Dieser Inhalt ist in der von Ihnen ausgewählten Sprache nicht verfügbar.
Chapter 33. Authenticating a RHEL client to the network by using the 802.1X standard with a certificate stored on the file system
Administrators frequently use port-based Network Access Control (NAC) based on the IEEE 802.1X standard to protect a network from unauthorized LAN and Wi-Fi clients. To enable a client to connect to such networks, you must configure 802.1X authentication on this clients.
33.1. Configuring 802.1X network authentication on an existing Ethernet connection by using nmcli
You can use the nmcli utility to configure an Ethernet connection with 802.1X network authentication on the command line.
Prerequisites
- The network supports 802.1X network authentication.
- The Ethernet connection profile exists in NetworkManager and has a valid IP configuration.
The following files required for TLS authentication exist on the client:
-
The client key stored is in the
/etc/pki/tls/private/client.keyfile, and the file is owned and only readable by therootuser. -
The client certificate is stored in the
/etc/pki/tls/certs/client.crtfile. -
The Certificate Authority (CA) certificate is stored in the
/etc/pki/tls/certs/ca.crtfile.
-
The client key stored is in the
-
The
wpa_supplicantpackage is installed.
Procedure
Set the Extensible Authentication Protocol (EAP) to
tlsand the paths to the client certificate and key file:# nmcli connection modify enp1s0 802-1x.eap tls 802-1x.client-cert /etc/pki/tls/certs/client.crt 802-1x.private-key /etc/pki/tls/certs/certs/client.keyNote that you must set the
802-1x.eap,802-1x.client-cert, and802-1x.private-keyparameters in a single command.Set the path to the CA certificate:
# nmcli connection modify enp1s0 802-1x.ca-cert /etc/pki/tls/certs/ca.crtSet the identity of the user used in the certificate:
# nmcli connection modify enp1s0 802-1x.identity user@example.comOptional: Store the password in the configuration:
# nmcli connection modify enp1s0 802-1x.private-key-password passwordImportantBy default, NetworkManager stores the password in clear text in the connection profile on the disk, but the file is readable only by the
rootuser. However, clear text passwords in a configuration file can be a security risk.To increase the security, set the
802-1x.password-flagsparameter to0x1. With this setting, on servers with the GNOME desktop environment or thenm-appletrunning, NetworkManager retrieves the password from these services. In other cases, NetworkManager prompts for the password.Activate the connection profile:
# nmcli connection up enp1s0
Verification
- Access resources on the network that require network authentication.
Additional resources
33.2. Configuring a static Ethernet connection with 802.1X network authentication by using nmstatectl
Use the nmstatectl utility to configure an Ethernet connection with 802.1X network authentication through the Nmstate API. The Nmstate API ensures that, after setting the configuration, the result matches the configuration file. If anything fails, nmstatectl automatically rolls back the changes to avoid leaving the system in an incorrect state.
The nmstate library only supports the TLS Extensible Authentication Protocol (EAP) method.
Prerequisites
- The network supports 802.1X network authentication.
- The managed node uses NetworkManager.
The following files required for TLS authentication exist on the client:
-
The client key stored is in the
/etc/pki/tls/private/client.keyfile, and the file is owned and only readable by therootuser. -
The client certificate is stored in the
/etc/pki/tls/certs/client.crtfile. -
The Certificate Authority (CA) certificate is stored in the
/etc/pki/tls/certs/ca.crtfile.
-
The client key stored is in the
Procedure
Create a YAML file, for example
~/create-ethernet-profile.yml, with the following content:--- interfaces: - name: enp1s0 type: ethernet state: up ipv4: enabled: true address: - ip: 192.0.2.1 prefix-length: 24 dhcp: false ipv6: enabled: true address: - ip: 2001:db8:1::1 prefix-length: 64 autoconf: false dhcp: false 802.1x: ca-cert: /etc/pki/tls/certs/ca.crt client-cert: /etc/pki/tls/certs/client.crt eap-methods: - tls identity: client.example.org private-key: /etc/pki/tls/private/client.key private-key-password: password routes: config: - destination: 0.0.0.0/0 next-hop-address: 192.0.2.254 next-hop-interface: enp1s0 - destination: ::/0 next-hop-address: 2001:db8:1::fffe next-hop-interface: enp1s0 dns-resolver: config: search: - example.com server: - 192.0.2.200 - 2001:db8:1::ffbbThese settings define an Ethernet connection profile for the
enp1s0device with the following settings:-
A static IPv4 address -
192.0.2.1with a/24subnet mask -
A static IPv6 address -
2001:db8:1::1with a/64subnet mask -
An IPv4 default gateway -
192.0.2.254 -
An IPv6 default gateway -
2001:db8:1::fffe -
An IPv4 DNS server -
192.0.2.200 -
An IPv6 DNS server -
2001:db8:1::ffbb -
A DNS search domain -
example.com -
802.1X network authentication using the
TLSEAP protocol
-
A static IPv4 address -
Apply the settings to the system:
# nmstatectl apply ~/create-ethernet-profile.yml
Verification
- Access resources on the network that require network authentication.
