October 14th, 2021 07:00
Thinclient - "Client Certificate" distribution to ThinOS / Wyse Management Studio for 802.1x - EAP-TLS
Hi,
Can someone explain how the "distribution process" of "Client Certificates" works with ThinOS and Wyse Management Studio?
We would like to implement 802.1x EAP-TLS on ThinOS clients, fully automated.
Can we integrate with Microsoft AD Certificate Services?
I get that we need to secure Wyse Device Manager, add the root and intermediates, and send them down to the thinclients.
--
But how do we go about adding the "client" certificate on the thinclient to authenticate against 802.1x (EAP-TLS) in an automated fashion?
--
Or is there just one client certificate in use for, let's say, 1000 thinclients to authenticate via EAP-TLS, and does it get downloaded via FTP/CCM?
DELL-Scott H
Moderator
October 14th, 2021 08:00
SCEP can be leveraged to deliver unique certificates to the device (and leverage NDES for SCEP). The certificates can be leveraged for 802.1x.
https://dl.dell.com/topicspdf/thinos_9_1_ag_en-us.pdf
Page 174 of the admin guide covers SCEP. The SCEP policy can also be defined in WMS.
RaZer0r
November 3rd, 2021 06:00
The way SCEP (and Wyse's implementation) works is:
Define the config on WMS with SCEP settings, either with a fixed enrollment password or a variable one.
When using the variable one, you can define a username and password to retrieve the enrollment code automatically.
This only works with NTLM v1 authentication, so no Kerberos or NTLMv2.
The client is the one connecting to the SCEP server to request a certificate, and the SCEP server connects to your CA server to get it signed.
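The client-side half of the enrollment described above, as an added example that is not part of the original post and is not Dell or ThinOS code: each device generates its own key pair and a PKCS#10 request carrying the SCEP `challengePassword` attribute (RFC 8894), so every thin client ends up with a distinct certificate and its private key never leaves the device. The `openssl` CLI stands in for the thin client's built-in SCEP client, no SCEP server is contacted, and the device names and challenge value are constructed placeholders.

```shell
#!/bin/sh
# Added example. Device names and the challenge value are constructed.

# make_scep_csr <device-cn> <enrollment-challenge> <out-dir>
# Generates the key pair locally and a PKCS#10 request that carries the
# challengePassword attribute, as a SCEP client does before enrolling.
# The body runs in a subshell so umask 077 keeps the private key and the
# challenge in req.cnf readable by the owner only.
make_scep_csr() (
    cn=$1; challenge=$2; out=$3
    umask 077
    mkdir -p "$out" || exit 1
    cat > "$out/req.cnf" <<EOF
[ req ]
prompt             = no
distinguished_name = dn
attributes         = attrs
[ dn ]
CN = $cn
[ attrs ]
challengePassword = $challenge
EOF
    openssl req -new -newkey rsa:2048 -nodes -config "$out/req.cnf" \
        -keyout "$out/device.key" -out "$out/device.csr" 2>/dev/null
)

# Subject line of the request (the per-device identity the CA will certify).
csr_subject() { openssl req -in "$1" -noout -subject; }

# True if the request carries the enrollment challenge attribute.
csr_has_challenge() { openssl req -in "$1" -noout -text | grep -q 'challengePassword'; }

# True if the request is signed by the private key matching its public key
# (proof of possession, which the SCEP server checks before forwarding to the CA).
csr_signature_ok() { openssl req -in "$1" -noout -verify 2>&1 | grep -q 'verify OK'; }

# Digest of the request's public key, to compare keys across devices.
csr_key_id() { openssl req -in "$1" -noout -pubkey | openssl dgst -sha256; }

# Demo with constructed values: two devices, two independent key pairs.
work=$(mktemp -d)
for dev in thin-0001 thin-0002; do
    make_scep_csr "$dev" "constructed-challenge" "$work/$dev" &&
        csr_subject "$work/$dev/device.csr" && csr_key_id "$work/$dev/device.csr"
done
rm -rf "$work"
```

Because the challenge sits in the request as plain text, SCEP wraps the whole PKCS#10 in an envelope encrypted to the SCEP server's certificate before it goes on the wire.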
bencoremans
October 4th, 2024 11:48
@RaZer0r
Thanks for the explanation! I wanted to ask if the claim about only supporting NTLM v1 for retrieving the enrollment code is still valid today. I’ve seen that Basic Authentication also works when configured properly, so I’m curious if there have been updates or improvements to Wyse devices that support additional authentication methods like NTLMv2.
Would appreciate any insights you or others might have on this!