802.1x Authentication

Available to: Students, Faculty & Staff

Service Summary

802.1x is an authentication framework for both wired and wireless network access. It enables Mason’s networks to automatically identify endpoint devices and place them into an appropriate network and security context. 802.1x authentication is required for access to the MASON-SECURE and eduroam wireless networks, where it also enables wireless encryption. 802.1x is the recommended method for connecting to campus wireless networks, as it is the simplest and most secure way to get online.

Everyone who accesses Mason’s networks must adhere to University Policy Number 1301: Responsible Use of Computing.

How to Get this Service

All devices have different configuration interfaces and options, so maintaining a universal step-by-step configuration guide is impractical. Please contact your device vendor for detailed step-by-step instructions.

Regardless of device type, the following parameters need to be set properly to use 802.1x on Mason’s networks. Some devices (Mac, iOS) will work with our network configuration without additional user configuration. If that’s the case, please skip to the Identity and Password section below.

Specify 802.1x as the authentication method
802.1x configuration parameters are generally tied to a physical interface for wired network access or a specific wireless network for wireless access. When configuring your interface or wireless network, look for keywords “802.1x,” “802.1x EAP,” or “WPA2 Enterprise with 802.1x” to access and set the appropriate configuration options.

EAP method: PEAP
You will be asked to specify an “EAP method,” “outer authentication method,” “primary authentication method,” or “phase 1 authentication method.” To operate with Mason’s network authentication system, choose “Protected EAP” or “PEAP.”

Inner authentication method: MSCHAPV2
You will also be asked to specify an “inner authentication method,” “secondary authentication method,” or “phase 2 authentication method.” To operate with Mason’s network authentication system, choose “MSCHAPV2” or “MSCHAP-V2.”

Digital Certificates
Not all devices require this, but to verify Mason’s authentication system, you’ll need to trust its digital certificate. One way to do this is to accept and install the unverified certificate when presented. The certificate is presented by our authentication system, ise.net.gmu.edu, and signed by InCommon. The better way to do this is to trust the root certificate authority from which the certificate derives its trust. The root certificate authority used for all InCommon certificates is the AddTrust External CA Root. You will need to install the certificate and allow its use for 802.1x or EAP authentication. This can be done in any number of ways depending on your device. Please see your device vendor’s documentation for details.

As of April 1st, 2015, the correct certificate can be downloaded from: https://support.comodo.com/index.php?/Default/Knowledgebase/Article/View/853/74/addtrustexternalcaroot

Identity and Password: NetID and Password
The final critical pieces you need to authenticate are your identity or username and your password. Some systems will also offer an anonymous identity. The anonymous identity must either match the identity or username exactly or be left empty. Your identity is your Patriot Pass username with the qualifier @mesa.gmu.edu. For example, the user with Patriot Pass username “gmason” should use “gmason@mesa.gmu.edu” as the identity. The password is your Patriot Pass password.
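
The parameters above, checked against a wpa_supplicant network block. This is an added example, not part of Mason’s documentation; it assumes wpa_supplicant as the client, and the certificate path and password are placeholders. The server-name check goes beyond the parameters listed above and assumes the certificate names ise.net.gmu.edu.

```python
import re

# Realm and server name come from the page; key names are wpa_supplicant's own.
REALM = "@mesa.gmu.edu"
SERVER = "ise.net.gmu.edu"

def parse_network(text):
    """Return the key/value pairs of the first network={...} block."""
    m = re.search(r"network=\{(.*?)\n\}", text, re.S)
    pairs = {}
    for line in (m.group(1) if m else "").splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            pairs[key.strip()] = value.strip().strip('"')
    return pairs

def audit(text):
    """List deviations from the page's 802.1x parameters (empty list = OK)."""
    n = parse_network(text)
    ident = n.get("identity", "")
    checks = [
        (n.get("key_mgmt") == "WPA-EAP", "key_mgmt is not WPA-EAP (802.1x)"),
        (n.get("eap", "").upper() == "PEAP", "EAP method is not PEAP"),
        ("MSCHAPV2" in n.get("phase2", "").upper(), "inner method is not MSCHAPV2"),
        (bool(n.get("ca_cert")), "no ca_cert: server certificate is not verified"),
        (SERVER in (n.get("domain_match"), n.get("domain_suffix_match")),
         "server name is not pinned to " + SERVER),
        (ident.endswith(REALM), "identity lacks the " + REALM + " qualifier"),
        (n.get("anonymous_identity", "") in ("", ident),
         "anonymous_identity differs from identity"),
    ]
    return [message for ok, message in checks if not ok]

# Constructed sample; the ca_cert path and password are placeholders.
GOOD = """network={
    ssid="MASON-SECURE"
    key_mgmt=WPA-EAP
    eap=PEAP
    phase2="auth=MSCHAPV2"
    ca_cert="/path/to/addtrust-external-ca-root.pem"
    domain_match="ise.net.gmu.edu"
    identity="gmason@mesa.gmu.edu"
    anonymous_identity="gmason@mesa.gmu.edu"
    password="PLACEHOLDER"
}"""
# Weak variant: certificate check removed, outer identity changed.
WEAK = (GOOD.replace('    ca_cert="/path/to/addtrust-external-ca-root.pem"\n', "")
            .replace('anonymous_identity="gmason@', 'anonymous_identity="anonymous@'))
```

audit(GOOD) returns an empty list; audit(WEAK) reports the missing CA certificate and the mismatched anonymous identity.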

Some final words
The configuration and credentials are generally stored on your device, though some devices offer the option of requiring the password each time you connect to the network. Be sure to safeguard this information by using a login or unlock mechanism on your device. Patriot Pass passwords expire every 6 months. When you change your password through the Patriot Pass process, you will also need to update your password on all of your devices. Some devices have an easy modify option while others require that you “forget” the configuration and start over. Please see your device vendor’s documentation for details.

There is no charge for this service.

Availability

This service is available 24/7, excluding planned outages, normal maintenance windows, and unavoidable events. Maintenance windows are Sundays from 7 to 11 a.m. but may be extended to 2 p.m., if needed. If maintenance is required outside of these hours, it will be announced on the Planned Outages web page.

Getting Help

Assistance for all IT Services is available through the ITS Support Center:

Phone: 703-993-8870
Fax: 703-993-3347
E-mail: support@gmu.edu
Online: Submit a Request
Hours of Operation: Monday thru Thursday, 8:00 a.m. - 10:00 p.m. and Fridays, 8:00 a.m. - 5:00 p.m.
Walk-in Support
Fairfax Campus*:
Innovation Hall, Room 226
Monday thru Thursday, 8:00 a.m. - 7:00 p.m. and Fridays, 8:00 a.m. - 5:00 p.m.
(*closed Thursdays 3:00 p.m. - 4:00 p.m. for team meetings)

Last modified date: August 1, 2014