platIEEE8021X-IEEE8021XDaemonSessionPlugin

In Niagara 4.8 and later, the IEEE 802.1X Configuration view is the main view for configuring a JACE-8000 or Edge device for communications on a 802.1X protected network. This view is available from the platIEEE8021X module.

Figure 5. Access IEEE 802.1X Configuration view from Nav Tree or Nav Container View

NOTE: If platIEEE8021X (-rt, -wb) modules are installed on the supplicant device, you can also access a read-only view of the IEEE 802.1X settings and connection status in the Nav Tree under the station’s PlatformServices node, as shown here.

The IEEE 802.1X settings are configured in the Workbench environment on the platform’s primary adapter via the IEEE 802.1X Configuration view. You can access the view from the platform’s Nav Container View or from a node in the Nav tree.

Figure 6. IEEE 802.1X Configuration view

About authentication methods

IEEE 802.1X uses Extensible Authentication Protocol (EAP) to provide security. The available EAP authentication methods are:

EAP-TLS is certificate-based and mutual authentication of client-to-server and server-to-client. It relies on client-side and server-side certificates to perform authentication.
Tunneled TLS provides for certificate-based, mutual authentication of the client and server through an encrypted channel (or tunnel); a means to derive dynamic, per-user, per-session WEP keys; and requires only server-side certificates.
Protected EAP (PEAP) provides a method to transport secure authentication data using tunneling between PEAP clients and an authentication server.

802.1X properties for device’s primary adapter

Name	Value	Description
Use 802.1X Security	Yes, No (default)	Enables/disables use of this feature. Indicates whether IEEE 802.1X is being used on the platform
Status	Disabled (default), Authorized, Unauthorized, Unknown, Unlicensed	Read only value, indicates current network connection status.
Authentication	TLS (default), Tunneled TLS, Protected EAP	Choose the EAP method required by the network.
Use Fast Reauthentication	Yes (default), No	By default, fast re-authentication is enabled for all EAP methods that support it. This variable can be used to disable fast re-authentication. Normally, disabling this is only necessary if your network infrastructure (RADIUS) does not support Fast Re-authentication.
Identity	string	Identity string for EAP. This is indicated during client certificate creation. It can be obtained from the local IT network administrator.
User Certificate		Select the client certificate alias for the EAP. The certificate should be in PEM format with a `.pem` file extension. The client certificate (with private key password if the certificate uses one) for each device, obtained from the local IT network administrator, is required. This field is populated with certificates available in the platform’s Certificate Manager User Key Store.
CA Certificate		Select the Certificate Authority (CA) certificate alias to be used for the EAP. This certificate should be in PEM format with a `.pem` file extension. This required cert is the CA certificate provided by the network administrator. This field is populated with certificates available in the platform’s Certificate Manager User Trust Store.

Additional properties for the Tunneled TLS and Protected EAP authentication methods

Name	Value	Description
Anonymous Identity	string	This is the string for EAP (to be used as the unencrypted identity with EAP types that support different tunnelled identity, e.g., EAP-TTLS)
Tunnel CA Certificate		This is used in inner authentication with TLS tunnel when using EAP-TTLS or EAP-PEAP. This CA certificate is required. There can be one or more trusted CA certificates.
Inner Authentication	TLS (default), MSCHAPv2, EAP-MSCHAPv2	The specified authentication scheme to be used “inside” the tunnel for schemes like PEAP and Tunneled TLS.