How to set up 802.1x using SCEP on Neat devices (Beta)
Last updated August 14, 2023
Important Note: This newly introduced functionality is currently in the Beta / Preview phase and is not yet intended to be implemented in production environments. This feature should be limited to testing and evaluation purposes only.
Important Note: Please confirm you are running the latest Neat Firmware found under Releases to use this feature.
Introduction – What is 802.1x?
802.1x (IEEE 802.1X) is a standard for port-based network access control. A device that connects to a switch port or wireless network (the supplicant) must first authenticate to the network's authenticator, which relays the exchange to the organisation's authentication server (typically RADIUS) before the port is opened for normal traffic. This protects the network from unmanaged devices that find their way into the workplace.
What is SCEP?
SCEP stands for Simple Certificate Enrollment Protocol, a certificate management protocol that allows certificates to be issued automatically and at scale. Unlike the manual 802.1x process outlined in How to configure 802.1x on Neat devices, SCEP removes the need to handle the CSR (certificate signing request) explicitly: the Neat device generates the CSR itself and sends it to the SCEP server for signing.
SCEP allows devices to enrol for a certificate by using a URL and a shared secret (the challenge password) to communicate with the PKI.
Requirements and Limitations:
Required Components for Configuration:
- Neat devices must be on a local area network (LAN) (wired or wireless) and reachable by IP address for configuration, before moving devices to a wired 802.1x network environment.
- 802.1x capable switch and network
- Certificate Components for EAP-TLS
- SCEP Setup
- NDES SCEP or other PKI-supporting SCEP
- Python 3 environment for customer-side script
- Familiarity with Python and PIP is preferable
- Install PIP – If you have Python version 3.4 or later, PIP is included by default
- For the latest version of neat-dot1x-cli, see the Releases page or run neat-dot1x-cli -V in your command terminal.
Current Limitations (at time of writing):
- EAP-TLS support only
Please note: the following steps assume that you have already configured 802.1x on your network, including having a certificate authority.
Important Note: The following process must be performed for each Neat device separately (e.g. the SCEP CSR must be initiated separately for a Neat Bar and a Neat Pad even if they are paired).
Step 1 – Setting up the devices
The device's Web API can be accessed during the initial Out-of-Box (OOB) set-up (on first installation or after a factory reset) or, if the devices are already set up and running Zoom/Teams, by enabling Remote Access instead.
- Connect the devices to a LAN via ethernet or wifi that is NOT an 802.1x network. Please note that captive portals are not supported.
- For an OOB configuration, confirm that the device has received an IP address by pressing the reset button on the back of the device. Please note: the device does not have to reach the internet; it only has to be reachable from a laptop/computer on the same network. During OOB the Web API is only available up to the point where the platform to run (Teams/Zoom) is chosen.
- For devices already running a Zoom/Teams room configuration, open Neat's System settings, navigate to System -> Remote access and enable it. Set a password here; it is required in Step 5. For more information on how to enable Remote access see the Remote access article.
Step 2 – Verifying Neat device connectivity
- From a laptop or computer on the same LAN, confirm that the Neat device is reachable:
- Ping the IP address of the unit or
- Ping via hostname (“Serial Number.local”) or FQDN
Tip: If the device is in OOB press and release the reset button on the back of the Neat device to see both the Serial number and the IP address.
If the Neat device is already running Zoom/Teams, go to System Settings > System > Network > Information > IP address.
Step 3 – Pip installation of the Web-API client
- Run the following command on your terminal to PIP install the 802.1x client package:
pip install neat_dot1x_client --upgrade --extra-index-url https://gitlab.com/api/v4/projects/41183007/packages/pypi/simple
- Optional step: verify that the version matches the latest as stated above by running:
neat-dot1x-cli -V
- Once the PIP package is installed, the command-line client, named neat-dot1x-cli, should be available for use.
Please scroll to the bottom of the page for neat-dot1x-cli command documentation.
Step 4 – Configuring the SCEP JSON file
SCEP uses a URL and a shared secret with the certificate authority to communicate with a PKI.
In SCEP, the CSR is authenticated using a shared secret between the client and the CA. In order to generate the CSR for each Neat Device you will need to compose a JSON file with specific parameters.
Compulsory Parameters:
serverUrl
- The only required field: the URL of the SCEP server.
Optional Parameters :
challengePassword
- The temporary/one-time password (provided by the CA administrator) that is sent with the CSR when requesting a certificate for each Neat device. It is a shared secret, so treat the JSON file that contains it as sensitive.
caFingerprint
- The fingerprint of the CA certificate, used to confirm the authenticity of the CA response during enrollment. Supplying it is recommended: without it the device has no way to confirm that the CA it is enrolling with is the expected one.
profile
- If the SCEP server supports multiple CAs, the CA administrator must provide a string that identifies the issuer to use.
csrTemplate
- The CSR template lets you specify subject fields in line with your organisation's naming model.
connectionType
- Takes one of two values: "WIFI" or "ETHERNET".
- If "WIFI" is used, ssid must be passed as well, and optionally a hidden-SSID boolean if needed (the key is referred to as hiddenSsid in this description and as isHidden in the example below; neat-dot1x-cli X Y Z init_scep -h shows the accepted arguments):
{
    "connectionType": "WIFI",
    "ssid": "Neat8021x",
    "isHidden": true
}
- Please note: if you do not specify connectionType, the certificates on the device are updated but no new connection is initialised.
Outlined below is an example JSON file for the neat-dot1x client to generate a CSR from each Neat device:
{
    "serverUrl": "https://neat/scep",
    "challengePassword": "NeatIsTheBest",
    "caFingerprint": "2b232csfsfkdb8",
    "profile": "Oslo Radius CA",
    "csrTemplate": {
        "organizationName": "Neatframe Ltd",
        "organizationalUnit": "neat.no",
        "country": "NO",
        "locality": "Oslo",
        "commonName": "BarPro.Oslo.neat.no"
    },
    "connectionType": "WIFI",
    "ssid": "Neat802.1x"
}
Important: Neat currently does not support Subject Alternative Name (SAN) in the JSON file, so the CSR that is created will have no SAN field, only the Common Name.
Once you have decided on the arguments listed above, save the JSON file; it is passed to the command-line client, neat-dot1x-cli, in Step 5.
Step 5 – Initiating SCEP CSR using web API
In order to generate the SCEP CSR, the following parameters are required to access the device’s Web-API:
- IP address or Hostname
- Username
- a) Device in OOB => Username: oob
- b) Device running Teams/Zoom => Username: admin (Refer to Step 1)
- Password
- a) Device in OOB => Password: Serial Number
- b) Device running Teams/Zoom => Password: Refer to Step 1
Once you have all the arguments stated above, run the following command, substituting the values unique to the device and network:
neat-dot1x-cli Host_or_IP Username Password init_scep path/to/scep_config.json
Both the device password on this command line and the challengePassword in the JSON file are secrets: the command line ends up in your shell history and is visible in the process list while it runs, so run it from a trusted workstation and restrict access to the JSON file.
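The following script is an added example for Steps 4 and 5; it is not code from Neat or from the neat-dot1x-cli package. It builds the SCEP JSON file with the key names from Step 4, sanity-checks it (the checks are this script's own assumptions about a usable config, not rules enforced by neat-dot1x-cli), picks the Step 5 credentials (oob/serial number for OOB devices, admin/Remote access password otherwise) and runs init_scep once per device, since every device needs its own CSR. The server URL, CA profile, serial numbers and passwords are constructed sample values.

```python
"""Added example (not Neat's or neat-dot1x-cli's code): build, check and
apply one SCEP JSON config per Neat device. Key names follow the page; the
validation rules are this script's assumptions, not the CLI's."""
import json
import subprocess
from pathlib import Path
from urllib.parse import urlparse

REQUIRED_KEYS = {"serverUrl"}
# "isHidden" is the key used in the page's JSON snippet (its prose says hiddenSsid)
OPTIONAL_KEYS = {"challengePassword", "caFingerprint", "profile",
                 "csrTemplate", "connectionType", "ssid", "isHidden"}
CONNECTION_TYPES = {"WIFI", "ETHERNET"}


def build_scep_config(server_url, challenge_password=None, ca_fingerprint=None,
                      profile=None, csr_template=None, connection_type=None,
                      ssid=None, hidden_ssid=None):
    """Return the config dict for one device; unset optional keys are omitted."""
    optional = {"challengePassword": challenge_password,
                "caFingerprint": ca_fingerprint, "profile": profile,
                "csrTemplate": csr_template, "connectionType": connection_type,
                "ssid": ssid, "isHidden": hidden_ssid}
    cfg = {"serverUrl": server_url}
    cfg.update({k: v for k, v in optional.items() if v is not None})
    return cfg


def validate_scep_config(cfg):
    """Return (errors, warnings). Any error means init_scep should not be run."""
    errors, warnings = [], []
    missing = REQUIRED_KEYS - cfg.keys()
    if missing:
        errors.append(f"missing required key(s): {sorted(missing)}")
    url = urlparse(cfg.get("serverUrl", ""))
    if url.scheme not in ("http", "https") or not url.netloc:
        errors.append(f"serverUrl is not an http(s) URL: {cfg.get('serverUrl')!r}")
    unknown = cfg.keys() - REQUIRED_KEYS - OPTIONAL_KEYS
    if unknown:
        errors.append(f"unknown key(s), probably a typo: {sorted(unknown)}")
    ctype = cfg.get("connectionType")
    if ctype is None:
        warnings.append("no connectionType: certificates are updated but no "
                        "new connection is initialised")
    elif ctype not in CONNECTION_TYPES:
        errors.append(f"connectionType must be WIFI or ETHERNET, got {ctype!r}")
    elif ctype == "WIFI" and not cfg.get("ssid"):
        errors.append("connectionType WIFI requires ssid")
    template = cfg.get("csrTemplate") or {}
    if any(k.lower().startswith("subjectalt") for k in template):
        errors.append("csrTemplate: Subject Alternative Name is not supported")
    if "commonName" not in template:
        warnings.append("csrTemplate has no commonName, the only identity field "
                        "the CSR will carry (no SAN)")
    if "caFingerprint" not in cfg:
        warnings.append("no caFingerprint: the CA response cannot be verified")
    return errors, warnings


def device_credentials(serial, remote_access_password=None):
    """Step 5 logins: oob/<serial> in OOB, admin/<Remote access password> otherwise."""
    if remote_access_password is None:
        return "oob", serial
    return "admin", remote_access_password


def init_scep_command(host, username, password, config_path):
    """argv for: neat-dot1x-cli Host_or_IP Username Password init_scep <json>"""
    return ["neat-dot1x-cli", host, username, password, "init_scep",
            str(config_path)]


def enrol(devices, out_dir, common):
    """Write one JSON per device and run init_scep for each (a paired Bar and
    Pad are two devices). Returns {host: returncode or None if skipped}."""
    results = {}
    for dev in devices:
        cfg = build_scep_config(
            common["serverUrl"], challenge_password=dev["challengePassword"],
            ca_fingerprint=common.get("caFingerprint"), profile=common.get("profile"),
            csr_template={**common["csrTemplate"], "commonName": dev["commonName"]},
            connection_type=common.get("connectionType"), ssid=common.get("ssid"))
        errors, warnings = validate_scep_config(cfg)
        for msg in warnings:
            print(f"[{dev['host']}] warning: {msg}")
        if errors:
            print(f"[{dev['host']}] skipped: {'; '.join(errors)}")
            results[dev["host"]] = None
            continue
        path = Path(out_dir) / f"scep_{dev['serial']}.json"
        path.write_text(json.dumps(cfg, indent=2))
        path.chmod(0o600)  # the file holds the challenge password
        user, pwd = device_credentials(dev["serial"], dev.get("remoteAccessPassword"))
        # argv list, no shell; the password is still visible in the process list
        proc = subprocess.run(init_scep_command(dev["host"], user, pwd, path))
        results[dev["host"]] = proc.returncode
    return results


if __name__ == "__main__":
    # Constructed sample values; replace with your SCEP server, CA and devices.
    COMMON = {"serverUrl": "https://neat/scep", "profile": "Oslo Radius CA",
              "csrTemplate": {"organizationName": "Neatframe Ltd", "country": "NO"},
              "connectionType": "ETHERNET"}
    DEVICES = [  # challenge passwords are one-time per the page, so one per device
        {"host": "NA123456.local", "serial": "NA123456", "challengePassword": "A1B2",
         "commonName": "BarPro.Oslo.neat.no"},                      # device in OOB
        {"host": "10.0.0.23", "serial": "NA123457", "challengePassword": "C3D4",
         "commonName": "Pad.Oslo.neat.no", "remoteAccessPassword": "change-me"},
    ]
    print(enrol(DEVICES, ".", COMMON))
```

The script refuses to run init_scep when the config is unusable (no serverUrl, WIFI without ssid, a SAN entry the CSR cannot carry) and only warns about things that are legal but probably unintended, such as leaving out connectionType or caFingerprint.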
Step 6 – (Wired) Moving devices to an 802.1x network
Finally, move the device to a wired 802.1x network. The switch (authenticator) will challenge the device, which answers with EAP-TLS using the certificate it obtained through SCEP. Once the authentication server has validated that certificate, the port is authorised, traffic from the device is allowed and your device is connected to your network!
Additional Information:
neat-dot1x-cli command documentation (X Y Z stand for Host_or_IP, Username and Password as in Step 5):
Tool version: neat-dot1x-cli -V
Help: neat-dot1x-cli -h
Positional arguments help for CSR parameters: neat-dot1x-cli X Y Z csr -h
Positional arguments help for SCEP CSR: neat-dot1x-cli X Y Z init_scep -h
Positional arguments help for uploading a certificate (wired): neat-dot1x-cli X Y Z init -h
Positional arguments help for uploading a certificate (wireless): neat-dot1x-cli X Y Z init_wifi -h