The 802.1x authentication feature in the Sun Ray Client firmware is based on an Open Source project called wpa_supplicant, which is described at http://hostap.epitest.fi/wpa_supplicant/. With the 802.1x authentication feature, Sun Ray Clients can be configured to provide proper credentials to successfully authenticate and gain access to the local area network under 802.1x access control. Sun Ray Clients support the Extensible Authentication Protocol Modes: MD5, TLS, MSCHAPV2, PEAP, TTLS, GTC, and OTP.
wpa_supplicant supports the implementation of the WPA supplicant protocol for wireless authentication, which includes the 802.1x port authentication protocol. As a result, the configuration of 802.1x depends on the mechanisms and configuration file format provided by wpa_supplicant.
Although the WPA supplicant protocol is primarily targeted for wireless authentication, Sun Ray Clients do not currently support wireless operation.
wpa_supplicant uses a main configuration file to configure the 802.1x authentication, along with a few secondary files containing certificates and public/private key pairs. The main configuration file used with the Sun Ray Software is named wired.conf. In order for wpa_supplicant to access the configuration files, you need to copy them to the Sun Ray Client firmware's Trivial File System by using file copy entries in a remote configuration file. See Table 14.3, “Remote Configuration File Key Values” for details.
The wired.conf file must be present on a Sun Ray Client in order to start the wpa_supplicant component and to attempt 802.1x authentication. The presence or absence of this configuration file is the primary mechanism used to enable or disable wpa_supplicant. The 802.1x Configuration menu item in the Configuration GUI enables you to manage the wired.conf file, which uses only a reduced set of configuration values required for various authentication modes of 802.1x. The configuration options are further refined depending on the particular Extensible Authentication Protocol (EAP) mode selected. See Table 14.1, “Configuration GUI Main Menu Items” for details.
Currently, private keys cannot be generated on the Sun Ray Client itself, so you must generate the private keys and corresponding certificates by other means and provide them through the remote configuration file.
If you create and modify the wired.conf file outside of the Configuration GUI, make sure the appropriate fields are provided and the file is formatted correctly. The file must have the single network definition of ssid="wired" included. If the wired.conf file does not follow the expected format, wpa_supplicant will fail to operate correctly. See the contents of the wired.conf file in the following example.
This procedure describes how to configure and enable 802.1x authentication on a Sun Ray Client. The steps include examples to set up an 802.1x authentication using the EAP-TLS mode of operation.
The configuration files listed in the procedure must be available in the same location as the remote configuration file, which is usually the firmware server defined in the local configuration.
Create the configuration files for wpa_supplicant, including the main configuration file, wired.conf, and the secondary files containing certificates and public/private keys.
For the list of valid wired.conf values, see the 802.1x Configuration menu descriptions in Table 14.1, “Configuration GUI Main Menu Items”.
Here are some examples of secondary files and the wired.conf file.
someca_cert.pem - a Certificate Authority root certificate from "someca"
-----BEGIN CERTIFICATE----- MIID3DCCA0WgAwIBAgIBADANBgkqhkiG9w0BAQUFADCB0zETMBEGCgmSJomT8ixk ARkWA2NvbTETMBEGCgmSJomT8ixkARkWA3N1bjEVMBMGCgmSJomT8ixkARkWBXNm .... CkS0he0fm5xVRd6D+nQQAbUkFy0MZO39QjXbopBxaY5Vm5hg2U+O0JJ5UHQXGGMk sxyGuzhrnu09oYF7Zje1BlO2fGhC/JrSJhKFQtgqNBQ= -----END CERTIFICATE-----
sunray_key.pem - an RSA key pair for the Sun Ray Client
-----BEGIN RSA PRIVATE KEY----- MIICXAIBAAKBgQCvGwBJjv/Uzp81QAd9B9uqehZqmS9BVA9xcfJtNf6Feou3FnKE 8tHcCISAXFdujYZSqhzcInzn/ZWnKk2cRQl8//IupuMcwPi10QebBmXhxfrTTW5L .... FEmkooUWFa6mUpAcpQJBANCe64twQ3RjNfIc3n4LpCEPgw7y5pgk8xmKIDiSZ/+U XwJQ4gpzmsakaZWBEcdxrJWkK6chvcFcwcfAN7rkOBc= -----END RSA PRIVATE KEY-----
sunray_cert.pem - a client certificate for the Sun Ray Client RSA key, signed by "someca"
-----BEGIN CERTIFICATE----- MIIE+TCCBGKgAwIBAgIBCTANBgkqhkiG9w0BAQUFADCB0zETMBEGCgmSJomT8ixk ARkWA2NvbTETMBEGCgmSJomT8ixkARkWA3N1bjEVMBMGCgmSJomT8ixkARkWBXNm .... vv7TQOtlSlwPessnDJOFJ+oYoAMbc3f8bmvVOMvqQ98zZGdJ/VDK+siFJKeTpkoL ocRIJUFegNu4W0+pvgPY/ZBsbUchBA2rpdhwWnc= -----END CERTIFICATE-----
wired.conf - wpa_supplicant configuration file for 802.1x/EAP-TLS
network={
    ssid="wired"
    key_mgmt=IEEE8021X
    eap=TLS
    ca_cert="/certs/someca.pem"
    identity="john.doe@oracle.com"
    private_key="/keys/sunray.pem"
    client_cert="/certs/sunray.pem"
}
Create a remote configuration file with the needed file assignment entries, which will be used to copy the wpa_supplicant configuration files to the Sun Ray Client.
Here is an example of a remote configuration file:
/certs/someca.pem=someca_cert.pem
/keys/sunray.pem=sunray_key.pem
/certs/sunray.pem=sunray_cert.pem
/wpa/wired.conf=wired.conf
The /wpa/wired.conf=wired.conf entry is required.
Download the remote configuration file to a Sun Ray Client by choosing Advanced->Download Configuration in the Configuration GUI.
Once the wired.conf file is loaded, 802.1x authentication is automatically enabled if the key_mgmt key is set to IEEE8021X.
(Optional) Make changes to the wired.conf file by choosing 802.1x Configuration in the Configuration GUI.
Plug the Sun Ray Client into a port that provides 802.1x authentication and test the authentication.
See Section 16.12, “(20) 802.1x Authentication Icon” for information about possible error codes or status messages.
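The following pre-deployment check is an added example, not part of the Sun Ray documentation or firmware. It verifies the requirements stated in this procedure: a single network block with ssid="wired", key_mgmt set to IEEE8021X, the /wpa/wired.conf copy entry, and a file copy entry for every certificate and key path that wired.conf references. The function names are hypothetical, the sample inputs are constructed from the EAP-TLS example above, and treating every line that starts with "/" as a file copy entry is an assumption.

```python
import re

# Constructed sample inputs mirroring the EAP-TLS example in the procedure.
WIRED_CONF = '''network={
    ssid="wired"
    key_mgmt=IEEE8021X
    eap=TLS
    ca_cert="/certs/someca.pem"
    identity="john.doe@oracle.com"
    private_key="/keys/sunray.pem"
    client_cert="/certs/sunray.pem"
}
'''
REMOTE_CONF = '''/certs/someca.pem=someca_cert.pem
/keys/sunray.pem=sunray_key.pem
/certs/sunray.pem=sunray_cert.pem
/wpa/wired.conf=wired.conf
'''
FILE_KEYS = ("ca_cert", "private_key", "client_cert")

def parse_network_blocks(text):
    """Return one dict of key/value pairs per network={...} block."""
    bodies = re.findall(r"network\s*=\s*\{(.*?)\}", text, re.S)
    return [{k: v.strip('"') for k, v in re.findall(r"^\s*(\w+)\s*=\s*(.+?)\s*$", b, re.M)}
            for b in bodies]

def parse_copy_entries(text):
    """Map client-side path -> source file name (assumes entries start with '/')."""
    lines = (l.strip() for l in text.splitlines())
    return dict(l.split("=", 1) for l in lines if l.startswith("/") and "=" in l)

def check(wired_conf, remote_conf):
    """Return a list of problems; an empty list means the pair is consistent."""
    blocks = parse_network_blocks(wired_conf)
    copies = parse_copy_entries(remote_conf)
    if len(blocks) != 1:
        return [f"expected exactly one network block, found {len(blocks)}"]
    net, problems = blocks[0], []
    if net.get("ssid") != "wired":
        problems.append('network block must contain ssid="wired"')
    if net.get("key_mgmt") != "IEEE8021X":
        problems.append("key_mgmt is not set to IEEE8021X")
    if "/wpa/wired.conf" not in copies:
        problems.append("remote configuration lacks the /wpa/wired.conf entry")
    for key in FILE_KEYS:  # every referenced cert/key must be copied to the client
        if key in net and net[key] not in copies:
            problems.append(f"{key} path {net[key]} has no file copy entry")
    return problems
```

Run check() against the files staged on the firmware server before choosing Advanced->Download Configuration; a missing private key copy entry or a mistyped path is reported here rather than as a failed authentication at the switch port.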