Red Hat Training

A Red Hat training course is available for Red Hat Enterprise Linux

5.2. Configuring 802.1X Security

802.1X security is the name of the IEEE standard for port-based Network Access Control (PNAC). It is also called WPA Enterprise. 802.1X security is a way of controlling access to a logical network from a physical one. All clients who want to join the logical network must authenticate with the server (a router, for example) using the correct 802.1X authentication method.
802.1X security is most often associated with securing wireless networks (WLANs), but can also be used to prevent intruders with physical access to the network (LAN) from gaining entry.
In the past, DHCP servers were configured not to lease IP addresses to unauthorized users, but for various reasons this practice is both impractical and insecure, and thus is no longer recommended. Instead, 802.1X security is used to ensure a logically-secure network through port-based authentication.
802.1X provides a framework for WLAN and LAN access control and serves as an envelope for carrying one of the Extensible Authentication Protocol (EAP) types. An EAP type is a protocol that defines how security is achieved on the network.

5.2.1. Configuring 802.1X Security for Wi-Fi with nmcli

Procedure
  1. Set the authenticated key-mgmt (key management) protocol. It configures the keying mechanism for a secure wifi connection. See the nm-settings(5) man page for more details on properties.
  2. Configure the 802-1x authentication settings. For the Transport Layer Security (TLS) authentication, see the section called “Configuring TLS Settings”.

Table 5.1. The 802-1x authentication settings

802-1x authentication setting Name  
802-1x.identity Identity  
802-1x.ca-cert CA certificate  
802-1x.client-cert User certificate  
802-1x.private-key Private key  
802-1x.private-key-password Private key password  
For example, to configure WPA2 Enterprise using the EAP-TLS authentication method, apply the following settings:
nmcli c add type wifi ifname wlan0 con-name 'My Wifi Network' \
      802-11-wireless.ssid 'My Wifi' \
      802-11-wireless-security.key-mgmt wpa-eap \
      802-1x.eap tls \
      802-1x.identity identity@example.com \
      802-1x.ca-cert /etc/pki/my-wifi/ca.crt \
      802-1x.client-cert /etc/pki/my-wifi/client.crt \
      802-1x.private-key /etc/pki/my-wifi/client.key \
      802-1x.private-key-password s3cr3t

5.2.2. Configuring 802.1X Security for Wired with nmcli

To configure a wired connection using the nmcli tool, follow the same procedure as for a wireless connection, except the 802-11-wireless.ssid and 802-11-wireless-security.key-mgmt settings.

5.2.3. Configuring 802.1X Security for Wi-Fi with a GUI

Procedure
  1. Select a Wireless network interface from the right-hand-side menu. If necessary, set the symbolic power button to ON and check that your hardware switch is on.
  2. Either select the connection name of a new connection, or click the gear wheel icon of an existing connection profile, for which you want to configure 802.1X security. In the case of a new connection, complete any authentication steps to complete the connection and then click the gear wheel icon.
  3. Select Security.
    The following configuration options are available:
    Security
    None — Do not encrypt the Wi-Fi connection.
    WEP 40/128-bit Key — Wired Equivalent Privacy (WEP), from the IEEE 802.11 standard. Uses a single pre-shared key (PSK).
    WEP 128-bit Passphrase — An MD5 hash of the passphrase will be used to derive a WEP key.
    LEAP — Lightweight Extensible Authentication Protocol, from Cisco Systems.
    Dynamic WEP (802.1X) — WEP keys are changed dynamically. Use with the section called “Configuring TLS Settings”
    WPA & WPA2 Personal — Wi-Fi Protected Access (WPA), from the draft IEEE 802.11i standard. A replacement for WEP. Wi-Fi Protected Access II (WPA2), from the 802.11i-2004 standard. Personal mode uses a pre-shared key (WPA-PSK).
    WPA & WPA2 Enterprise — WPA for use with a RADIUS authentication server to provide IEEE 802.1X network access control. Use with the section called “Configuring TLS Settings”
    Password
    Enter the password to be used in the authentication process.
  4. From the drop-down menu select one of the following security methods: LEAP, Dynamic WEP (802.1X), or WPA & WPA2 Enterprise.
See the section called “Configuring TLS Settings” for descriptions of which extensible authentication protocol (EAP) types correspond to your selection in the Security drop-down menu.

