Menu Close
Settings Close

Language and Page Formatting Options

Red Hat Training

A Red Hat training course is available for RHEL 8

Chapter 3. Managing wifi connections

RHEL provides multiple utilities and applications to configure and connect to wifi networks, for example:

  • The nmcli utility
  • The GNOME system menu
  • The GNOME Settings application
  • The nm-connection-editor application

3.1. Supported wifi security types

Depending on the security type a wifi network supports, you can transmitted data more or less securely.

Warning

Do not connect to wifi networks that do not use encryption or which support only the insecure WEP or WPA standards.

RHEL 8 supports the following wifi security types:

  • None: Encryption is disabled, and data is transferred in plain text over the network.
  • Enhanced Open: With opportunistic wireless encryption (OWE), devices negotiate unique pairwise master keys (PMK) to encrypt connections in wireless networks without authentication.
  • WEP 40/128-bit Key (Hex or ASCII): The Wired Equivalent Privacy (WEP) protocol in this mode uses pre-shared keys only in hex or ASCII format. WEP is deprecated and will be removed in RHEL 9.1.
  • WEP 128-bit Passphrase. The WEP protocol in this mode uses an MD5 hash of the passphrase to derive a WEP key. WEP is deprecated and will be removed in RHEL 9.1.
  • Dynamic WEP (802.1x): A combination of 802.1X and EAP that uses the WEP protocol with dynamic keys. WEP is deprecated and will be removed in RHEL 9.1.
  • LEAP: The Lightweight Extensible Authentication Protocol, which was developed by Cisco, is a proprietary version of the extensible authentication protocol (EAP).
  • WPA & WPA2 Personal: In personal mode, the Wi-Fi Protected Access (WPA) and Wi-Fi Protected Access 2 (WPA2) authentication methods use a pre-shared key.
  • WPA & WPA2 Enterprise: In enterprise mode, WPA and WPA2 use the EAP framework and authenticate users to a remote authentication dial-in user service (RADIUS) server.
  • WPA3 Personal: Wi-Fi Protected Access 3 (WPA3) Personal uses simultaneous authentication of equals (SAE) instead of pre-shared keys (PSK) to prevent dictionary attacks. WPA3 uses perfect forward secrecy (PFS).

3.2. Connecting to a WPA2 or WPA3 Personal-protected wifi network using nmcli commands

You can use the nmcli utility to connect to a wifi network. When you attempt to connect to a network for the first time, the utility automatically creates a NetworkManager connection profile for it. If the network requires additional settings, such as static IP addresses, you can then modify the profile after it has been automatically created.

Prerequisites

  • A wifi device is installed on the host.
  • The wifi device is enabled, if it has a hardware switch.

Procedure

  1. If the wifi radio has been disabled in NetworkManager, enable this feature:

    # nmcli radio wifi on
  2. Optional: Display the available wifi networks:

    # nmcli device wifi list
    IN-USE  BSSID              SSID          MODE   CHAN  RATE        SIGNAL  BARS  SECURITY
            00:53:00:2F:3B:08  Office        Infra  44    270 Mbit/s  57      ▂▄▆_  WPA2 WPA3
            00:53:00:15:03:BF  --            Infra  1     130 Mbit/s  48      ▂▄__  WPA2 WPA3

    The service set identifier (SSID) column contains the names of the networks. If the column shows --, the access point of this network does not broadcast an SSID.

  3. Connect to the wifi network:

    # nmcli device wifi connect Office --ask
    Password: wifi-password

    If you prefer to set the password in the command instead of entering it interactively, use the password wifi-password option in the command instead of --ask:

    # nmcli device wifi connect Office wifi-password

    Note that, if the network requires static IP addresses, NetworkManager fails to activate the connection at this point. You can configure the IP addresses in later steps.

  4. If the network requires static IP addresses:

    1. Configure the IPv4 address settings, for example:

      # nmcli connection modify Office ipv4.method manual ipv4.addresses 192.0.2.1/24 ipv4.gateway 192.0.2.254 ipv4.dns 192.0.2.200 ipv4.dns-search example.com
    2. Configure the IPv6 address settings, for example:

      # nmcli connection modify Office ipv6.method manual ipv6.addresses 2001:db8:1::1/64 ipv6.gateway 2001:db8:1::fffe ipv6.dns 2001:db8:1::ffbb ipv6.dns-search example.com
  5. Re-activate the connection:

    # nmcli connection up Office

Verification

  1. Display the active connections:

    # nmcli connection show --active
    NAME    ID                                    TYPE  DEVICE
    Office  2501eb7e-7b16-4dc6-97ef-7cc460139a58  wifi  wlp0s20f3

    If the output lists the wifi connection you have created, the connection is active.

