Chapter 9. Managing wifi connections


RHEL provides multiple utilities and applications to configure and connect to wifi networks, for example:

  • Use the nmcli utility to configure connections by using the command line.
  • Use the nmtui application to configure connections in a text-based user interface.
  • Use the GNOME Settings application to configure connections by using the GNOME application.
  • Use the network RHEL system role to automate the configuration of connections on one or multiple hosts.

9.1. Supported wifi security types

Depending on the security type a wifi network supports, you can transmitted data more or less securely.

Warning

Do not connect to wifi networks that do not use encryption or which support only the insecure WPA standard.

{PRODUCT} supports the following wifi security types:

  • None: Encryption is disabled, and data is transferred in plain text over the network.
  • Enhanced Open: With opportunistic wireless encryption (OWE), devices negotiate unique pairwise master keys (PMK) to encrypt connections in wireless networks without authentication.
  • LEAP: The Lightweight Extensible Authentication Protocol, which was developed by Cisco, is a proprietary version of the extensible authentication protocol (EAP).
  • WPA & WPA2 Personal: In personal mode, the Wi-Fi Protected Access (WPA) and Wi-Fi Protected Access 2 (WPA2) authentication methods use a pre-shared key.
  • WPA & WPA2 Enterprise: In enterprise mode, WPA and WPA2 use the EAP framework and authenticate users to a remote authentication dial-in user service (RADIUS) server.
  • WPA3 Personal: Wi-Fi Protected Access 3 (WPA3) Personal uses simultaneous authentication of equals (SAE) instead of pre-shared keys (PSK) to prevent dictionary attacks. WPA3 uses perfect forward secrecy (PFS).

9.2. Connecting to a wifi network by using nmcli

You can use the nmcli utility to connect to a wifi network. When you attempt to connect to a network for the first time, the utility automatically creates a NetworkManager connection profile for it. If the network requires additional settings, such as static IP addresses, you can then modify the profile after it has been automatically created.

Prerequisites

  • A wifi device is installed on the host.
  • The wifi device is enabled, if it has a hardware switch.

Procedure

  1. If the wifi radio has been disabled in NetworkManager, enable this feature:

    # nmcli radio wifi on
  2. Optional: Display the available wifi networks:

    # nmcli device wifi list
    IN-USE  BSSID              SSID          MODE   CHAN  RATE        SIGNAL  BARS  SECURITY
            00:53:00:2F:3B:08  Office        Infra  44    270 Mbit/s  57      ▂▄▆_  WPA2 WPA3
            00:53:00:15:03:BF  --            Infra  1     130 Mbit/s  48      ▂▄__  WPA2 WPA3

    The service set identifier (SSID) column contains the names of the networks. If the column shows --, the access point of this network does not broadcast an SSID.

  3. Connect to the wifi network:

    # nmcli device wifi connect Office --ask
    Password: wifi-password

    If you prefer to set the password in the command instead of entering it interactively, use the password <wifi_password> option in the command instead of --ask:

    # nmcli device wifi connect Office <wifi_password>

    Note that, if the network requires static IP addresses, NetworkManager fails to activate the connection at this point. You can configure the IP addresses in later steps.

  4. If the network requires static IP addresses:

    1. Configure the IPv4 address settings, for example:

      # nmcli connection modify Office ipv4.method manual ipv4.addresses 192.0.2.1/24 ipv4.gateway 192.0.2.254 ipv4.dns 192.0.2.200 ipv4.dns-search example.com
    2. Configure the IPv6 address settings, for example:

      # nmcli connection modify Office ipv6.method manual ipv6.addresses 2001:db8:1::1/64 ipv6.gateway 2001:db8:1::fffe ipv6.dns 2001:db8:1::ffbb ipv6.dns-search example.com
  5. Re-activate the connection:

    # nmcli connection up Office

Verification

  1. Display the active connections:

    # nmcli connection show --active
    NAME    ID                                    TYPE  DEVICE
    Office  2501eb7e-7b16-4dc6-97ef-7cc460139a58  wifi  wlp0s20f3

    If the output lists the wifi connection you have created, the connection is active.

  2. Ping a hostname or IP address:

    # *ping -c 3 example.com

Additional resources

  • nm-settings-nmcli(5) man page on your system

9.3. Connecting to a wifi network by using the GNOME settings application

You can use the GNOME settings application, also named gnome-control-center, to connect to a wifi network and configure the connection. When you connect to the network for the first time, GNOME creates a NetworkManager connection profile for it.

