Chapter 32. Authenticating a RHEL client to the network by using the 802.1X standard with a certificate stored on the file system
Administrators frequently use port-based Network Access Control (NAC) based on the IEEE 802.1X standard to protect a network from unauthorized LAN and Wi-Fi clients. To enable a client to connect to such networks, you must configure 802.1X authentication on this clients.
32.1. Configuring 802.1X network authentication on an existing Ethernet connection by using nmcli
You can use the nmcli
utility to configure an Ethernet connection with 802.1X network authentication on the command line.
Prerequisites
- The network supports 802.1X network authentication.
- The Ethernet connection profile exists in NetworkManager and has a valid IP configuration.
The following files required for TLS authentication exist on the client:
-
The client key stored is in the
/etc/pki/tls/private/client.key
file, and the file is owned and only readable by theroot
user. -
The client certificate is stored in the
/etc/pki/tls/certs/client.crt
file. -
The Certificate Authority (CA) certificate is stored in the
/etc/pki/tls/certs/ca.crt
file.
-
The client key stored is in the
-
The
wpa_supplicant
package is installed.
Procedure
Set the Extensible Authentication Protocol (EAP) to
tls
and the paths to the client certificate and key file:# nmcli connection modify enp1s0 802-1x.eap tls 802-1x.client-cert /etc/pki/tls/certs/client.crt 802-1x.private-key /etc/pki/tls/certs/certs/client.key
Note that you must set the
802-1x.eap
,802-1x.client-cert
, and802-1x.private-key
parameters in a single command.Set the path to the CA certificate:
# nmcli connection modify enp1s0 802-1x.ca-cert /etc/pki/tls/certs/ca.crt
Set the identity of the user used in the certificate:
# nmcli connection modify enp1s0 802-1x.identity user@example.com
Optionally, store the password in the configuration:
# nmcli connection modify enp1s0 802-1x.private-key-password password
ImportantBy default, NetworkManager stores the password in clear text in the
/etc/sysconfig/network-scripts/keys-connection_name
file, that is readable only by theroot
user. However, clear text passwords in a configuration file can be a security risk.To increase the security, set the
802-1x.password-flags
parameter to0x1
. With this setting, on servers with the GNOME desktop environment or thenm-applet
running, NetworkManager retrieves the password from these services. In other cases, NetworkManager prompts for the password.Activate the connection profile:
# nmcli connection up enp1s0
Verification
- Access resources on the network that require network authentication.
Additional resources
- Configuring an Ethernet connection
-
nm-settings(5)
man page -
nmcli(1)
man page
32.2. Configuring a static Ethernet connection with 802.1X network authentication by using nmstatectl
Use the nmstatectl
utility to configure an Ethernet connection with 802.1X network authentication through the Nmstate API. The Nmstate API ensures that, after setting the configuration, the result matches the configuration file. If anything fails, nmstatectl
automatically rolls back the changes to avoid leaving the system in an incorrect state.
The nmstate
library only supports the TLS
Extensible Authentication Protocol (EAP) method.
Prerequisites
- The network supports 802.1X network authentication.
- The managed node uses NetworkManager.
The following files required for TLS authentication exist on the client:
-
The client key stored is in the
/etc/pki/tls/private/client.key
file, and the file is owned and only readable by theroot
user. -
The client certificate is stored in the
/etc/pki/tls/certs/client.crt
file. -
The Certificate Authority (CA) certificate is stored in the
/etc/pki/tls/certs/ca.crt
file.
