Chapter 32. Authenticating a RHEL client to the network by using the 802.1X standard with a certificate stored on the file system

Administrators frequently use port-based Network Access Control (NAC) based on the IEEE 802.1X standard to protect a network from unauthorized LAN and Wi-Fi clients. To enable a client to connect to such networks, you must configure 802.1X authentication on these clients.

32.1. Configuring 802.1X network authentication on an existing Ethernet connection by using nmcli

You can use the nmcli utility to configure an Ethernet connection with 802.1X network authentication on the command line.

Prerequisites

  • The network supports 802.1X network authentication.
  • The Ethernet connection profile exists in NetworkManager and has a valid IP configuration.
  • The following files required for TLS authentication exist on the client:

    • The client key is stored in the /etc/pki/tls/private/client.key file, and the file is owned and only readable by the root user.
    • The client certificate is stored in the /etc/pki/tls/certs/client.crt file.
    • The Certificate Authority (CA) certificate is stored in the /etc/pki/tls/certs/ca.crt file.
  • The wpa_supplicant package is installed.
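
The file prerequisites above can be verified before you modify the profile. The following script is an added example, not part of the original procedure; the function names and the KEY_PASSPHRASE variable are assumptions, and it relies on GNU stat and the openssl command-line tool.

```sh
#!/bin/sh
# Added example (not from the original documentation): pre-flight checks for
# the EAP-TLS files. Function names and KEY_PASSPHRASE are hypothetical.

# check_private_key FILE [OWNER]: succeeds only if FILE is a regular file,
# owned by OWNER (default root), with no group or other permission bits.
check_private_key() {
    key=$1; owner=${2:-root}
    if [ ! -f "$key" ] || [ -L "$key" ]; then
        echo "FAIL: $key is missing or not a regular file" >&2; return 1
    fi
    actual=$(stat -c '%U' "$key") || return 1
    mode=$(stat -c '%a' "$key") || return 1
    if [ "$actual" != "$owner" ]; then
        echo "FAIL: $key is owned by $actual, expected $owner" >&2; return 1
    fi
    if [ $(( 0$mode & 077 )) -ne 0 ]; then
        echo "FAIL: $key has mode $mode, group/other must have no access" >&2
        return 1
    fi
}

# check_cert_current CERT: succeeds only if CERT parses as an X.509
# certificate and has not expired.
check_cert_current() {
    openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1 ||
        { echo "FAIL: $1 is expired or not a certificate" >&2; return 1; }
}

# check_pair CERT KEY: succeeds only if CERT carries the public key of KEY.
# An encrypted KEY needs its passphrase in the KEY_PASSPHRASE environment
# variable; the check never prompts.
check_pair() {
    cert=$1; key=$2
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(KEY_PASSPHRASE=${KEY_PASSPHRASE:-} openssl pkey -in "$key" \
        -pubout -passin env:KEY_PASSPHRASE 2>/dev/null) ||
        { echo "FAIL: cannot read $key (wrong passphrase?)" >&2; return 1; }
    [ "$cert_pub" = "$key_pub" ] ||
        { echo "FAIL: $cert and $key are not a pair" >&2; return 1; }
}

# Check the paths from the prerequisites when invoked as: sh script.sh run
if [ "${1:-}" = "run" ]; then
    check_private_key /etc/pki/tls/private/client.key &&
        check_cert_current /etc/pki/tls/certs/ca.crt &&
        check_cert_current /etc/pki/tls/certs/client.crt &&
        check_pair /etc/pki/tls/certs/client.crt /etc/pki/tls/private/client.key &&
        echo "OK: 802.1X client files are consistent"
fi
```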

Procedure

  1. Set the Extensible Authentication Protocol (EAP) to tls and the paths to the client certificate and key file:

    # nmcli connection modify enp1s0 802-1x.eap tls 802-1x.client-cert /etc/pki/tls/certs/client.crt 802-1x.private-key /etc/pki/tls/private/client.key

    Note that you must set the 802-1x.eap, 802-1x.client-cert, and 802-1x.private-key parameters in a single command.

  2. Set the path to the CA certificate:

    # nmcli connection modify enp1s0 802-1x.ca-cert /etc/pki/tls/certs/ca.crt

  3. Set the identity of the user used in the certificate:

    # nmcli connection modify enp1s0 802-1x.identity user@example.com

  4. Optionally, store the password in the configuration:

    # nmcli connection modify enp1s0 802-1x.private-key-password password

    Important

    By default, NetworkManager stores the password in clear text in the /etc/sysconfig/network-scripts/keys-connection_name file, which is readable only by the root user. However, clear text passwords in a configuration file can be a security risk.

    To increase security, set the 802-1x.password-flags parameter to 0x1. With this setting, on servers with the GNOME desktop environment or the nm-applet running, NetworkManager retrieves the password from these services. In other cases, NetworkManager prompts for the password.

  5. Activate the connection profile:

    # nmcli connection up enp1s0

Verification

  • Access resources on the network that require network authentication.

32.2. Configuring a static Ethernet connection with 802.1X network authentication by using nmstatectl

Use the nmstatectl utility to configure an Ethernet connection with 802.1X network authentication through the Nmstate API. The Nmstate API ensures that, after setting the configuration, the result matches the configuration file. If anything fails, nmstatectl automatically rolls back the changes to avoid leaving the system in an incorrect state.

Note

The nmstate library only supports the TLS Extensible Authentication Protocol (EAP) method.

Prerequisites

  • The network supports 802.1X network authentication.
  • The managed node uses NetworkManager.
  • The following files required for TLS authentication exist on the client:

    • The client key is stored in the /etc/pki/tls/private/client.key file, and the file is owned and only readable by the root user.
    • The client certificate is stored in the /etc/pki/tls/certs/client.crt file.
    • The Certificate Authority (CA) certificate is stored in the /etc/pki/tls/certs/ca.crt file.

Procedure

  1. Create a YAML file, for example ~/create-ethernet-profile.yml, with the following content:

    ---
    interfaces:
    - name: enp1s0
      type: ethernet
      state: up
      ipv4:
        enabled: true
        address:
        - ip: 192.0.2.1
          prefix-length: 24
        dhcp: false
      ipv6:
        enabled: true
        address:
        - ip: 2001:db8:1::1
          prefix-length: 64
        autoconf: false
        dhcp: false
      802.1x:
        ca-cert: /etc/pki/tls/certs/ca.crt
        client-cert: /etc/pki/tls/certs/client.crt
        eap-methods:
          - tls
        identity: client.example.org
        private-key: /etc/pki/tls/private/client.key
        private-key-password: password
    routes:
      config:
      - destination: 0.0.0.0/0
        next-hop-address: 192.0.2.254
        next-hop-interface: enp1s0
      - destination: ::/0
        next-hop-address: 2001:db8:1::fffe
        next-hop-interface: enp1s0
    dns-resolver:
      config:
        search:
        - example.com
        server:
        - 192.0.2.200
        - 2001:db8:1::ffbb

    These settings define an Ethernet connection profile for the enp1s0 device with the following settings:

    • A static IPv4 address - 192.0.2.1 with a /24 subnet mask
    • A static IPv6 address - 2001:db8:1::1 with a /64 subnet mask
    • An IPv4 default gateway - 192.0.2.254
    • An IPv6 default gateway - 2001:db8:1::fffe
    • An IPv4 DNS server - 192.0.2.200
    • An IPv6 DNS server - 2001:db8:1::ffbb
    • A DNS search domain - example.com
    • 802.1X network authentication using the TLS EAP protocol

  2. Apply the settings to the system:

    # nmstatectl apply ~/create-ethernet-profile.yml

Verification

  • Access resources on the network that require network authentication.

32.3. Configuring a static Ethernet connection with 802.1X network authentication by using the network RHEL system role

You can remotely configure an Ethernet connection with 802.1X network authentication by using the network RHEL system role.

Prerequisites

  • You have prepared the control node and the managed nodes.
  • You are logged in to the control node as a user who can run playbooks on the managed nodes.
  • The account you use to connect to the managed nodes has sudo permissions on them.
  • The network supports 802.1X network authentication.
  • The managed nodes use NetworkManager.
  • The following files required for TLS authentication exist on the control node:

    • The client key is stored in the /srv/data/client.key file.
    • The client certificate is stored in the /srv/data/client.crt file.
    • The Certificate Authority (CA) certificate is stored in the /srv/data/ca.crt file.

Procedure

  1. Create a playbook file, for example ~/playbook.yml, with the following content:

    ---
    - name: Configure an Ethernet connection with 802.1X authentication
      hosts: managed-node-01.example.com
      tasks:
        - name: Copy client key for 802.1X authentication
          ansible.builtin.copy:
            src: "/srv/data/client.key"
            dest: "/etc/pki/tls/private/client.key"
            mode: 0600
    
        - name: Copy client certificate for 802.1X authentication
          ansible.builtin.copy:
            src: "/srv/data/client.crt"
            dest: "/etc/pki/tls/certs/client.crt"
    
        - name: Copy CA certificate for 802.1X authentication
          ansible.builtin.copy:
            src: "/srv/data/ca.crt"
            dest: "/etc/pki/ca-trust/source/anchors/ca.crt"
    
        - name: Configure connection
          ansible.builtin.include_role:
            name: rhel-system-roles.network
          vars:
            network_connections:
              - name: enp1s0
                type: ethernet
                autoconnect: yes
                ip:
                  address:
                    - 192.0.2.1/24
                    - 2001:db8:1::1/64
                  gateway4: 192.0.2.254
                  gateway6: 2001:db8:1::fffe
                  dns:
                    - 192.0.2.200
                    - 2001:db8:1::ffbb
                  dns_search:
                    - example.com
                ieee802_1x:
                  identity: user_name
                  eap: tls
                  private_key: "/etc/pki/tls/private/client.key"
                  private_key_password: "password"
                  client_cert: "/etc/pki/tls/certs/client.crt"
                  ca_cert: "/etc/pki/ca-trust/source/anchors/ca.crt"
                  domain_suffix_match: example.com
                state: up

    These settings define an Ethernet connection profile for the enp1s0 device with the following settings:

    • A static IPv4 address - 192.0.2.1 with a /24 subnet mask
    • A static IPv6 address - 2001:db8:1::1 with a /64 subnet mask
    • An IPv4 default gateway - 192.0.2.254
    • An IPv6 default gateway - 2001:db8:1::fffe
    • An IPv4 DNS server - 192.0.2.200
    • An IPv6 DNS server - 2001:db8:1::ffbb
    • A DNS search domain - example.com
    • 802.1X network authentication using the TLS Extensible Authentication Protocol (EAP)

  2. Validate the playbook syntax:

    $ ansible-playbook --syntax-check ~/playbook.yml

    Note that this command only validates the syntax and does not protect against a wrong but valid configuration.

  3. Run the playbook:

    $ ansible-playbook ~/playbook.yml

Additional resources

  • /usr/share/ansible/roles/rhel-system-roles.network/README.md file
  • /usr/share/doc/rhel-system-roles/network/ directory