inc.
    4. Input the Email as Email like admin@genians.com, An email address used to contact your organization.
    5. Click Generate CSR
    6. Copy All text in the box to the right of the Certificate Signing Request
    7. Send a request to the CA server, issue a server certificate, open a BASE64 encoded file, and copy and paste the text in the box to the right of the Certificate
    8. Click Register
    9. ServerCert Information allows you to check the information of the saved ServerCert.
  6. Input Certificate Revocation List point as CRL distribution point, If you do not verify the CRL, you do not need to enter it.

  7. Input Online Certificate Status Protocol Responder URL as OCSP Responder URL, If you do not use OCSP, you do not need to enter it.

  8. Click Update

Note

To use EAP-TLS, the user must also obtain a certificate from the same CA server or trusted CA server that issued the certificate to the server.

Attention

Issuance, revocation and management of server certificates and user certificates are managed through an external CA server.