How to configure 802.1x on Neat Devices (Beta)

Important Note: This newly introduced functionality is currently in the Beta / Preview phase and is not yet intended to be implemented in production environments. This feature should be limited to testing and evaluation purposes only.

Introduction – What is 802.1x?

802.1x is the IEEE standard for port-based network access control: a device connecting to a switch port or wireless network must first prove its identity to the organisation's own authentication infrastructure (authenticator and authentication server) before its traffic is allowed onto the network. This protects organisations from unmanaged devices that find their way into the workplace.

Requirements and Limitations:

Required Components for Configuration:

  • Neat devices must be on a local area network (LAN) (wired or wireless) and reachable by IP address for configuration, before moving devices to a wired 802.1x network environment.
  • 802.1x capable switch and network
  • Certificate components for EAP-TLS:
  • Python 3 environment for the customer-side script
    • Familiarity with Python and PIP is preferable
    • Install PIP – if you have Python version 3.4 or later, PIP is included by default
    • Download the Neat 802.1x Web-API client (a pip-installable package) and unzip it:

SHA256 of the download (verify the file against this value): 75deb626a659a744c5662d213ddf746b33cc374d692a33c5c205dbbd2d4eeeed

Current Limitations (at time of writing):

  • EAP-TLS support only

Please note: The following steps assume that 802.1x is already configured on your network, including your own certificate authority.

Important Note: The following process needs to be performed for each Neat device separately (e.g. certificates are requested, signed and uploaded separately for the Neat Bar and the Neat Pad).

Step 1 – Setting up the devices

The device's Web API can be reached either during the initial Out-of-Box (OOB) set-up (at first installation or after a factory reset) or, if the device is already set up and running Zoom/Teams, by enabling Remote Access instead.

  1. Connect the devices to a LAN via ethernet or wifi that is NOT an 802.1x network. Please note that captive portals are not supported.
    • For an OOB configuration, confirm that the device has received an IP address by pressing the reset button on the back of the device. Please note: The device does not need to reach the internet – it only needs to be reachable from a laptop/computer on the same network. During OOB the Web-API is only available up to the point where the platform to run (Teams/Zoom) is chosen.
    • For devices already running a Zoom/Teams room configuration, open Neat's System settings, navigate to System -> Remote access and enable it. Set a password; it is required for the neat-dot1x-cli commands in the steps below. For more information on how to enable Remote access, see the separate Neat article on that topic.

Step 2 – Verifying Neat device connectivity

  1. From a laptop or computer on the same LAN, confirm that the Neat device is reachable:
    • Ping the IP address of the unit or
    • Ping via hostname (“Serial Number.local”) or FQDN

Tip: If the device is in OOB, press and release the reset button on the back of the Neat device to see both the Serial number and the IP address.
If the Neat device is already running Zoom/Teams, go to System Settings > System > Network > Information > IP address.

Step 3 – Creating a Certificate Signing Request (CSR)

  1. Download the zip file above and unzip it
  2. Run the following command in your terminal to pip install the 802.1x client package (the unzipped wheel file):
    pip install path/to/neat_dot1x_client-2022.12.2-py3-none-any.whl
  3. Once the package is installed, the command-line client neat-dot1x-cli is available. To generate the certificate signing request (CSR), the following parameters are required to access the device's Web-API:
    • IP address or Hostname
    • Username
      • a) Device in OOB => Username: oob
      • b) Device running Teams/Zoom => Username: admin (Refer to Step 1)
    • Password
      • a) Device in OOB => Password: Serial Number
      • b) Device running Teams/Zoom => Password: Refer to Step 1
    • The CSR subject is passed as the optional SUBJECT_JSON argument, in either of two forms:
      • A JSON string, used in place of SUBJECT_JSON, for example:
        '{"country":"NO","state":"Oslo","locality":"Oslo","organizationName":"Neat","organizationalUnit":"IT","commonName":"my device","email":"support@neat.no"}'
      • The path of a JSON file, used in place of SUBJECT_JSON, whose contents can look like this:
        {
        "C": "NO",
        "ST": "Oslo",
        "L": "Oslo",
        "O": "Neat",
        "OU": "RD",
        "CN": "802.1X device",
        "EMAIL": "neat@neat.no"
        }
      • Please note: the "key": "value" pairs in the examples above are all optional and may be given in any order. If no commonName is provided, the device uses its Serial number instead.
      • If no key/value pairs are provided at all, the device defaults to:
        '{"country":"NO","organizationName":"Neatframe Ltd","organizationalUnit":"neat.no"}'
  4. Once you have decided on the arguments described in point 3, run the following command, substituting the values unique to the device and network:
    neat-dot1x-cli HOST_OR_IP USERNAME PASSWORD csr CSR_FILE.pem SUBJECT_JSON
    Please note: It can take up to 30 seconds for the device to generate the CSR.
  5. Optional: to verify that the certificate signing request was created, run cat CSR_FILE.pem and check that it shows a PEM-formatted text block. This is the file that your certificate authority (CA) signs in the next step.

Step 4 – Signing the Certificate

802.1x gives visibility of, and identity-based access control over, the devices at the network edge. With EAP-TLS, each enterprise controls how the certificate is signed and typically operates an internal Certificate Authority (CA) for this purpose.

  1. Take the CSR created in Step 3 and sign it with your own internal CA

Important Note: The certificate file will need to be in PEM format.

Tip: To reduce how often each device's certificate has to be renewed, we recommend a long validity period. The certificate is stored as an encrypted file in the device's memory and can only be removed by a factory reset.

Step 5 – Uploading the Certificate

Once the CSR has been signed by the CA it can then be installed onto the device.

For a wired 802.1x network:

  1. At this stage, two new arguments are required in addition to the arguments from Step 3: ‘identity’ and ‘device certificate file path’.
    • Identity is sent together with the signed certificate when the device presents itself to the RADIUS server. Configure it to match your network environment.
    • Certificate File Path is chosen by you and must point to the device certificate in PEM format.
    • If a certificate chain is used, the file must contain all certificates as consecutive PEM blocks, the device certificate first; each following certificate must directly certify the one preceding it, as the standard chain order requires.
  2. Optional: the third argument is the RADIUS server's CA certificate. It is not required, but if it is omitted the device does not verify which RADIUS server it is talking to and will attempt to authenticate against any RADIUS server; supplying it restricts the device to your own server.
  3. Once you have decided on the arguments listed in points 1 and 2, run them in the command-line client neat-dot1x-cli. In the example command below, “SERVER_CA_CERT_FILE.pem” is the optional argument:
    neat-dot1x-cli HOST_OR_IP USERNAME PASSWORD init IDENTITY DEVICE_CERT_FILE.pem SERVER_CA_CERT_FILE.pem

For a wireless 802.1x network:

  1. At this stage, three new arguments are required in addition to the mandatory arguments from Step 3: ‘Wifi configuration JSON file path’, ‘Device certificate file path’ and ‘CA certificate file path’.
    • The Wifi Configuration JSON file must include the SSID, isHidden, the Wifi security type and, finally, the credentials. Below is an example JSON file for an EAP-TLS 802.1x network:
{
  "ssid": "Neat",
  "isHidden": false,
  "wifiSecurity": "EAP",
  "credentials": {
    "method": "TLS",
    "phase2Method": "NONE",
    "identity": "Neat-wifi",
    "anonymousIdentity": "",
    "password": "",
    "caCertificate": "-----BEGIN CERTIFICATE-----\nMIIEpzCCA4+gAwIBAgIUD+ph25MpPbnru/F9a1qfUkhGow8wDQYJKoZIhvcNAQEL\nBQAweTELMAkGA1UEBhMCTk8xDzANBgNVBAgMBlJhZGl1czENMAsGA1UEBwwET3Ns\nbzENMAsGA1UECgwETmVhdDEpMCcGCSqGSIb3DQEJARYabmljb2xhaS5iZXJ0aGVs\nc2VuQG5lYXQubm8xEDAOBgNVBAMMB05lYXQgQ0EwHhcNMjIwNjI0MDk1ODIzWhcN\nMjMwNjI0MDk1ODIzWjB5MQswCQYDVQQGEwJOTzEPMA0GA1UECAwGUmFkaXVzMQ0w\nCwYDVQQHDARPc2xvMQ0wCwYDVQQKDAROZWF0MSkwJwYJKoZIhvcNAQkBFhpuaWNv\nbGFpLmJlcnRoZWxzZW5AbmVhdC5ubzEQMA4GA1UEAwwHTmVhdCBDQTCCASIwDQYJ\nKoZIhvcNAQEBBQADggEPADCCAQoCggEBAIxo9NCWQvfkSyD3lj0VLAsBLAQ43EIg\nygp2L5Az87xfVmAieZoRxuOeIYVqQkzPQJMptgAwApSjI/51zat8xMuP+7pCKhwS\nj+t0K+uJGp76GZecAq9qjBvMRUwsx5xW7hnsd27BcSkr1tN33L98DmpRNKQCODAQ\nwpF6FI978ZauXMx1QRMWPBaf37JUzB3oqxzjQqZLeVZqf8JKk5XE2FZ9gkzHrFrb\nI20+6a/l/Nxn2qd1HkjXy5iIccDBkORuIl0NNuP4C9pQTSrdyXjw/J/TGdfNGnpl\naVEbQhshUK5RFMsse6AxQrWdkqaudaZx+XgoM6ztFHWxhO2TIlg1mqECAwEAAaOC\nASUwggEhMB0GA1UdDgQWBBRJPOfYzjeoJkSNo6cC+QqmSPAlfDCBtgYDVR0jBIGu\nMIGrgBRJPOfYzjeoJkSNo6cC+QqmSPAlfKF9pHsweTELMAkGA1UEBhMCTk8xDzAN\nBgNVBAgMBlJhZGl1czENMAsGA1UEBwwET3NsbzENMAsGA1UECgwETmVhdDEpMCcG\nCSqGSIb3DQEJARYabmljb2xhaS5iZXJ0aGVsc2VuQG5lYXQubm8xEDAOBgNVBAMM\nB05lYXQgQ0GCFA/qYduTKT2567vxfWtan1JIRqMPMA8GA1UdEwEB/wQFMAMBAf8w\nNgYDVR0fBC8wLTAroCmgJ4YlaHR0cDovL3d3dy5leGFtcGxlLmNvbS9leGFtcGxl\nX2NhLmNybDANBgkqhkiG9w0BAQsFAAOCAQEAezTjIENTb8sDU2dRKRNyQ6H2G3lG\nJr3+akgcEXSnDxJiIGFL8WbBJIyUFN19+U9G0YDaRb2EavmV7Oyos77v2nLkcW00\nDemCjif90PI2GcRHEAtapItc+pOngIUzse1JXcBiypFVKgo+cHHSDNQOEnLhGJZ/\nYhwHHPE+6md+DHjMSTURQvEly9gZO2N4kQOY4a5hEq4RozLqEh9eyalanI7gCl0O\nC/RfUKKmppJS167g2G/PW4ZB1uMGGR63qLqGQnPUhXch2GUMklwQcOo6WlywDs+K\nHeFrB6vNVyp8HeaR5rDv7ryzVQ/QUf+fKVT02LeoLtDS5CSsnOf2+P7onQ==\n-----END CERTIFICATE-----",
    "deviceCertificate": ""
  }
}
    • Device Certificate File Path can either be written directly into the JSON file (the "deviceCertificate" value) or passed as an argument to the python tool (replacing [DEVICE_CERT_PATH] with its file path). It is chosen by you and must be in PEM format.
      • If a certificate chain is used, the file must contain all certificates as consecutive PEM blocks, the device certificate first; each following certificate must directly certify the one preceding it, as the standard chain order requires.
    • CA Certificate File Path can either be written directly into the JSON file (the "caCertificate" value, as in the example above) or passed as an argument to the python tool (replacing [CA_CERT_PATH] with its file path).
  2. Once you have decided on the arguments listed in point 1, run them in the command-line client neat-dot1x-cli, as in the example command below:
    neat-dot1x-cli HOST_OR_IP USERNAME PASSWORD init_wifi WIFI_CONFIG_JSON_PATH [DEVICE_CERT_PATH] [CA_CERT_PATH]
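As an added example (not Neat's neat-dot1x-cli code), the following Python script builds the Wi-Fi configuration JSON shown above from the CA and device-certificate PEM text, checking that each holds only whole PEM certificate blocks (a chain is several blocks in one file, device certificate first) and letting json.dumps write the \n escapes the example file uses. The function names and the placeholder PEM text are assumptions/constructed for this example.

```python
import json
import re
# Added example, not Neat's neat-dot1x-cli code: builds the Step 5 wireless
# Wi-Fi configuration JSON with the CA and device certificates read from PEM
# text, after checking that the text holds only whole PEM certificate blocks.
PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\n(?:[A-Za-z0-9+/=]+\n)+-----END CERTIFICATE-----"
)

def split_pem_chain(pem_text):
    """Return the PEM blocks in file order (device cert first); reject a
    file holding anything else (a private key, stray text) before upload."""
    text = pem_text.replace("\r\n", "\n")
    blocks = PEM_BLOCK.findall(text)
    if not blocks:
        raise ValueError("no PEM certificate block found")
    if PEM_BLOCK.sub("", text).strip():
        raise ValueError("data found outside PEM certificate blocks")
    return blocks

def build_wifi_config(ssid, identity, ca_pem, device_pem, hidden=False):
    """Build the EAP-TLS Wi-Fi configuration dict in the layout shown above."""
    return {
        "ssid": ssid,
        "isHidden": hidden,
        "wifiSecurity": "EAP",
        "credentials": {
            "method": "TLS",
            "phase2Method": "NONE",
            "identity": identity,
            "anonymousIdentity": "",
            "password": "",
            "caCertificate": "\n".join(split_pem_chain(ca_pem)),
            "deviceCertificate": "\n".join(split_pem_chain(device_pem)),
        },
    }

def wifi_config_json(config):
    # json.dumps writes each newline inside the PEM text as a \n escape,
    # which is the form the example file above uses; do not escape by hand.
    return json.dumps(config, indent=2)

# Constructed placeholder PEM text (not real certificates) for a local run.
FAKE_CA_PEM = "-----BEGIN CERTIFICATE-----\nQ0FDRVJU\n-----END CERTIFICATE-----\n"
FAKE_DEVICE_CHAIN_PEM = (
    "-----BEGIN CERTIFICATE-----\nTEVBRg==\n-----END CERTIFICATE-----\n"
    "-----BEGIN CERTIFICATE-----\nSU5URVI=\n-----END CERTIFICATE-----\n"
)
```

Write the result of wifi_config_json() to a file and pass that path as WIFI_CONFIG_JSON_PATH; with the certificates embedded this way the [DEVICE_CERT_PATH] and [CA_CERT_PATH] arguments can be left out.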

Step 6 – (Wired) Moving devices to an 802.1x network

Finally, move the device to the wired 802.1x network. The device will answer the challenges of the 802.1x authenticator and, as soon as its identity has been established, all traffic from that endpoint is allowed: the device is now connected to your network.

Additional Information:

The python tool syntax (HOST_OR_IP, USERNAME and PASSWORD are the device access arguments from Step 3):

Tool version: neat-dot1x-cli -V
Help: neat-dot1x-cli -h
Positional arguments help for CSR parameters: neat-dot1x-cli HOST_OR_IP USERNAME PASSWORD csr -h
Positional arguments help for uploading the certificate (wired): neat-dot1x-cli HOST_OR_IP USERNAME PASSWORD init -h
Positional arguments help for uploading the certificate (wireless): neat-dot1x-cli HOST_OR_IP USERNAME PASSWORD init_wifi -h

If you have any questions or encounter issues with the steps above, please reach out to Neat Support at support@neat.no.