2.7. Configuring Connection Settings

This section describes various configurations of the 802.3 link settings and shows how to configure them by using NetworkManager.

2.7.2. Configuring 802.1X Security

802.1X security is the name of the IEEE standard for port-based Network Access Control (PNAC). It is also called WPA Enterprise. Simply put, 802.1X security is a way of controlling access to a logical network from a physical one. All clients who want to join the logical network must authenticate with the server (a router, for example) using the correct 802.1X authentication method.
802.1X security is most often associated with securing wireless networks (WLANs), but can also be used to prevent intruders with physical access to the network (LAN) from gaining entry. In the past, DHCP servers were configured not to lease IP addresses to unauthorized users, but for various reasons this practice is both impractical and insecure, and thus is no longer recommended. Instead, 802.1X security is used to ensure a logically-secure network through port-based authentication.
802.1X provides a framework for WLAN and LAN access control and serves as an envelope for carrying one of the Extensible Authentication Protocol (EAP) types. An EAP type is a protocol that defines how security is achieved on the network.

Configuring Connection Settings 802.1X Security Using a GUI

You can configure 802.1X security for a wired or wireless connection type by opening the Network window (see Section 2.3.1, “Connecting to a Network Using a GUI”) and following the applicable procedure below. Press the Super key to enter the Activities Overview, type control network and then press Enter. The Network settings tool appears. Proceed to Procedure 2.11, “For a Wired Connection” or Procedure 2.12, “For a Wireless Connection”:

Procedure 2.11. For a Wired Connection

  1. Select a Wired network interface from the left-hand-side menu.
  2. Either click on Add Profile to add a new network connection profile for which you want to configure 802.1X security, or select an existing connection profile and click the gear wheel icon.
  3. Then select Security and set the symbolic power button to ON to enable settings configuration.

Procedure 2.12. For a Wireless Connection

  1. Select a Wireless network interface from the left-hand-side menu. If necessary, set the symbolic power button to ON and check that your hardware switch is on.
  2. Either select the connection name of a new connection, or click the gear wheel icon of an existing connection profile, for which you want to configure 802.1X security. In the case of a new connection, complete any authentication steps to complete the connection and then click the gear wheel icon.
  3. Select Security.
  4. From the drop-down menu select one of the following security methods: LEAP, Dynamic WEP (802.1X), or WPA & WPA2 Enterprise.
  5. See Section 2.7.2.1, “Configuring Transport Layer Security (TLS) Settings” for descriptions of which extensible authentication protocol (EAP) types correspond to your selection in the Security drop-down menu.

Configuring Connection Settings 802.1X Security Using the nmcli tool

To configure a wireless connection using the nmcli tool, follow the procedure below:
  1. Set the accepted authenticated key-mgmt (key management) protocol. It configures the keying mechanism for a secure wifi connection. See the nm-settings(5) man page for more details on properties.
  2. Configure the 802-1x authentication settings. For the Transport Layer Security (TLS) authentication, see Section 2.7.2.1, “Configuring Transport Layer Security (TLS) Settings” and Section 2.7.2.2, “Configuring TLS Settings” for descriptions of relevant properties:

Table 2.1. The 802-1x authentication settings

802-1x authentication setting Name  
802-1x.identity Identity  
802-1x.ca-cert CA certificate  
802-1x.client-cert User certificate  
802-1x.private-key Private key  
802-1x.private-key-password Private key password  
For example, to configure WPA2 Enterprise using the EAP-TLS authentication method, apply the following settings:
nmcli c add type wifi ifname wlan0 con-name 'My Wifi Network' \
        802-11-wireless.ssid 'My Wifi' \
        802-11-wireless-security.key-mgmt wpa-eap \
        802-1x.eap tls \
        802-1x.identity identity@example.com \
        802-1x.ca-cert /etc/pki/my-wifi/ca.crt \
        802-1x.client-cert /etc/pki/my-wifi/client.crt \
        802-1x.private-key /etc/pki/my-wifi/client.key \
        802-1x.private-key-password s3cr3t

Note

To configure a wired connection using the nmcli tool, follow the same procedure as for a wireless connection, except the 802-11-wireless.ssid and 802-11-wireless-security.key-mgmt settings.

