
April 7th, 2016 15:00

WYSE Thin Clients + 802.1x

We are moving towards authenticated network access at the port level and will be using Microsoft's Network Policy Server (NPS) to authenticate WYSE thin clients across our enterprise. These devices are connected to Cisco 4500-series switches. 

We've tested the following configuration in a $MAC.ini configuration file:

IEEE8021X=yes network=wired eap=yes eapclient=eap-peap peapmschapun=mallory peapmschappwd=hackmenow

Our switchport configuration is pretty straightforward:

interface GigabitEthernet4/36
switchport access vlan 110
switchport mode access
switchport voice vlan 105
spanning-tree portfast
authentication control-direction in
authentication event fail action authorize vlan 168
authentication event no-response action authorize vlan 168
authentication host-mode multi-domain
authentication order mab dot1x
authentication priority mab dot1x
authentication port-control auto
authentication periodic
authentication timer restart 55
authentication timer reauthenticate 2700
authentication timer inactivity 300
authentication violation replace
mab
dot1x pae authenticator
dot1x timeout quiet-period 10
dot1x timeout tx-period 5
dot1x max-req 1
end

Is anyone using NPS with a WYSE thin client? If so, do you have any tips or configuration samples?

Thanks.

April 18th, 2016 12:00

User51,

I just completed getting this working in a test environment. Here are some details to the process I used.

BTW, this was using a Windows 2008 R2 domain controller, 2008 R2 Certificate Authority in Enterprise mode, 2008 R2 NPS, & Wyse ThinOS 8.

Create a template for use with your Winterms (performed once):

  • On your CA server (server manager, AD Certificate Services), Certificate Templates, create a duplicate of the Workstation Authentication template.
  • On the General tab, Give it a name (I used non-AD Workstation Authentication).
  • On the Request Handling tab, check Allow private key to be exported.
  • On the Security tab, make sure the user or group creating the certificate request has Enroll permissions.
  • On the Issuance Requirements tab, Check CA certificate manager approval.
  • On the Subject Name tab, select Supply in the request.

Make the template available for issuance (performed once):

  • On your CA server (server manager, AD Certificate Services), expand your CA server, then click on Certificate Templates.
  • Click Action, New -> Certificate Template to Issue.
  • Find the template you just created and select it.

In AD Users and Computers:

  • Create a computer account for the winterm.
  • From an elevated command prompt, run: setspn -R

Create the certificate for the Winterm (performed for each winterm):

  • On a domain joined system, using the Certificates.msc in the MMC console, create a certificate request.
  • On the same system the request was created, submit it using certreq.exe. Specify the request file you just created and the CA server.
  • On the CA server, approve the certificate and then export it (I used the format). Copy it to the system where you performed the original request.
  • At an elevated command prompt, run: certreq -accept
  • Create the private key file: also at an elevated command prompt: certutil -p PASSWORD systemname.domain.com

Copy the .pfx file along with the public certificate for your CA server to the winterm.

In AD Users and Computers:

  • Select View, then ensure Advanced Features is selected.
  • Right-click the computer account you created earlier, select Name Mappings...
  • On the X.509 Certificates tab, click Add and select the
  • Click OK.

I think that was it. On the NPS, I just created a policy that gives access to Domain Computers. I have notes on that someplace too, but what I outlined above was the hard-to-find part that took me three weeks to piece together.

Good luck!

Cliff
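The per-winterm steps from Cliff's reply (request with a supplied subject, submit, approve, accept, export to .pfx, map the certificate to the computer account) can be scripted so each thin client gets an identical, checkable artifact. The following is an added example, not code from the post or from Dell/Wyse; the template name, CA config string, host name, password and working folder are placeholders you must replace, and the altSecurityIdentities mapping format (X509:<I>issuer<S>subject, each DN in reverse order) is what the Name Mappings dialog writes. Run it in an elevated PowerShell on a domain-joined system that has the ActiveDirectory module.

```powershell
# Added example (hypothetical values throughout); assumes an Enterprise CA template
# duplicated from Workstation Authentication with "Supply in the request" and
# "CA certificate manager approval" enabled, as described in the reply above.
$Template = 'nonADWorkstationAuthentication'         # template *name*, not display name
$CAConfig = 'ca01.example.com\Example-Issuing-CA'     # find yours with: certutil -config - -ping
$WinTerm  = 'winterm01.example.com'                   # must match the computer account's DNS name
$PfxPass  = 'CHANGE-ME-PLACEHOLDER'                   # placeholder; use a real secret
$Work     = 'C:\winterm-certs'
New-Item -ItemType Directory -Force -Path $Work | Out-Null

# 1. Build the request. Exportable=TRUE is what lets certutil write the private key to the .pfx.
$inf = @"
[NewRequest]
Subject = "CN=$WinTerm"
KeyLength = 2048
Exportable = TRUE
MachineKeySet = TRUE
KeySpec = 1
RequestType = PKCS10
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
[RequestAttributes]
CertificateTemplate = $Template
"@
Set-Content -Path "$Work\$WinTerm.inf" -Value $inf
certreq -new "$Work\$WinTerm.inf" "$Work\$WinTerm.req"

# 2. Submit. Because the template requires manager approval, the request goes pending
#    and certreq prints a RequestId; a CA manager approves it in the CA MMC (or with
#    certutil -config $CAConfig -resubmit <RequestId>).
certreq -submit -config $CAConfig "$Work\$WinTerm.req" "$Work\$WinTerm.cer"
$RequestId = Read-Host 'RequestId printed above (enter after the CA manager has approved it)'

# 3. Retrieve the issued certificate, install it against the pending key, export cert+key.
certreq -retrieve -config $CAConfig $RequestId "$Work\$WinTerm.cer"
certreq -accept "$Work\$WinTerm.cer"
certutil -p $PfxPass -exportpfx My $WinTerm "$Work\$WinTerm.pfx"

# 4. Also export the CA's own certificate, which the thin client needs to trust the NPS server.
certutil -config $CAConfig -ca.cert "$Work\ca.cer"

# 5. Sanity-check the .pfx before it leaves this box: private key present, Client Authentication
#    EKU (1.3.6.1.5.5.7.3.2) present, and the subject is the name the computer account carries.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2(
    "$Work\$WinTerm.pfx", $PfxPass, 'Exportable')
if (-not $cert.HasPrivateKey) { throw 'PFX contains no private key' }
if (-not ($cert.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.5.5.7.3.2')) {
    throw 'Certificate lacks the Client Authentication EKU; EAP-TLS will reject it'
}
if ($cert.Subject -ne "CN=$WinTerm") { throw "Unexpected subject: $($cert.Subject)" }

# 6. Map the certificate to the computer account (same attribute the Name Mappings dialog sets).
function ConvertTo-LdapOrderDn([string]$Dn) {
    # .NET renders DNs as "CN=x, DC=example, DC=com"; the mapping wants "DC=com,DC=example,CN=x".
    $parts = $Dn -split ',\s*'
    [array]::Reverse($parts)
    return ($parts -join ',')
}
Import-Module ActiveDirectory
$mapping = "X509:<I>$(ConvertTo-LdapOrderDn $cert.Issuer)<S>$(ConvertTo-LdapOrderDn $cert.Subject)"
$samName = $WinTerm.Split('.')[0]
Set-ADComputer -Identity $samName -Add @{ altSecurityIdentities = $mapping }

# 7. Verify the mapping landed before copying $WinTerm.pfx and ca.cer to the thin client.
(Get-ADComputer -Identity $samName -Properties altSecurityIdentities).altSecurityIdentities
```

Step 5 is the check worth keeping even if you do the rest by hand: a certificate issued from a template without the Client Authentication purpose, or a .pfx exported without its key, produces the same unhelpful EAP failure on the switch, and the NPS event log only tells you the client was rejected. Step 7 confirms the altSecurityIdentities value actually reached the account, which is what NPS uses to tie the presented certificate to a Domain Computers member for the policy Cliff describes.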