33.3. Configuring a static Ethernet connection with 802.1X network authentication by using the network RHEL system role
Network Access Control (NAC) protects a network from unauthorized clients. You can specify the details that are required for the authentication in NetworkManager connection profiles to enable clients to access the network. By using Ansible and the network RHEL system role, you can automate this process and remotely configure connection profiles on the hosts defined in a playbook.
You can use an Ansible playbook to copy a private key, a certificate, and the CA certificate to the client, and then use the network RHEL system role to configure a connection profile with 802.1X network authentication.
Prerequisites
- You have prepared the control node and the managed nodes
- You are logged in to the control node as a user who can run playbooks on the managed nodes.
-
The account you use to connect to the managed nodes has
sudopermissions on them. - The network supports 802.1X network authentication.
- The managed nodes use NetworkManager.
The following files required for the TLS authentication exist on the control node:
-
The client key is stored in the
/srv/data/client.keyfile. -
The client certificate is stored in the
/srv/data/client.crtfile. -
The Certificate Authority (CA) certificate is stored in the
/srv/data/ca.crtfile.
-
The client key is stored in the
Procedure
Store your sensitive variables in an encrypted file:
Create the vault:
$ ansible-vault create vault.yml New Vault password: <vault_password> Confirm New Vault password: <vault_password>
After the
ansible-vault createcommand opens an editor, enter the sensitive data in the<key>: <value>format:pwd: <password>- Save the changes, and close the editor. Ansible encrypts the data in the vault.
Create a playbook file, for example
~/playbook.yml, with the following content:--- - name: Configure an Ethernet connection with 802.1X authentication hosts: managed-node-01.example.com vars_files: - vault.yml tasks: - name: Copy client key for 802.1X authentication ansible.builtin.copy: src: "/srv/data/client.key" dest: "/etc/pki/tls/private/client.key" mode: 0600 - name: Copy client certificate for 802.1X authentication ansible.builtin.copy: src: "/srv/data/client.crt" dest: "/etc/pki/tls/certs/client.crt" - name: Copy CA certificate for 802.1X authentication ansible.builtin.copy: src: "/srv/data/ca.crt" dest: "/etc/pki/ca-trust/source/anchors/ca.crt" - name: Ethernet connection profile with static IP address settings and 802.1X ansible.builtin.include_role: name: rhel-system-roles.network vars: network_connections: - name: enp1s0 type: ethernet autoconnect: yes ip: address: - 192.0.2.1/24 - 2001:db8:1::1/64 gateway4: 192.0.2.254 gateway6: 2001:db8:1::fffe dns: - 192.0.2.200 - 2001:db8:1::ffbb dns_search: - example.com ieee802_1x: identity: <user_name> eap: tls private_key: "/etc/pki/tls/private/client.key" private_key_password: "{{ pwd }}" client_cert: "/etc/pki/tls/certs/client.crt" ca_cert: "/etc/pki/ca-trust/source/anchors/ca.crt" domain_suffix_match: example.com state: upThe settings specified in the example playbook include the following:
ieee802_1x- This variable contains the 802.1X-related settings.
eap: tls-
Configures the profile to use the certificate-based
TLSauthentication method for the Extensible Authentication Protocol (EAP).
For details about all variables used in the playbook, see the
/usr/share/ansible/roles/rhel-system-roles.network/README.mdfile on the control node.Validate the playbook syntax:
$ ansible-playbook --ask-vault-pass --syntax-check ~/playbook.ymlNote that this command only validates the syntax and does not protect against a wrong but valid configuration.
Run the playbook:
$ ansible-playbook --ask-vault-pass ~/playbook.yml
Verification
- Access resources on the network that require network authentication.
Additional resources
-
/usr/share/ansible/roles/rhel-system-roles.network/README.mdfile -
/usr/share/doc/rhel-system-roles/network/directory - Ansible vault