  2. Ping a hostname or IP address:

    # ping -c 3 example.com

Additional resources

  • nm-settings-nmcli(5) man page

3.3. Configuring a wifi connection using nmtui

The nmtui application provides a text-based user interface for NetworkManager. You can use nmtui to connect to a wifi network.

Note

In nmtui:

  • Navigate by using the cursor keys.
  • Press a button by selecting it and hitting Enter.
  • Select and deselect checkboxes by using Space.

Procedure

  1. If you do not know the network device name you want to use in the connection, display the available devices:

    # nmcli device status
    DEVICE     TYPE      STATE                   CONNECTION
    wlp2s0    wifi      unavailable             --
    ...
  2. Start nmtui:

    # nmtui
  3. Select Edit a connection, and press Enter.
  4. Press the Add button.
  5. Select Wi-Fi from the list of network types, and press Enter.
  6. Optional: Enter a name for the NetworkManager profile to be created.
  7. Enter the network device name into the Device field.
  8. Enter the name of the Wi-Fi network, the Service Set Identifier (SSID), into the SSID field.
  9. Leave the Mode field set to its default, Client.
  10. Select the Security field, press Enter, and set the authentication type of the network from the list.

    Depending on the authentication type you have selected, nmtui displays different fields.

  11. Fill the authentication type-related fields.
  12. If the Wi-Fi network requires static IP addresses:

    1. Press the Automatic button next to the protocol, and select Manual from the displayed list.
    2. Press the Show button next to the protocol you want to configure to display additional fields, and fill them.
  13. Press the OK button to create and automatically activate the new connection.

    nmtui wi fi dynamic IP
  14. Press the Back button to return to the main menu.
  15. Select Quit, and press Enter to close the nmtui application.

Verification

  1. Display the active connections:

    # nmcli connection show --active
    NAME    ID                                    TYPE  DEVICE
    Office  2501eb7e-7b16-4dc6-97ef-7cc460139a58  wifi  wlp0s20f3

    If the output lists the wifi connection you have created, the connection is active.

  2. Ping a hostname or IP address:

    # ping -c 3 example.com

3.4. Connecting to a wifi network using the GNOME system menu

You can use the GNOME system menu to connect to a wifi network. When you connect to a network for the first time, GNOME creates a NetworkManager connection profile for it. If you configure the connection profile to not automatically connect, you can also use the GNOME system menu to manually connect to a wifi network with an existing NetworkManager connection profile.

Note

Using the GNOME system menu to establish a connection to a wifi network for the first time has certain limitations. For example, you can not configure IP address settings. In this case first configure the connections:

Prerequisites

  • A wifi device is installed on the host.
  • The wifi device is enabled, if it has a hardware switch.

Procedure

  1. Open the system menu on the right side of the top bar.
  2. Expand the Wi-Fi Not Connected entry.
  3. Click Select Network:

    gnome select wifi
  4. Select the wifi network you want to connect to.
  5. Click Connect.
  6. If this is the first time you connect to this network, enter the password for the network, and click Connect.

Verification

  1. Open the system menu on the right side of the top bar, and verify that the wifi network is connected:

    gnome wifi connected

    If the network appears in the list, it is connected.

  2. Ping a hostname or IP address:

    # ping -c 3 example.com

3.5. Connecting to a wifi network using the GNOME settings application

You can use the GNOME settings application, also named gnome-control-center, to connect to a wifi network and configure the connection. When you connect to the network for the first time, GNOME creates a NetworkManager connection profile for it.

In GNOME settings, you can configure wifi connections for all wifi network security types that RHEL supports.

Prerequisites

  • A wifi device is installed on the host.
  • The wifi device is enabled, if it has a hardware switch.

Procedure

  1. Press the Super key, type Wi-Fi, and press Enter.
  2. Click on the name of the wifi network you want to connect to.
  3. Enter the password for the network, and click Connect.
  4. If the network requires additional settings, such as static IP addresses or a security type other than WPA2 Personal:

    1. Click the gear icon next to the network’s name.
    2. Optional: Configure the network profile on the Details tab to not automatically connect.

