Chapter 13. Authenticating a RHEL client to the network using the 802.1X standard

Administrators frequently use port-based Network Access Control (NAC) based on the IEEE 802.1X standard to protect a network from unauthorized LAN and Wi-Fi clients. The procedures in this section describe different options to configure network authentication.

13.1. Configuring 802.1X network authentication on an existing Ethernet connection using nmcli

Using the nmcli utility, you can configure the client to authenticate itself to the network. This procedure describes how to configure Protected Extensible Authentication Protocol (PEAP) authentication with the Microsoft Challenge-Handshake Authentication Protocol version 2 (MSCHAPv2) in an existing NetworkManager Ethernet connection profile named enp1s0.

Prerequisites

  1. The network must have 802.1X network authentication.
  2. The Ethernet connection profile exists in NetworkManager and has a valid IP configuration.
  3. If the client is required to verify the certificate of the authenticator, the Certificate Authority (CA) certificate must be stored in the /etc/pki/ca-trust/source/anchors/ directory.
  4. The wpa_supplicant package is installed.

Procedure

  1. Set the Extensible Authentication Protocol (EAP) to peap, the inner authentication protocol to mschapv2, and the user name:

    # nmcli connection modify enp1s0 802-1x.eap peap 802-1x.phase2-auth mschapv2 802-1x.identity user_name

    Note that you must set the 802-1x.eap, 802-1x.phase2-auth, and 802-1x.identity parameters in a single command.

  2. Optionally, store the password in the configuration:

    # nmcli connection modify enp1s0 802-1x.password password

    Important

    By default, NetworkManager stores the password in clear text in the /etc/sysconfig/network-scripts/keys-connection_name file, which is readable only by the root user. However, clear text passwords in a configuration file can be a security risk.

    To increase the security, set the 802-1x.password-flags parameter to 0x1 (agent-owned). With this setting, NetworkManager does not store the password itself: on systems with the GNOME desktop environment or nm-applet running, it retrieves the password from those agents, and in other cases it prompts for the password.

  3. If the client is required to verify the certificate of the authenticator, set the 802-1x.ca-cert parameter in the connection profile to the path of the CA certificate:

    # nmcli connection modify enp1s0 802-1x.ca-cert /etc/pki/ca-trust/source/anchors/ca.crt

    Note

    For security reasons, Red Hat recommends configuring the CA certificate so that clients can validate the identity of the authenticator.

  4. Activate the connection profile:

    # nmcli connection up enp1s0

Verification steps

  • Access resources on the network that require network authentication.

Additional resources

  • For details about adding a NetworkManager Ethernet connection profile, see Chapter 11, Configuring an Ethernet connection.
  • For further 802.1X-related parameters and their descriptions, see the 802-1x settings section in the nm-settings(5) man page.
  • For further details about the nmcli utility, see the nmcli(1) man page.

13.2. Configuring a static Ethernet connection with 802.1X network authentication using RHEL System Roles

Using RHEL System Roles, you can automate the creation of an Ethernet connection that uses the 802.1X standard to authenticate the client. This procedure describes how to remotely add an Ethernet connection for the enp1s0 interface with the following settings by running an Ansible playbook:

  • A static IPv4 address - 192.0.2.1 with a /24 subnet mask
  • A static IPv6 address - 2001:db8:1::1 with a /64 subnet mask
  • An IPv4 default gateway - 192.0.2.254
  • An IPv6 default gateway - 2001:db8:1::fffe
  • An IPv4 DNS server - 192.0.2.200
  • An IPv6 DNS server - 2001:db8:1::ffbb
  • A DNS search domain - example.com
  • 802.1X network authentication using the TLS Extensible Authentication Protocol (EAP)

Run this procedure on the Ansible control node.

Prerequisites

  • The ansible and rhel-system-roles packages are installed on the control node.
  • If you use a different remote user than root when you run the playbook, you must have appropriate sudo permissions on the managed node.
  • The network supports 802.1X network authentication.
  • The managed node uses NetworkManager.
  • The following files required for TLS authentication exist on the control node:

    • The client key stored in the /srv/data/client.key file.
    • The client certificate stored in the /srv/data/client.crt file.
    • The Certificate Authority (CA) certificate stored in the /srv/data/ca.crt file.

Procedure

  1. If the host on which you want to execute the instructions in the playbook is not inventoried yet, add the IP address or name of the host to the /etc/ansible/hosts Ansible inventory file:

    node.example.com

  2. Create the ~/enable-802.1x.yml playbook with the following content:

    ---
    - name: Configure an Ethernet connection with 802.1X authentication
      hosts: node.example.com
      become: true
      tasks:
        - name: Copy client key for 802.1X authentication
          copy:
            src: "/srv/data/client.key"
            dest: "/etc/pki/tls/private/client.key"
            mode: 0600
    
        - name: Copy client certificate for 802.1X authentication
          copy:
            src: "/srv/data/client.crt"
            dest: "/etc/pki/tls/certs/client.crt"
    
        - name: Copy CA certificate for 802.1X authentication
          copy:
            src: "/srv/data/ca.crt"
            dest: "/etc/pki/ca-trust/source/anchors/ca.crt"
    
        - include_role:
            name: linux-system-roles.network
          vars:
            network_connections:
              - name: enp1s0
                type: ethernet
                autoconnect: yes
                ip:
                  address:
                    - 192.0.2.1/24
                    - 2001:db8:1::1/64
                  gateway4: 192.0.2.254
                  gateway6: 2001:db8:1::fffe
                  dns:
                    - 192.0.2.200
                    - 2001:db8:1::ffbb
                  dns_search:
                    - example.com
                ieee802_1x:
                  identity: user_name
                  eap: tls
                  private_key: "/etc/pki/tls/private/client.key"
                  private_key_password: "password"
                  client_cert: "/etc/pki/tls/certs/client.crt"
                  ca_cert: "/etc/pki/ca-trust/source/anchors/ca.crt"
                  domain_suffix_match: example.com
                state: up

  3. Run the playbook:

    • To connect as root user to the managed host, enter:

      # ansible-playbook -u root ~/enable-802.1x.yml

    • To connect as a user to the managed host, enter:

      # ansible-playbook -u user_name --ask-become-pass ~/enable-802.1x.yml

      The --ask-become-pass option specifies that the ansible-playbook command prompts for the sudo password of the user defined by the -u user_name option.

    If you do not specify the -u user_name option, ansible-playbook connects to the managed host as the user that is currently logged in to the control node.

Additional resources

  • For details about the parameters used in network_connections and additional information about the network system role, see the /usr/share/ansible/roles/rhel-system-roles.network/README.md file.
  • For details about the 802.1X parameters, see the ieee802_1x section in the /usr/share/ansible/roles/rhel-system-roles.network/README.md file.
  • For details about the ansible-playbook command, see the ansible-playbook(1) man page.

13.3. Configuring 802.1X network authentication on an existing Wi-Fi connection using nmcli

Using the nmcli utility, you can configure the client to authenticate itself to the network. This procedure describes how to configure Protected Extensible Authentication Protocol (PEAP) authentication with the Microsoft Challenge-Handshake Authentication Protocol version 2 (MSCHAPv2) in an existing NetworkManager Wi-Fi connection profile named wlp1s0.

Prerequisites

  1. The network must have 802.1X network authentication.
  2. The Wi-Fi connection profile exists in NetworkManager and has a valid IP configuration.
  3. If the client is required to verify the certificate of the authenticator, the Certificate Authority (CA) certificate must be stored in the /etc/pki/ca-trust/source/anchors/ directory.
  4. The wpa_supplicant package is installed.

Procedure

  1. Set the Wi-Fi security mode to wpa-eap, the Extensible Authentication Protocol (EAP) to peap, the inner authentication protocol to mschapv2, and the user name:

    # nmcli connection modify wlp1s0 802-11-wireless-security.key-mgmt wpa-eap 802-1x.eap peap 802-1x.phase2-auth mschapv2 802-1x.identity user_name

    Note that you must set the 802-11-wireless-security.key-mgmt, 802-1x.eap, 802-1x.phase2-auth, and 802-1x.identity parameters in a single command.

  2. Optionally, store the password in the configuration:

    # nmcli connection modify wlp1s0 802-1x.password password

    Important

    By default, NetworkManager stores the password in clear text in the /etc/sysconfig/network-scripts/keys-connection_name file, which is readable only by the root user. However, clear text passwords in a configuration file can be a security risk.

    To increase the security, set the 802-1x.password-flags parameter to 0x1 (agent-owned). With this setting, NetworkManager does not store the password itself: on systems with the GNOME desktop environment or nm-applet running, it retrieves the password from those agents, and in other cases it prompts for the password.

  3. If the client is required to verify the certificate of the authenticator, set the 802-1x.ca-cert parameter in the connection profile to the path of the CA certificate:

    # nmcli connection modify wlp1s0 802-1x.ca-cert /etc/pki/ca-trust/source/anchors/ca.crt

    Note

    For security reasons, Red Hat recommends configuring the CA certificate so that clients can validate the identity of the authenticator.

  4. Activate the connection profile:

    # nmcli connection up wlp1s0

Verification steps

  • Access resources on the network that require network authentication.
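The verification step above only proves that authentication succeeded, not that the profile was configured the way Section 13.1 and this section recommend. The following script is an added example, not part of the Red Hat documentation, that audits a profile for exactly the settings those procedures call out: an EAP method, a CA certificate for validating the authenticator, a password that is not stored in clear text (802-1x.password-flags with the agent-owned bit 0x1 set), and, for Wi-Fi profiles, 802-11-wireless-security.key-mgmt set to wpa-eap. It reads the terse key:value output of `nmcli -t -f 802-1x,802-11-wireless-security connection show wlp1s0` (for an Ethernet profile use `-f 802-1x` only) from standard input. The two profile dumps embedded at the end are constructed samples, not output captured from a host; the function name audit_8021x is this example's own.

```shell
#!/bin/sh
# Audit an 802.1X NetworkManager profile dump for the security-relevant
# settings of this chapter. Reads "key:value" lines, as printed by
#   nmcli -t -f 802-1x,802-11-wireless-security connection show <name>
# from stdin, prints one OK/FAIL line per check and returns 0 only if
# every check passes.
audit_8021x() {
    eap= ca_cert= pw= pw_flags= key_mgmt= failed=0
    while IFS= read -r line; do
        key=${line%%:*}        # setting names contain no colon
        val=${line#*:}         # values may still carry nmcli's "\:" escapes
        case $key in
            802-1x.eap)                        eap=$val ;;
            802-1x.ca-cert)                    ca_cert=$val ;;
            802-1x.password)                   pw=$val ;;        # may be "<hidden>"
            802-1x.password-flags)             pw_flags=${val%% *} ;;  # "1" or "1 (agent-owned)"
            802-11-wireless-security.key-mgmt) key_mgmt=$val ;;
        esac
    done

    if [ -n "$eap" ]; then
        echo "OK   802-1x.eap=$eap"
    else
        echo "FAIL 802-1x.eap is not set: no EAP authentication configured"; failed=1
    fi

    if [ -n "$ca_cert" ]; then
        echo "OK   CA certificate configured: $ca_cert"
    else
        echo "FAIL 802-1x.ca-cert is not set: the client cannot validate the authenticator"; failed=1
    fi

    # Bit 0x1 of the flags means agent-owned: NetworkManager does not keep
    # the password itself. Any non-numeric or empty value counts as 0.
    case $pw_flags in ''|*[!0-9]*) pw_flags=0 ;; esac
    if [ $((pw_flags & 1)) -ne 0 ]; then
        echo "OK   password is agent-owned (802-1x.password-flags=$pw_flags)"
    elif [ -n "$pw" ]; then
        echo "FAIL password stored in clear text by NetworkManager (802-1x.password-flags=$pw_flags)"; failed=1
    else
        echo "OK   no password stored in the profile"
    fi

    # key-mgmt only appears in the dump of a Wi-Fi profile.
    if [ -n "$key_mgmt" ] && [ "$key_mgmt" != "wpa-eap" ]; then
        echo "FAIL 802-11-wireless-security.key-mgmt=$key_mgmt, expected wpa-eap for 802.1X Wi-Fi"; failed=1
    fi
    return $failed
}

# Constructed sample dumps (not captured from a real host).
weak_profile='802-1x.eap:peap
802-1x.phase2-auth:mschapv2
802-1x.identity:user_name
802-1x.ca-cert:
802-1x.password:<hidden>
802-1x.password-flags:0
802-11-wireless-security.key-mgmt:wpa-eap'

hardened_profile='802-1x.eap:peap
802-1x.phase2-auth:mschapv2
802-1x.identity:user_name
802-1x.ca-cert:/etc/pki/ca-trust/source/anchors/ca.crt
802-1x.password:
802-1x.password-flags:1
802-11-wireless-security.key-mgmt:wpa-eap'

# Stand-alone demonstration: the weak profile fails two checks, the hardened one passes.
echo "--- weak profile";     printf '%s\n' "$weak_profile"     | audit_8021x || echo "result: FAIL"
echo "--- hardened profile"; printf '%s\n' "$hardened_profile" | audit_8021x && echo "result: OK"
```

On a live host, pipe the real profile in with `nmcli -t -f 802-1x,802-11-wireless-security connection show wlp1s0 | audit_8021x`; the check treats a hidden password value the same as a visible one, so it does not need --show-secrets.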

Additional resources

  • For details about adding a NetworkManager Wi-Fi connection profile, see Chapter 12, Managing Wi-Fi connections.
  • For further 802.1X-related parameters and their descriptions, see the 802-1x settings section in the nm-settings(5) man page.
  • For further details about the nmcli utility, see the nmcli(1) man page.