802.1X Authentication

802.1X authentication methods govern interactions between the supplicant (client) and the authentication server.

The most commonly used methods are Transport Layer Security (TLS); Tunneled TLS (TTLS), which is a Funk/Certicom standards proposal; and PEAP.

TLS is the most secure of the currently available protocols, although TTLS is advertised to be as strong as TLS. Both TLS and TTLS are certificate-based and require a Public Key Infrastructure (PKI) that can issue, renew, and revoke certificates. TTLS is easier to deploy, as it requires only server certificates, by contrast with TLS, which requires client and server certificates. With TTLS, the client can use the RSA Data Security, Inc. MD5 Message-Digest Algorithm mode of user name/password authentication.

If you plan to use 802.1X authentication, refer to the documentation for your particular RADIUS server and 802.1X client on how to set up a PKI configuration.
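As an added example, not part of this document, the certificate requirements described above written out as two wpa_supplicant network blocks (wpa_supplicant is assumed as the 802.1X client; the SSID, identities, passwords and file paths are placeholders):

```ini
# Added example: EAP-TLS versus EAP-TTLS as seen from the 802.1X client.
# SSID, identities, passwords and certificate paths are placeholders.

# EAP-TLS: mutual authentication. The client needs its own PKI-issued
# certificate and private key, and the server certificate must chain to ca_cert.
network={
    ssid="corp-wifi"
    key_mgmt=WPA-EAP
    eap=TLS
    identity="host123@example.com"
    # CA that issued the RADIUS server certificate
    ca_cert="/etc/cert/ca.pem"
    # client certificate and key issued by the same PKI
    client_cert="/etc/cert/host123.pem"
    private_key="/etc/cert/host123.key"
    private_key_passwd="keypassphrase"
}

# EAP-TTLS: only the server needs a certificate. The user name/password
# exchange (here EAP-MD5-Challenge, the MD5 mode mentioned above) runs inside
# the TLS tunnel, so ca_cert is the only check that binds the password to the
# legitimate server; a TTLS profile without it is the common misconfiguration.
network={
    ssid="corp-wifi"
    key_mgmt=WPA-EAP
    eap=TTLS
    identity="user@example.com"
    # outer identity sent in the clear; the real identity stays in the tunnel
    anonymous_identity="anonymous@example.com"
    password="userpassword"
    ca_cert="/etc/cert/ca.pem"
    phase2="autheap=MD5"
}
```

The server side of either profile must present a certificate issued by the PKI referenced in ca_cert; the TLS profile additionally requires the RADIUS server to be configured to validate client certificates against that PKI.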

Note

If you do not configure the reauthentication timer in non-policy mode, or the reauthentication or idle timer for policy mode, Dot1x clients remain active and are not removed when switching between machine authentication and user authentication (by logging out of a VM, and then logging back into the VM) or when switching between two users using the same VM.