used for authentication and accounting for various types of network access).
Cisco Secure Access Control Server (ACS) for Windows provides a
centralized identity networking solution and simplified user management
experience across all Cisco devices and security management applications.
Configuring for Transport Layer Security (TLS) Connections Over a LAN
The IEEE 802.1x standard allows a switch port to remain wired or enabled but not permit
traffic to traverse the switch until the identity of the client is confirmed. IEEE 802.1x is a
security feature. It defines the process of authenticating a wired or wireless client to allow
the client to communicate with the network. Wyse ThinOS supports IEEE 802.1x so that thin
clients can be authenticated before they access an Ethernet network. To enable this connection, you
must download certificates from a Certificate Authority (CA), and then install and configure
them for the thin client.
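Before the files are installed on a thin client, they can be checked on an administrator workstation. The script below is an added example, not part of the Wyse documentation. It assumes OpenSSL and PEM-encoded files, its function and file names are hypothetical, and it generates its own constructed sample certificates when run without arguments.

```shell
#!/bin/sh
# Added example: pre-import checks for EAP-TLS credentials (PEM files assumed).

# 0 if the private key ($2) belongs to the certificate ($1).
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    [ "$cert_pub" = "$key_pub" ]
}

# 0 if the certificate ($2) chains to the CA ($1) and is usable for TLS client auth.
chains_to_ca() {
    openssl verify -purpose sslclient -CAfile "$1" "$2" >/dev/null 2>&1
}

# 0 if the certificate ($1) is still valid $2 days from now.
valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}

# Constructed sample data: throwaway CA, a client cert it signed, an unrelated key.
make_samples() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=Constructed Test CA" \
        -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null &&
    openssl req -newkey rsa:2048 -nodes -subj "/CN=constructed-thin-client" \
        -keyout "$1/client.key" -out "$1/client.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/client.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" \
        -CAcreateserial -days 90 -out "$1/client.pem" 2>/dev/null &&
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$1/other.key" 2>/dev/null
}

# usage: check_bundle ca.pem client.pem client.key
check_bundle() {
    key_matches_cert "$2" "$3" || { echo "FAIL: key does not match certificate"; return 1; }
    chains_to_ca "$1" "$2" || { echo "FAIL: certificate does not chain to CA"; return 1; }
    valid_for_days "$2" 30 || { echo "FAIL: certificate expires within 30 days"; return 1; }
    echo "OK"
}

if [ "$#" -eq 3 ]; then
    check_bundle "$@"
else
    tmp=$(mktemp -d) && make_samples "$tmp" &&
        check_bundle "$tmp/ca.pem" "$tmp/client.pem" "$tmp/client.key"
fi
```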
To configure the authentication options:
1. Open the Network Setup dialog box (click the desktop to open the menu, select
System Setup, and then click Network).
2. Click the Authentication tab.
3. Select either the Wire or Wireless Authentication Mode option (Wire is the default).
4. Select the Enable IEEE802.1x Authentication check box.
5. In the EAP Type drop-down list, select an Extensible Authentication Protocol option
(either TLS, LEAP, or PEAP).
In Wire mode, only the TLS EAP type is available; in Wireless mode, the
TLS, LEAP, and PEAP EAP types are available.
6. Use the following guidelines to configure the EAP Type option you selected:
• TLS - If you select the TLS option, click Properties to open and configure the
Authentication Properties dialog box (you can use Browse to find and select the
Client Certificate file and Private Key file you want). Note that the CA certificate
must be installed in the device.
• LEAP - If you select the LEAP option, click Properties to open and configure the
Authentication Properties dialog box (be sure to use the correct Username and
Password for authentication). Note that the maximum length for the username or
the password is 64 characters.
• PEAP - If you select the PEAP option, click Properties to open and configure the
Authentication Properties dialog box (be sure to select either EAP_GTC or
EAP_MSCHAPv2, and then use the correct Username, Password, and Domain, if
necessary, for authentication). To configure EAP-GTC, enter the username only;
the password or PIN is requested during authentication. To configure
EAP-MSCHAPv2, enter the username, password, and domain (domain\username
in the username box is supported, but you must leave the domain box blank). Note
that the CA certificate must be installed in the device (the server certificate is forced
to be validated).
7. In the Network Setup dialog box, select an Import From option (either USB Key - the
default - or File Server) to configure where a user can import a new certificate, click
Import, and then use the following guidelines to configure the option you selected:
• USB Key: Select a certificate and click OK to import it to local memory.
• File Server: Enter the path to the certificate, and then enter a username and