ThinLinux 802.1x auth and general maturity of the product

  • #49685
    dankworth

    Hello,

    First of all, thanks for the existence of this site. I’ve just been getting up to speed with Wyse ThinOS and ThinLinux for the purposes of an enterprise trial, and it’s one of the few sources of information out there. Also, the Configuration Generator is very useful! I could have saved myself a bit of time with the ThinOS configuration if I had discovered it sooner (though I wouldn’t have learned as much through trial and error).

    Anyway, my question is really regarding the ThinLinux 2.1 product. I’m having no luck getting it to be configured over INI for 802.1x (for either machine or user EAP-PEAP/MS-CHAP).

    Everything just works with ThinOS. I have been able to configure user mode (where the user signs into the network first, and then those credentials are cached for logging into VMware View), and machine mode (where the client jumps onto the network) and then the user is faced with the VMware View login. Both use cases are fine.

    However, with ThinLinux, things just seem to be broken. If I set up user auth, then the system presents a GDM logon screen at startup. I can enter credentials, I can see the switch contact FreeRADIUS, I can see the switch put the client in the right VLAN, and I can then see the client getting IP address over DHCP and then make broadcast announcements about its presence. But the client just stays at the GDM login screen and never lets the user into the desktop.

    For machine authentication, the machine goes straight into the desktop (AutoLogin=yes) but it will never make an 802.1x request to FreeRADIUS. I have looked in the logs and it appears that there’s an error with encoding when it tries to update the NetworkManager settings. Despite my having the CA cert and machine password all correct, I think there might just be a bug in the client software.

    I guess my queries are:

    • Has anyone had any success with 802.1x auth in either user or machine mode?
    • Is it just the case that ThinLinux 2.x isn’t mature enough yet, and that these features will come later?
    • Does anyone have any example configurations or suggestions about what to do?
    • If it turns out that the solution just isn’t capable yet, what’s the best way to make some enquiries with Dell about the roadmap for ThinLinux? I’ve spoken to a couple of people that our sales contact put me in touch with, but I think their expertise was more in ThinOS and I’ve not really got someone I can talk to about ThinLinux.

    Perhaps I should call it a day and concentrate on ThinOS, but the local web browser is a big selling point for us. I’m only looking for what I expect should be available as standard: 802.1x auth, with Active Directory integration, and VM presentation over VMware View.

    Sorry for the long post, but I’m not ready to give up yet and I would like to see the offering improve rather than give up.

    Regards,
    Bob

    #49688
    ConfGen

    Dell has just launched Thin Linux version 2.2.
    Worth a try.

    CG

    #49743
    dankworth

    Thanks for the fast response. I’ve been trying ThinLinux 2.2 for a few days, still struggling with the configuration.

    The following is partly to document what I’ve done for me and in case anyone can offer suggestions, but also in case anyone else is having similar issues; perhaps this will help someone out.

    First I tried 802.1x machine authentication. This is what the wlx2.ini file looks like:

    PasswordEncryptionCode=0
    Keyboard.layouts=gb
    SuspendSystem=0
    Display.LockScreenTimeout=30
    Enable802=yes Authentication=PEAP PromptPassword=no InnerAuthentication=MSCHAPv2 PeapVersion=Auto AuthMode=Machine Is802DirectEnabled=no MachinePassword=<password>

    This does work, albeit with a couple of big issues. It’s not possible to hardcode the machine name in INI configuration (like in ThinOS) so it dynamically uses the hostname with “$” appended at the end. So I’ve got to create user accounts with the computer name and the appended dollar sign for each thin client. That’s fine at least for 802.1x machine auth, but then when I try and join the thinclient to the domain (which I can only figure out how to attempt from the settings GUI so far), that obviously fails, as it’s attempting to add the computer account with exactly the same name as the user account that I had to create. (As should be the case, I get an error on the client in auth.log “Couldn’t create computer account … problem 6005 ENTRY_EXISTS”.)

    Rather than join the domain, the release notes and the INI guide suggest that it’s possible to merely authenticate against it (though it’s confusingly written, so I have no idea whether this is truly possible or just bad documentation). To attempt this the following lines are added to those above:

    AutoLogin=no
    DomainList=<fully qualified domain name>
    DisableDomain=no
    Domainjoin.name=<fully qualified domain name>
    Domainjoin.enable=true

    On boot with these settings, indeed the thinclient will not automatically log into the “thinuser” local user, and instead a GDM login screen is presented. However, attempts to log in do not work. Quite frustrating.

    So having had no luck with 802.1x machine authentication, I try 802.1x user authentication instead. Here’s the configuration for that (in full, just to avoid confusion).

    PasswordEncryptionCode=0
    Keyboard.layouts=gb
    SuspendSystem=0
    Display.LockScreenTimeout=30
    AutoLogin=no
    DomainList=<fully qualified domain name>
    Enable802=yes Authentication=PEAP PromptPassword=no InnerAuthentication=MSCHAPv2 PeapVersion=Auto Authmode=User Is802DirectEnabled=yes

    This seems to work!

    So in summary, I’ve managed to get 802.1x user auth to work in a satisfactory way, but 802.1x machine auth presents problems as described above.

    I will update this thread if I manage to get any resolution to the machine auth issues.

    Regards,
    Bob

    #49753
    dankworth

    There’s an issue with the above configuration that I promoted as good. If the session is ever locked or the computer suspended, then it’s not possible to get back into it. The lock/authentication screen does nothing, presumably because 802.1x authorisation has already occurred. Will update if I get something solid.

    Regards,
    Bob

    #50280
    mtnbikeninja

    We’re also having a heck of a time trying to get 802.1x machine authentication working on ThinLinux 2.2 using WYSE 5070s. We don’t have an on-premises WMS server; we’re using WMS public cloud, so the INI parameters are configured in the advanced section of the group policy assigned to the thin clients. Here they are.

    PasswordEncryptionCode=0

    SCEPCLIENTCERTSETTINGS=CertName=SCEPCERT URL=http://XXXX/certsrv/mscep/mscep.dll CADN=XXXX.local AutoEnroll=Yes \
    ChallengePassword=122FFC832B81E662111A1502E291E69D

    Enable802=yes Authentication=TLS PromptPassword=no CACertificate=SCEPCERT UserCertificate=SCEPCERT PrivateKey=SCEPCERT AuthMode=machine PrivateKeyPassword=bG9jYWxfa2=

    So, once the thin client boots up, the SCEP cert is enrolled. The network security settings are enabled using TLS and the UserCertificate, PrivateKey, and PrivateKeyPassword are auto-populated, but the CACertificate is blank. Due to this, the thin client is not being connected to our secure network.

    Talking to Dell Support about this is becoming frustrating. They seem clueless about SCEP and 802.1x and how it all works.

    Any advice would be greatly appreciated.
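A defender-side check for the wlx2.ini 802.1x lines posted in this thread: it parses the directive syntax exactly as shown (space-separated Key=Value tokens, "\" continuation) and flags the two review points the posts raise, PasswordEncryptionCode=0 and an 802.1x line with no CACertificate (the blank CA mtnbikeninja saw). This is an added example, not code from any poster or from Dell; the sample file and its values are constructed placeholders.

```python
# Added example, not code from the thread or from Dell. Assumes the wlx2.ini syntax as
# posted: one directive per line, space-separated Key=Value tokens, "\" continues a line.
SAMPLE_INI = """PasswordEncryptionCode=0
Keyboard.layouts=gb
SCEPCLIENTCERTSETTINGS=CertName=SCEPCERT URL=http://scep.example.local/certsrv/mscep/mscep.dll CADN=example.local AutoEnroll=Yes \\
ChallengePassword=<placeholder>
Enable802=yes Authentication=TLS PromptPassword=no UserCertificate=SCEPCERT PrivateKey=SCEPCERT AuthMode=machine PrivateKeyPassword=<placeholder>
"""

def parse_wlx_ini(text):
    """Map each directive (lower-cased first key) to its lower-cased Key=Value tokens."""
    text = text.replace("\\\n", " ")  # join "\"-continued lines
    directives = {}
    for raw in text.splitlines():
        raw = raw.strip()
        if not raw:
            continue
        tokens = {}
        for tok in raw.split():
            key, _, val = tok.partition("=")
            if "=" in val:  # e.g. SCEPCLIENTCERTSETTINGS=CertName=SCEPCERT
                key, _, val = val.partition("=")
            tokens[key.lower()] = val
        directives[raw.split("=", 1)[0].lower()] = tokens
    return directives

def lint_8021x(directives):
    """Return the findings a reviewer would raise before pushing this file to clients."""
    findings = []
    if directives.get("passwordencryptioncode", {}).get("passwordencryptioncode") == "0":
        findings.append("PasswordEncryptionCode=0: secrets in this file are stored in clear text")
    dot1x = directives.get("enable802", {})
    if dot1x.get("enable802", "").lower() != "yes":
        return findings
    auth = dot1x.get("authentication", "").upper()
    if auth in ("TLS", "PEAP") and not dot1x.get("cacertificate"):
        findings.append("CACertificate not set: no CA to validate the RADIUS server certificate against")
    if auth == "TLS":
        for key in ("usercertificate", "privatekey"):
            if not dot1x.get(key):
                findings.append(f"{key} is required for EAP-TLS but is not set")
    if auth == "PEAP" and dot1x.get("authmode", "").lower() == "machine" and not dot1x.get("machinepassword"):
        findings.append("AuthMode=Machine with PEAP but MachinePassword is not set")
    return findings

if __name__ == "__main__":
    for finding in lint_8021x(parse_wlx_ini(SAMPLE_INI)):
        print("WARN:", finding)
```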

    #50296
    dankworth

    Hello,

    I’m afraid I don’t have any suggestions for you, just here for moral support. I’ve parked ThinLinux for now as I’ve got a hundred other problems and (for reasons I’ll not get into) we’ve no longer got support from Dell.

    The product feels very beta at the moment, and I’m not convinced many people have used it in anger for many types of deployment. The documentation is vague with glaring gaps.

    Best of luck, I’ll be back in touch if I succeed with my issues.

    Regards,
    Bob