2.7.2.1. Configuring Transport Layer Security (TLS) Settings

With Transport Layer Security, the client and server mutually authenticate using the TLS protocol. The server demonstrates that it holds a digital certificate, the client proves its own identity using its client-side certificate, and key information is exchanged. Once authentication is complete, the TLS tunnel is no longer used. Instead, the client and server use the exchanged keys to encrypt data using AES, TKIP or WEP.
The fact that certificates must be distributed to all clients who want to authenticate means that the EAP-TLS authentication method is very strong, but also more complicated to set up. Using TLS security requires the overhead of a public key infrastructure (PKI) to manage certificates. The benefit of using TLS security is that a compromised password does not allow access to the (W)LAN: an intruder must also have access to the authenticating client's private key.
NetworkManager does not determine the version of TLS supported. NetworkManager gathers the parameters entered by the user and passes them to the daemon, wpa_supplicant, that handles the procedure. It in turn uses OpenSSL to establish the TLS tunnel. OpenSSL itself negotiates the SSL/TLS protocol version. It uses the highest version both ends support.
Selecting an Authentication Method
Select from one of following authentication methods:

2.7.2.2. Configuring TLS Settings

Identity
Provide the identity of this server.
User certificate
Click to browse for, and select, a personal X.509 certificate file encoded with Distinguished Encoding Rules (DER) or Privacy Enhanced Mail (PEM).
CA certificate
Click to browse for, and select, an X.509 certificate authority certificate file encoded with Distinguished Encoding Rules (DER) or Privacy Enhanced Mail (PEM).
Private key
Click to browse for, and select, a private key file encoded with Distinguished Encoding Rules (DER), Privacy Enhanced Mail (PEM), or the Personal Information Exchange Syntax Standard (PKCS #12).
Private key password
Enter the password for the private key in the Private key field. Select Show password to make the password visible as you type it.

2.7.2.3. Configuring FAST Settings

Anonymous Identity
Provide the identity of this server.
PAC provisioning
Select the check box to enable and then select from Anonymous, Authenticated, and Both.
PAC file
Click to browse for, and select, a protected access credential (PAC) file.
Inner authentication
GTC — Generic Token Card.
MSCHAPv2 — Microsoft Challenge Handshake Authentication Protocol version 2.
Username
Enter the user name to be used in the authentication process.
Password
Enter the password to be used in the authentication process.

2.7.2.4. Configuring Tunneled TLS Settings

Anonymous identity
This value is used as the unencrypted identity.
CA certificate
Click to browse for, and select, a Certificate Authority's certificate.
Inner authentication
PAP — Password Authentication Protocol.
MSCHAP — Challenge Handshake Authentication Protocol.
MSCHAPv2 — Microsoft Challenge Handshake Authentication Protocol version 2.
CHAP — Challenge Handshake Authentication Protocol.
Username
Enter the user name to be used in the authentication process.
Password
Enter the password to be used in the authentication process.

2.7.2.5. Configuring Protected EAP (PEAP) Settings

Anonymous Identity
This value is used as the unencrypted identity.
CA certificate
Click to browse for, and select, a Certificate Authority's certificate.
PEAP version
The version of Protected EAP to use. Automatic, 0 or 1.
Inner authentication
MSCHAPv2 — Microsoft Challenge Handshake Authentication Protocol version 2.
MD5 — Message Digest 5, a cryptographic hash function.
GTC — Generic Token Card.
Username
Enter the user name to be used in the authentication process.
Password
Enter the password to be used in the authentication process.

2.7.3. Configuring Wi-Fi Security

Security
None — Do not encrypt the Wi-Fi connection.
WEP 40/128-bit Key — Wired Equivalent Privacy (WEP), from the IEEE 802.11 standard. Uses a single pre-shared key (PSK).
WEP 128-bit Passphrase — An MD5 hash of the passphrase will be used to derive a WEP key.
LEAP — Lightweight Extensible Authentication Protocol, from Cisco Systems.
Dynamic WEP (802.1X) — WEP keys are changed dynamically. Use with Section 2.7.2.1, “Configuring Transport Layer Security (TLS) Settings”
WPA & WPA2 Personal — Wi-Fi Protected Access (WPA), from the draft IEEE 802.11i standard. A replacement for WEP. Wi-Fi Protected Access II (WPA2), from the 802.11i-2004 standard. Personal mode uses a pre-shared key (WPA-PSK).
WPA & WPA2 Enterprise — WPA for use with a RADIUS authentication server to provide IEEE 802.1X network access control. Use with Section 2.7.2.1, “Configuring Transport Layer Security (TLS) Settings”
Password
Enter the password to be used in the authentication process.

