Chapter 17. Authenticating a RHEL client to the network using the 802.1X standard
Administrators frequently use port-based Network Access Control (NAC) based on the IEEE 802.1X standard to protect a network from unauthorized LAN and Wi-Fi clients. The procedures in this section describe different options to configure network authentication.
17.1. Configuring 802.1X network authentication on an existing Ethernet connection using nmcli
Using the nmcli utility, you can configure the client to authenticate itself to the network. This procedure describes how to configure Protected Extensible Authentication Protocol (PEAP) authentication with the Microsoft Challenge-Handshake Authentication Protocol version 2 (MSCHAPv2) in an existing NetworkManager Ethernet connection profile named enp1s0.
Prerequisites
- The network must have 802.1X network authentication.
- The Ethernet connection profile exists in NetworkManager and has a valid IP configuration.
- If the client is required to verify the certificate of the authenticator, the Certificate Authority (CA) certificate must be stored in the /etc/pki/ca-trust/source/anchors/ directory.
- The wpa_supplicant package is installed.
Procedure
1. Set the Extensible Authentication Protocol (EAP) to peap, the inner authentication protocol to mschapv2, and the user name:
   # nmcli connection modify enp1s0 802-1x.eap peap 802-1x.phase2-auth mschapv2 802-1x.identity user_name
   Note that you must set the 802-1x.eap, 802-1x.phase2-auth, and 802-1x.identity parameters in a single command.
2. Optionally, store the password in the configuration:
   # nmcli connection modify enp1s0 802-1x.password password
   Important: By default, NetworkManager stores the password in clear text in the /etc/sysconfig/network-scripts/keys-connection_name file, which is readable only by the root user. However, clear text passwords in a configuration file can be a security risk. To increase security, set the 802-1x.password-flags parameter to 0x1. With this setting, on servers with the GNOME desktop environment or nm-applet running, NetworkManager retrieves the password from these services. In other cases, NetworkManager prompts for the password.
3. If the client is required to verify the certificate of the authenticator, set the 802-1x.ca-cert parameter in the connection profile to the path of the CA certificate:
   # nmcli connection modify enp1s0 802-1x.ca-cert /etc/pki/ca-trust/source/anchors/ca.crt
   Note: For security reasons, Red Hat recommends using the certificate of the authenticator to enable clients to validate the identity of the authenticator.
4. Activate the connection profile:
   # nmcli connection up enp1s0
Verification steps
- Access resources on the network that require network authentication.
Additional resources
- For details about adding a NetworkManager Ethernet connection profile, see Chapter 8, Configuring an Ethernet connection.
- For further 802.1X-related parameters and their descriptions, see the 802-1x settings section in the nm-settings(5) man page.
- For further details about the nmcli utility, see the nmcli(1) man page.
17.2. Configuring a static Ethernet connection with 802.1X network authentication using RHEL System Roles
Using RHEL System Roles, you can automate the creation of an Ethernet connection that uses the 802.1X standard to authenticate the client. This procedure describes how to remotely add an Ethernet connection for the enp1s0 interface with the following settings by running an Ansible playbook:
- A static IPv4 address: 192.0.2.1 with a /24 subnet mask
- A static IPv6 address: 2001:db8:1::1 with a /64 subnet mask
- An IPv4 default gateway: 192.0.2.254
- An IPv6 default gateway: 2001:db8:1::fffe
- An IPv4 DNS server: 192.0.2.200
- An IPv6 DNS server: 2001:db8:1::ffbb
- A DNS search domain: example.com
- 802.1X network authentication using the TLS Extensible Authentication Protocol (EAP)
Run this procedure on the Ansible control node.
Prerequisites
- The ansible and rhel-system-roles packages are installed on the control node.
- If you use a different remote user than root when you run the playbook, you must have appropriate sudo permissions on the managed node.
- The network supports 802.1X network authentication.
- The managed node uses NetworkManager.
- The following files required for TLS authentication exist on the control node:
  - The client key stored in the /srv/data/client.key file.
  - The client certificate stored in the /srv/data/client.crt file.
  - The Certificate Authority (CA) certificate stored in the /srv/data/ca.crt file.
Procedure
1. If the host on which you want to execute the instructions in the playbook is not yet inventoried, add the IP or name of this host to the /etc/ansible/hosts Ansible inventory file:
   node.example.com
2. Create the ~/enable-802.1x.yml playbook with the following content:
   ---
   - name: Configure an Ethernet connection with 802.1X authentication
     hosts: node.example.com
     become: true
     tasks:
       - name: Copy client key for 802.1X authentication
         copy:
           src: "/srv/data/client.key"
           dest: "/etc/pki/tls/private/client.key"
           mode: 0600

       - name: Copy client certificate for 802.1X authentication
         copy:
           src: "/srv/data/client.crt"
           dest: "/etc/pki/tls/certs/client.crt"

       - name: Copy CA certificate for 802.1X authentication
         copy:
           src: "/srv/data/ca.crt"
           dest: "/etc/pki/ca-trust/source/anchors/ca.crt"

       - include_role:
           name: linux-system-roles.network
         vars:
           network_connections:
             - name: enp1s0
               type: ethernet
               autoconnect: yes
               ip:
                 address:
                   - 192.0.2.1/24
                   - 2001:db8:1::1/64
                 gateway4: 192.0.2.254
                 gateway6: 2001:db8:1::fffe
                 dns:
                   - 192.0.2.200
                   - 2001:db8:1::ffbb
                 dns_search:
                   - example.com
               ieee802_1x:
                 identity: user_name
                 eap: tls
                 private_key: "/etc/pki/tls/private/client.key"
                 private_key_password: "password"
                 client_cert: "/etc/pki/tls/certs/client.crt"
                 ca_cert: "/etc/pki/ca-trust/source/anchors/ca.crt"
                 domain_suffix_match: example.com
               state: up
3. Run the playbook:
   - To connect as the root user to the managed host, enter:
     # ansible-playbook -u root ~/enable-802.1x.yml
   - To connect as a user to the managed host, enter:
     # ansible-playbook -u user_name --ask-become-pass ~/enable-802.1x.yml
     The --ask-become-pass option makes sure that the ansible-playbook command prompts for the sudo password of the user defined in the -u user_name option.
   If you do not specify the -u user_name option, ansible-playbook connects to the managed host as the user that is currently logged in to the control node.
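The playbook copies a private key, a client certificate and a CA certificate from the control node without checking that they belong together; a mismatched key or a certificate from the wrong CA only shows up later as a failed EAP-TLS handshake on the managed node. The following pre-flight check is an added example, not part of the Red Hat guide or the network System Role. It assumes openssl is installed on the control node, takes the three file paths as arguments (the /srv/data/ paths from the prerequisites are the intended input), and reads an optional KEY_PASS environment variable when the private key is encrypted, so the password never appears on the command line.

```shell
#!/bin/sh
# Added example (not from the Red Hat guide): pre-flight check for the TLS
# credential files that the 802.1X playbook copies to the managed node.
# Usage: check_8021x_credentials /srv/data/client.key /srv/data/client.crt /srv/data/ca.crt
# Set KEY_PASS in the environment if client.key is encrypted (hypothetical
# variable name chosen for this example).

# Print one finding per line; return 0 when key, certificate and CA are consistent.
check_8021x_credentials() {
    key=$1 crt=$2 ca=$3
    findings=0

    for f in "$key" "$crt" "$ca"; do
        if [ ! -r "$f" ]; then
            echo "missing or unreadable: $f"
            findings=$((findings + 1))
        fi
    done
    [ "$findings" -eq 0 ] || return 1

    # 1. The private key must not be group- or world-readable. The playbook
    #    sets mode 0600 on the managed node, but the copy on the control node
    #    is easy to forget. Characters 5-10 of "ls -l" are the group/other bits.
    group_other=$(ls -ld "$key" | cut -c5-10)
    if [ "$group_other" != "------" ]; then
        echo "private key $key is readable by group or others (mode bits: $group_other)"
        findings=$((findings + 1))
    fi

    # 2. The private key must match the public key inside the client certificate.
    #    An explicit -passin prevents openssl from prompting on a terminal.
    if [ -n "${KEY_PASS:-}" ]; then
        passin="env:KEY_PASS"
    else
        passin="pass:"
    fi
    key_pub=$(openssl pkey -in "$key" -pubout -passin "$passin" 2>/dev/null || :)
    crt_pub=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null || :)
    if [ -z "$key_pub" ] || [ "$key_pub" != "$crt_pub" ]; then
        echo "private key $key does not match certificate $crt (or cannot be read)"
        findings=$((findings + 1))
    fi

    # 3. The client certificate must chain to the CA that the authenticator
    #    trusts. The ": OK" line is checked instead of the exit status, which
    #    older OpenSSL releases did not set reliably for verify failures.
    if ! openssl verify -CAfile "$ca" "$crt" 2>/dev/null | grep -q ': OK$'; then
        echo "certificate $crt does not verify against CA $ca"
        findings=$((findings + 1))
    fi

    [ "$findings" -eq 0 ]
}

# Run directly with three paths; with no arguments only the function is defined.
if [ "$#" -eq 3 ]; then
    check_8021x_credentials "$1" "$2" "$3" && echo "credentials OK"
fi
```

Run it on the control node before `ansible-playbook`; a non-zero exit with findings printed means the files would be deployed but the client would never authenticate.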
Additional resources
- For details about the parameters used in network_connections and for additional information about the network System Role, see the /usr/share/ansible/roles/rhel-system-roles.network/README.md file.
- For details about the 802.1X parameters, see the ieee802_1x section in the /usr/share/ansible/roles/rhel-system-roles.network/README.md file.
- For details about the ansible-playbook command, see the ansible-playbook(1) man page.
17.3. Configuring 802.1X network authentication on an existing Wi-Fi connection using nmcli
Using the nmcli utility, you can configure the client to authenticate itself to the network. This procedure describes how to configure Protected Extensible Authentication Protocol (PEAP) authentication with the Microsoft Challenge-Handshake Authentication Protocol version 2 (MSCHAPv2) in an existing NetworkManager Wi-Fi connection profile named wlp1s0.
Prerequisites
- The network must have 802.1X network authentication.
- The Wi-Fi connection profile exists in NetworkManager and has a valid IP configuration.
- If the client is required to verify the certificate of the authenticator, the Certificate Authority (CA) certificate must be stored in the /etc/pki/ca-trust/source/anchors/ directory.
- The wpa_supplicant package is installed.
Procedure
1. Set the Wi-Fi security mode to wpa-eap, the Extensible Authentication Protocol (EAP) to peap, the inner authentication protocol to mschapv2, and the user name:
   # nmcli connection modify wlp1s0 802-11-wireless-security.key-mgmt wpa-eap 802-1x.eap peap 802-1x.phase2-auth mschapv2 802-1x.identity user_name
   Note that you must set the 802-11-wireless-security.key-mgmt, 802-1x.eap, 802-1x.phase2-auth, and 802-1x.identity parameters in a single command.
2. Optionally, store the password in the configuration:
   # nmcli connection modify wlp1s0 802-1x.password password
   Important: By default, NetworkManager stores the password in clear text in the /etc/sysconfig/network-scripts/keys-connection_name file, which is readable only by the root user. However, clear text passwords in a configuration file can be a security risk. To increase security, set the 802-1x.password-flags parameter to 0x1. With this setting, on servers with the GNOME desktop environment or nm-applet running, NetworkManager retrieves the password from these services. In other cases, NetworkManager prompts for the password.
3. If the client is required to verify the certificate of the authenticator, set the 802-1x.ca-cert parameter in the connection profile to the path of the CA certificate:
   # nmcli connection modify wlp1s0 802-1x.ca-cert /etc/pki/ca-trust/source/anchors/ca.crt
   Note: For security reasons, Red Hat recommends using the certificate of the authenticator to enable clients to validate the identity of the authenticator.
4. Activate the connection profile:
   # nmcli connection up wlp1s0
Verification steps
- Access resources on the network that require network authentication.
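Sections 17.1 and 17.3 mark two of their steps as optional (verifying the authenticator's CA certificate, keeping the password out of the profile) and section 17.2 additionally pins the authenticator name with domain_suffix_match; a profile that skips these still connects, so the weakness is invisible to the verification step above. The following audit is an added example, not part of the Red Hat guide. It assumes the profile is exported in nmcli's terse key:value form (nmcli -t -f ... connection show <profile>) and constructs such an export inline with made-up values so it runs offline; the hypothetical functions audit_8021x_profile and sample_profile are named for this example only.

```shell
#!/bin/sh
# Added example (not from the Red Hat guide): audit an 802.1X connection
# profile for the weak settings the procedures warn about.
#
# On a real host the input comes from nmcli in terse (-t) "key:value" form:
#   nmcli -t -f 802-1x.eap,802-1x.phase2-auth,802-1x.ca-cert,802-1x.password-flags,802-1x.domain-suffix-match \
#       connection show enp1s0 | audit_8021x_profile
# sample_profile below constructs such output with made-up values so that the
# check runs offline.

# Read "key:value" lines on stdin and print one finding per line.
# Exit status: 0 = no findings, 1 = at least one finding, 2 = no EAP configured.
audit_8021x_profile() {
    eap="" ca_cert="" pwflags="" suffix=""
    while IFS= read -r line; do
        key=${line%%:*}
        val=${line#*:}
        case "$key" in
            802-1x.eap)                 eap=$val ;;
            802-1x.ca-cert)             ca_cert=$val ;;
            802-1x.password-flags)      pwflags=${val%% *} ;;   # "0 (none)" -> "0"
            802-1x.domain-suffix-match) suffix=$val ;;
        esac
    done

    if [ -z "$eap" ]; then
        echo "802-1x.eap not set: profile does not use 802.1X"
        return 2
    fi

    findings=0
    # Without a CA certificate the client cannot tell a legitimate authenticator
    # from any other device presenting a certificate.
    if [ -z "$ca_cert" ]; then
        echo "802-1x.ca-cert not set: client cannot verify the authenticator"
        findings=$((findings + 1))
    fi
    # password-flags 0 means NetworkManager keeps the password on disk in clear
    # text; 0x1 delegates it to the desktop secret service or prompts instead.
    case "$eap" in
        peap|ttls)
            if [ "$pwflags" = "0" ]; then
                echo "802-1x.password-flags is 0: password stored in clear text, set it to 0x1"
                findings=$((findings + 1))
            fi ;;
    esac
    # Without a name match, every server certificate issued by the trusted CA
    # is accepted as the authenticator.
    if [ -z "$suffix" ]; then
        echo "802-1x.domain-suffix-match not set: any certificate from the CA is accepted"
        findings=$((findings + 1))
    fi

    [ "$findings" -eq 0 ]
}

# Constructed sample: the profile that 17.1 produces when both optional steps are skipped.
sample_profile() {
    printf '%s\n' \
        '802-1x.eap:peap' \
        '802-1x.phase2-auth:mschapv2' \
        '802-1x.ca-cert:' \
        '802-1x.password-flags:0 (none)' \
        '802-1x.domain-suffix-match:'
}

# Demo on the constructed sample: prints three findings and exits with status 1.
sample_profile | audit_8021x_profile || echo "audit exit status: $?"
```

To audit every profile on a host, loop over `nmcli -t -f NAME connection show` and pipe each profile's terse export into audit_8021x_profile; the flags value is taken from its leading number, so both the bare and the annotated ("0 (none)") output formats are handled.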
Additional resources
- For details about adding a NetworkManager Wi-Fi connection profile, see Chapter 9, Managing Wi-Fi connections.
- For further 802.1X-related parameters and their descriptions, see the 802-1x settings section in the nm-settings(5) man page.
- For further details about the nmcli utility, see the nmcli(1) man page.