5.2. Configuring 802.1X Security
802.1X security is the name of the IEEE standard for port-based Network Access Control (PNAC). It is also called WPA Enterprise. 802.1X security is a way of controlling access to a logical network from a physical one. All clients who want to join the logical network must authenticate with the server (a router, for example) using the correct 802.1X authentication method.
802.1X security is most often associated with securing wireless networks (WLANs), but can also be used to prevent intruders with physical access to the network (LAN) from gaining entry.
In the past, DHCP servers were configured not to lease IP addresses to unauthorized users, but for various reasons this practice is both impractical and insecure, and thus is no longer recommended. Instead, 802.1X security is used to ensure a logically-secure network through port-based authentication.
802.1X provides a framework for WLAN and LAN access control and serves as an envelope for carrying one of the Extensible Authentication Protocol (EAP) types. An EAP type is a protocol that defines how security is achieved on the network.
5.2.1. Configuring 802.1X Security for Wi-Fi with nmcli
Procedure
- Set the key-mgmt (key management) protocol for authenticated access. It configures the keying mechanism for a secure Wi-Fi connection. See the nm-settings(5) man page for more details on properties.
- Configure the 802-1x authentication settings. For the Transport Layer Security (TLS) authentication, see the section called “Configuring TLS Settings”.
802-1x authentication setting | Name
---|---
802-1x.identity | Identity
802-1x.ca-cert | CA certificate
802-1x.client-cert | User certificate
802-1x.private-key | Private key
802-1x.private-key-password | Private key password
For example, to configure WPA2 Enterprise using the EAP-TLS authentication method, apply the following settings:
nmcli c add type wifi ifname wlo61s0 con-name 'My Wifi Network' \
    802-11-wireless.ssid 'My Wifi' \
    802-11-wireless-security.key-mgmt wpa-eap \
    802-1x.eap tls \
    802-1x.identity identity@example.com \
    802-1x.ca-cert /etc/pki/my-wifi/ca.crt \
    802-1x.client-cert /etc/pki/my-wifi/client.crt \
    802-1x.private-key /etc/pki/my-wifi/client.key \
    802-1x.private-key-password s3cr3t
5.2.2. Configuring 802.1X Security for Wired with nmcli
To configure a wired connection using the nmcli tool, follow the same procedure as for a wireless connection, but omit the 802-11-wireless.ssid and 802-11-wireless-security.key-mgmt settings, which only apply to Wi-Fi.
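The wired variant of the nmcli example above, as an added script that is not part of the original guide: it checks that the EAP-TLS client certificate, private key and CA certificate actually belong together before NetworkManager is given them, then emits the 802-1x arguments with the two Wi-Fi-only settings left out. The interface name eno1, the paths under /etc/pki/my-wired/, the connection name and the EAP_KEY_PASS variable are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example, not from the original guide: pre-check EAP-TLS credentials
# and emit the nmcli arguments for a wired 802.1X profile.
# Interface name, paths under /etc/pki/my-wired/ and the identity are
# assumptions chosen for illustration.

# Fail early if the client certificate and private key are not a pair, or
# the certificate does not chain to the configured CA: NetworkManager
# accepts mismatched files, and the failure only shows up at authentication.
# If the key is encrypted, export EAP_KEY_PASS so openssl can read it without
# the passphrase appearing on the command line.
check_eap_tls_creds() {
    ca="$1"; cert="$2"; key="$3"
    [ -r "$ca" ] && [ -r "$cert" ] && [ -r "$key" ] || return 1
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$key" ${EAP_KEY_PASS:+-passin env:EAP_KEY_PASS} \
        -pubout 2>/dev/null) || return 1
    [ "$cert_pub" = "$key_pub" ] || return 1
    openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1
}

# One argument per line: the same 802-1x settings as the Wi-Fi example, with
# 802-11-wireless.ssid and 802-11-wireless-security.key-mgmt omitted.
# private-key-password-flags 1 (agent-owned) keeps the key password out of
# the stored profile and out of the shell history; it is requested from the
# secret agent when the connection is activated.
wired_8021x_args() {
    ifname="$1"; identity="$2"; ca="$3"; cert="$4"; key="$5"
    printf '%s\n' \
        connection add type ethernet ifname "$ifname" \
        con-name wired-8021x \
        802-1x.eap tls \
        802-1x.identity "$identity" \
        802-1x.ca-cert "$ca" \
        802-1x.client-cert "$cert" \
        802-1x.private-key "$key" \
        802-1x.private-key-password-flags 1
}

main() {
    ca=/etc/pki/my-wired/ca.crt
    cert=/etc/pki/my-wired/client.crt
    key=/etc/pki/my-wired/client.key
    check_eap_tls_creds "$ca" "$cert" "$key" ||
        { echo "EAP-TLS credential check failed" >&2; return 1; }
    wired_8021x_args eno1 identity@example.com "$ca" "$cert" "$key" | xargs nmcli
}

# Run as: sh wired-8021x.sh run (the guard keeps sourcing side-effect free)
if [ "${1:-}" = run ]; then main; fi
```

The argument list contains no whitespace, so piping it through xargs is safe; if you change the connection name to one with spaces, pass it to nmcli directly instead.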
5.2.3. Configuring 802.1X Security for Wi-Fi with a GUI
Procedure
- Open the Network window (see Section 3.4.1, “Connecting to a Network Using the control-center GUI”).
- Select a Wireless network interface from the right-hand-side menu. If necessary, set the symbolic power button to ON and check that your hardware switch is on.
- Either select the connection name of a new connection, or click the gear wheel icon of an existing connection profile, for which you want to configure 802.1X security. In the case of a new connection, complete any authentication steps to complete the connection and then click the gear wheel icon.
- Select Security. The following configuration options are available:
- Security
- From the drop-down menu, select one of the available security methods.
- Password
- Enter the password to be used in the authentication process.
See the section called “Configuring TLS Settings” for descriptions of which extensible authentication protocol (EAP) types correspond to your selection in the Security drop-down menu.
5.2.4. Configuring 802.1X Security for Wired with nm-connection-editor
Procedure
- Enter nm-connection-editor in a terminal:
~]$ nm-connection-editor
The Network Connections window appears.
- Select the ethernet connection you want to edit and click the gear wheel icon, see Section 3.4.6.2, “Configuring a Wired Connection with nm-connection-editor”.
- Select Security and set the symbolic power button to ON to enable settings configuration.
- Select one of the following authentication methods:
- Select TLS for Transport Layer Security and proceed to the section called “Configuring TLS Settings”;
- Select FAST for Flexible Authentication through Secure Tunneling and proceed to the section called “Configuring Tunneled TLS Settings”;
- Select Tunneled TLS for Tunneled Transport Layer Security, otherwise known as TTLS, or EAP-TTLS and proceed to the section called “Configuring Tunneled TLS Settings”;
- Select Protected EAP (PEAP) for Protected Extensible Authentication Protocol and proceed to the section called “Configuring Protected EAP (PEAP) Settings”.
Configuring TLS Settings
With Transport Layer Security (TLS), the client and server mutually authenticate using the TLS protocol. The server demonstrates that it holds a digital certificate, the client proves its own identity using its client-side certificate, and key information is exchanged. Once authentication is complete, the TLS tunnel is no longer used. Instead, the client and server use the exchanged keys to encrypt data using AES, TKIP or WEP.
The fact that certificates must be distributed to all clients who want to authenticate means that the EAP-TLS authentication method is very strong, but also more complicated to set up. Using TLS security requires the overhead of a public key infrastructure (PKI) to manage certificates. The benefit of using TLS security is that a compromised password does not allow access to the (W)LAN: an intruder must also have access to the authenticating client's private key.
NetworkManager does not determine the version of TLS supported. NetworkManager gathers the parameters entered by the user and passes them to the daemon, wpa_supplicant, that handles the procedure. It in turn uses OpenSSL to establish the TLS tunnel. OpenSSL itself negotiates the SSL/TLS protocol version. It uses the highest version both ends support.
To configure TLS settings, follow the procedure described in Section 5.2.4, “Configuring 802.1X Security for Wired with nm-connection-editor”. The following configuration settings are available:
- Identity
- Provide the identity of this server.
- User certificate
- Click to browse for, and select, a personal X.509 certificate file encoded with Distinguished Encoding Rules (DER) or Privacy Enhanced Mail (PEM).
- CA certificate
- Click to browse for, and select, an X.509 certificate authority certificate file encoded with Distinguished Encoding Rules (DER) or Privacy Enhanced Mail (PEM).
- Private key
- Click to browse for, and select, a private key file encoded with Distinguished Encoding Rules (DER), Privacy Enhanced Mail (PEM), or the Personal Information Exchange Syntax Standard (PKCS #12).
- Private key password
- Enter the password for the private key in the Private key field. Select Show password to make the password visible as you type it.
Configuring FAST Settings
To configure FAST settings, follow the procedure described in Section 5.2.4, “Configuring 802.1X Security for Wired with nm-connection-editor”. The following configuration settings are available:
- Anonymous Identity
- Provide the identity of this server.
- PAC provisioning
- Select the check box to enable PAC provisioning, then choose one of the available provisioning modes from the drop-down menu.
- PAC file
- Click to browse for, and select, a protected access credential (PAC) file.
- Inner authentication
- Username
- Enter the user name to be used in the authentication process.
- Password
- Enter the password to be used in the authentication process.
Configuring Tunneled TLS Settings
To configure Tunneled TLS settings, follow the procedure described in Section 5.2.4, “Configuring 802.1X Security for Wired with nm-connection-editor”. The following configuration settings are available:
- Anonymous identity
- This value is used as the unencrypted identity.
- CA certificate
- Click to browse for, and select, a Certificate Authority's certificate.
- Inner authentication
- Username
- Enter the user name to be used in the authentication process.
- Password
- Enter the password to be used in the authentication process.
Configuring Protected EAP (PEAP) Settings
To configure Protected EAP (PEAP) settings, follow the procedure described in Section 5.2.4, “Configuring 802.1X Security for Wired with nm-connection-editor”. The following configuration settings are available:
- Anonymous Identity
- This value is used as the unencrypted identity.
- CA certificate
- Click to browse for, and select, a Certificate Authority's certificate.
- PEAP version
- The version of Protected EAP to use: Automatic, 0, or 1.
- Inner authentication
- Username
- Enter the user name to be used in the authentication process.
- Password
- Enter the password to be used in the authentication process.