SCEP and 802.1X Configuration on SnapOS

Overview

This knowledge base article describes the process for configuring SCEP (Simple Certificate Enrollment Protocol) and IEEE 802.1X authentication on a zTC device. The procedure outlines certificate enrollment over an unsecured network and subsequent migration to a secured, certificate-based network using EAP-TLS.

Environment Details

SnapOS Firmware Version: 1.3.357
Hardware: zTC (N100 TC)
Switch Model: Netgear GS324TPv2

Prerequisites

Access to an external DHCP server on the unsecured network
A functional SCEP server capable of issuing device certificates
A network supporting 802.1X with EAP-TLS authentication
Required CA and client certificates issued via SCEP

Initial Network Connectivity (Unsecured Network)

Connect the zTC to the Unsecured (Red) network.
Verify that the device receives an IP address in the 10.50.x.x range from the external DHCP server
(example: 10.50.1.0).

At this stage, the device uses the unsecured network only to complete certificate enrollment.

Certificate Enrollment Using SCEP

Access the SCEP enrollment interface on the zTC.
Obtain the Challenge Code from the SCEP server while connected to the unsecured network.

Enter the challenge code and provide the required certificate information.

Submit the request and confirm that the enrollment completes successfully.

Upon successful enrollment, the issued certificates are stored on the zTC at:

/etc/scep

Enabling 802.1X Authentication

Navigate to the Network configuration page on the zTC.
Enable 802.1X authentication.
Add the required certificates obtained via SCEP:
- Client certificate
- Private key
- CA certificate
Apply the configuration changes.

Applying Network Changes

To ensure the 802.1X configuration is fully applied, perform one of the following actions:

Reboot the zTC device, or
Disable and re-enable eth0 from the Network configuration page.

Migration to Secured Network

After successful authentication:

The eth0 interface transitions from the Unsecured Red Network (10.50.1.0) to the Secured White Network
Example secured IP address: 172.31.2.92
Network security status will indicate 802.1X, EAP-TLS

At this point, the zTC is fully authenticated and operating on the secured network.

Result

The zTC successfully enrolls certificates using SCEP over an unsecured network and transitions to a secured, 802.1X-enabled network using EAP-TLS authentication.

End of Procedure

zWAN as a Solution

zTC as a Solution

Secure Endpoint Solutions

Zero Trust Network

Network Infrastructure

Network Storage

SCEP and 802.1X Configuration on SnapOS

SnapOS

SnapOS

Getting Started

Session Connections

Peripheral & Application Management

Security & Certificates

System Administration & Updates

Diagnostics & Recovery

Support & Resources

zMAN

Overview & Architecture

Installation & Setup

Onboarding

Analytics & Monitoring

Device Management & Dashboard

Firmware & Repository Management

Profiles & Settings Management

Support & Resources

zDM Integration & Provisioning

Solutions

Voice-Over-IP/Video Conferencing

Validation and Test Cases

Proof of Concept Test Cases

zTC

Diagnostics & Recovery

Getting Started

Peripheral & Application Management

Security & Certificates

Session Connections

Support & Resources

System Administration & Updates

zWAN

Deployment

Getting Started

Introduction

Configuration

Installation Guides

POC Evaluation

Director

Device Management

Edge Controllers

Analytics

System

Backup and Restore

Network

Analytics

Reporting

Alerting

User Management

Edge Controllers

z25

Troubleshooting

z40

Device Management

z50

Troubleshooting

Frequently Asked Questions

zAccess

Endpoint Sessions

Event Logs

Gateway Devices

Network Configuration

Policy Configuration

StorTrends

Best Practice Guides

Configuration Guides

SCEP and 802.1X Configuration on SnapOS

Overview

Environment Details

Prerequisites

Initial Network Connectivity (Unsecured Network)

Certificate Enrollment Using SCEP

Enabling 802.1X Authentication