5.2.4. Configuring 802.1X Security for Wired with nm-connection-editor

Procedure
  1. Enter the nm-connection-editor in a terminal.
    ~]$ nm-connection-editor
    The Network Connections window appears.
  2. Select the ethernet connection you want to edit and click the gear wheel icon, see Section 3.4.6.2, “Configuring a Wired Connection with nm-connection-editor”.
  3. Select Security and set the symbolic power button to ON to enable settings configuration.
  4. Select from one of following authentication methods:

Configuring TLS Settings

With Transport Layer Security (TLS), the client and server mutually authenticate using the TLS protocol. The server demonstrates that it holds a digital certificate, the client proves its own identity using its client-side certificate, and key information is exchanged. Once authentication is complete, the TLS tunnel is no longer used. Instead, the client and server use the exchanged keys to encrypt data using AES, TKIP or WEP.
The fact that certificates must be distributed to all clients who want to authenticate means that the EAP-TLS authentication method is very strong, but also more complicated to set up. Using TLS security requires the overhead of a public key infrastructure (PKI) to manage certificates. The benefit of using TLS security is that a compromised password does not allow access to the (W)LAN: an intruder must also have access to the authenticating client's private key.
NetworkManager does not determine the version of TLS supported. NetworkManager gathers the parameters entered by the user and passes them to the daemon, wpa_supplicant, that handles the procedure. It in turn uses OpenSSL to establish the TLS tunnel. OpenSSL itself negotiates the SSL/TLS protocol version. It uses the highest version both ends support.
To configure TLS settings, follow the procedure described in Section 5.2.4, “Configuring 802.1X Security for Wired with nm-connection-editor”. The following configuration settings are available:
Identity
Provide the identity of this server.
User certificate
Click to browse for, and select, a personal X.509 certificate file encoded with Distinguished Encoding Rules (DER) or Privacy Enhanced Mail (PEM).
CA certificate
Click to browse for, and select, an X.509 certificate authority certificate file encoded with Distinguished Encoding Rules (DER) or Privacy Enhanced Mail (PEM).
Private key
Click to browse for, and select, a private key file encoded with Distinguished Encoding Rules (DER), Privacy Enhanced Mail (PEM), or the Personal Information Exchange Syntax Standard (PKCS #12).
Private key password
Enter the password for the private key in the Private key field. Select Show password to make the password visible as you type it.

Configuring FAST Settings

To configure FAST settings, follow the procedure described in Section 5.2.4, “Configuring 802.1X Security for Wired with nm-connection-editor”. The following configuration settings are available:
Anonymous Identity
Provide the identity of this server.
PAC provisioning
Select the check box to enable and then select from Anonymous, Authenticated, and Both.
PAC file
Click to browse for, and select, a protected access credential (PAC) file.
Inner authentication
GTC — Generic Token Card.
MSCHAPv2 — Microsoft Challenge Handshake Authentication Protocol version 2.
Username
Enter the user name to be used in the authentication process.
Password
Enter the password to be used in the authentication process.

Configuring Tunneled TLS Settings

To configure Tunneled TLS settings, follow the procedure described in Section 5.2.4, “Configuring 802.1X Security for Wired with nm-connection-editor”. The following configuration settings are available:
Anonymous identity
This value is used as the unencrypted identity.
CA certificate
Click to browse for, and select, a Certificate Authority's certificate.
Inner authentication
PAP — Password Authentication Protocol.
MSCHAP — Challenge Handshake Authentication Protocol.
MSCHAPv2 — Microsoft Challenge Handshake Authentication Protocol version 2.
CHAP — Challenge Handshake Authentication Protocol.
Username
Enter the user name to be used in the authentication process.
Password
Enter the password to be used in the authentication process.

Configuring Protected EAP (PEAP) Settings

To configure Protected EAP (PEAP) settings, follow the procedure described in Section 5.2.4, “Configuring 802.1X Security for Wired with nm-connection-editor”. The following configuration settings are available:
Anonymous Identity
This value is used as the unencrypted identity.
CA certificate
Click to browse for, and select, a Certificate Authority's certificate.
PEAP version
The version of Protected EAP to use. Automatic, 0 or 1.
Inner authentication
MSCHAPv2 — Microsoft Challenge Handshake Authentication Protocol version 2.
MD5 — Message Digest 5, a cryptographic hash function.
GTC — Generic Token Card.
Username
Enter the user name to be used in the authentication process.
Password
Enter the password to be used in the authentication process.