Chapter 9. Managing wifi connections
RHEL provides multiple utilities and applications to configure and connect to wifi networks, for example:
-
Use the
nmcli
utility to configure connections by using the command line. -
Use the
nmtui
application to configure connections in a text-based user interface. -
Use the
GNOME Settings
application to configure connections by using the GNOME application. -
Use the
network
RHEL system role to automate the configuration of connections on one or multiple hosts.
9.1. Supported wifi security types
Depending on the security type a wifi network supports, you can transmitted data more or less securely.
Do not connect to wifi networks that do not use encryption or which support only the insecure WPA standard.
{PRODUCT} supports the following wifi security types:
-
None
: Encryption is disabled, and data is transferred in plain text over the network. -
Enhanced Open
: With opportunistic wireless encryption (OWE), devices negotiate unique pairwise master keys (PMK) to encrypt connections in wireless networks without authentication. -
LEAP
: The Lightweight Extensible Authentication Protocol, which was developed by Cisco, is a proprietary version of the extensible authentication protocol (EAP). -
WPA & WPA2 Personal
: In personal mode, the Wi-Fi Protected Access (WPA) and Wi-Fi Protected Access 2 (WPA2) authentication methods use a pre-shared key. -
WPA & WPA2 Enterprise
: In enterprise mode, WPA and WPA2 use the EAP framework and authenticate users to a remote authentication dial-in user service (RADIUS) server. -
WPA3 Personal
: Wi-Fi Protected Access 3 (WPA3) Personal uses simultaneous authentication of equals (SAE) instead of pre-shared keys (PSK) to prevent dictionary attacks. WPA3 uses perfect forward secrecy (PFS).
9.2. Connecting to a wifi network by using nmcli
You can use the nmcli
utility to connect to a wifi network. When you attempt to connect to a network for the first time, the utility automatically creates a NetworkManager connection profile for it. If the network requires additional settings, such as static IP addresses, you can then modify the profile after it has been automatically created.
Prerequisites
- A wifi device is installed on the host.
- The wifi device is enabled, if it has a hardware switch.
Procedure
If the wifi radio has been disabled in NetworkManager, enable this feature:
# nmcli radio wifi on
Optional: Display the available wifi networks:
# nmcli device wifi list IN-USE BSSID SSID MODE CHAN RATE SIGNAL BARS SECURITY 00:53:00:2F:3B:08 Office Infra 44 270 Mbit/s 57 ▂▄▆_ WPA2 WPA3 00:53:00:15:03:BF -- Infra 1 130 Mbit/s 48 ▂▄__ WPA2 WPA3
The service set identifier (
SSID
) column contains the names of the networks. If the column shows--
, the access point of this network does not broadcast an SSID.Connect to the wifi network:
# nmcli device wifi connect Office --ask Password: wifi-password
If you prefer to set the password in the command instead of entering it interactively, use the
password <wifi_password>
option in the command instead of--ask
:# nmcli device wifi connect Office <wifi_password>
Note that, if the network requires static IP addresses, NetworkManager fails to activate the connection at this point. You can configure the IP addresses in later steps.
If the network requires static IP addresses:
Configure the IPv4 address settings, for example:
# nmcli connection modify Office ipv4.method manual ipv4.addresses 192.0.2.1/24 ipv4.gateway 192.0.2.254 ipv4.dns 192.0.2.200 ipv4.dns-search example.com
Configure the IPv6 address settings, for example:
# nmcli connection modify Office ipv6.method manual ipv6.addresses 2001:db8:1::1/64 ipv6.gateway 2001:db8:1::fffe ipv6.dns 2001:db8:1::ffbb ipv6.dns-search example.com
Re-activate the connection:
# nmcli connection up Office
Verification
Display the active connections:
# nmcli connection show --active NAME ID TYPE DEVICE Office 2501eb7e-7b16-4dc6-97ef-7cc460139a58 wifi wlp0s20f3
If the output lists the wifi connection you have created, the connection is active.
