suse-edge / nm-configurator

NetworkManager configuration tool
Apache License 2.0

Configuring 802.1x certificates #89

Closed koendelaat closed 3 weeks ago

koendelaat commented 3 months ago

To use 802.1x Network Access Control we need to provision the appropriate certificates for each node.

I found the following example of what an nmstate file could look like:

interfaces:
- name: enp1s0
  type: ethernet
  state: up
  ipv4:
    enabled: true
    address:
    - ip: 192.0.2.1
      prefix-length: 24
    dhcp: false
  ipv6:
    enabled: false
  802.1x:
    ca-cert: /etc/pki/tls/certs/ca.crt
    client-cert: /etc/pki/tls/certs/client.crt
    eap-methods:
      - tls
    identity: client.example.org
    private-key: /etc/pki/tls/private/client.key
    private-key-password: password

If possible, can you give a working example configuration?

atanasdinov commented 3 months ago

Hey, @koendelaat.

Yes, 802.1x seems to be supported by nmstate even though there aren't any examples in the official docs. I only managed to find the code documentation, which lists a simple example.

When building an image with EIB which is supposed to use more complex configurations, especially ones which require files to be on the filesystem, you'd have to plug in a custom script.

In general, you're able to supply certificates using a specific directory; however, the network customisation script is executed before the one storing these, so it might not work. This is something which we will further investigate.

For now you'd have to bring your certificates under the /custom/files directory. Once this is done you will create a custom script to move those into the respective place (e.g. /etc/pki/tls or /etc/pki/trust). The execution of the scripts follows an alphabetical order and you would want yours to be executed before the network one. You can achieve this by prefixing your script with a number in the range of 00-04 since the network one is prefixed with 05.

Unfortunately, we do not have a working example for this type of configuration yet. Please let us know if you have further questions.
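The procedure described in the comment above, sketched as an added example (not code from nm-configurator, EIB, or either commenter). It assumes a hypothetical script name `04-8021x-certs.sh`, the file names and target paths from the nmstate example in the issue, and that the directory holding the `/custom/files` content at script run time is passed in as an argument.

```shell
#!/bin/sh
# Added example: body of a hypothetical custom script, e.g. 04-8021x-certs.sh.
# The 00-04 prefix makes it sort before the 05-prefixed network script.

# install_8021x_certs SRC ROOT
#   SRC  - directory where the files shipped via /custom/files are available
#          when the script runs (assumption; pass the real location)
#   ROOT - filesystem root to install into ("/" on the node, a temp dir in tests)
install_8021x_certs() {
    src=$1
    root=${2%/}

    # Fail closed: refuse a partial set so the network script never applies
    # an 802.1x config that points at missing or empty files.
    for f in ca.crt client.crt client.key; do
        if [ ! -s "$src/$f" ]; then
            echo "802.1x: missing or empty $src/$f" >&2
            return 1
        fi
    done

    # Target paths match the nmstate example in the issue.
    install -d -m 0755 "$root/etc/pki/tls/certs" || return 1
    install -d -m 0700 "$root/etc/pki/tls/private" || return 1
    install -m 0644 "$src/ca.crt" "$root/etc/pki/tls/certs/ca.crt" || return 1
    install -m 0644 "$src/client.crt" "$root/etc/pki/tls/certs/client.crt" || return 1

    # Private key: owner read/write only, and no second copy left in staging.
    install -m 0600 "$src/client.key" "$root/etc/pki/tls/private/client.key" || return 1
    rm -f "$src/client.key"
}

# On the node the script would end with a call such as:
#   install_8021x_certs <staging-dir> / || exit 1
```

Exiting non-zero when a file is missing keeps a half-provisioned node from coming up with an 802.1x profile that references absent certificates.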

atanasdinov commented 2 months ago

Hi, @koendelaat.

We released nmc v0.3.1 based on the latest version of nmstate which includes your contribution regarding 802.1x Network Access Control.

This version of nmc is now accessible if you build EIB from source, and it would also be included in the EIB v1.1 release scheduled for late September. Please let us know if this resolves this current issue, thanks!

koendelaat commented 2 months ago

Thanks for the fast adoption of the 802.1x PEAP authentication in nmc.

This issue is related to the 802.1x certificates. I think it would still be relevant to have an example including certificate deployment.

For the system I was configuring, my issue is resolved.