      If you deactivate this feature, you must always manually connect to the network, for example, using GNOME settings or the GNOME system menu.

    3. Configure IPv4 settings on the IPv4 tab, and IPv6 settings on the IPv6 tab.
    4. On the Security tab, select the authentication of the network, such as WPA3 Personal, and enter the password.

      Depending on the selected security, the application shows additional fields. Fill them accordingly. For details, ask the administrator of the wifi network.

    5. Click Apply.

Verification

  1. Open the system menu on the right side of the top bar, and verify that the wifi network is connected:

    gnome wifi connected

    If the network appears in the list, it is connected.

  2. Ping a hostname or IP address:

    # ping -c 3 example.com

3.6. Configuring a wifi connection using nm-connection-editor

You can use the nm-connection-editor application to create a connection profile for a wireless network. In this application you can configure all wifi network authentication types that RHEL supports.

By default, NetworkManager enables the auto-connect feature for connection profiles and automatically connects to a saved network if it is available.

Prerequisites

  • A wifi device is installed on the host.
  • The wifi device is enabled, if it has a hardware switch.

Procedure

  1. Open a terminal and enter:

    # nm-connection-editor
  2. Click the + button to add a new connection.
  3. Select the Wi-Fi connection type, and click Create.
  4. Optional: Set a name for the connection profile.
  5. Optional: Configure the network profile on the General tab to not automatically connect.

    If you deactivate this feature, you must always manually connect to the network, for example, using GNOME settings or the GNOME system menu.

  6. On the Wi-Fi tab, enter the service set identifier (SSID) in the SSID field.
  7. On the Wi-Fi Security tab, select the authentication type for the network, such as WPA3 Personal, and enter the password.

    Depending on the selected security, the application shows additional fields. Fill them accordingly. For details, ask the administrator of the wifi network.

  8. Configure IPv4 settings on the IPv4 tab, and IPv6 settings on the IPv6 tab.
  9. Click Save.
  10. Close the Network Connections window.

Verification

  1. Open the system menu on the right side of the top bar, and verify that the wifi network is connected:

    gnome wifi connected

    If the network appears in the list, it is connected.

  2. Ping a hostname or IP address:

    # ping -c 3 example.com

3.7. Configuring a wifi connection with 802.1X network authentication using the RHEL System Roles

Using RHEL System Roles, you can automate the creation of a wifi connection. This procedure describes how to remotely add a wireless connection profile for the wlp1s0 interface using an Ansible playbook. The created profile uses the 802.1X standard to authenticate the client to a wifi network. The playbook configures the connection profile to use DHCP. To configure static IP settings, adapt the parameters in the ip dictionary accordingly.

Perform this procedure on the Ansible control node.

Prerequisites

  • You have prepared the control node and the managed nodes
  • You are logged in to the control node as a user who can run playbooks on the managed nodes.
  • The account you use to connect to the managed nodes has sudo permissions on them.
  • The hosts or host groups on which you want to run this playbook are listed in the Ansible inventory file.
  • The network supports 802.1X network authentication.
  • You installed the wpa_supplicant package on the managed node.
  • DHCP is available in the network of the managed node.
  • The following files required for TLS authentication exist on the control node:

    • The client key is stored in the /srv/data/client.key file.
    • The client certificate is stored in the /srv/data/client.crt file.
    • The CA certificate is stored in the /srv/data/ca.crt file.

Procedure

  1. Create a playbook file, for example ~/enable-802.1x.yml, with the following content:

    ---
    - name: Configure a wifi connection with 802.1X authentication
      hosts: "managed-node-01.example.com"
      tasks:
        - name: Copy client key for 802.1X authentication
          copy:
            src: "/srv/data/client.key"
            dest: "/etc/pki/tls/private/client.key"
            mode: 0400
    
        - name: Copy client certificate for 802.1X authentication
          copy:
            src: "/srv/data/client.crt"
            dest: "/etc/pki/tls/certs/client.crt"
    
        - name: Copy CA certificate for 802.1X authentication
          copy:
            src: "/srv/data/ca.crt"
            dest: "/etc/pki/ca-trust/source/anchors/ca.crt"
    
