Introduction
This article describes how to configure 802.1x port-based network access control (PNAC) on edge nodes managed by Edge Infrastructure Services (previously ZEDEDA Cloud). You will create a certificate enrollment profile to define how Edge Virtualization Engine (EVE-OS) obtains and renews device certificates via SCEP, attach that profile to a project, and mark the appropriate network adapters as 802.1x-eligible. Complete these steps before deploying edge nodes into enterprise network environments that require certificate-based port authentication.
Prerequisites
- You have read the 802.1x Port-based Network Access Control Overview.
- You have either the SysManager or SysAdmin role in your Edge Infrastructure Services (previously ZEDEDA Cloud) enterprise.
- A SCEP-compatible Certificate Authority (CA) accessible either from the edge node directly or from Edge Infrastructure Services, with a known SCEP server URL and challenge password.
- CA certificate bundle in PEM format (root CA and any required intermediate CAs for verification), used for 802.1X authentication and SCEP enrollment, ready for upload.
- A project where you will add the 802.1x policy. If you have not yet created a project, create one before continuing.
- Edge nodes running EVE-OS 14.5.0-LTS or greater.
Prepare Your Network Equipment
Before configuring Edge Infrastructure Services, your network switch and SCEP server must be ready to support EVE-OS enrollment and authentication.
Configure the network switch
The switch connected to your edge node ports must be a managed switch with IEEE 802.1x support. Configure the following on each port that will connect to an EVE-OS edge node:
Enable 802.1x port authentication. Enable IEEE 802.1x on the switch port and configure a RADIUS server as the authentication backend. The RADIUS server must be set up to validate EAP-TLS client certificates.
Configure two VLANs. The switch requires two separate VLANs to support the bootstrapping flow:
- Bootstrap VLAN (also called a guest or auth-fail VLAN): Provides limited network access. The device must be able to reach Edge Infrastructure Services and the SCEP server (or the controller's SCEP proxy) from this VLAN. The switch assigns this VLAN to the port by default when the device is not yet authenticated.
- Authenticated VLAN: Provides full network access. The switch moves the port to this VLAN after a successful 802.1x authentication.
Configure vendor class identifier recognition. Configure the switch or DHCP server to recognize the LFEDGE-EVE vendor class identifier (DHCP Option 60) and allow the device to reach Edge Infrastructure Services from the bootstrap VLAN. This ensures EVE-OS can fetch its configuration and enroll a certificate before attempting 802.1x authentication. If vendor class identifier-based policy is not available on your switch, you can achieve the same result by allowing all traffic to the Edge Infrastructure Services IP address from the bootstrap VLAN.
Configure the SCEP server
The SCEP server must be reachable from EVE-OS, either directly from the bootstrap VLAN or through the controller-provided SCEP proxy. Configure the following:
- A CA certificate and private key for signing enrolled device certificates.
- A challenge password (shared secret) that devices use to authenticate their enrollment requests.
- The CA certificate used by the SCEP server must also be configured in the RADIUS server's EAP-TLS settings as a trusted CA for client certificate validation. This ensures the RADIUS server can verify the certificate presented by EVE-OS during 802.1x authentication.
Create a Certificate Enrollment Profile
A certificate enrollment profile defines the connection to your SCEP server and the certificate attributes EVE-OS will use when requesting device certificates. You create this profile once and then attach it to one or more projects.
- Log into Edge Infrastructure Services.
- From the top navigation bar, click Your Profile > Enterprise > Settings.
- Scroll to the Certificate Enrollment Profiles section.
- Click Add Enrollment Profile.
- In the Profile Name field, enter a descriptive name for the profile. The name should be unique across all enterprise SCEP profiles. This name appears in project policy settings, so choose a name that identifies the environment or CA it connects to.
- In the CA Certificate field, click Upload and select your CA certificate files.
- Upload the root CA and all intermediate CAs required to verify the signatures of the SCEP server and of the port authenticator (switch / RADIUS server).
- The device uses this bundle to authenticate both the SCEP server and the 802.1x authenticator.
- In the SCEP Server field, enter the full URL of your SCEP server endpoint (for example, https://scep.example.com/scep on the default port 80, or https://scep.example.com:8080/scep on a non-default port).
- In the Challenge Password field, enter the pre-shared challenge password configured on your SCEP server. This password authenticates the certificate enrollment request.
- Enable the Use Controller Proxy toggle if your SCEP server is not directly reachable from the bootstrap VLAN or the device. When enabled, Edge Infrastructure Services proxies SCEP requests from the device to the SCEP server.
- See ZEDEDA platform system variables for more information about custom configuration of the sections that follow.
Configure the distinguished name details
The Distinguished Name (DN) identifies the edge node in the certificate. Edge Infrastructure Services supports dynamic variable substitution so that each device receives a unique certificate.
- In the Name field under Distinguished Name (DN) Details, enter a value or a variable. To use the edge node's system-generated ID, enter $zri.system.edge-node.id. To use the edge node's name as configured in Edge Infrastructure Services, enter $zri.system.edge-node.name. To use the hardware serial number, enter $zri.system.edge-node.serial.
- Optionally, complete the Organization, Organizational Unit, Country, State, and Locality fields to match your organization's certificate policy requirements.
Configure the subject alternative name details
The Subject Alternative Name (SAN) allows the certificate to carry additional identifiers beyond the DN, such as a URI or email address that your PNAC backend uses for device identification.
- In the URI field under Subject Alternative Name (SAN) Details, enter a URI value or variable. A common pattern is URN:Serial:$zri.system.edge-node.serial. You may use the same $zri variables available for the DN.
- Optionally, add an Email Address if your CA policy requires one.
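The DN and SAN templates above are what the RADIUS policy later has to match, so it helps to see exactly what they render to for a given node. The following is an added example, not ZEDEDA or EVE-OS code: it substitutes the $zri.system.edge-node.* variables named in this article into the profile's DN and SAN URI fields and builds the RFC 4514 subject string. The node values and the profile dictionary keys are constructed sample data.

```python
import re

# Sample edge-node values (constructed for this example, not from a real node).
SAMPLE_NODE = {"id": "edge-node-0001", "name": "plant-a-gateway", "serial": "SN-7F3A21"}

# The three variables the article documents for the DN Name and SAN URI fields.
VAR_RE = re.compile(r"\$zri\.system\.edge-node\.(id|name|serial)")

# RFC 4514: these characters must be backslash-escaped inside an attribute value.
_DN_SPECIAL = ',+"\\<>;'


def render_template(template, node):
    """Substitute $zri variables; fail on any $zri reference this example does not know."""
    out = VAR_RE.sub(lambda m: node[m.group(1)], template)
    if "$zri." in out:
        raise ValueError(f"unsupported variable in template: {template!r}")
    return out


def escape_rdn_value(value):
    """Escape one attribute value per RFC 4514 (specials, leading '#'/space, trailing space)."""
    escaped = "".join("\\" + c if c in _DN_SPECIAL else c for c in value)
    if escaped[:1] in ("#", " "):
        escaped = "\\" + escaped
    if escaped.endswith(" "):
        escaped = escaped[:-1] + "\\ "
    return escaped


def render_subject(profile, node):
    """Build the subject string the enrollment request would carry (CN first, C last)."""
    cn = render_template(profile["name"], node)
    if not cn:
        raise ValueError("DN Name renders to an empty CN")
    rdns = [("CN", cn)]
    # Optional DN fields from the profile; static values pass through unchanged.
    for attr, key in (("OU", "organizational_unit"), ("O", "organization"),
                      ("L", "locality"), ("ST", "state"), ("C", "country")):
        if profile.get(key):
            rdns.append((attr, render_template(profile[key], node)))
    return ",".join(f"{attr}={escape_rdn_value(val)}" for attr, val in rdns)


def render_san_uri(profile, node):
    """Render the SAN URI field, e.g. the URN:Serial:... pattern from the article."""
    return render_template(profile["san_uri"], node)
```

Compare the rendered subject and URI against the identity rule configured on the RADIUS server before enabling the policy on a project.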
Configure the key algorithm and renewal settings
- Under Key Algorithm, RSA Keys is the default.
- Select the RSA Keys size from the RSA Keys dropdown.
- Select the Hash Algorithm for Signing from the dropdown.
- Under Certificate Renewal Settings, set the renewal percentage. Edge Infrastructure Services will attempt to renew the certificate after this percentage of its validity period has elapsed. For example, entering 50 triggers renewal when 50% of the certificate's lifetime has passed. Coordinate this value with your CA administrator based on certificate validity length and expected device offline periods.
- Click Add to create the profile. The profile card appears in the Certificate Enrollment Profiles section on the Administration page, showing the profile name, SCEP server URL, distinguished name, country, state, and current status.
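Before saving the profile it is worth confirming that the SCEP server at the URL entered above actually advertises the hash algorithm chosen for signing, because a mismatch surfaces later only as Enrollment Failed. The following is an added pre-flight example, not part of the product: it builds the SCEP GetCACaps request URL (RFC 8894) from the profile's server URL and checks a GetCACaps response against the profile's hash algorithm. The response text is constructed sample data, and the hash algorithm spelling (SHA-256) is assumed to match the dropdown.

```python
from urllib.parse import urlsplit, urlunsplit, urlencode

# Capability keywords defined in RFC 8894 section 3.5.2.
KNOWN_CAPS = {"AES", "DES3", "GetNextCACert", "POSTPKIOperation", "Renewal",
              "SHA-1", "SHA-256", "SHA-512", "SCEPStandard"}

# Constructed sample GetCACaps body (one keyword per line), not from a real CA.
SAMPLE_CAPS_RESPONSE = "SCEPStandard\nRenewal\nSHA-1\n"


def scep_operation_url(server_url, operation, message=None):
    """Build the GET URL for a SCEP operation, preserving a non-default port."""
    parts = urlsplit(server_url)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        raise ValueError(f"not a valid SCEP server URL: {server_url!r}")
    query = {"operation": operation}
    if message is not None:
        query["message"] = message
    return urlunsplit((parts.scheme, parts.netloc, parts.path, urlencode(query), ""))


def parse_ca_caps(body):
    """Parse a GetCACaps response; SCEPStandard implies AES, POSTPKIOperation and SHA-256."""
    caps = {line.strip() for line in body.splitlines()} & KNOWN_CAPS
    if "SCEPStandard" in caps:
        caps |= {"AES", "POSTPKIOperation", "SHA-256"}
    return caps


def check_profile_against_caps(caps, hash_algorithm):
    """Return a list of problems an enrollment profile with this hash would hit."""
    problems = []
    if hash_algorithm not in caps:
        problems.append(f"CA does not advertise {hash_algorithm}; change Hash Algorithm "
                        f"for Signing to one of {sorted(c for c in caps if c.startswith('SHA'))}")
    if "Renewal" not in caps:
        problems.append("CA does not advertise Renewal; the renewal percentage setting "
                        "will produce requests the CA may treat as new enrollments")
    if "POSTPKIOperation" not in caps:
        problems.append("CA accepts PKIOperation only via GET; check URL length limits "
                        "on any proxy in the path")
    return problems


def preflight(server_url, caps_body, hash_algorithm):
    """Combine the checks; returns (GetCACaps URL, parsed caps, problems)."""
    url = scep_operation_url(server_url, "GetCACaps")
    caps = parse_ca_caps(caps_body)
    return url, caps, check_profile_against_caps(caps, hash_algorithm)
```

Fetch the GetCACaps URL from the same vantage point the device will use: the bootstrap VLAN, or Edge Infrastructure Services when Use Controller Proxy is enabled.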
Enable 802.1x in the Project Edge Node Policy
With the certificate enrollment profile created, you attach it to a project by enabling the 802.1x policy in the project's Edge Node Policy. This activates certificate enrollment for all edge nodes in the project.
- Log into Edge Infrastructure Services.
- In the left panel, click Administration > Projects.
- Create a new project or select the project you want to configure.
- In the project wizard or project edit view, click the Policies tab.
- Click the Edge Node Policy row to expand it. The expanded section shows two groups of settings: general node toggles (Enforce Edge Node Attestation, Configuration Lock) and a section labeled 802.1x (Port-Based Network Access Control).
- Toggle Enable 802.1x to enable it. When enabled, two additional fields appear:
- EAP Identity: An optional field for a custom EAP identity string. If left blank, EVE-OS derives the identity from the certificate (CN or SAN URI). You can enter a static value or leave it empty to use certificate-derived identity.
- Certificate Enrollment Profile: A required dropdown listing all active profiles from the Administration page.
- In the Certificate Enrollment Profile dropdown, select the profile you previously created.
- Click Next and Add to save the project policies. Edge Infrastructure Services will now manage certificate enrollment for edge nodes in this project.
Onboard an Edge Node to the Project
If you are adding a new edge node to the project, follow the standard onboarding flow. During onboarding, you can mark network adapters as 802.1x-eligible.
- Log into Edge Infrastructure Services.
- See Onboard Edge Nodes.
- Proceed to the Network Adapters section. The table lists the physical network adapters detected for the selected hardware model.
- For each adapter that connects to an 802.1x-protected switch port, enable the Enable 802.1x toggle in the adapter row. When enabled, a note appears confirming that port authentication requires 802.1x to be enabled at the project level, which you already did in the previous section.
- Set the Interface Usage for each adapter as appropriate (for example, Management).
- Complete any remaining adapter configuration fields.
- Click Save & Add to complete onboarding. Edge Infrastructure Services generates the installer image and initiates certificate enrollment for the edge node.
Enable 802.1x on a Network Adapter for an Existing Edge Node
If the edge node is already onboarded, you can enable 802.1x on its network adapters through the edge node's Adapters tab.
- Log into Edge Infrastructure Services.
- In the left panel, click Edge Nodes.
- Click the name of the edge node you want to configure to open its detail view.
- Click the Adapters tab. The Network Adapters table lists each physical adapter with its current interface usage, network assignment, and configuration details.
- Locate the adapter that connects to the 802.1x-protected switch port. In the expanded adapter row, locate the Enable 802.1x toggle.
- Toggle Enable 802.1x to enable it for the adapter. Port authentication requires 802.1x to be enabled at the project level.
- Repeat for any additional adapters that connect to 802.1x-protected ports. All 802.1x-eligible adapters on a device share the same certificate.
- Click Save.
Verify the Configuration
After completing the previous steps, confirm the following:
Certificate enrollment status. On the Edge Nodes list page, the Certificate Status column shows the enrollment state for each node. You can also find the status on the Edge Node > Your_Edge_Node > Status tab in the Enrolled Certificates section. Expected values include:
- Enrollment Failed: The enrollment request was submitted but the SCEP server returned a failure. Verify that the SCEP server URL, challenge password, and CA certificate in the enrollment profile are correct, and that the SCEP server is reachable from Edge Infrastructure Services.
- Expired: The certificate's validity period has ended. Check whether automatic renewal is configured and review any errors in the certificate details for guidance on next steps.
- Invalid Configuration: The certificate configuration is malformed or missing required fields, preventing enrollment or renewal from starting. Review the enrollment profile settings and correct any invalid values before retrying.
- Pending: The SCEP server returned a pending status, meaning the certificate request requires manual approval by a CA administrator. Approve the request in your CA management console and the device will poll for the issued certificate.
- Renewal Failed: The most recent renewal attempt failed, but the existing certificate may still be valid and usable. Review any errors in the certificate details and verify that the SCEP server is reachable and configured correctly.
- Renewal Pending: A renewal request has been submitted for the current certificate and is awaiting completion. The existing certificate remains in use until the renewed certificate is issued.
- Valid: The device has successfully obtained a certificate from the SCEP server and is authenticated to the network.
Troubleshooting tips:
- If the Certificate Status column shows Enrollment Failed, open the enrollment profile in Administration and verify the SCEP server URL is reachable and the challenge password is correct.
- If the Certificate Status column shows Valid, check the adapter details:
- Navigate to Edge Nodes in the left panel.
- Click the edge node of interest.
- Click the Adapters tab.
- Expand the adapter port, such as eth0.
- In the expanded adapter row, locate the More Details icon next to the Enable 802.1x toggle.
- If the Enable 802.1x toggle is greyed out on an adapter, confirm that Enable 802.1x is turned on in the Edge Node Policy of the project the edge node belongs to.
- If the device appears stuck in a quarantine VLAN after certificate installation, confirm that your PNAC backend (RADIUS server) is receiving the re-authentication request and that the certificate's DN or SAN matches the policy configured on the PNAC backend.
Next Steps
This is a series of articles. You will likely follow them in this order: