10.3.9. Configuring Connection Settings
10.3.9.1. Configuring 802.1X Security
802.1X security is the name of the IEEE standard for port-based Network Access Control (PNAC). Simply put, 802.1X security is a way of defining a logical network out of a physical one. All clients who want to join the logical network must authenticate with the server (a router, for example) using the correct 802.1X authentication method.
802.1X security is most often associated with securing wireless networks (WLANs), but can also be used to prevent intruders with physical access to the network (LAN) from gaining entry. In the past, DHCP servers were configured not to lease IP addresses to unauthorized users, but for various reasons this practice is both impractical and insecure, and thus is no longer recommended. Instead, 802.1X security is used to ensure a logically-secure network through port-based authentication.
802.1X provides a framework for WLAN and LAN access control and serves as an envelope for carrying one of the Extensible Authentication Protocol (EAP) types. An EAP type is a protocol that defines how WLAN security is achieved on the network.
You can configure 802.1X security for a wired or wireless connection type by opening the Network Connections window (see Section 10.2.2, “Configuring New and Editing Existing Connections”) and following the applicable procedure:
Procedure 10.15. For a wired connection...
- Either click , select a new network connection for which you want to configure 802.1X security and then click , or select an existing connection and click .
- Then select the 802.1X Security tab and check the Use 802.1X security for this connection check box to enable settings configuration.
Procedure 10.16. For a wireless connection...
- Either click on , select a new network connection for which you want to configure 802.1X security and then click , or select an existing connection and click .
- Select the Wireless Security tab.
- Then click the Security dropdown and choose one of the following security methods: , , or .
- See Section 10.3.9.1.1, “Configuring TLS (Transport Layer Security) Settings” for descriptions of which EAP types correspond to your selection in the Security dropdown.
10.3.9.1.1. Configuring TLS (Transport Layer Security) Settings
With Transport Layer Security, the client and server mutually authenticate using the TLS protocol. The server demonstrates that it holds a digital certificate, the client proves its own identity using its client-side certificate, and key information is exchanged. Once authentication is complete, the TLS tunnel is no longer used. Instead, the client and server use the exchanged keys to encrypt data using AES, TKIP or WEP.
The fact that certificates must be distributed to all clients who want to authenticate means that the EAP-TLS authentication method is very strong, but also more complicated to set up. Using TLS security requires the overhead of a public key infrastructure (PKI) to manage certificates. The benefit of using TLS security is that a compromised password does not allow access to the (W)LAN: an intruder must also have access to the authenticating client's private key.
NetworkManager does not itself determine which TLS version is used. It gathers the parameters entered by the user and passes them to the wpa_supplicant daemon, which handles the authentication procedure and in turn uses OpenSSL to establish the TLS tunnel. OpenSSL negotiates the SSL/TLS protocol version, choosing the highest version both ends support.
- Identity
- Identity string for EAP authentication methods, such as a user name or login name.
- User certificate
- Click to browse for, and select, a user's certificate.
- CA certificate
- Click to browse for, and select, a Certificate Authority's certificate.
- Private key
- Click to browse for, and select, a user's private key file. Note that the key must be password protected.
- Private key password
- Enter the user password corresponding to the user's private key.
10.3.9.1.2. Configuring Tunneled TLS Settings
- Anonymous identity
- This value is used as the unencrypted identity.
- CA certificate
- Click to browse for, and select, a Certificate Authority's certificate.
- Inner authentication
- — Password Authentication Protocol.
- — Challenge Handshake Authentication Protocol.
- — Microsoft Challenge Handshake Authentication Protocol version 2.
- — Challenge Handshake Authentication Protocol.
- Username
- Enter the user name to be used in the authentication process.
- Password
- Enter the password to be used in the authentication process.
10.3.9.1.3. Configuring Protected EAP (PEAP) Settings
- Anonymous Identity
- This value is used as the unencrypted identity.
- CA certificate
- Click to browse for, and select, a Certificate Authority's certificate.
- PEAP version
- The version of Protected EAP to use. Automatic, 0 or 1.
- Inner authentication
- — Microsoft Challenge Handshake Authentication Protocol version 2.
- — Message Digest 5, a cryptographic hash function.
- — Generic Token Card.
- Username
- Enter the user name to be used in the authentication process.
- Password
- Enter the password to be used in the authentication process.