
Configuring WPA supplicant

Note:

You can use the example files on the devices to configure the WPA supplicant: /setup/scep/wpa.conf.

  1. Create an individual wpa.conf configuration file.

    By default, the file contains the following information:

    ```
    ctrl_interface=/var/run/wpa_supplicant
    ctrl_interface_group=0
    ap_scan=0
    network={
        key_mgmt=IEEE8021X
        eapol_flags=0
        eap=TLS
        identity="<Common Name as specified in certificate>"
        priority=6
        ca_cert="/setup/cacerts/scep/serverca.pem"
        client_cert="/setup/cacerts/scep/client.pem"
        private_key="/setup/cacerts/scep/client.key"
    }
    ```

    Add further entries according to your CA implementation.

    You can specify the certificate file and path in one of the following ways, for example if you access an external root certification authority. Note that only one file may be referenced via ca_cert. However, this file may contain several certificate entries.

    ```
    ca_cert="/setup/cacerts/<root_extern>.pem"
    ca_cert="/setup/cacerts/<subordinate_int>.pem"
    ca_cert="/setup/cacerts/<radius>.ssl"
    ```

    If the RADIUS certificate contains the NetBIOS name instead of the FQDN, you may use the following entry:

    ```
    ca_cert="/setup/cacerts/<root>.pem"
    ```

    Important:

    The spelling and case-sensitivity of the certificate file names must be identical to the names of the transferred certificate files.

  2. If you want to use TPM 2.0 via WLAN, add the following engine parameters for the network (from eLux RP 6 2103):

    ```
    network={
        ssid="WLAN-ABC"
        scan_ssid=1
        key_mgmt=WPA-EAP
        proto=WPA2
        eap=TLS
        engine=1                # Value must always be 1
        engine_id="tpm2tss"     # Private Key is taken from TPM 2.0 module
        identity="__IDENTITY__"
        priority=6
        ca_cert="/setup/cacerts/scep/serverca.pem"
        client_cert="/setup/cacerts/scep/client.pem"
        private_key="/setup/cacerts/scep/client.key"    # Public part
    }
    ```

  3. To transfer the wpa.conf file to the devices, use the Scout feature Files configured for transfer. Use the following destination:

   
    • LAN: setup/scep/
    • WLAN: setup/wlan/

For further information, see Advanced device configuration > Files in the Scout guide.
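
The rules stated in the steps above (only one ca_cert file per network, file names that match the transferred files exactly including case, and engine=1 whenever engine_id is set) can be checked before a wpa.conf is transferred. The following is an added example, not part of the eLux or Scout tooling; the function names, the sample configuration and the transfer list are assumptions constructed for illustration.

```python
import re

ENTRY = re.compile(r'^\s*(\w+)=(?:"([^"]*)"|(\S+))')  # key=value; a trailing "# comment" is ignored
FILE_KEYS = ("ca_cert", "client_cert", "private_key")

def parse_networks(text):
    """Return one list of (key, value) pairs per network={ ... } block."""
    networks, current = [], None
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("network={"):
            current = []
        elif stripped == "}" and current is not None:
            networks.append(current)
            current = None
        elif current is not None and (m := ENTRY.match(line)):
            current.append((m.group(1), m.group(2) if m.group(2) is not None else m.group(3)))
    return networks

def lint(text, transferred):
    """Return (network number, message) for each rule from this page that is violated."""
    findings = []
    by_lower = {p.lower(): p for p in transferred}
    for n, entries in enumerate(parse_networks(text), 1):
        values = dict(entries)
        if [k for k, _ in entries].count("ca_cert") > 1:
            findings.append((n, "several ca_cert entries; only one file may be referenced"))
        for key, path in entries:
            if key in FILE_KEYS and path not in transferred:
                hit = by_lower.get(path.lower())
                why = f"case differs from transferred file {hit}" if hit else "not in transfer list"
                findings.append((n, f"{key}={path}: {why}"))
        if "engine_id" in values and values.get("engine") != "1":
            findings.append((n, "engine_id is set but engine is not 1"))
    return findings

# Constructed sample: block 1 has a case mismatch, block 2 has two ca_cert lines
SAMPLE = """network={
    engine=1                # Value must always be 1
    engine_id="tpm2tss"
    ca_cert="/setup/cacerts/scep/ServerCA.pem"
}
network={
    ca_cert="/setup/cacerts/scep/serverca.pem"
    ca_cert="/setup/cacerts/scep/extra.pem"
}
"""
TRANSFERRED = {"/setup/cacerts/scep/serverca.pem", "/setup/cacerts/scep/client.pem"}
if __name__ == "__main__":
    print(*lint(SAMPLE, TRANSFERRED), sep="\n")
```
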

Use of multiple WiFi networks

  • To use multiple SSIDs, set the network entry multiple times.

Example:

```
ctrl_interface=/var/run/wpa_supplicant
ctrl_interface_group=0
ap_scan=1
network={
    ssid=""
    scan_ssid=1
    key_mgmt=WPA-EAP
    eap=TLS
    identity=""
    priority=5
    ca_cert=""
    ca_cert=""
    client_cert=""
    private_key=""
}
network={
    ssid=""
    scan_ssid=1
    key_mgmt=WPA-EAP
    eap=TLS
    identity=""
    priority=6
    ca_cert=""
    ca_cert=""
    client_cert=""
    private_key=""
}
```

Use of variables

For identity and host name, you can alternatively set variables:

| Spelling | Description | Other |
|---|---|---|
| %IDENTITY% | Common name from certificate | For compatibility reasons, the legacy spelling before eLux RP 6.9.100 (variable name in uppercase letters and 2 x 2 underscores) is still supported. Example: `__IDENTITY__` |
| %HOSTNAME% | Hostname from terminal.ini | |

Variables may also be used for a part of a value. Prefixes and suffixes of a variable are pure strings that are passed through. Example: identity="host/%HOSTNAME%"

For further information on configuring 802.1X for WLANs, see WPA support in the Scout guide.