2.7.4. Using MACsec with wpa_supplicant and NetworkManager

Media Access Control Security (MACsec, IEEE 802.1AE) encrypts and authenticates all traffic in LANs with the GCM-AES-128 algorithm. MACsec can protect not only IP but also Address Resolution Protocol (ARP), Neighbor Discovery (ND), or DHCP. While IPsec operates on the network layer (layer 3) and SSL or TLS on the transport layer (layer 4), MACsec operates in the data link layer (layer 2). Combine MACsec with security protocols for other networking layers to take advantage of different security features that these standards provide.
To enable MACsec with a switch that performs authentication using a pre-shared Connectivity Association Key/CAK Name (CAK/CKN) pair, perform the following steps:
  1. Create a CAK/CKN pair. For example, the following command generates a 16-byte key in hexadecimal notation:
    ~]$ dd if=/dev/urandom count=16 bs=1 2> /dev/null | hexdump -e '1/2 "%02x"'
  2. Create the wpa_supplicant.conf configuration file and add the following lines to it:
    ctrl_interface=/var/run/wpa_supplicant
    eapol_version=3
    ap_scan=0
    fast_reauth=1
    
    network={
            key_mgmt=NONE
            eapol_flags=0
            macsec_policy=1
    
            mka_cak=0011... # 16 bytes hexadecimal
            mka_ckn=2233... # 32 bytes hexadecimal
    }
    Use the values from the previous step to complete the mka_cak and mka_ckn lines in the wpa_supplicant.conf configuration file.
    See the wpa_supplicant.conf(5) man page for more information.
  3. Assuming you are using eth0 to connect to your network, start wpa_supplicant using the following command:
    ~]# wpa_supplicant -i eth0 -Dmacsec_linux -c wpa_supplicant.conf
Instead of creating and editing the wpa_supplicant.conf file, Red Hat recommends using the nmcli command to configure wpa_supplicant equivalently as in the previous steps. The following example assumes that you already have a 16-byte hexadecimal CAK ($MKA_CAK) and a 32-byte hexadecimal CKN ($MKA_CKN):
~]# nmcli connection add type macsec \
      con-name test-macsec+ ifname macsec0 \
      connection.autoconnect no \
      macsec.parent eth0 macsec.mode psk \
      macsec.mka-cak $MKA_CAK \
      macsec.mka-cak-flags 0 \
      macsec.mka-ckn $MKA_CKN

~]# nmcli connection up test-macsec+
After this step, the macsec0 device should be configured and used for networking.
For more details, see the What’s new in MACsec: setting up MACsec using wpa_supplicant and (optionally) NetworkManager article. In addition, see the MACsec: a different solution to encrypt network traffic article for more information about the architecture of a MACsec network, use case scenarios, and configuration examples.

2.7.5. Configuring PPP (Point-to-Point) Settings

Authentication Methods
In most cases, the provider’s PPP servers supports all the allowed authentication methods. If a connection fails, the user should disable support for some methods, depending on the PPP server configuration.
Use point-to-point encryption (MPPE)
Microsoft Point-To-Point Encryption protocol (RFC 3078).
Allow BSD data compression
PPP BSD Compression Protocol (RFC 1977).
Allow Deflate data compression
PPP Deflate Protocol (RFC 1979).
Use TCP header compression
Compressing TCP/IP Headers for Low-Speed Serial Links (RFC 1144).
Send PPP echo packets
LCP Echo-Request and Echo-Reply Codes for loopback tests (RFC 1661).

Note

Since the PPP support in NetworkManager is optional, to configure PPP settings, make sure that the NetworkManager-ppp package is already installed.

2.7.6. Configuring IPv4 Settings

The IPv4 Settings tab allows you to configure the method used to connect to a network, to enter IP address, route, and DNS information as required. The IPv4 Settings tab is available when you create and modify one of the following connection types: wired, wireless, mobile broadband, VPN or DSL. If you need to configure IPv6 addresses, see Section 2.7.7, “Configuring IPv6 Settings”. If you need to configure static routes, click the Routes button and proceed to Section 2.7.8, “Configuring Routes”.
If you are using DHCP to obtain a dynamic IP address from a DHCP server, you can simply set Method to Automatic (DHCP).