Ping a hostname or IP address:
# *ping -c 3 example.com
Additional resources
-
nm-settings-nmcli(5)
man page on your system
9.3. Connecting to a wifi network by using the GNOME settings application
You can use the GNOME settings
application, also named gnome-control-center
, to connect to a wifi network and configure the connection. When you connect to the network for the first time, GNOME creates a NetworkManager connection profile for it.
In GNOME settings
, you can configure wifi connections for all wifi network security types that RHEL supports.
Prerequisites
- A wifi device is installed on the host.
- The wifi device is enabled, if it has a hardware switch.
Procedure
-
Press the Super key, type
Wi-Fi
, and press Enter. - Click on the name of the wifi network you want to connect to.
-
Enter the password for the network, and click
Connect
. If the network requires additional settings, such as static IP addresses or a security type other than WPA2 Personal:
- Click the gear icon next to the network’s name.
Optional: Configure the network profile on the
Details
tab to not automatically connect.If you deactivate this feature, you must always manually connect to the network, for example, by using
GNOME settings
or the GNOME system menu.-
Configure IPv4 settings on the
IPv4
tab, and IPv6 settings on theIPv6
tab. On the
Security
tab, select the authentication of the network, such asWPA3 Personal
, and enter the password.Depending on the selected security, the application shows additional fields. Fill them accordingly. For details, ask the administrator of the wifi network.
-
Click
Apply
.
Verification
Open the system menu on the right side of the top bar, and verify that the wifi network is connected:
If the network appears in the list, it is connected.
Ping a hostname or IP address:
# ping -c 3 example.com
9.4. Configuring a wifi connection by using nmtui
The nmtui
application provides a text-based user interface for NetworkManager. You can use nmtui
to connect to a wifi network.
In nmtui
:
- Navigate by using the cursor keys.
- Press a button by selecting it and hitting Enter.
- Select and clear checkboxes by using Space.
Procedure
If you do not know the network device name you want to use in the connection, display the available devices:
# nmcli device status DEVICE TYPE STATE CONNECTION wlp2s0 wifi unavailable -- ...
Start
nmtui
:# nmtui
-
Select
Edit a connection
, and press Enter. -
Press the
Add
button. -
Select
Wi-Fi
from the list of network types, and press Enter. Optional: Enter a name for the NetworkManager profile to be created.
On hosts with multiple profiles, a meaningful name makes it easier to identify the purpose of a profile.
-
Enter the network device name into the
Device
field. -
Enter the name of the Wi-Fi network, the Service Set Identifier (SSID), into the
SSID
field. -
Leave the
Mode
field set to its default,Client
. Select the
Security
field, press Enter, and set the authentication type of the network from the list.Depending on the authentication type you have selected,
nmtui
displays different fields.- Fill the authentication type-related fields.
If the Wi-Fi network requires static IP addresses:
-
Press the
Automatic
button next to the protocol, and selectManual
from the displayed list. -
Press the
Show
button next to the protocol you want to configure to display additional fields, and fill them.
-
Press the
Press the
OK
button to create and automatically activate the new connection.-
Press the
Back
button to return to the main menu. -
Select
Quit
, and press Enter to close thenmtui
application.
Verification
Display the active connections:
# nmcli connection show --active NAME ID TYPE DEVICE Office 2501eb7e-7b16-4dc6-97ef-7cc460139a58 wifi wlp0s20f3
If the output lists the wifi connection you have created, the connection is active.
Ping a hostname or IP address:
# ping -c 3 example.com
9.5. Configuring a wifi connection with 802.1X network authentication by using the network
RHEL system role
Network Access Control (NAC) protects a network from unauthorized clients. You can specify the details that are required for the authentication in NetworkManager connection profiles to enable clients to access the network. By using Ansible and the network
RHEL system role, you can automate this process and remotely configure connection profiles on the hosts defined in a playbook.
You can use an Ansible playbook to copy a private key, a certificate, and the CA certificate to the client, and then use the network
RHEL system role to configure a connection profile with 802.1X network authentication.
Prerequisites
- You have prepared the control node and the managed nodes
- You are logged in to the control node as a user who can run playbooks on the managed nodes.
-
The account you use to connect to the managed nodes has
sudo
permissions on them. - The network supports 802.1X network authentication.
