Setting | Default | AWI | OSD | Management Console
---|---|---|---|---
Enable 802.1X security | | | |
Identity | | | |
Authentication | TLS (this is the only available setting) | | |
Client Certificate | | | |
Enable 802.1X Support for Legacy Switches | | | |
This section describes the components you need to configure 802.1X authentication, and the detailed steps you need to follow to configure the authentication. The instructions in this topic were carried out on a Microsoft Windows Server 2019 Datacenter. If you are performing these instructions on a different version of Windows Server, or on another OS, consult your server documentation for any differences in procedure.
Preparing for 802.1X Configuration
The supported 802.1X configuration has the PCoIP Zero Client pre-populated with a proper certificate. It then connects, presents the certificate to the 802.1X switch, and is authenticated. PCoIP Zero Clients will also connect under a different configuration of the switch which has the MAC addresses of authorized endpoints stored in its configuration.
Using certificates to sign other certificates
If a certificate is used to sign another certificate, it must have the digitalSignature key usage field enabled.
Before you begin the configuration process, make sure you have these components:
- Tera2 PCoIP Zero Client with firmware 5.x or newer
- PCoIP Management Console 2 or newer
- Windows Server 2019 with AD DS (Active Directory Domain Services)
- Windows Server 2019 with AD CS (Active Directory Certificate Services)
- Windows Server 2019 with NPS (Network Policy and Access Services)
- A switch with 802.1X support configured
Configuring Devices for 802.1X Authentication
To configure 802.1X device authentication, complete the following steps:
- Create a 802.1X Client User.
- Export the Root CA Certificate.
- Create a Certificate Template for 802.1X Client Authentication.
- Issue the 802.1X Client Certificate.
- Export the 802.1X Client Certificate.
- Convert the Certificate Format from .pfx to .pem.
- Import the 802.1X Client Certificate into the Client User Account.
- Import the Certificates to the 802.1X Client Device.
The following sections assume you are using Windows Server 2019 Datacenter
The instructions in the following sections are based on Windows Server 2019 Datacenter. If you are using a newer version of Windows Server, the steps may vary slightly.
Create a 802.1X Client User
In the Windows server, create a 802.1X client user.
To create a 802.1X client user:
- Log in to the Windows server.
- Click Start > Windows Administrative Tools > Active Directory Users and Computers.
- Navigate to Roles > Active Directory Domain Services > Active Directory Users and Computers > <your_domain.local> > Users.
- Right-click Users, select New > User, and follow the wizard.
(Example: Create a user called pcoip_endpoint which would have a UPN name of pcoip_endpoint@<mydomain.local>)
Export the Root CA Certificate
In the Certificate Authority (CA) server, export the root CA certificate.
To export the root CA certificate:
- Log in to the Certificate Authority (CA) server.
- Open a Microsoft Management Console window (for example, enter mmc.exe in the Start menu search field).
- From the console window, select File > Add/Remove Snap-in.
- Add the Certificates snap-in, selecting Computer account and then Local computer.
- Click OK to close the Add or Remove Snap-ins dialog.
- From the console, select Certificates (Local Computer) > Trusted Root Certification Authorities > Certificates.
- In the right panel, right-click the certificate, and select All Tasks > Export.
- Follow the wizard to export the certificate:
- Select Base-64 encoded X.509 (.CER) and click Next.
- Click Browse, specify a name and location for the certificate, and then click Save.
- Click Finish, and then click OK.
Create a Certificate Template for 802.1X Client Authentication
In the CA Server, create a certificate template for client authentication.
To create a certificate template for client authentication:
- From the CA Server, click Start > Administrative Tools > Certification Authority.
- Expand the tree for your CA.
- Right-click Certificate Templates, and then click Manage.
- Right-click the Computer template, and then click Duplicate Template.
- Configure the template as follows:
  - From the Compatibility tab, select Windows Server 2003.
  - From the Extensions tab, ensure that Digital signature is included in the certificate Key Usage.
  - From the General tab, enter a name for the template (for example, PCoIP Endpoint 802.1X) and change the validity period to match the organization’s security policy.
  - From the Request Handling tab, select Allow private key to be exported.
  - From the Subject Name tab, select Supply in the request and then click OK.
  - From the Security tab, select the user who will be requesting the certificate, and give Enroll permission to this user.
- Click OK and close the Certificate Templates Console window.
- From the Certification Authority window, right-click Certificate Templates, select New, and then click Certificate Template to Issue.
- Select the certificate template you just created (that is, PCoIP Endpoint 802.1X), and then click OK. The template now appears in the Certificate Templates list.
- Close the window.
Issue the 802.1X Client Certificate
From the CA Web Enrollment interface for the certificate server, issue the client certificate.
To issue the 802.1X client certificate:
Use Internet Explorer to log in to certificate server
Do not use any other browser except Internet Explorer to log into the certificate server or some options may not appear.
- Using Internet Explorer on your local machine, go to your Certificate Authority URL using the format https://<server>/certsrv/ (for example, https://ca.domain.local/certsrv/).
- Click Request a certificate and then click advanced certificate request.
- Click Create and submit a request to this CA.
- From the pop-up window, click Yes.
- Fill out the Advanced Certificate Request form as follows:
  - In the Certificate Template section, select the certificate template for clients (for example, PCoIP Endpoint 802.1X).
  - In the Identifying Information for Offline Template section, enter the account name in the Name field. The other fields are not required.
    Enter the same name as the universal principal name of the client user
    The name you enter in the Name field must be the universal principal name (UPN) of the client user you created in Create a 802.1X Client User (for example, pcoip_endpoint@mydomain.local).
  - In the Key Options section, check Mark keys as exportable.
  - In the Additional Options section, set the Request Format to PKCS10.
  - If desired, enter a name in the Friendly Name field.
- Click Submit.
- From the Certificate Issued window, click the Install this certificate link. (This saves the certificate in the Current User > Personal store.)
Export the 802.1X Client Certificate
From the machine on which you issued the certificate, export the client certificate.
To export the client certificate:
1. From the machine on which you issued the certificate, open a Microsoft Management Console window (for example, enter mmc.exe in the Start menu search field).
2. From the console window, select File > Add/Remove Snap-in.
3. Add the Certificates snap-in, selecting My user account.
4. Click Finish, and then click OK to close the Add or Remove Snap-ins dialog.
5. Select Certificates - Current User > Personal > Certificates.
6. In the right panel, right-click the certificate, and select All Tasks > Export.
7. Follow the Certificate Export wizard to export the certificate, clicking Next after each step:
   - Click Yes, export the private key.
   - Select Personal Information Exchange - PKCS #12 (.PFX).
   - Enter a password for the certificate.
   - Click Browse, specify a name and location for the certificate, and then click Save.
   - Click Next, Finish, and then click OK.
8. Repeat steps 5 to 7 to export the PCoIP endpoint certificate again, but this time without the private key (No, do not export the private key), selecting the DER encoded binary X.509 (.CER) format instead of the PKCS format.
9. Save this .cer file to a location where it can be accessed by the Domain Controller and imported into Active Directory.
Convert the Certificate Format from .pfx to .pem
Using OpenSSL, convert the certificate format from .pfx to .pem.
To convert the certificate format from .pfx to .pem:
- Download and install Windows OpenSSL from https://www.slproweb.com/products/Win32OpenSSL.html. (The light version is sufficient.)
- Copy the .pfx client certificate file you saved above to the C:\OpenSSL-Win32\bin directory.
- Open a command prompt window in C:\OpenSSL-Win32\bin, and enter the following command to convert the certificate format from .pfx to .pem, where <client_cert> is the name of the .pfx certificate file you saved to your local machine:
  openssl.exe pkcs12 -in <client_cert>.pfx -out <client_cert>.pem -nodes
- When prompted, enter the password for the certificate file.
- At the command prompt, enter the following command to create an RSA private key file, where <client_cert> is the name of the .pem certificate file you created in the previous step:
  openssl.exe rsa -in <client_cert>.pem -out <client_cert>_rsa.pem
  The -nodes option writes the private key unencrypted, so both .pem files contain the key in the clear; keep them in a protected location and delete them once the certificate has been uploaded to the endpoint.
- In Notepad, open both the original .pem file and the RSA .pem file you just created. The RSA .pem file contains only an RSA private key. Because the PCoIP Endpoint certificate requires its private key in RSA format, you need to replace its private key with this RSA private key.
- Copy the entire contents of the RSA .pem file (everything from -----BEGIN RSA PRIVATE KEY----- to -----END RSA PRIVATE KEY-----, including the dashes), and paste it into the original .pem file, replacing its private key with this RSA private key. In other words, make sure that all the text from -----BEGIN PRIVATE KEY----- to -----END PRIVATE KEY----- (including the dashes) in the original .pem file is replaced with the text from -----BEGIN RSA PRIVATE KEY----- to -----END RSA PRIVATE KEY----- (including the dashes) from the RSA .pem file.
- Save the original .pem file and close it. The certificate is now ready to be uploaded to the PCoIP Endpoint.
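As an added example (not part of Teradici's documentation), the following Python script does what the openssl rsa command and the Notepad step above do together: it unwraps the PKCS#8 PRIVATE KEY block that openssl pkcs12 -nodes writes into the PKCS#1 RSA PRIVATE KEY block that openssl rsa produces, and splices it into the .pem text in place of the original block, leaving the certificate block and the Bag Attributes lines untouched. The file names on the command line are assumptions, and it goes slightly beyond the page by refusing input that has zero or several private-key blocks.

```python
"""Replace the PKCS#8 'PRIVATE KEY' block in the OpenSSL -nodes output with a
PKCS#1 'RSA PRIVATE KEY' block, as the Notepad step does. Added example, not
Teradici's code; uses only the Python standard library."""
import base64
import re
import sys

# One PEM block: label, base64 body (newlines allowed), then the matching END line.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.S)
RSA_OID = bytes.fromhex("2a864886f70d010101")  # id-rsaEncryption 1.2.840.113549.1.1.1


def der_tlv(buf, pos):
    """Read one DER tag-length-value at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits say how many length bytes follow
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def pkcs8_to_pkcs1(pkcs8_der):
    """Unwrap PrivateKeyInfo ::= SEQUENCE { version, AlgorithmIdentifier, OCTET STRING }.
    The OCTET STRING content is the RSAPrivateKey DER that 'openssl rsa' writes out."""
    tag, body, _ = der_tlv(pkcs8_der, 0)
    if tag != 0x30:
        raise ValueError("PrivateKeyInfo must start with a SEQUENCE")
    _, _version, pos = der_tlv(body, 0)          # INTEGER version
    _, alg_id, pos = der_tlv(body, pos)          # SEQUENCE AlgorithmIdentifier
    _, oid, _ = der_tlv(alg_id, 0)               # OBJECT IDENTIFIER
    if oid != RSA_OID:
        raise ValueError("key algorithm is not rsaEncryption; 'openssl rsa' would fail too")
    tag, rsa_key, _ = der_tlv(body, pos)         # OCTET STRING privateKey
    if tag != 0x04:
        raise ValueError("expected OCTET STRING holding the RSAPrivateKey")
    return rsa_key


def to_pem(label, der):
    """Encode DER bytes as a PEM block with 64-character lines."""
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return f"-----BEGIN {label}-----\n" + "\n".join(lines) + f"\n-----END {label}-----\n"


def pem_blocks(text):
    """Return [(label, der_bytes), ...] for every PEM block in text."""
    return [(m.group(1), base64.b64decode(m.group(2))) for m in PEM_BLOCK.finditer(text)]


def convert_endpoint_pem(text):
    """Splice an RSA PRIVATE KEY block over the single PRIVATE KEY block; keep all other
    text (certificate block, Bag Attributes lines) exactly as openssl wrote it."""
    hits = [m for m in PEM_BLOCK.finditer(text) if m.group(1) == "PRIVATE KEY"]
    if len(hits) != 1:
        raise ValueError(f"expected exactly one PRIVATE KEY block, found {len(hits)}")
    m = hits[0]
    rsa_pem = to_pem("RSA PRIVATE KEY", pkcs8_to_pkcs1(base64.b64decode(m.group(2))))
    return text[:m.start()] + rsa_pem.rstrip("\n") + text[m.end():]


if __name__ == "__main__":  # assumed usage: python convert_pem.py client_cert.pem client_cert_rsa.pem
    with open(sys.argv[1]) as f:
        converted = convert_endpoint_pem(f.read())
    with open(sys.argv[2], "w") as f:
        f.write(converted)
```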
Import the 802.1X Client Certificate into the Client User Account
In the Windows Domain Controller, import the client certificate into the client user account.
To import the 802.1X client certificate into the client user account:
- Log in to the Windows Domain Controller.
- Click Start > Administrative Tools > Active Directory Users and Computers.
- From the View menu, select Advanced Features.
- Navigate to the user you created for the PCoIP Endpoint.
- Right-click the user, and select Name Mappings.
- In the X.509 Certificates section, click Add.
- Locate and select the PCoIP Endpoint certificate you exported that does not contain the private key. (This file was saved to a network location in step 9 of Export the 802.1X Client Certificate.)
- Make sure both identity boxes are selected and click OK, and then click OK again.
Import the Certificates to the 802.1X Client Device
From the PCoIP endpoint’s AWI, import the certificates.
To import the certificates into a profile using the PCoIP Management Console, see the PCoIP® Management Console Administrators’ Guide.
To import the certificates to a device using the AWI:
- From a browser, log into the AWI for the PCoIP Endpoint.
- From the AWI, select Upload > Certificate.
- Upload both the Root CA certificate and the certificate with the private key, using the Browse button to locate each certificate and the Upload button to upload them.
- From the OSD or AWI, select Configuration > Network.
- Select Enable 802.1X Security.
- Click Choose beside the Client Certificate field.
- Select the certificate with the private key, and then click Select.
- Enter the identity name of the certificate. Typically, this is the universal principal name (UPN) that appears after Subject: (for example, pcoip_endpoint@mydomain.local).
  Windows server may be configured to use the certificate’s Subject, the Subject Alternative Name, or another field
  For the identity name, your Windows server may be configured to use the certificate’s Subject, the Subject Alternative Name, or another field. Check with your administrator.
- To enable greater 802.1X compatibility with older switches on the network, select Enable 802.1X Support for Legacy Switches. This setting is only available from the PCoIP endpoint's AWI Network page.
- Click Apply, and then click Reset.
Getting more information about 802.1X
For more information about 802.1X, see the following Knowledge Base articles, available from the Support Center:
- Do PCoIP Zero Clients and PCoIP Remote Workstation Cards support network authentication or 802.1X? (KB 1357)
- How to set up Windows Server 2008 R2 as an 802.1X Authentication Server (KB 1336)
- PCoIP Troubleshooting Steps: IEEE 802.1X Network Authentication (KB 1088)
To disable 802.1X authentication on your endpoint:
Disabling 802.1X requires the deselection of the Enable 802.1X Security option in the AWI Configuration > Network page. It is also recommended that you remove all 802.1X certificates from the endpoint certificate store.
- Using the AWI, browse to Configuration > Network.
- De-select Enable 802.1X Security.
- Browse to Upload > Certificate.
- Select the Remove button beside all 802.1X certificates.
- Click on the Apply button.