Best Practices For 802.1x Wired Environments in Wyse Management Suite

Summary: The following article contains recommendations for Wyse Management Suite (WMS) network configuration in an 802.1x wired environment.


Instructions

Affected Products:

  • Wyse Management Suite

Affected Platforms:

  • OptiPlex 3000 Thin Client
  • OptiPlex 5400 All-in-One
  • OptiPlex All-in-One 7410
  • OptiPlex All-in-One 7420
  • Latitude 3420
  • Latitude 3440
  • Latitude 5440
  • Latitude 5450
  • Wyse 5070 Thin Client
  • Wyse 5470 All-in-One Thin Client
  • Wyse 5470 Mobile Thin Client

Affected Operating Systems:

  • Dell ThinOS

Deploying endpoints into an 802.1x wired environment can be challenging since certificates are often required to complete a successful EAP negotiation. This is further complicated when using ThinOS, since a factory reset operation erases all data in the encrypted NVR partition, including customer-installed certificates. Below is a recommended strategy to enable auto deployment or configuration of ThinOS clients in an 802.1x wired environment.

Setup - Customer Environment Configuration

Warning: Network recommendations are based on best practices. Dell Technical Support is unable to assist with configuring or troubleshooting network settings on devices without a Dell warranty entitlement.

The listed devices should be configured to have the following behaviors:

  • SWITCH - If using a Cisco or other switch, a secure and an unsecure vLAN should be configured. If the client does not have the certificates or configurations that are required to complete the EAP negotiation and attach to the secure vLAN, then the switch should route the client to the unsecure vLAN.
  • WMS Server - Customers should ensure that their WMS servers can be accessed from both the secure and unsecure vLAN. If using an on-site installation instead of a public cloud installation, the customer may opt to set up two WMS servers.
    Note: The WMS server (server group) accessible from the unsecure vLAN does not have to provide complete client configurations - it only requires the network 802.1x configurations, including the loading of any required certificates.
  • DHCP and DNS configurations - On both the secure and unsecure vLAN, customers should enable the configurations (DHCP options or DNS records) that allow ThinOS to attach to the WMS server and registration group.

Workflow - Factory default behavior

  1. When a ThinOS client is turned on for the first time or after a factory reset, it boots up.
  2. 802.1x EAP negotiation fails (no configuration or certificates).
  3. The switch routes ThinOS to the unsecure vLAN.
  4. ThinOS completes DHCP and obtains WMS information from environment variables (DHCP options, DNS records).
  5. ThinOS attaches to the WMS server and registration group and retrieves the 802.1x configurations and the certificates that are required to attach to the secure vLAN.
  6. ThinOS reboots.
  7. 802.1x EAP negotiation succeeds.
  8. ThinOS completes DHCP and obtains WMS information from environment variables (DHCP options, DNS records).
  9. ThinOS attaches to the WMS server and registration group and retrieves the complete client configurations and all required server certificates.
  10. The process is complete.
    [Figure: Network configuration]
    Note: Simple Certificate Enrollment Protocol (SCEP) can be integrated into this process, but auto deployment requires the SCEP server to be present on both the secure and unsecure vLAN.

SCEP settings for ThinOS 9.x WMS Group Configuration

To configure Wyse Management Suite for SCEP when using ThinOS 9.x:

  1. Set Enable Auto Enrollment to On.
  2. Optionally, set Enable Auto Renew to On.
  3. Set Select Install CA Certificate to On.
  4. Populate a Country Name.
  5. Populate a State.
  6. Optionally, populate a Location.
  7. Optionally, populate an Organization.
  8. Optionally, populate an Organization Unit.
  9. Optionally, populate an Email Address.
  10. Select a Key Usage of Digital Signature and Key Encipherment.
  11. Select the Key Length.
  12. Optionally, populate a Sub Alt Name.
  13. Populate a Common Name.
  14. Populate a Request URL.
  15. Select a CA Certificate Hash Type.
  16. Populate the CA Certificate Hash.
  17. Optionally, populate an Enrollment Password.
  18. Populate the Administrator URL.
  19. Optionally, set Ignore Server Certificate Check to On.
  20. Populate the Admin User.
  21. Populate the Admin User Password.
  22. Populate the Admin User Domain.
    [Figure: SCEP Settings]
    Note:
    • The image depicts $TN_Machine.local as an example Common Name. $TN is a system environment variable for ThinOS. $TN inserts the terminal name into the machine certificate. As an alternative, $SN could also be used; this would add the Service Tag to the certificate name.
    • The Request URL should provide a path to the SCEP server in your environment.
    • The CA Certificate Hash value is found in the [SCEPSERVER]/CertSrv/MSCEP_admin/ page.
    • The Administrator URL is the [SCEPSERVER]/CertSrv/MSCEP_admin/ page.
    • The Admin User is the SCEP service account.
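A mistyped CA Certificate Hash, or a hash that does not correspond to the selected CA Certificate Hash Type, is easy to miss by eye. The following added example (not Dell code) computes the fingerprint of an exported copy of the CA certificate and compares it with the value about to be entered in WMS; the digest names md5, sha1 and sha256 and the sample certificate bytes are assumptions.

```python
import base64
import hashlib
import re

# Assumed digest names; use the one selected as CA Certificate Hash Type in WMS.
SUPPORTED = {"md5", "sha1", "sha256"}

def pem_to_der(pem):
    """Strip the PEM armor and decode the base64 body to DER bytes."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----",
                  pem, re.S)
    if not m:
        raise ValueError("no PEM certificate block found")
    return base64.b64decode("".join(m.group(1).split()), validate=True)

def ca_fingerprint(cert, hash_type):
    """Hex digest of the certificate's DER encoding (cert: PEM str or DER bytes)."""
    name = hash_type.lower().replace("-", "")
    if name not in SUPPORTED:
        raise ValueError(f"unsupported hash type: {hash_type}")
    der = pem_to_der(cert) if isinstance(cert, str) else cert
    return hashlib.new(name, der).hexdigest()

def normalize(value):
    """Remove separators and case; reject anything that is not hex."""
    cleaned = re.sub(r"[\s:-]", "", value).lower()
    if not re.fullmatch(r"[0-9a-f]+", cleaned):
        raise ValueError("hash contains non-hex characters")
    return cleaned

def hash_matches(cert, hash_type, configured_hash):
    """True only if the hash typed into WMS is this certificate's fingerprint."""
    return ca_fingerprint(cert, hash_type) == normalize(configured_hash)

# Constructed sample: placeholder bytes standing in for the CA certificate's DER
# encoding (not a parseable certificate; the digest covers the raw bytes either way).
SAMPLE_DER = bytes.fromhex("3082010a0282010100") + bytes(range(64))
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.encodebytes(SAMPLE_DER).decode()
              + "-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    fp = ca_fingerprint(SAMPLE_PEM, "SHA1")
    shown = " ".join(fp[i:i + 8] for i in range(0, len(fp), 8)).upper()
    print("fingerprint:", shown)
    print("matches WMS value:", hash_matches(SAMPLE_PEM, "sha1", shown))
```

Run it against the CA certificate exported from the SCEP server and compare the result with the hash shown on the [SCEPSERVER]/CertSrv/MSCEP_admin/ page before saving the group policy.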

ThinOS 9.x 802.1x wired environment settings WMS Group Configuration

In WMS:

  1. Select Advanced > Network Configuration > Ethernet Settings > 802.1X Authentication Settings > Add Row.
  2. Select the needed EAP type > EAP-TLS.
  3. Enter the correct Client Certificate Filename.
  4. Select Client Certificate Type User or Machine (usually issued to Machine).
    • Server Name is optional (the RADIUS server name should be used).
    • The Validate Server and Check Server options must be enabled for server name validation.
      [Figure: 802.1X Authentication Settings]
      Note:
      • Client Certificate Filename must include scep_cert_ and .crt
      • If details are entered incorrectly, login is not possible.
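Because incorrect details prevent login, it helps to check a group's SCEP and 802.1X values before they are pushed. The following added example (not Dell code, and not a WMS API) lints the settings from this article written out as dictionaries; the key names and all sample values are hypothetical.

```python
# Hypothetical key names: the WMS group settings from this article as dictionaries.
REQUIRED_SCEP = ("country_name", "state", "key_usage", "key_length", "common_name",
                 "request_url", "ca_certificate_hash_type", "ca_certificate_hash",
                 "administrator_url", "admin_user", "admin_user_password",
                 "admin_user_domain")

def lint_group(scep, dot1x):
    """Return findings for one WMS group; an empty list means every check passed."""
    findings = [f"SCEP: {k} is empty" for k in REQUIRED_SCEP if not scep.get(k)]
    for switch in ("enable_auto_enrollment", "install_ca_certificate"):
        if scep.get(switch) is not True:
            findings.append(f"SCEP: {switch} is not On")
    if scep.get("ignore_server_certificate_check"):
        findings.append("SCEP: Ignore Server Certificate Check is On, so the "
                        "server certificate is not checked")
    cn = scep.get("common_name", "")
    if cn and "$TN" not in cn and "$SN" not in cn:
        findings.append("SCEP: Common Name has no $TN or $SN, so every device "
                        "requests the same name")
    if dot1x.get("eap_type") != "EAP-TLS":
        findings.append("802.1X: EAP type is not EAP-TLS")
    name = dot1x.get("client_certificate_filename", "")
    if "scep_cert_" not in name or ".crt" not in name:
        findings.append("802.1X: Client Certificate Filename must include "
                        "scep_cert_ and .crt")
    if dot1x.get("server_name") and not (
            dot1x.get("validate_server") and dot1x.get("check_server")):
        findings.append("802.1X: Server Name is set but Validate Server and "
                        "Check Server are not both enabled")
    return findings

# Constructed sample values; URLs, names and the hash are placeholders.
GOOD_SCEP = dict(
    enable_auto_enrollment=True, install_ca_certificate=True, country_name="US",
    state="Texas", key_usage="Digital Signature and Key Encipherment",
    key_length=2048, common_name="$TN_Machine.local",
    request_url="https://scepserver.example/REQUEST-PATH",
    ca_certificate_hash_type="SHA1", ca_certificate_hash="PLACEHOLDER-HASH",
    administrator_url="https://scepserver.example/CertSrv/MSCEP_admin/",
    admin_user="svc-scep", admin_user_password="PLACEHOLDER",
    admin_user_domain="EXAMPLE")
GOOD_DOT1X = dict(eap_type="EAP-TLS", server_name="radius.example",
                  client_certificate_filename="scep_cert_EXAMPLE.crt",
                  client_certificate_type="Machine",
                  validate_server=True, check_server=True)
BAD_SCEP = {**GOOD_SCEP, "common_name": "thinclient.local",
            "ca_certificate_hash": "", "ignore_server_certificate_check": True}
BAD_DOT1X = {**GOOD_DOT1X, "client_certificate_filename": "machine.pfx",
             "validate_server": False}

if __name__ == "__main__":
    print("\n".join(lint_group(BAD_SCEP, BAD_DOT1X)))
```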

Article Properties
Article Number: 000195180
Article Type: How To
Last Modified: 19 Apr 2025
Version:  15