What is IEEE 802.1X anyway?
More and more companies run a shared desk strategy. Combined with the option of working from home, this often means that employees use their laptop both at home and at the office. The shared desk strategy, however, forces them to work at different workspaces (and to connect to different network ports or docking stations).
But how do you prevent an unknown person from connecting their own device to your company network? One way is MAC address filtering; however, faking a MAC address is only one Google query away, so this is insufficient for today’s security needs. That’s where 802.1X joins the game, adding certificate-based authentication to this scheme. The only downside is that this requires more infrastructure (like a RADIUS server and a CA) and network switches that support the protocol (common home-use devices unfortunately don’t). As my own devices don’t support it, I’ll only document the client side of things here.
Basic configuration
In order to start your configuration you’ll first of all need a certificate/key pair, which you’ll usually get from your local system administrator. In our example these are:
/etc/wpa_supplicant/client1.misc.8021x.radius.mydomain.de.crt
/etc/wpa_supplicant/client1.misc.8021x.radius.mydomain.de.key
Once you have those files you can start with the basic 802.1X configuration for wpa_supplicant:
linux # cat /etc/wpa_supplicant/wpa_supplicant.conf
ctrl_interface=/run/wpa_supplicant
update_config=1
network={
key_mgmt=IEEE8021X
eap=TLS
identity="client1"
client_cert="/etc/wpa_supplicant/client1.misc.8021x.radius.mydomain.de.crt"
private_key="/etc/wpa_supplicant/client1.misc.8021x.radius.mydomain.de.key"
}
To establish the connection, wpa_supplicant needs to be started:
linux # wpa_supplicant -D wired -i enp3s0f0 -c wpa_supplicant.conf
Successfully initialized wpa_supplicant
enp3s0f0: Associated with 01:80:c2:00:00:03
enp3s0f0: CTRL-EVENT-SUBNET-STATUS-UPDATE status=0
enp3s0f0: CTRL-EVENT-EAP-STARTED EAP authentication started
enp3s0f0: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=13
enp3s0f0: CTRL-EVENT-EAP-METHOD EAP vendor 0 method 13 (TLS) selected
enp3s0f0: CTRL-EVENT-EAP-PEER-CERT depth=0 subject='/CN=radius.8021x.mydomain.de' hash=422d594f30df7ed1582444a832f9c68b2107624d4ec38a050b1358a757e81d8a
enp3s0f0: CTRL-EVENT-EAP-PEER-ALT depth=0 DNS:radius.8021x.mydomain.de
enp3s0f0: CTRL-EVENT-EAP-PEER-CERT depth=0 subject='/CN=radius.8021x.mydomain.de' hash=422d594f30df7ed1582444a832f9c68b2107624d4ec38a050b1358a757e81d8a
enp3s0f0: CTRL-EVENT-EAP-PEER-ALT depth=0 DNS:radius.8021x.radius.mydomain.de
enp3s0f0: CTRL-EVENT-EAP-PEER-CERT depth=0 subject='/CN=radius.8021x.mydomain.de' hash=422d594f30df7ed1582444a832f9c68b2107624d4ec38a050b1358a757e81d8a
enp3s0f0: CTRL-EVENT-EAP-PEER-ALT depth=0 DNS:radius.8021x.radius.mydomain.de
enp3s0f0: CTRL-EVENT-EAP-SUCCESS EAP authentication completed successfully
enp3s0f0: CTRL-EVENT-CONNECTED - Connection to 01:80:c2:00:00:03 completed [id=0 id_str=]
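The network block above authenticates the client, but it contains no ca_cert, so wpa_supplicant completes EAP-TLS with whichever RADIUS server answers on that port. The log lines it printed already carry what is needed to pin the server: the SHA-256 hash of the server certificate (CTRL-EVENT-EAP-PEER-CERT at depth=0) and its DNS name (CTRL-EVENT-EAP-PEER-ALT). The following script is an added example, not code from the original post; it parses those lines and emits the same network block extended with ca_cert="hash://server/sha256/..." and domain_match, both standard wpa_supplicant.conf options. The embedded log is a constructed sample taken from the output above, and the helper names are my own.

```python
"""Derive server-certificate pinning for wpa_supplicant from its own EAP log.

Added example (not part of the original post). It reads the depth=0
CTRL-EVENT-EAP-PEER-CERT / CTRL-EVENT-EAP-PEER-ALT lines and renders a
network={} block that only accepts that one server certificate
(ca_cert="hash://server/sha256/<hex>") and that exact server name
(domain_match=). Pin a hash only after confirming it with the RADIUS
administrator; a hash read off an untrusted network proves nothing.
"""
import re

# Constructed sample: the depth=0 lines from the wpa_supplicant run in the post.
SAMPLE_LOG = """\
enp3s0f0: CTRL-EVENT-EAP-STARTED EAP authentication started
enp3s0f0: CTRL-EVENT-EAP-METHOD EAP vendor 0 method 13 (TLS) selected
enp3s0f0: CTRL-EVENT-EAP-PEER-CERT depth=0 subject='/CN=radius.8021x.mydomain.de' hash=422d594f30df7ed1582444a832f9c68b2107624d4ec38a050b1358a757e81d8a
enp3s0f0: CTRL-EVENT-EAP-PEER-ALT depth=0 DNS:radius.8021x.mydomain.de
enp3s0f0: CTRL-EVENT-EAP-SUCCESS EAP authentication completed successfully
"""

PEER_CERT = re.compile(
    r"CTRL-EVENT-EAP-PEER-CERT depth=(\d+) subject='([^']*)' hash=([0-9a-f]{64})")
PEER_ALT = re.compile(r"CTRL-EVENT-EAP-PEER-ALT depth=(\d+) DNS:(\S+)")


def extract_server_identity(log: str) -> dict:
    """Return the leaf (depth=0) server certificate hash, subject and DNS SANs.

    Raises ValueError if no depth=0 certificate was logged, or if more than
    one distinct depth=0 hash appears (the capture saw different servers and
    must be resolved by hand instead of pinned blindly).
    """
    subjects_by_hash = {}   # hash -> subject, keeps distinct leaf certs apart
    dns_names = []          # depth=0 DNS SANs in order of first appearance
    for line in log.splitlines():
        m = PEER_CERT.search(line)
        if m and m.group(1) == "0":
            subjects_by_hash[m.group(3)] = m.group(2)
            continue
        m = PEER_ALT.search(line)
        if m and m.group(1) == "0" and m.group(2) not in dns_names:
            dns_names.append(m.group(2))
    if not subjects_by_hash:
        raise ValueError("no depth=0 CTRL-EVENT-EAP-PEER-CERT line found")
    if len(subjects_by_hash) > 1:
        raise ValueError(
            f"conflicting server certificate hashes: {sorted(subjects_by_hash)}")
    (cert_hash, subject), = subjects_by_hash.items()
    return {"hash": cert_hash, "subject": subject, "dns": dns_names}


def hardened_network_block(identity: str, client_cert: str,
                           private_key: str, server: dict) -> str:
    """Render the post's network={} block plus server verification.

    ca_cert="hash://server/sha256/<hex>" tells wpa_supplicant to accept only
    the server certificate with exactly that SHA-256 (the chain is ignored);
    domain_match requires a dNSName SAN (or the CN) to equal the given FQDN.
    """
    lines = [
        "network={",
        "    key_mgmt=IEEE8021X",
        "    eap=TLS",
        f'    identity="{identity}"',
        f'    client_cert="{client_cert}"',
        f'    private_key="{private_key}"',
        f'    ca_cert="hash://server/sha256/{server["hash"]}"',
    ]
    if server["dns"]:
        lines.append(f'    domain_match="{server["dns"][0]}"')
    lines.append("}")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Paths from the post; any other deployment substitutes its own.
    server = extract_server_identity(SAMPLE_LOG)
    print(hardened_network_block(
        "client1",
        "/etc/wpa_supplicant/client1.misc.8021x.radius.mydomain.de.crt",
        "/etc/wpa_supplicant/client1.misc.8021x.radius.mydomain.de.key",
        server))
```

Run it against the saved output of the wpa_supplicant session (for example `wpa_supplicant ... | tee eap.log`, then feed `eap.log` to `extract_server_identity`) and paste the printed block into wpa_supplicant.conf. If the hash or name the RADIUS server presents changes, authentication now fails instead of silently proceeding. For the NetworkManager connection described in the next section the equivalent settings are 802-1x.ca-cert (a CA certificate file; NetworkManager does not accept the hash:// form) together with 802-1x.domain-suffix-match.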
NetworkManager configuration
While doing the configuration with wpa_supplicant works, in today’s Linux distributions something like NetworkManager (or its command line tool nmcli) is better integrated (especially on the desktop). More information about the possible options can be found in the NetworkManager documentation.
A basic configuration for my ethernet device enp3s0f0 looks like this:
linux # nmcli connection add type ethernet \
ifname enp3s0f0 \
con-name "Ethernet 802.1X" \
802-1x.eap tls \
802-1x.identity "client1" \
802-1x.client-cert /etc/wpa_supplicant/client1.misc.8021x.radius.mydomain.de.crt \
802-1x.private-key /etc/wpa_supplicant/client1.misc.8021x.radius.mydomain.de.key \
802-1x.private-key-password-flags 0x4
Connection 'Ethernet 802.1X' (0fb68464-fa82-4a30-840b-a227cb04c0a5) successfully added.
This creates a new NetworkManager connection with basically the same settings as the wpa_supplicant config above. However, you might have noticed the additional option 802-1x.private-key-password-flags set to 0x4. During my first tries I didn’t set this option, which caused NetworkManager to ask for a password for the private key (which in my case wasn’t needed). Looking for a solution I found the explanation at the very bottom (section: Secret flag types) of the NetworkManager settings documentation (0x4 meaning: do not ask for a password).
We can also check the complete configuration of this new connection:
linux # nmcli connection show "Ethernet 802.1X"
connection.id: Ethernet 802.1X
connection.uuid: 0fb68464-fa82-4a30-840b-a227cb04c0a5
<...>
connection.type: 802-3-ethernet
connection.interface-name: enp3s0f0
connection.autoconnect: yes
<...>
802-1x.eap: tls
802-1x.identity: client1
<...>
802-1x.client-cert: /etc/wpa_supplicant/client1.misc.8021x.radius.mydomain.de.crt
<...>
802-1x.private-key: /etc/wpa_supplicant/client1.misc.8021x.radius.mydomain.de.key
<...>