In GNOME settings, you can configure wifi connections for all wifi network security types that RHEL supports.

Prerequisites

  • A wifi device is installed on the host.
  • The wifi device is enabled, if it has a hardware switch.

Procedure

  1. Press the Super key, type Wi-Fi, and press Enter.
  2. Click on the name of the wifi network you want to connect to.
  3. Enter the password for the network, and click Connect.
  4. If the network requires additional settings, such as static IP addresses or a security type other than WPA2 Personal:

    1. Click the gear icon next to the network’s name.
    2. Optional: Configure the network profile on the Details tab to not automatically connect.

      If you deactivate this feature, you must always manually connect to the network, for example, by using GNOME settings or the GNOME system menu.

    3. Configure IPv4 settings on the IPv4 tab, and IPv6 settings on the IPv6 tab.
    4. On the Security tab, select the authentication of the network, such as WPA3 Personal, and enter the password.

      Depending on the selected security, the application shows additional fields. Fill them accordingly. For details, ask the administrator of the wifi network.

    5. Click Apply.

Verification

  1. Open the system menu on the right side of the top bar, and verify that the wifi network is connected:

    gnome wifi connected

    If the network appears in the list, it is connected.

  2. Ping a hostname or IP address:

    # ping -c 3 example.com

9.4. Configuring a wifi connection by using nmtui

The nmtui application provides a text-based user interface for NetworkManager. You can use nmtui to connect to a wifi network.

Note

In nmtui:

  • Navigate by using the cursor keys.
  • Press a button by selecting it and hitting Enter.
  • Select and clear checkboxes by using Space.

Procedure

  1. If you do not know the network device name you want to use in the connection, display the available devices:

    # nmcli device status
    DEVICE     TYPE      STATE                   CONNECTION
    wlp2s0     wifi      unavailable             --
    ...
  2. Start nmtui:

    # nmtui
  3. Select Edit a connection, and press Enter.
  4. Press the Add button.
  5. Select Wi-Fi from the list of network types, and press Enter.
  6. Optional: Enter a name for the NetworkManager profile to be created.

    On hosts with multiple profiles, a meaningful name makes it easier to identify the purpose of a profile.

  7. Enter the network device name into the Device field.
  8. Enter the name of the Wi-Fi network, the Service Set Identifier (SSID), into the SSID field.
  9. Leave the Mode field set to its default, Client.
  10. Select the Security field, press Enter, and set the authentication type of the network from the list.

    Depending on the authentication type you have selected, nmtui displays different fields.

  11. Fill the authentication type-related fields.
  12. If the Wi-Fi network requires static IP addresses:

    1. Press the Automatic button next to the protocol, and select Manual from the displayed list.
    2. Press the Show button next to the protocol you want to configure to display additional fields, and fill them.
  13. Press the OK button to create and automatically activate the new connection.

    nmtui wi fi dynamic IP
  14. Press the Back button to return to the main menu.
  15. Select Quit, and press Enter to close the nmtui application.

Verification

  1. Display the active connections:

    # nmcli connection show --active
    NAME    ID                                    TYPE  DEVICE
    Office  2501eb7e-7b16-4dc6-97ef-7cc460139a58  wifi  wlp0s20f3

    If the output lists the wifi connection you have created, the connection is active.

  2. Ping a hostname or IP address:

    # ping -c 3 example.com

9.5. Configuring a wifi connection with 802.1X network authentication by using the network RHEL system role

Network Access Control (NAC) protects a network from unauthorized clients. You can specify the details that are required for the authentication in NetworkManager connection profiles to enable clients to access the network. By using Ansible and the network RHEL system role, you can automate this process and remotely configure connection profiles on the hosts defined in a playbook.

You can use an Ansible playbook to copy a private key, a certificate, and the CA certificate to the client, and then use the network RHEL system role to configure a connection profile with 802.1X network authentication.

Prerequisites

  • You have prepared the control node and the managed nodes
  • You are logged in to the control node as a user who can run playbooks on the managed nodes.
  • The account you use to connect to the managed nodes has sudo permissions on them.
  • The network supports 802.1X network authentication.
  • You installed the wpa_supplicant package on the managed node.
  • DHCP is available in the network of the managed node.
  • The following files required for TLS authentication exist on the control node:

    • The client key is stored in the /srv/data/client.key file.
    • The client certificate is stored in the /srv/data/client.crt file.
    • The CA certificate is stored in the /srv/data/ca.crt file.

