Configuring 802.1x
==================

EAP Settings
------------

The required settings depend on which directory the user credentials are
checked against.

Active Directory or Genians Local Directory (Internal Database)
'''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''

#. Go to **Preferences** in the top panel
#. Go to **Service > RADIUS Server** in the left panel
#. Under **Authentication Server**
#. Under **EAP Authentication > Default EAP-PEAP**, select **MSCHAPv2**
#. Click **Update**

.. note:: If EAP is disabled, NTLM Auth PAP will be used by default.

LDAP (or other legacy directory)
''''''''''''''''''''''''''''''''

#. Go to **Preferences** in the top panel
#. Go to **Service > RADIUS Server** in the left panel
#. Under **Authentication Server**
#. Under **EAP Authentication > Default EAP-PEAP**, select **EAP-GTC**
#. Click **Update**

.. note:: The LDAP authentication configuration above requires the Genian NAC
   agent on the endpoint, because most supplicants do not support EAP-GTC
   natively.

EAP-TLS
'''''''

When you use EAP with a strong EAP type, such as TLS with smart cards or TLS
with certificates, both the client and the server present certificates to
verify their identities to each other.

#. Go to **Preferences** in the top panel
#. Go to **Service > RADIUS Server** in the left panel
#. Under **Authentication Server**
#. Under **EAP Authentication > EAP-TLS**, select **On**

   #. Click the **Upload** button to the right of **CA Certificate** to upload
      the certificate of the CA.
   #. Click the **+** button in the CA certificate window and select the
      certificate file of the CA.
   #. **CACert Information** lets you check the details of the saved CACert.

#. Click the **CreateServerCertificate** button to the right of **Server
   Certificate**

   #. Enter the **Common Name**, for example ``nac.genians.com``: the fully
      qualified domain name (FQDN) or the IP address of your server. This must
      match exactly what you type in your web browser, or you will receive a
      name mismatch error.
   #. Enter the country code as **Country**, for example ``US``: the
      two-letter ISO code for the country.
   #. Enter the name of your organization as **Organization**, for example
      ``Genians Inc.``
   #. Enter the **Email**, for example ``admin@genians.com``: an email address
      used to contact your organization.
   #. Click **Generate CSR**
   #. Copy all of the text in the box to the right of **Certificate Signing
      Request**
   #. Submit the request to the CA server and have it issue the server
      certificate. Open the issued certificate as a BASE64-encoded file and
      paste its text into the box to the right of **Certificate**
   #. Click **Register**
   #. **ServerCert Information** lets you check the details of the saved
      ServerCert.

#. Enter the Certificate Revocation List location as **CRL distribution
   point**. If you do not verify certificates against the CRL, you do not need
   to enter it.
#. Enter the Online Certificate Status Protocol responder URL as **OCSP
   Responder URL**. If you do not use OCSP, you do not need to enter it.
#. Click **Update**

.. note:: To use EAP-TLS, the user must also obtain a certificate from the same
   CA server, or from a trusted CA server, that issued the certificate to the
   server.

.. attention:: Issuance, revocation and management of server and user
   certificates are handled by an external CA server.


.. toctree::
    :maxdepth: 1

    radius-cisco