The following instructions describe the steps required to install network access certificates and configure network connection profiles to use those certificates on Linux hosts.
Before following the instructions below, system administrators will need to generate network access certificates for the host. See the Linux Network Certificate CLI Tool article to do so.
Once the certificates are in hand, continue with the instructions below.
The network connection profiles configured below will only work after a network port has been migrated to the policy-based network.
Install the network authentication certificate
- Upload the certificate and private key generated to /tmp on the host.
scp ./<CERTIFICATE> <HOSTNAME>:/tmp
scp ./<PRIVATE_KEY> <HOSTNAME>:/tmp
where <CERTIFICATE> and <PRIVATE_KEY> are the filenames of your certificate and private key respectively and <HOSTNAME> is the fully-qualified domain name of the host on which you will be installing the certificate.
NOTE: You may also use a GUI SFTP client to transfer the certificate and private key. Whatever you're most comfortable with!
- Connect to the host via SSH:
ssh <HOSTNAME>
- Elevate your privileges.
su
NOTE: You may also prefix all of the commands below with 'sudo' if that is configured.
- Move the certificate from /tmp to its final destination.
On RHEL: mv /tmp/<CERTIFICATE> /etc/pki/tls/certs/
On Ubuntu: mv /tmp/<CERTIFICATE> /etc/ssl/certs/
- Move the private key to its final destination.
On RHEL: mv /tmp/<PRIVATE_KEY> /etc/pki/tls/private/
On Ubuntu: mv /tmp/<PRIVATE_KEY> /etc/ssl/private/
- Set the ownership and permissions on the certificate and private key:
On RHEL:
chown root:root /etc/pki/tls/private/<PRIVATE_KEY>
chown root:root /etc/pki/tls/certs/<CERTIFICATE>
chmod 400 /etc/pki/tls/private/<PRIVATE_KEY>
chmod 444 /etc/pki/tls/certs/<CERTIFICATE>
On Ubuntu:
chown root:root /etc/ssl/private/<PRIVATE_KEY>
chown root:root /etc/ssl/certs/<CERTIFICATE>
chmod 400 /etc/ssl/private/<PRIVATE_KEY>
chmod 444 /etc/ssl/certs/<CERTIFICATE>
- If SELinux is enabled, restore SELinux contexts just in case.
On RHEL:
restorecon -r /etc/pki/tls/certs/
restorecon -r /etc/pki/tls/private/
On Ubuntu:
restorecon -r /etc/ssl/certs
restorecon -r /etc/ssl/private/
- Ensure the only copy of the certificate and private key is on the host itself. Delete the certificate and key from /tmp if needed. Delete the certificate and private key from your local host as well.
- Done!
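As an added post-install check (not part of the original article), the following function verifies that the files placed under /etc/pki/tls or /etc/ssl above have the expected owner and modes, that the private key actually belongs to the certificate, and that the certificate has not expired. The environment variable NETCERT_KEY_PASS is an assumed name used only to decrypt a passphrase-protected key.

```shell
#!/bin/sh
# Verify an installed network access certificate and private key.
# Usage: check_netcert CERT_PATH KEY_PATH [EXPECTED_OWNER]   (exit 0 = all checks passed)
# NETCERT_KEY_PASS (assumed name) supplies the passphrase of an encrypted private key.
check_netcert() {
    cert=$1; key=$2; owner=${3:-root}; rc=0
    for f in "$cert" "$key"; do
        if [ ! -f "$f" ]; then echo "missing: $f" >&2; return 2; fi
        o=$(stat -c '%U' "$f")
        if [ "$o" != "$owner" ]; then echo "$f owned by $o, want $owner" >&2; rc=1; fi
    done
    # Modes from the install steps: key readable only by its owner, certificate world-readable.
    m=$(stat -c '%a' "$key")
    if [ "$m" != 400 ]; then echo "$key mode $m, want 400" >&2; rc=1; fi
    m=$(stat -c '%a' "$cert")
    if [ "$m" != 444 ]; then echo "$cert mode $m, want 444" >&2; rc=1; fi
    # The public key inside the certificate must equal the one derived from the private key.
    passarg=""
    if [ -n "$NETCERT_KEY_PASS" ]; then passarg="-passin env:NETCERT_KEY_PASS"; fi
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null || true)
    key_pub=$(openssl pkey -in "$key" -pubout $passarg 2>/dev/null || true)
    if [ -z "$key_pub" ]; then
        echo "cannot read $key (wrong or missing passphrase?)" >&2; rc=1
    elif [ "$cert_pub" != "$key_pub" ]; then
        echo "$key does not match $cert" >&2; rc=1
    fi
    # -checkend 0 fails when the certificate's notAfter is already in the past.
    if ! openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1; then
        echo "$cert has expired" >&2; rc=1
    fi
    return $rc
}
```

Run it as root after the chmod/chown steps, e.g. check_netcert /etc/pki/tls/certs/<CERTIFICATE> /etc/pki/tls/private/<PRIVATE_KEY>; every failed check is reported on stderr and the exit status is non-zero.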
Create connection profiles using network authentication certificates
NOTE: All of the commands below should be executed with elevated privileges.
Wired connection profile
- Create a new ethernet connection profile:
nmcli connection add type ethernet con-name "wired-umd"
NOTE: We've named this connection "wired-umd". You may customize this name.
- Modify the above connection to add the 802.1x authentication parameters:
NOTE: The following command involves typing your password within the command which could cause your password to be stored in your command history. Investigate using $HISTCONTROL or other methods to avoid this.
nmcli connection modify wired-umd 802-1x.eap tls \
802-1x.client-cert /etc/pki/tls/certs/<CERTIFICATE> \
802-1x.private-key /etc/pki/tls/private/<PRIVATE_KEY> \
802-1x.ca-cert <CA_BUNDLE> \
802-1x.identity <FQDN>@umd.edu \
802-1x.private-key-password <PASSWORD> \
802-1x.private-key-password-flags 0 \
connection.autoconnect yes \
connection.autoconnect-priority 100
where <CERTIFICATE> and <PRIVATE_KEY> are the filenames of the network access certificate and private key respectively, <FQDN> is the fully-qualified domain name (e.g. linuxrocks.umd.edu) and <PASSWORD> is the password used to encrypt the private key (optional). <CA_BUNDLE> is the local trusted certificate authority bundle. On RHEL, this is "/etc/pki/tls/certs/ca-bundle.crt" and on Ubuntu, it is "/etc/ssl/ca-certificates.crt".
NOTE: If you did not set a password on your private key, the "802-1x.private-key-password" parameter should be omitted and "802-1x.private-key-password-flags" should be set to "4".
NOTE: <FQDN>@umd.edu may look odd but is necessary. You need to specify your FQDN with "@umd.edu" appended to the end e.g. linuxrocks.umd.edu@umd.edu.
- Plug the network cable into the host if it is not already.
- If you have migrated the network port to the policy-based network, you may test your connection profile. Continue to the next step. Otherwise, stop here.
- Activate your new ethernet connection:
nmcli con up wired-umd
- Confirm the new connection is active:
nmcli con show --active
- Done!
Wireless connection profile
- Create a new wifi connection profile and set the SSID to "eduroam":
nmcli connection add type wifi con-name "wireless-umd" ssid "eduroam"
NOTE: We've named this connection "wireless-umd". You may customize this name.
- Modify the above connection to add the 802.1x authentication parameters:
NOTE: The following command involves typing your password within the command which could cause your password to be stored in your command history. Investigate using $HISTCONTROL or other methods to avoid this.
nmcli connection modify wireless-umd \
802-11-wireless-security.key-mgmt wpa-eap \
802-1x.eap tls \
802-1x.client-cert /etc/pki/tls/certs/<CERTIFICATE> \
802-1x.private-key /etc/pki/tls/private/<PRIVATE_KEY> \
802-1x.ca-cert <CA_BUNDLE> \
802-1x.identity <FQDN>@umd.edu \
802-1x.private-key-password <PASSWORD> \
802-1x.private-key-password-flags 0 \
connection.autoconnect yes \
connection.autoconnect-priority 100
where <CERTIFICATE> and <PRIVATE_KEY> are the filenames of the network access certificate and private key respectively, <FQDN> is the fully-qualified domain name (e.g. linuxrocks.umd.edu) and <PASSWORD> is the password used to encrypt the private key (optional). <CA_BUNDLE> is the local trusted certificate authority bundle. On RHEL, this is "/etc/pki/tls/certs/ca-bundle.crt" and on Ubuntu, it is "/etc/ssl/ca-certificates.crt".
NOTE: If you did not set a password on your private key, the "802-1x.private-key-password" parameter should be omitted and "802-1x.private-key-password-flags" should be set to "4".
NOTE: <FQDN>@umd.edu shown above may look odd but is necessary. You need to specify your FQDN with "@umd.edu" appended to the end e.g. linuxrocks.umd.edu@umd.edu.
- Activate your new wireless connection:
nmcli con up wireless-umd
- Confirm the new connection is active:
nmcli con show --active
- Done!
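The wired and wireless profile steps above differ only in the connection type and the key-mgmt property, and both carry the warning about the passphrase ending up in shell history. As an added helper (not from the original article) the functions below build either profile, read the passphrase with echo turned off instead of taking it on the command line, and apply the no-passphrase rule from the notes (omit the password property, set the flags to 4). The function names, the argument order and the CA bundle path argument are assumptions of this example.

```shell
#!/bin/sh
# Usage: netcert_profile wired|wifi CON_NAME CERT_PATH KEY_PATH CA_BUNDLE FQDN [SSID]

# Print the nmcli properties for the 802.1X TLS profile, one "property value" per line.
netcert_nm_props() {   # KIND CERT KEY CA FQDN PASS
    if [ "$1" = wifi ]; then echo "802-11-wireless-security.key-mgmt wpa-eap"; fi
    echo "802-1x.eap tls"
    echo "802-1x.client-cert $2"
    echo "802-1x.private-key $3"
    echo "802-1x.ca-cert $4"
    echo "802-1x.identity $5@umd.edu"      # the @umd.edu suffix is required
    if [ -n "$6" ]; then
        echo "802-1x.private-key-password $6"
        echo "802-1x.private-key-password-flags 0"   # 0: NetworkManager stores the secret
    else
        echo "802-1x.private-key-password-flags 4"   # 4: no secret is required
    fi
    echo "connection.autoconnect yes"
    echo "connection.autoconnect-priority 100"
}

netcert_profile() {
    kind=$1; con=$2; cert=$3; key=$4; ca=$5; fqdn=$6; ssid=${7:-eduroam}
    if [ "$kind" = wifi ]; then
        nmcli connection add type wifi con-name "$con" ssid "$ssid"
    else
        nmcli connection add type ethernet con-name "$con"
    fi
    # Read the passphrase silently; an empty reply means the key is unencrypted.
    printf 'Private key passphrase (empty if the key is unencrypted): ' >&2
    stty -echo 2>/dev/null; read -r pass; stty echo 2>/dev/null; echo >&2
    # Rebuild the property list as separate arguments for a single modify call.
    set --
    while read -r prop val; do set -- "$@" "$prop" "$val"; done <<EOF
$(netcert_nm_props "$kind" "$cert" "$key" "$ca" "$fqdn" "$pass")
EOF
    nmcli connection modify "$con" "$@"
}
```

The passphrase is still passed to nmcli as an argument, so it is briefly visible in the process list; it is kept out of the shell history, which is what the note above is concerned with.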