Chapter 12. Configuring RHEL as a WPA2 or WPA3 Personal access point
On a host with a wifi device, you can use NetworkManager to configure this host as an access point. Wi-Fi Protected Access 2 (WPA2) and Wi-Fi Protected Access 3 (WPA3) Personal provide secure authentication methods, and wireless clients can use a pre-shared key (PSK) to connect to the access point and use services on the RHEL host and in the network.
When you configure an access point, NetworkManager automatically:
- Configures the dnsmasq service to provide DHCP and DNS services for clients
- Enables IP forwarding
- Adds nftables firewall rules to masquerade traffic from the wifi device and configures IP forwarding
Prerequisites
- The wifi device supports running in access point mode.
- The wifi device is not in use.
- The host has internet access.
Procedure
List the wifi devices to identify the one that should provide the access point:
# nmcli device status | grep wifi
wlp0s20f3    wifi   disconnected    --
Verify that the device supports the access point mode:
# nmcli -f WIFI-PROPERTIES.AP device show wlp0s20f3
WIFI-PROPERTIES.AP:     yes
To use a wifi device as an access point, the device must support this feature.
Install the dnsmasq and NetworkManager-wifi packages:
# dnf install dnsmasq NetworkManager-wifi
NetworkManager uses the dnsmasq service to provide DHCP and DNS services to clients of the access point.
Create the initial access point configuration:
# nmcli device wifi hotspot ifname wlp0s20f3 con-name Example-Hotspot ssid Example-Hotspot password "password"
This command creates a connection profile for an access point on the wlp0s20f3 device that provides WPA2 and WPA3 Personal authentication. The name of the wireless network, the Service Set Identifier (SSID), is Example-Hotspot and uses the pre-shared key password.
Optional: Configure the access point to support only WPA3:
# nmcli connection modify Example-Hotspot 802-11-wireless-security.key-mgmt sae
By default, NetworkManager uses the IP address 10.42.0.1 for the wifi device and assigns IP addresses from the remaining 10.42.0.0/24 subnet to clients. To configure a different subnet and IP address, enter:
# nmcli connection modify Example-Hotspot ipv4.addresses 192.0.2.254/24
The IP address you set, in this case 192.0.2.254, is the one that NetworkManager assigns to the wifi device. Clients will use this IP address as default gateway and DNS server.
Activate the connection profile:
# nmcli connection up Example-Hotspot
Verification
On the server:
Verify that NetworkManager started the dnsmasq service and that the service listens on port 67 (DHCP) and 53 (DNS):
# ss -tulpn | grep -E ":53|:67"
udp   UNCONN   0   0    10.42.0.1:53   0.0.0.0:*   users:(("dnsmasq",pid=55905,fd=6))
udp   UNCONN   0   0    0.0.0.0:67     0.0.0.0:*   users:(("dnsmasq",pid=55905,fd=4))
tcp   LISTEN   0   32   10.42.0.1:53   0.0.0.0:*   users:(("dnsmasq",pid=55905,fd=7))
Display the nftables rule set to ensure that NetworkManager enabled forwarding and masquerading for traffic from the 10.42.0.0/24 subnet:
On a client with a wifi adapter:
Display the list of available networks:
# nmcli device wifi
IN-USE  BSSID              SSID             MODE   CHAN  RATE        SIGNAL  BARS  SECURITY
        00:53:00:88:29:04  Example-Hotspot  Infra  11    130 Mbit/s  62      ▂▄▆_  WPA3
...
Connect to the Example-Hotspot wireless network. See Managing Wi-Fi connections.
Ping a host on the remote network or the internet to verify that the connection works:
# ping -c 3 www.redhat.com
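The server-side checks from the Verification section can be scripted so that a missing listener, a DNS socket bound outside the access point address, or a profile that still accepts WPA2 is reported explicitly. This is an added example, not part of the original documentation. Assumptions: the function names are hypothetical, the sample input is the ss output shown on this page, and a profile that still accepts WPA2 is assumed to report wpa-psk as its key-mgmt value.

```bash
#!/usr/bin/env bash
# Added example: scripted form of the server-side verification steps.
# Function names are hypothetical; 10.42.0.1 is the page's default AP address.

# check_listeners AP_ADDR: reads `ss -tulpn` output on stdin. Succeeds only if
# dnsmasq holds udp/67 plus udp/53 and tcp/53, with DNS bound to AP_ADDR only.
check_listeners() {
    awk -v ap="$1" '
        $NF ~ /"dnsmasq"/ {
            n = split($5, part, ":"); port = part[n]
            addr = substr($5, 1, length($5) - length(port) - 1)
            sub(/%.*/, "", addr)              # drop an optional %interface suffix
            if (port == "67" && $1 == "udp") dhcp = 1
            if (port == "53") { dns[$1] = 1; if (addr != ap) stray = addr }
        }
        END {
            if (!dhcp)       { print "FAIL: dnsmasq is not listening on udp/67"; rc = 1 }
            if (!dns["udp"]) { print "FAIL: dnsmasq is not listening on udp/53"; rc = 1 }
            if (!dns["tcp"]) { print "FAIL: dnsmasq is not listening on tcp/53"; rc = 1 }
            if (stray != "") { print "FAIL: DNS bound to " stray ", expected " ap; rc = 1 }
            if (!rc) print "OK: dnsmasq serves DHCP and DNS on " ap
            exit rc + 0
        }'
}

# check_key_mgmt VALUE: VALUE is 802-11-wireless-security.key-mgmt of the profile.
# Assumption: a profile that still accepts WPA2 reports wpa-psk here.
check_key_mgmt() {
    case "$1" in
        sae)     echo "OK: WPA3 Personal only (sae)" ;;
        wpa-psk) echo "WARN: WPA2 PSK still accepted; key-mgmt is not sae"; return 2 ;;
        *)       echo "FAIL: unexpected key-mgmt value: $1"; return 1 ;;
    esac
}

# Sample input: the three listener lines from the ss output shown on this page.
SAMPLE_SS='udp UNCONN 0 0  10.42.0.1:53 0.0.0.0:* users:(("dnsmasq",pid=55905,fd=6))
udp UNCONN 0 0  0.0.0.0:67   0.0.0.0:* users:(("dnsmasq",pid=55905,fd=4))
tcp LISTEN 0 32 10.42.0.1:53 0.0.0.0:* users:(("dnsmasq",pid=55905,fd=7))'

printf '%s\n' "$SAMPLE_SS" | check_listeners 10.42.0.1
check_key_mgmt sae

# On the access point host, feed the functions live data instead:
#   ss -tulpn | check_listeners 10.42.0.1
#   check_key_mgmt "$(nmcli -g 802-11-wireless-security.key-mgmt connection show Example-Hotspot)"
```

If you changed the subnet with ipv4.addresses, pass that address (for example 192.0.2.254) to check_listeners instead of 10.42.0.1.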