Creating 802.1x Setups

The IEEE 802.1x network protocol provides an authentication mechanism for devices that want to attach to a LAN: it either establishes a point-to-point connection or, if authentication fails, prevents it. It is used for most wireless 802.11 access points and is based on the Extensible Authentication Protocol (EAP). You can include the 802.1x setups you define in the profile for wireless and wired connections. (The “EAP (GTC)” protocol can only be used in 802.1x wired setups.)

Note:
802.1x setups require integration with Active Directory (see Defining Active Directory Integration) and an Enterprise-root CA.

To create an 802.1x setup:

  1. From the WiFi Setup window or the Wired 802.1x Authentication section of the Network Configuration window, click Add. The 802.1x Setup window opens.

  2. In the Setup Name field, enter a name for this 802.1x setup. The setup name can be up to 32 characters, and must not contain ( / \ < > : ; * | ? ” ) characters.
  3. From the Protocol drop-down list, select the required protocol. The options in the Authentication section are enabled/disabled according to the protocol selected, as described in this table.
    Protocol                 Client Certificate   Trusted Root Certificate   Roaming Identity
    EAP-TLS                  Required             Required                   Not available
    EAP-TTLS (MS-CHAP v2)    Optional             Required                   Optional
    EAP-PEAP (MS-CHAP v2)    Optional             Required                   Optional
    EAP (GTC)                Not available        Not available              Not available
    EAP-FAST (MS-CHAP v2)    Optional             Required                   Optional
    EAP-FAST (GTC)           Optional             Required                   Optional
    EAP-FAST (TLS)           Required             Required                   Optional
  4. From the Select the method for creating the certificate drop-down list, select the source for the certificate that will be installed in the Intel AMT device:
    • Request certificate from Microsoft CA – If you are using a Microsoft CA, continue from step 5.
    • Use certificate from a file – For information about this method and the necessary file format, see Using Predefined Files Instead of a CA Request. If you select this option, define the file locations and continue from step 6.
    • Do not use a certificate – Instead of using a certificate, authentication is done with a username and password. (This option is shown only if client certificates are optional for the Protocol selected in step 3.) Continue from step 6.
  5. If the certificate will be requested from a Microsoft CA, do these steps:
    1. From the Certificate Authority drop-down list, select the Enterprise CA that Intel SCS will use to request a certificate that the RADIUS server can authenticate.
    2. From the Client Certificate Template drop-down list, select the template that will be used to create the client certificate. The templates shown are templates where the Subject Name is supplied in the request and the usage is “Client Authentication”. For information about how to create a template, see Defining Enterprise CA Templates.
    3. Define the Common Names that will be included in the Subject Name of the generated certificate. For more information, see Defining Common Names in the Certificate.
      Note:
      • To use this option, Intel SCS must have access to the CA during configuration (see Required Permissions on the CA).
      • If you are creating the profile on a computer that does not have access to the CA, the drop-down lists will not display the CA or the templates. If necessary, you can manually supply the CA name (in the format FQDN\CA Name) and the name of the template.
  6. (Optional) To enable roaming, select the Roaming Identity check box. The user will connect to the RADIUS server with an identity of Anonymous.
  7. If a trusted root certificate is required (see the table in step 3), select it from the list of trusted root certificates. If it does not appear in the list, click Edit List to define the location of the trusted root certificate (see Defining Trusted Root Certificates). This certificate will be used in the 802.1x setup to authenticate with a RADIUS server.
  8. From the RADIUS Server Verification section, select one of these:
    • Do not verify RADIUS server certificate subject name
    • Verify server’s FQDN – Enter the FQDN of the RADIUS server.
    • Verify server’s domain suffix – Enter the domain name suffix of the RADIUS server.
  9. Click OK. The 802.1x Setup window closes and the 802.1x setup is saved.
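
The rules in steps 2, 3 and 8 can be checked before a setup is entered. The following is an added example, not part of Intel SCS or its documentation: the dictionary keys (name, protocol, medium, client_cert, trusted_root, roaming_identity, server_verify, server_name) and the sample values are hypothetical and do not correspond to Intel SCS field names.

```python
# Added example: pre-flight lint for an 802.1x setup, using this page's rules.
# Rows transcribed from the table in step 3:
# protocol -> (client certificate, trusted root certificate, roaming identity)
RULES = {
    "EAP-TLS":               ("required", "required", "n/a"),
    "EAP-TTLS (MS-CHAP v2)": ("optional", "required", "optional"),
    "EAP-PEAP (MS-CHAP v2)": ("optional", "required", "optional"),
    "EAP (GTC)":             ("n/a", "n/a", "n/a"),
    "EAP-FAST (MS-CHAP v2)": ("optional", "required", "optional"),
    "EAP-FAST (GTC)":        ("optional", "required", "optional"),
    "EAP-FAST (TLS)":        ("required", "required", "optional"),
}
FORBIDDEN = set('/\\<>:;*|?"\u201d')  # characters step 2 disallows in a setup name
FIELDS = ("client_cert", "trusted_root", "roaming_identity")  # hypothetical keys


def lint_setup(s):
    """Return findings for a dict describing one setup (keys are hypothetical)."""
    findings = []
    name = s.get("name", "")
    if len(name) > 32 or FORBIDDEN & set(name):
        findings.append("name: over 32 characters or contains a forbidden character")
    rule = RULES.get(s.get("protocol"))
    if rule is None:
        return findings + ["protocol: not in the step 3 table"]
    if s["protocol"] == "EAP (GTC)" and s.get("medium") != "wired":
        findings.append("protocol: EAP (GTC) can only be used in wired setups")
    for field, req in zip(FIELDS, rule):
        if req == "required" and not s.get(field):
            findings.append(f"{field}: required for {s['protocol']}")
        elif req == "n/a" and s.get(field):
            findings.append(f"{field}: not available for {s['protocol']}")
    verify = s.get("server_verify", "none")
    # Assumption: subject-name verification only matters when a trusted root is used.
    if verify == "none" and rule[1] == "required":
        findings.append("server_verify: RADIUS server subject name is not verified")
    elif verify in ("fqdn", "suffix") and not s.get("server_name"):
        findings.append("server_verify: FQDN or domain suffix is missing")
    return findings


# Constructed sample setups (names and values invented for this example).
GOOD = {"name": "corp-wired-tls", "protocol": "EAP-TLS", "medium": "wired",
        "client_cert": True, "trusted_root": "Example Root CA",
        "server_verify": "fqdn", "server_name": "radius.example.com"}
BAD = {"name": "lab:wifi", "protocol": "EAP (GTC)", "medium": "wifi",
       "roaming_identity": True, "server_verify": "none"}

if __name__ == "__main__":
    for setup in (GOOD, BAD):
        print(setup["name"], lint_setup(setup) or "OK")
```

A finding on server_verify marks a setup that uses the "Do not verify RADIUS server certificate subject name" option from step 8.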

See Also:

Standalone or Enterprise CA