IEEE 802.1X Authentication Settings
This section describes how to set IEEE 802.1X authentication.
With IEEE 802.1X, a supplicant (here, the machine) must be authenticated by a RADIUS server before it is allowed onto the network. EAPOL (EAP over LAN) carries the authentication exchange between the supplicant and the authenticator (the LAN switch), which controls the terminal's network access based on the authentication result. Authentication information is managed centrally on the RADIUS (Remote Authentication Dial In User Service) server, which authenticates the supplicant. Unauthorized access is prevented because only supplicants authenticated by the RADIUS server are permitted to connect to the network through the authenticator; the authenticator blocks traffic from supplicants that have not been authenticated.
The machine supports the following authentication methods:
EAP-TLS (Extensible Authentication Protocol-Transport Level Security)
With the EAP-TLS method, authentication is mutual: a digital certificate is issued to both the client and the RADIUS server. The client certificate (with its key pair) sent from the machine is verified using the CA certificate on the RADIUS server, and the server certificate sent from the RADIUS server is verified using the CA certificate on the client (the machine). The CA certificate used to verify the server certificate must be registered on the machine. For information on installing the CA certificate file using the Remote UI, see "Installing a CA Certificate File." For instructions on registering the installed CA certificate file, see "Registering/Editing a CA Certificate File." In addition, the user login name to be authenticated by IEEE 802.1X, the key pair (in PKCS#12 format), and the client certificate must be set before EAP-TLS can be used with the machine. After installing the key pair file and client certificate file using the Remote UI (see "Installing a Key Pair File and Server Certificate"), set that key pair and client certificate as the default key for EAP-TLS from the control panel of the machine.
EAP-TTLS (EAP-Tunneled TLS)
With the EAP-TTLS method, only the RADIUS server presents a digital certificate. The server certificate sent from the RADIUS server is verified using the CA certificate on the client, so the CA certificate used to verify the server certificate must be registered on the machine. For information on installing the CA certificate file using the Remote UI, see "Installing a CA Certificate File." For instructions on registering the installed CA certificate file, see "Registering/Editing a CA Certificate File." In addition, the login user name to be authenticated by IEEE 802.1X and its password must be set before EAP-TTLS can be used with the machine.
EAP-TTLS on the machine supports two internal (inner) authentication protocols, of which one can be selected: MS-CHAPv2 (Microsoft Challenge Handshake Authentication Protocol Version 2) or PAP (Password Authentication Protocol). MS-CHAPv2 and PAP cannot both be set at the same time.
PEAP (Protected EAP)
With the PEAP method, only the RADIUS server presents a digital certificate. The server certificate sent from the RADIUS server is verified using the CA certificate on the client, so the CA certificate used to verify the server certificate must be registered on the machine. For information on installing the CA certificate file using the Remote UI, see "Installing a CA Certificate File." For instructions on registering the installed CA certificate file, see "Registering/Editing a CA Certificate File." In addition, the login user name to be authenticated by IEEE 802.1X and its password must be set before PEAP can be used with the machine.
The only internal authentication protocol supported by PEAP is MS-CHAPv2.
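All three methods depend on the CA certificate registered on the machine actually verifying the RADIUS server certificate, and EAP-TLS additionally depends on the PKCS#12 key pair matching the client certificate. As an added example (not from this manual and not the machine's own tooling), the following POSIX shell script uses openssl to build a throwaway CA, a RADIUS server certificate and a PKCS#12 client key pair, then runs the checks an administrator would want to pass before registering such files: the CA verifies the server certificate, the PKCS#12 private key matches its client certificate, and a certificate from an unrelated CA is rejected. The scratch directory, the names and the PKCS#12 password are constructed assumptions.

```shell
#!/bin/sh
# Added example (not part of the manual): use openssl to check certificate
# material before registering it on the machine. Every certificate created here
# is constructed throwaway test material, not a real RADIUS or machine certificate.
set -e

# Assumption: a scratch directory is acceptable; override with WORK=/path if not.
WORK="${WORK:-$(mktemp -d)}"
P12_PASS="changeit"   # constructed password for the throwaway PKCS#12 file

make_test_pki() {
  # Self-signed CA: plays the role of the "CA certificate" registered on the
  # machine (to verify the RADIUS server) and used by the RADIUS server to
  # verify the machine's client certificate.
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Test Lab CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null

  # RADIUS server certificate signed by that CA.
  openssl req -newkey rsa:2048 -nodes -subj "/CN=radius.lab.test" \
    -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 30 -out "$WORK/server.pem" 2>/dev/null

  # Client (machine) key pair and certificate, packed as PKCS#12 as EAP-TLS
  # on the machine requires.
  openssl req -newkey rsa:2048 -nodes -subj "/CN=printer-01" \
    -keyout "$WORK/client.key" -out "$WORK/client.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/client.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 30 -out "$WORK/client.pem" 2>/dev/null
  openssl pkcs12 -export -inkey "$WORK/client.key" -in "$WORK/client.pem" \
    -passout "pass:$P12_PASS" -out "$WORK/client.p12" 2>/dev/null
}

# Check 1: the CA certificate to be registered on the client really verifies
# the RADIUS server certificate (needed for EAP-TLS, EAP-TTLS and PEAP alike).
server_cert_verifies() {
  openssl verify -CAfile "$WORK/ca.pem" "$WORK/server.pem" >/dev/null 2>&1
}

# Check 2: the private key inside the PKCS#12 file belongs to the client
# certificate it carries; a mismatched pair only shows up as an EAP-TLS
# failure at connect time.
p12_key_matches_cert() {
  key_mod=$(openssl pkcs12 -in "$WORK/client.p12" -passin "pass:$P12_PASS" -nocerts -nodes 2>/dev/null \
            | openssl rsa -noout -modulus 2>/dev/null)
  cert_mod=$(openssl pkcs12 -in "$WORK/client.p12" -passin "pass:$P12_PASS" -nokeys -clcerts 2>/dev/null \
            | openssl x509 -noout -modulus 2>/dev/null)
  [ -n "$key_mod" ] && [ "$key_mod" = "$cert_mod" ]
}

# Check 3 (negative): a server certificate from an unrelated CA must NOT verify
# against the registered CA; this is what stops the machine from trusting an
# authenticator or RADIUS server that is not the intended one.
unrelated_server_cert_rejected() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Unrelated CA" \
    -keyout "$WORK/other.key" -out "$WORK/other.pem" 2>/dev/null
  ! openssl verify -CAfile "$WORK/ca.pem" "$WORK/other.pem" >/dev/null 2>&1
}

make_test_pki
server_cert_verifies           && echo "OK: server certificate chains to the registered CA"
p12_key_matches_cert           && echo "OK: PKCS#12 private key matches the client certificate"
unrelated_server_cert_rejected && echo "OK: certificate from an unrelated CA is rejected"
```

To check real files instead of the generated ones, point `WORK` at a directory containing your `ca.pem`, `server.pem` and `client.p12`, set `P12_PASS`, and call only the three check functions; the server certificate can be captured from the RADIUS server's administrator rather than from the network.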
IMPORTANT
You cannot set the EAP-TLS method and the EAP-TTLS/PEAP method at the same time.