-
The client key stored is in the
Procedure
Create a YAML file, for example
~/create-ethernet-profile.yml
, with the following content:--- interfaces: - name: enp1s0 type: ethernet state: up ipv4: enabled: true address: - ip: 192.0.2.1 prefix-length: 24 dhcp: false ipv6: enabled: true address: - ip: 2001:db8:1::1 prefix-length: 64 autoconf: false dhcp: false 802.1x: ca-cert: /etc/pki/tls/certs/ca.crt client-cert: /etc/pki/tls/certs/client.crt eap-methods: - tls identity: client.example.org private-key: /etc/pki/tls/private/client.key private-key-password: password routes: config: - destination: 0.0.0.0/0 next-hop-address: 192.0.2.254 next-hop-interface: enp1s0 - destination: ::/0 next-hop-address: 2001:db8:1::fffe next-hop-interface: enp1s0 dns-resolver: config: search: - example.com server: - 192.0.2.200 - 2001:db8:1::ffbb
These settings define an Ethernet connection profile for the
enp1s0
device with the following settings:-
A static IPv4 address -
192.0.2.1
with a/24
subnet mask -
A static IPv6 address -
2001:db8:1::1
with a/64
subnet mask -
An IPv4 default gateway -
192.0.2.254
-
An IPv6 default gateway -
2001:db8:1::fffe
-
An IPv4 DNS server -
192.0.2.200
-
An IPv6 DNS server -
2001:db8:1::ffbb
-
A DNS search domain -
example.com
-
802.1X network authentication using the
TLS
EAP protocol
-
A static IPv4 address -
Apply the settings to the system:
# nmstatectl apply ~/create-ethernet-profile.yml
Verification
- Access resources on the network that require network authentication.
32.3. Configuring a static Ethernet connection with 802.1X network authentication by using the network
RHEL system role
You can remotely configure an Ethernet connection with 802.1X network authentication by using the network
RHEL system role.
Prerequisites
- You have prepared the control node and the managed nodes
- You are logged in to the control node as a user who can run playbooks on the managed nodes.
-
The account you use to connect to the managed nodes has
sudo
permissions on them. - The network supports 802.1X network authentication.
- The managed nodes uses NetworkManager.
The following files required for TLS authentication exist on the control node:
-
The client key is stored in the
/srv/data/client.key
file. -
The client certificate is stored in the
/srv/data/client.crt
file. -
The Certificate Authority (CA) certificate is stored in the
/srv/data/ca.crt
file.
-
The client key is stored in the
Procedure
Create a playbook file, for example
~/playbook.yml
, with the following content:--- - name: Configure an Ethernet connection with 802.1X authentication hosts: managed-node-01.example.com tasks: - name: Copy client key for 802.1X authentication ansible.builtin.copy: src: "/srv/data/client.key" dest: "/etc/pki/tls/private/client.key" mode: 0600 - name: Copy client certificate for 802.1X authentication ansible.builtin.copy: src: "/srv/data/client.crt" dest: "/etc/pki/tls/certs/client.crt" - name: Copy CA certificate for 802.1X authentication ansible.builtin.copy: src: "/srv/data/ca.crt" dest: "/etc/pki/ca-trust/source/anchors/ca.crt" - name: Configure connection ansible.builtin.include_role: name: rhel-system-roles.network vars: network_connections: - name: enp1s0 type: ethernet autoconnect: yes ip: address: - 192.0.2.1/24 - 2001:db8:1::1/64 gateway4: 192.0.2.254 gateway6: 2001:db8:1::fffe dns: - 192.0.2.200 - 2001:db8:1::ffbb dns_search: - example.com ieee802_1x: identity: user_name eap: tls private_key: "/etc/pki/tls/private/client.key" private_key_password: "password" client_cert: "/etc/pki/tls/certs/client.crt" ca_cert: "/etc/pki/ca-trust/source/anchors/ca.crt" domain_suffix_match: example.com state: up
These settings define an Ethernet connection profile for the
enp1s0
device with the following settings:-
A static IPv4 address -
192.0.2.1
with a/24
subnet mask -
A static IPv6 address -
2001:db8:1::1
with a/64
subnet mask -
An IPv4 default gateway -
192.0.2.254
-
An IPv6 default gateway -
2001:db8:1::fffe
-
An IPv4 DNS server -
192.0.2.200
-
An IPv6 DNS server -
2001:db8:1::ffbb
-
A DNS search domain -
example.com
-
802.1X network authentication using the
TLS
Extensible Authentication Protocol (EAP)
-
A static IPv4 address -
Validate the playbook syntax:
$ ansible-playbook --syntax-check ~/playbook.yml
Note that this command only validates the syntax and does not protect against a wrong but valid configuration.
Run the playbook:
$ ansible-playbook ~/playbook.yml
Additional resources
-
/usr/share/ansible/roles/rhel-system-roles.network/README.md
file -
/usr/share/doc/rhel-system-roles/network/
directory