-
You installed the
wpa_supplicant
package on the managed node. - DHCP is available in the network of the managed node.
The following files required for TLS authentication exist on the control node:
-
The client key is stored in the
/srv/data/client.key
file. -
The client certificate is stored in the
/srv/data/client.crt
file. -
The CA certificate is stored in the
/srv/data/ca.crt
file.
-
The client key is stored in the
Procedure
Store your sensitive variables in an encrypted file:
Create the vault:
$ ansible-vault create vault.yml New Vault password: <vault_password> Confirm New Vault password: <vault_password>
After the
ansible-vault create
command opens an editor, enter the sensitive data in the<key>: <value>
format:pwd: <password>
- Save the changes, and close the editor. Ansible encrypts the data in the vault.
Create a playbook file, for example
~/playbook.yml
, with the following content:--- - name: Configure a wifi connection with 802.1X authentication hosts: managed-node-01.example.com tasks: - name: Copy client key for 802.1X authentication ansible.builtin.copy: src: "/srv/data/client.key" dest: "/etc/pki/tls/private/client.key" mode: 0400 - name: Copy client certificate for 802.1X authentication ansible.builtin.copy: src: "/srv/data/client.crt" dest: "/etc/pki/tls/certs/client.crt" - name: Copy CA certificate for 802.1X authentication ansible.builtin.copy: src: "/srv/data/ca.crt" dest: "/etc/pki/ca-trust/source/anchors/ca.crt" - name: Wifi connection profile with dynamic IP address settings and 802.1X ansible.builtin.import_role: name: rhel-system-roles.network vars: network_connections: - name: Wifi connection profile with dynamic IP address settings and 802.1X interface_name: wlp1s0 state: up type: wireless autoconnect: yes ip: dhcp4: true auto6: true wireless: ssid: "Example-wifi" key_mgmt: "wpa-eap" ieee802_1x: identity: <user_name> eap: tls private_key: "/etc/pki/tls/client.key" private_key_password: "{{ pwd }}" private_key_password_flags: none client_cert: "/etc/pki/tls/client.pem" ca_cert: "/etc/pki/tls/cacert.pem" domain_suffix_match: "example.com"
The settings specified in the example playbook include the following:
ieee802_1x
- This variable contains the 802.1X-related settings.
eap: tls
-
Configures the profile to use the certificate-based
TLS
authentication method for the Extensible Authentication Protocol (EAP).
For details about all variables used in the playbook, see the
/usr/share/ansible/roles/rhel-system-roles.network/README.md
file on the control node.Validate the playbook syntax:
$ ansible-playbook --ask-vault-pass --syntax-check ~/playbook.yml
Note that this command only validates the syntax and does not protect against a wrong but valid configuration.
Run the playbook:
$ ansible-playbook --ask-vault-pass ~/playbook.yml
Additional resources
-
/usr/share/ansible/roles/rhel-system-roles.network/README.md
file -
/usr/share/doc/rhel-system-roles/network/
directory
9.6. Manually setting the wireless regulatory domain
On RHEL, a udev
rule executes the setregdomain
utility to set the wireless regulatory domain. The utility then provides this information to the kernel.
By default, setregdomain
attempts to determine the country code automatically. If this fails, the wireless regulatory domain setting might be wrong. To work around this problem, you can manually set the country code.
Manually setting the regulatory domain disables the automatic detection. Therefore, if you later use the computer in a different country, the previously configured setting might no longer be correct. In this case, remove the /etc/sysconfig/regdomain
file to switch back to automatic detection or use this procedure to manually update the regulatory domain setting again.
Procedure
Optional: Display the current regulatory domain settings:
# iw reg get global country US: DFS-FCC ...
Create the
/etc/sysconfig/regdomain
file with the following content:COUNTRY=<country_code>
Set the
COUNTRY
variable to an ISO 3166-1 alpha2 country code, such asDE
for Germany orUS
for the United States of America.Set the regulatory domain:
# setregdomain
Verification
Display the regulatory domain settings:
# iw reg get global country DE: DFS-ETSI ...
Additional resources