Chapter 7. Managing Wi-Fi connections

Procedure

1. To create a Wi-Fi connection profile with static IP configuration:

   $ nmcli con add con-name MyCafe ifname wlan0 type wifi ssid MyCafe ip4 192.0.2.101/24 gw4 192.0.2.1

2. Set a DNS server. For example, to set 192.0.2.1 as the DNS server:

   $ nmcli con modify con-name MyCafe ipv4.dns "192.0.2.1"

3. Optionally, set a DNS search domain. For example, to set the search domain to example.com:

   $ nmcli con modify con-name MyCafe ipv4.dns-search "example.com"

4. To check a specific property, for example mtu:

   $ nmcli connection show id MyCafe | grep mtu
   802-11-wireless.mtu:                     auto

5. To change the property of a setting:

   $ nmcli connection modify id MyCafe wireless.mtu 1350

6. To verify the change:

   $ nmcli connection show id MyCafe | grep mtu
   802-11-wireless.mtu:                     1350

Verification steps

1. Use the ping utility to verify that this host can send packets to other hosts.

   • Ping an IP address in the same subnet. For example:

     # ping 192.0.2.103

     If the command fails, verify the IP and subnet settings.

   • Ping an IP address in a remote subnet. For example:

     # ping 198.51.16.3

     • If the command fails, ping the default gateway to verify settings.

       # ping 192.0.2.1

2. Use the host utility to verify that name resolution works. For example:

   # host client.example.com

   If the command returns any error, such as connection timed out or no servers could be reached, verify your DNS settings.

Procedure

1. Press the Super key to enter the Activities Overview, type Wi-Fi and press Enter. In the left-hand-side menu entry you see the list of available networks.

2. Select the gear wheel icon to the right of the Wi-Fi connection name that you want to edit, and the editing connection dialog appears. The Details menu window shows the connection details where you can make further configuration.

   Options

   1. If you select Connect automatically, NetworkManager auto-connects to this connection whenever NetworkManager detects that it is available. If you do not want NetworkManager to connect automatically, clear the check box. Note that when the check box is clear, you have to select that connection manually in the network connection icon’s menu to cause it to connect.
   2. To make a connection available to other users, select the Make available to other users check box.

   3. You can also control the background data usage by changing the Restrict background data usage option.

      Note

      To delete a Wi-Fi connection, click the Forget Connection red box.

3. Select the Identity menu entry to see the basic configuration options.

   SSID — The Service Set Identifier (SSID) of the access point (AP).

   BSSID — The Basic Service Set Identifier (BSSID) is the MAC address, also known as a hardware address, of the specific wireless access point you are connecting to when in Infrastructure mode. This field is blank by default, and you are able to connect to a wireless access point by SSID without having to specify its BSSID. If the BSSID is specified, it will force the system to associate to a specific access point only. For ad-hoc networks, the BSSID is generated randomly by the mac80211 subsystem when the ad-hoc network is created. It is not displayed by NetworkManager.

   MAC address — The MAC address allows you to associate a specific wireless adapter with a specific connection (or connections).

   Cloned Address — A cloned MAC address to use in place of the real hardware address. Leave blank unless required.

4. For further IP address configuration , select the IPv4 and IPv6 menu entries.

   By default, both IPv4 and IPv6 are set to automatic configuration depending on current network settings. This means that addresses such as the local IP address, DNS address, and other settings will be detected automatically when the interface connects to a network. If a DHCP server assigns the IP configuration in this network, this is sufficient, but you can also provide static configuration in the IPv4 and IPv6 Settings. In the IPv4 and IPv6 menu entries, you can see the following settings:

   • IPv4 Method

     • Automatic (DHCP) — Choose this option if the network you are connecting to uses Router Advertisements (RA) or a DHCP server to assign dynamic IP addresses. You can see the assigned IP address in the Details menu entry.
     • Link-Local Only — Choose this option if the network you are connecting to does not have a DHCP server and you do not want to assign IP addresses manually. Random addresses will be assigned as per RFC 3927 with prefix 169.254/16.
     • Manual — Choose this option if you want to assign IP addresses manually.
     • Disable — IPv4 is disabled for this connection.

   • DNS

     If Automatic is ON, and no DHCP server is available that assigns DNS servers to this connection, switch it to OFF to enter the IP address of a DNS server separating the IPs by comma.

   • Routes

     Note that in the Routes section, when Automatic is ON, routes from Router Advertisements (RA) or DHCP are used, but you can also add additional static routes. When OFF, only static routes are used.

     • Address — Enter the IP address of a remote network, sub-net, or host.
     • Netmask — The netmask or prefix length of the IP address entered above.
     • Gateway — The IP address of the gateway leading to the remote network, sub-net, or host entered above.
     • Metric — A network cost, a preference value to give to this route. Lower values will be preferred over higher values.

   • Use this connection only for resources on its network

     Select this check box to prevent the connection from becoming the default route.