Setting the Method

Available IPv4 Methods by Connection Type

When you click the Method drop-down menu, depending on the type of connection you are configuring, you are able to select one of the following IPv4 connection methods. All of the methods are listed here according to which connection type, or types, they are associated with:
Method
Automatic (DHCP) — Choose this option if the network you are connecting to uses a DHCP server to assign IP addresses. You do not need to fill in the DHCP client ID field.
Automatic (DHCP) addresses only — Choose this option if the network you are connecting to uses a DHCP server to assign IP addresses but you want to assign DNS servers manually.
Link-Local Only — Choose this option if the network you are connecting to does not have a DHCP server and you do not want to assign IP addresses manually. Random addresses will be assigned as per RFC 3927 with prefix 169.254/16.
Shared to other computers — Choose this option if the interface you are configuring is for sharing an Internet or WAN connection. The interface is assigned an address in the 10.42.x.1/24 range, a DHCP server and DNS server are started, and the interface is connected to the default network connection on the system with network address translation (NAT).
DisabledIPv4 is disabled for this connection.
Wired, Wireless and DSL Connection Methods
Manual — Choose this option if you want to assign IP addresses manually.
Mobile Broadband Connection Methods
Automatic (PPP) — Choose this option if the network you are connecting to assigns your IP address and DNS servers automatically.
Automatic (PPP) addresses only — Choose this option if the network you are connecting to assigns your IP address automatically, but you want to manually specify DNS servers.
VPN Connection Methods
Automatic (VPN) — Choose this option if the network you are connecting to assigns your IP address and DNS servers automatically.
Automatic (VPN) addresses only — Choose this option if the network you are connecting to assigns your IP address automatically, but you want to manually specify DNS servers.
DSL Connection Methods
Automatic (PPPoE) — Choose this option if the network you are connecting to assigns your IP address and DNS servers automatically.
Automatic (PPPoE) addresses only — Choose this option if the network you are connecting to assigns your IP address automatically, but you want to manually specify DNS servers.
For information on configuring static routes for the network connection, go to Section 2.7.8, “Configuring Routes”.

2.7.7. Configuring IPv6 Settings

Method
Ignore — Choose this option if you want to ignore IPv6 settings for this connection.
Automatic — Choose this option to use SLAAC to create an automatic, stateless configuration based on the hardware address and router advertisements (RA).
Automatic, addresses only — Choose this option if the network you are connecting to uses router advertisements (RA) to create an automatic, stateless configuration, but you want to assign DNS servers manually.
Automatic, DHCP only — Choose this option to not use RA, but request information from DHCPv6 directly to create a stateful configuration.
Manual — Choose this option if you want to assign IP addresses manually.
Link-Local Only — Choose this option if the network you are connecting to does not have a DHCP server and you do not want to assign IP addresses manually. Random addresses will be assigned as per RFC 4862 with prefix FE80::0.
Addresses
DNS servers — Enter a comma separated list of DNS servers.
Search domains — Enter a comma separated list of domain controllers.
For information on configuring static routes for the network connection, go to Section 2.7.8, “Configuring Routes”.

2.7.8. Configuring Routes

A host's routing table will be automatically populated with routes to directly connected networks. The routes are learned by examining the network interfaces when they are up. This section describes entering static routes to networks or hosts which can be reached by traversing an intermediate network or connection, such as a VPN tunnel or leased line. In order to reach a remote network or host, the system is given the address of a gateway to which traffic should be sent.
When a host's interface is configured by DHCP, an address of a gateway that leads to an upstream network or the Internet is usually assigned. This gateway is usually referred to as the default gateway as it is the gateway to use if no better route is known to the system (and present in the routing table). Network administrators often use the first or last host IP address in the network as the gateway address; for example, 192.168.10.1 or 192.168.10.254. Not to be confused by the address which represents the network itself; in this example, 192.168.10.0, or the subnet's broadcast address; in this example 192.168.10.255.

Configuring Static Routes

To set a static route, open the IPv4 or IPv6 settings window for the connection you want to configure. See Section 2.3.1, “Connecting to a Network Using a GUI” for instructions on how to do that.
Routes
Address — Enter the IP address of a remote network, sub-net, or host.
Netmask — The netmask or prefix length of the IP address entered above.
Gateway — The IP address of the gateway leading to the remote network, sub-net, or host entered above.
Metric — A network cost, a preference value to give to this route. Lower values will be preferred over higher values.
Automatic
When Automatic is ON, routes from RA or DHCP are used, but you can also add additional static routes. When OFF, only static routes you define are used.
Use this connection only for resources on its network
Select this check box to prevent the connection from becoming the default route. Typical examples are where a connection is a VPN tunnel or a leased line to a head office and you do not want any Internet-bound traffic to pass over the connection. Selecting this option means that only traffic specifically destined for routes learned automatically over the connection or entered here manually will be routed over the connection.