Procedure

  1. Store your sensitive variables in an encrypted file:

    1. Create the vault:

      $ ansible-vault create vault.yml
      New Vault password: <vault_password>
      Confirm New Vault password: <vault_password>
    2. After the ansible-vault create command opens an editor, enter the sensitive data in the <key>: <value> format:

      pwd: <password>
    3. Save the changes, and close the editor. Ansible encrypts the data in the vault.
  2. Create a playbook file, for example ~/playbook.yml, with the following content:

    ---
    - name: Configure a wifi connection with 802.1X authentication
      hosts: managed-node-01.example.com
      tasks:
        - name: Copy client key for 802.1X authentication
          ansible.builtin.copy:
            src: "/srv/data/client.key"
            dest: "/etc/pki/tls/private/client.key"
            mode: 0400
    
        - name: Copy client certificate for 802.1X authentication
          ansible.builtin.copy:
            src: "/srv/data/client.crt"
            dest: "/etc/pki/tls/certs/client.crt"
    
        - name: Copy CA certificate for 802.1X authentication
          ansible.builtin.copy:
            src: "/srv/data/ca.crt"
            dest: "/etc/pki/ca-trust/source/anchors/ca.crt"
    
        - name: Wifi connection profile with dynamic IP address settings and 802.1X
          ansible.builtin.import_role:
            name: rhel-system-roles.network
          vars:
            network_connections:
              - name: Wifi connection profile with dynamic IP address settings and 802.1X
                interface_name: wlp1s0
                state: up
                type: wireless
                autoconnect: yes
                ip:
                  dhcp4: true
                  auto6: true
                wireless:
                  ssid: "Example-wifi"
                  key_mgmt: "wpa-eap"
                ieee802_1x:
                  identity: <user_name>
                  eap: tls
                  private_key: "/etc/pki/tls/client.key"
                  private_key_password: "{{ pwd }}"
                  private_key_password_flags: none
                  client_cert: "/etc/pki/tls/client.pem"
                  ca_cert: "/etc/pki/tls/cacert.pem"
                  domain_suffix_match: "example.com"

    The settings specified in the example playbook include the following:

    ieee802_1x
    This variable contains the 802.1X-related settings.
    eap: tls
    Configures the profile to use the certificate-based TLS authentication method for the Extensible Authentication Protocol (EAP).

    For details about all variables used in the playbook, see the /usr/share/ansible/roles/rhel-system-roles.network/README.md file on the control node.

  3. Validate the playbook syntax:

    $ ansible-playbook --ask-vault-pass --syntax-check ~/playbook.yml

    Note that this command only validates the syntax and does not protect against a wrong but valid configuration.

  4. Run the playbook:

    $ ansible-playbook --ask-vault-pass ~/playbook.yml

Additional resources

  • /usr/share/ansible/roles/rhel-system-roles.network/README.md file
  • /usr/share/doc/rhel-system-roles/network/ directory

9.6. Manually setting the wireless regulatory domain

On RHEL, a udev rule executes the setregdomain utility to set the wireless regulatory domain. The utility then provides this information to the kernel.

By default, setregdomain attempts to determine the country code automatically. If this fails, the wireless regulatory domain setting might be wrong. To work around this problem, you can manually set the country code.

Important

Manually setting the regulatory domain disables the automatic detection. Therefore, if you later use the computer in a different country, the previously configured setting might no longer be correct. In this case, remove the /etc/sysconfig/regdomain file to switch back to automatic detection or use this procedure to manually update the regulatory domain setting again.

Procedure

  1. Optional: Display the current regulatory domain settings:

    # iw reg get
    global
    country US: DFS-FCC
    ...
  2. Create the /etc/sysconfig/regdomain file with the following content:

    COUNTRY=<country_code>

    Set the COUNTRY variable to an ISO 3166-1 alpha2 country code, such as DE for Germany or US for the United States of America.

  3. Set the regulatory domain:

    # setregdomain

Verification

  • Display the regulatory domain settings:

    # iw reg get
    global
    country DE: DFS-ETSI
    ...

Additional resources

Red Hat logoGithubRedditYoutubeTwitter

Learn

Try, buy, & sell

Communities

About Red Hat Documentation

We help Red Hat users innovate and achieve their goals with our products and services with content they can trust.

Making open source more inclusive

Red Hat is committed to replacing problematic language in our code, documentation, and web properties. For more details, see the Red Hat Blog.

About Red Hat

We deliver hardened solutions that make it easier for enterprises to work across platforms and environments, from the core datacenter to the network edge.

© 2024 Red Hat, Inc.