   Alternatively, to configure IPv6 settings in a Wi-Fi connection, select the IPv6 menu entry:

   • IPv6 Method

     • Automatic — Choose this option to use IPv6 Stateless Address AutoConfiguration (SLAAC) to create an automatic, stateless configuration based on the hardware address and Router Advertisements (RA).
     • Automatic, DHCP only — Choose this option to not use RA, but request information from DHCPv6 directly to create a stateful configuration.
     • Link-Local Only — Choose this option if the network you are connecting to does not have a DHCP server and you do not want to assign IP addresses manually. Random addresses will be assigned as per RFC 4862 with prefix FE80::0.
     • Manual — Choose this option if you want to assign IP addresses manually.
     • Disable — IPv6 is disabled for this connection.
   • The DNS, Routes, Use this connection only for resources on its network fields are common to IPv4 settings.

5. To configure Security settings in a Wi-Fi connection, select the Security menu entry.

   Warning

   Do not connect to Wi-Fi networks without encryption or which support only the insecure WEP or WPA standards.

   The following configuration options are available:

   • Security

     • None — Encryption is disabled, and data is transferred in plain text over the network.
     • WEP 40/128-bit Key — Wired Equivalent Privacy (WEP), from the IEEE 802.11 standard. Uses a single pre-shared key (PSK).
     • WEP 128-bit Passphrase — An MD5 hash of the passphrase to derive a WEP key.
     • Dynamic WEP (802.1X) — WEP keys are changed dynamically.
     • LEAP — Lightweight Extensible Authentication Protocol, from Cisco Systems.
     • WPA & WPA2 Personal — Wi-Fi Protected Access (WPA), from the draft IEEE 802.11i standard. Wi-Fi Protected Access 2 (WPA2), from the 802.11i-2004 standard. Personal mode uses a pre-shared key (WPA-PSK).
     • WPA & WPA2 Enterprise — WPA and WPA 2 for use with a RADIUS authentication server to provide IEEE 802.1X network access control.
     • WPA3 Personal — Wi-Fi Protected Access 3 (WPA3) Personal uses Simultaneous Authentication of Equals (SAE) instead of pre-shared keys (PSK) to prevent dictionary attacks. WPA3 uses perfect forward secrecy.
   • Password — Enter the password to be used in the authentication process.
6. Once you have finished the configuration, click the Apply button to save it.

Procedure

1. To refresh the available Wi-Fi connection list:

   $ nmcli device wifi rescan

2. To view the available Wi-Fi access points:

   $ nmcli dev wifi list
   
   IN-USE  SSID      MODE   CHAN  RATE        SIGNAL  BARS  SECURITY
   ...
           MyCafe    Infra  3     405 Mbit/s  85      ▂▄▆█  WPA1 WPA2

3. To connect to a Wi-Fi connection using nmcli:

   $ nmcli dev wifi connect SSID-Name password wireless-password

   For example:

   $ nmcli dev wifi connect MyCafe password wireless-password

   Note that if you want to disable the Wi-Fi state:

   $ nmcli radio wifi off

Procedure

1. Open the GNOME Shell network connection icon menu from the top right-hand corner of the screen.
2. Select Wi-Fi Not Connected.
3. Click the Select Network option.

4. Click the name of the network to which you want to connect, and then click Connect.

   Note that if you do not see the network, the network might be hidden.

5. If the network is protected by a password or encryption keys are required, enter the password and click Connect.

   Note that if you do not know the password, contact the administrator of the Wi-Fi network.

6. If the connection is successful, the name of the network is visible in the connection icon menu and the wireless indicator is on the top right-hand corner of the screen.

Prerequisites

1. The network must have 802.1X network authentication.
2. The Wi-Fi connection profile exists in NetworkManager and has a valid IP configuration.
3. If the client is required to verify the certificate of the authenticator, the Certificate Authority (CA) certificate must be stored in the /etc/pki/ca-trust/source/anchors/ directory.
4. The wpa_supplicant package is installed.

Procedure

1. Set the Wi-Fi security mode to wpa-eap, the Extensible Authentication Protocol (EAP) to peap, the inner authentication protocol to mschapv2, and the user name:

   # nmcli connection modify wpl1s0 wireless-security.key-mgmt wpa-eap 802-1x.eap peap 802-1x.phase2-auth mschapv2 802-1x.identity user_name

   Note that you must set the wireless-security.key-mgmt, 802-1x.eap, 802-1x.phase2-auth, and 802-1x.identity parameters in a single command.

2. Optionally, store the password in the configuration:

   # nmcli connection modify wpl1s0 802-1x.password password

   Important

   By default, NetworkManager stores the password in clear text in the /etc/sysconfig/network-scripts/keys-connection_name file, that is readable only by the root user. However, clear text passwords in a configuration file can be a security risk.

   To increase the security, set the 802-1x.password-flags parameter to 0x1. With this setting, on servers with the GNOME desktop environment or the nm-applet running, NetworkManager retrieves the password from these services. In other cases, NetworkManager prompts for the password.

3. If the client is required to verify the certificate of the authenticator, set the 802-1x.ca-cert parameter in the connection profile to the path of the CA certificate:

   # nmcli connection modify wpl1s0 802-1x.ca-cert /etc/pki/ca-trust/source/anchors/ca.crt

   Note

   For security reasons, Red Hat recommends using the certificate of the authenticator to enable clients to validate the identity of the authenticator.

4. Activate the connection profile:

   # nmcli connection up wpl1s0