dankworth

Forum Replies Created

Viewing 3 posts - 1 through 3 (of 3 total)
  • in reply to: ThinLinux 802.1x auth and general maturity of the product #50296
    dankworth
    Participant
    • Total Post: 4
    • Newbie

    Hello,

    I’m afraid I don’t have any suggestions for you, just here for moral support. I’ve parked ThinLinux for now as I’ve got a hundred other problems and (for reasons I’ll not get into) we’ve no longer got support from Dell.

    The product feels very beta at the moment, and I’m not convinced many people have used it in anger for many types of deployment. The documentation is vague with glaring gaps.

    Best of luck, I’ll be back in touch if I succeed with my issues.

    Regards,
    Bob

    dankworth
    Participant
    • Total Post: 4
    • Newbie

    There’s an issue with the above configuration that I promoted as good. If the session is ever locked or the computer suspended, then it’s not possible to get back into it. The lock/authentication screen does nothing, presumably because 802.1x authorisation has already occurred. Will update if I get something solid.

    Regards,
    Bob

    dankworth
    Participant
    • Total Post: 4
    • Newbie

    Thanks for the fast response. I’ve been trying ThinLinux 2.2 for a few days, still struggling with the configuration.

    The following is partly to document what I’ve done for me and in case anyone can offer suggestions, but also in case anyone else is having similar issues; perhaps this will help someone out.

    First I tried 802.1x machine authentication. This is what the wlx2.ini file looks like:

    PasswordEncryptionCode=0
    Keyboard.layouts=gb
    SuspendSystem=0
    Display.LockScreenTimeout=30
    Enable802=yes Authentication=PEAP PromptPassword=no InnerAuthentication=MSCHAPv2 PeapVersion=Auto AuthMode=Machine Is802DirectEnabled=no MachinePassword=<password>

    This does work, albeit with a couple of big issues. It’s not possible to hardcode the machine name in INI configuration (like in ThinOS) so it dynamically uses the hostname with “$” appended at the end. So I’ve got to create user accounts with the computer name and the appended dollar sign for each thin client. That’s fine at least for 802.1x machine auth, but then when I try and join the thinclient to the domain (which I can only figure out how to attempt from the settings GUI so far), that obviously fails, as it’s attempting to add the computer account with exactly the same name as the user account that I had to create. (As should be the case, I get an error on the client in auth.log “Couldn’t create computer account … problem 6005 ENTRY_EXISTS”.)

    Rather than join the domain, the release notes and the INI guide suggest that it’s possible to merely authenticate against it (though it’s confusingly written, so I have no idea whether this is truly possible or just bad documentation). To attempt this the following lines are added to those above:

    AutoLogin=no
    DomainList=<fully qualified domain name>
    DisableDomain=no
    Domainjoin.name=<fully qualified domain name>
    Domainjoin.enable=true

    On boot with these settings, indeed the thinclient will not automatically log into the “thinuser” local user, and instead a GDM login screen is presented. However, attempts to log in do not work. Quite frustrating.

    So having had no luck with 802.1x machine authentication, I try 802.1x user authentication instead. Here’s the configuration for that (in full, just to avoid confusion).

    PasswordEncryptionCode=0
    Keyboard.layouts=gb
    SuspendSystem=0
    Display.LockScreenTimeout=30
    AutoLogin=no
    DomainList=<fully qualified domain name>
    Enable802=yes Authentication=PEAP PromptPassword=no InnerAuthentication=MSCHAPv2 PeapVersion=Auto Authmode=User Is802DirectEnabled=yes

    This seems to work!

    So in summary, I’ve managed to get 802.1x user auth to work in a satisfactory way, but 802.1x machine auth presents problems as described above.

    I will update this thread if I manage to get any resolution to the machine auth issues.

    Regards,
    Bob
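
The account-name collision described in the post above can be checked before a domain join is attempted. The following is an added example, not code from the post or from Dell: it parses wlx2.ini-style text and lists the thin clients whose `hostname$` identity already exists as an account. The function names, the sample INI values, hostnames and account names are all constructed, and the case-insensitive name comparison is an assumption.

```python
def parse_wlx_ini(text):
    """Return wlx2.ini-style settings as a dict with lower-cased keys.

    One line may carry several space-separated key=value pairs, as the
    Enable802 line in the post does. Assumes values contain no spaces.
    """
    settings = {}
    for line in text.splitlines():
        for token in line.split():
            key, sep, value = token.partition("=")
            if sep:
                # The post spells this option both AuthMode and Authmode.
                settings[key.lower()] = value
    return settings

def domain_join_conflicts(settings, hostnames, existing_accounts):
    """List hostnames whose 802.1x machine identity (hostname + "$")
    is already taken, when machine auth and domain join are both enabled."""
    machine_auth = (settings.get("enable802", "no").lower() == "yes"
                    and settings.get("authmode", "").lower() == "machine")
    join = settings.get("domainjoin.enable", "false").lower() == "true"
    if not (machine_auth and join):
        return []
    taken = {name.lower() for name in existing_accounts}  # assumption: names compare case-insensitively
    return [h for h in hostnames if (h + "$").lower() in taken]

# Constructed sample data modelled on the two configurations in the post.
MACHINE_INI = """\
Enable802=yes Authentication=PEAP PromptPassword=no InnerAuthentication=MSCHAPv2 PeapVersion=Auto AuthMode=Machine Is802DirectEnabled=no MachinePassword=CONSTRUCTED-PLACEHOLDER
AutoLogin=no
DomainList=corp.example.test
DisableDomain=no
Domainjoin.name=corp.example.test
Domainjoin.enable=true
"""
USER_INI = """\
AutoLogin=no
DomainList=corp.example.test
Enable802=yes Authentication=PEAP PromptPassword=no InnerAuthentication=MSCHAPv2 PeapVersion=Auto Authmode=User Is802DirectEnabled=yes
"""
HOSTNAMES = ["TC-0001", "TC-0002", "TC-0003"]
EXISTING_ACCOUNTS = ["tc-0001$", "TC-0003$", "bob"]

if __name__ == "__main__":
    for label, ini in (("machine", MACHINE_INI), ("user", USER_INI)):
        hits = domain_join_conflicts(parse_wlx_ini(ini), HOSTNAMES, EXISTING_ACCOUNTS)
        print(label, "auth: join would collide for", hits or "no clients")
```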
