14.8 802.1x Authentication

14.8.1 How to Configure and Enable 802.1x Authentication on a Sun Ray Client

The 802.1x authentication feature in the Sun Ray Client firmware is based on an Open Source project called wpa_supplicant, which is described at http://hostap.epitest.fi/wpa_supplicant/. With the 802.1x authentication feature, Sun Ray Clients can be configured to provide proper credentials to successfully authenticate and gain access to the local area network under 802.1x access control. Sun Ray Clients support the Extensible Authentication Protocol Modes: MD5, TLS, MSCHAPV2, PEAP, TTLS, GTC, and OTP.

wpa_supplicant supports the implementation of the WPA supplicant protocol for wireless authentication, which includes the 802.1x port authentication protocol. As a result, the configuration of 802.1x depends on the mechanisms and configuration file format provided by wpa_supplicant.


Although the WPA supplicant protocol is primarily targeted for wireless authentication, Sun Ray Clients do not currently supported wireless operation.

wpa_supplicant uses a main configuration file to configure the 802.1x authentication, along with a few secondary files containing certificates and public/private key pairs. The main configuration file used with the Sun Ray Software is named wired.conf. In order for wpa_supplicant to access the configuration files, you need to copy them to the Sun Ray Client firmware's security configuration repository by using file copy entries in a remote configuration file. See Table 14.3, “Remote Configuration File Key Values” for details.

The wired.conf file must be present on a Sun Ray Client in order to start the wpa_supplicant component and to attempt 802.1x authentication. The presence or absence of this configuration file is the primary mechanism used to enable or disable wpa_supplicant. The 802.1x Configuration menu item in the Configuration GUI enables you to manage the wired.conf file, which uses only a reduced set of configuration values required for various authentication modes of 802.1x. The configuration options are further refined depending on the particular Extended Authentication Protocol (EAP) mode selected. See Table 14.1, “Configuration GUI Main Menu Items” for details.

Currently, private keys cannot be generated on the Sun Ray Client itself, so you must generate the private keys and corresponding certificates by other means and provide them through the remote configuration file.

If you create and modify the wired.conf file outside of the Configuration GUI, make sure the appropriate fields are provided and the file is formatted correctly. The file must have the single network definition of ssid="wired" included. If the wired.conf file does not follow the expected format, wpa_supplicant will fail to operate correctly. See the contents of the wired.conf file in the following example.

14.8.1 How to Configure and Enable 802.1x Authentication on a Sun Ray Client

This procedure describes how to configure and enable 802.1x authentication on a Sun Ray Client. The steps include examples to set up an 802.1x authentication using the EAP-TLS mode of operation.


The configuration files listed in the procedure must be available in the same location as the remote configuration file, which is usually the firmware server defined in the local configuration.

  1. Create the configuration files for wpa_supplicant, including the main configuration file, wired.conf, and the secondary files containing certificates and public/private keys.

    For the list of valid wired.conf values, see the 802.1x Configuration menu descriptions in Table 14.1, “Configuration GUI Main Menu Items”.

    Here are some examples of secondary files and the wired.conf file.

    someca_cert.pem - a Certificate Authority root certificate from "someca"

    -----END CERTIFICATE-----

    sunray_key.pem - a RSA key pair for the Sun Ray Client

    -----END RSA PRIVATE KEY-----

    sunray_cert.pem - a client certificate for the Sun Ray Client RSA key, signed by "someca"

    -----END CERTIFICATE-----

    wired.conf - wpa_supplicant configuration file for 802.1x/EAP-TLS

  2. Create a remote configuration file with the needed file assignment entries, which will be used to copy the wpa_supplicant configuration files to the Sun Ray Client.

    Here is an example of a remote configuration file:


    The /wpa/wired.conf=wired.conf entry is required.

  3. Download the remote configuration file to a Sun Ray Client by choosing Advanced > Download Configuration in the Configuration GUI.

    Once the wired.conf file is loaded, 802.1x authentication is automatically enabled if the key_mgmt key is set to IEEE8021X.

  4. (Optional) Make changes to the wired.conf file by choosing 802.1x Configuration in the Configuration GUI.

  5. Plug the Sun Ray Client into a port that provides 802.1x authentication and test the authentication.

    See Section 16.14, “(20) 802.1x Authentication Icon” for information about possible error codes or status messages.