        - block:
            - import_role:
                name: linux-system-roles.network
              vars:
                network_connections:
                  - name: Configure the Example-wifi profile
                    interface_name: wlp1s0
                    state: up
                    type: wireless
                    autoconnect: yes
                    ip:
                      dhcp4: true
                      auto6: true
                    wireless:
                      ssid: "Example-wifi"
                      key_mgmt: "wpa-eap"
                    ieee802_1x:
                      identity: "user_name"
                      eap: tls
                      private_key: "/etc/pki/tls/client.key"
                      private_key_password: "password"
                      private_key_password_flags: none
                      client_cert: "/etc/pki/tls/client.pem"
                      ca_cert: "/etc/pki/tls/cacert.pem"
                      domain_suffix_match: "example.com"
  2. Run the playbook:

    # ansible-playbook ~/enable-802.1x.yml

Additional resources

  • /usr/share/ansible/roles/rhel-system-roles.network/README.md file

3.8. Configuring 802.1X network authentication on an existing wifi connection using nmcli

Using the nmcli utility, you can configure the client to authenticate itself to the network. This procedure describes how to configure Protected Extensible Authentication Protocol (PEAP) authentication with the Microsoft Challenge-Handshake Authentication Protocol version 2 (MSCHAPv2) in an existing NetworkManager wifi connection profile named wlp1s0.

Prerequisites

  1. The network must have 802.1X network authentication.
  2. The wifi connection profile exists in NetworkManager and has a valid IP configuration.
  3. If the client is required to verify the certificate of the authenticator, the Certificate Authority (CA) certificate must be stored in the /etc/pki/ca-trust/source/anchors/ directory.
  4. The wpa_supplicant package is installed.

Procedure

  1. Set the wifi security mode to wpa-eap, the Extensible Authentication Protocol (EAP) to peap, the inner authentication protocol to mschapv2, and the user name:

    # nmcli connection modify wlp1s0 wireless-security.key-mgmt wpa-eap 802-1x.eap peap 802-1x.phase2-auth mschapv2 802-1x.identity user_name

    Note that you must set the wireless-security.key-mgmt, 802-1x.eap, 802-1x.phase2-auth, and 802-1x.identity parameters in a single command.

  2. Optionally, store the password in the configuration:

    # nmcli connection modify wlp1s0 802-1x.password password
    Important

    By default, NetworkManager stores the password in clear text in the /etc/sysconfig/network-scripts/keys-connection_name file, that is readable only by the root user. However, clear text passwords in a configuration file can be a security risk.

    To increase the security, set the 802-1x.password-flags parameter to 0x1. With this setting, on servers with the GNOME desktop environment or the nm-applet running, NetworkManager retrieves the password from these services. In other cases, NetworkManager prompts for the password.

  3. If the client is required to verify the certificate of the authenticator, set the 802-1x.ca-cert parameter in the connection profile to the path of the CA certificate:

    # nmcli connection modify wlp1s0 802-1x.ca-cert /etc/pki/ca-trust/source/anchors/ca.crt
    Note

    For security reasons, Red Hat recommends using the certificate of the authenticator to enable clients to validate the identity of the authenticator.

  4. Activate the connection profile:

    # nmcli connection up wlp1s0

Verification steps

  • Access resources on the network that require network authentication.

Additional resources

3.9. Manually setting the wireless regulatory domain

On RHEL, a udev rule executes the setregdomain utility to set the wireless regulatory domain. The utility then provides this information to the kernel.

By default, setregdomain attempts to determine the country code automatically. If this fails, the wireless regulatory domain setting might be wrong. To work around this problem, you can manually set the country code.

Important

Manually setting the regulatory domain disables the automatic detection. Therefore, if you later use the computer in a different country, the previously configured setting might no longer be correct. In this case, remove the /etc/sysconfig/regdomain file to switch back to automatic detection or use this procedure to manually update the regulatory domain setting again.

Procedure

  1. Optional: Display the current regulatory domain settings:

    # iw reg get
    global
    country US: DFS-FCC
    ...
  2. Create the /etc/sysconfig/regdomain file with the following content:

    COUNTRY=<country_code>

    Set the COUNTRY variable to an ISO 3166-1 alpha2 country code, such as DE for Germany or US for the United States of America.

  3. Set the regulatory domain:

    # setregdomain

Verification

  • Display the regulatory domain settings:

    # iw reg get
    global
    country DE: DFS-ETSI
    ...

Additional resources