Ubuntu – How do you configure Netplan on Ubuntu to store 802.1x credentials securely

Tags: authentication, netplan, networking, password

In an 802.1x enterprise network, I can use NetworkManager to configure 802.1x parameters, including the password. This all works, but requires storing the password in cleartext.

We are trying to use Netplan to store the credentials more securely (as a hashed password), but we cannot make the 802.1x connections authenticate.

I haven't been able to find a good guide for building a Netplan configuration that includes 802.1x credentials.

(UPDATE: there is a bug in Netplan about hashed passwords, https://github.com/CanonicalLtd/netplan/pull/78, which seems to be the main issue.)

Here is a file that does not work:

network:
  version: 2
  renderer: networkd
  ethernets:
    enp0s31f6:
      auth:
        key-management: 802.1x
        password: hash:some-stuff-here
        method: peap
        identity: ghewett
      dhcp4: false
      addresses:
        - 1.2.3.4
      gateway4: 5.6.7.8
      nameservers:
        search: [cisco.com, otherdomain]
        addresses:
          - 1.1.1.1
          - 2.2.2.2

(IPs and credentials changed)

This gives us:

DEBUG:command generate: running ['/lib/netplan/generate']
** (generate:19354): DEBUG: 09:23:41.614: Processing input file /etc/netplan/01-netcfg.yaml..
** (generate:19354): DEBUG: 09:23:41.614: starting new processing pass
Error in network definition /etc/netplan/01-netcfg.yaml line 7 column 6: unknown key auth

Best Answer

  • See https://netplan.io/examples; the https://netplan.io site in general has good info. Make sure to run sudo netplan --debug generate to check your .yaml files and generate the config files, and then sudo netplan apply to make them active.


    Authentication
    
    Netplan supports advanced authentication settings for ethernet and wifi interfaces, as well as individual wifi networks, by means of the auth block.
    
    auth (mapping)
    
        Specifies authentication settings for a device of type ethernets:, or an access-points: entry on a wifis: device.
    
        The auth block supports the following properties:
    
        key-management (scalar)
            The supported key management modes are none (no key management); psk (WPA with pre-shared key, common for home wifi); eap (WPA with EAP, common for enterprise wifi); and 802.1x (used primarily for wired Ethernet connections).
        password (scalar)
            The password string for EAP, or the pre-shared key for WPA-PSK.
    
        The following properties can be used if key-management is eap or 802.1x:
    
        method (scalar)
            The EAP method to use. The supported EAP methods are tls (TLS), peap (Protected EAP), and ttls (Tunneled TLS).
        identity (scalar)
            The identity to use for EAP.
        anonymous-identity (scalar)
            The identity to pass over the unencrypted channel if the chosen EAP method supports passing a different tunnelled identity.
        ca-certificate (scalar)
            Path to a file with one or more trusted certificate authority (CA) certificates.
        client-certificate (scalar)
            Path to a file containing the certificate to be used by the client during authentication.
        client-key (scalar)
            Path to a file containing the private key corresponding to client-certificate.
        client-key-password (scalar)
            Password to use to decrypt the private key specified in client-key if it is encrypted.
    

    Source: https://netplan.io/reference#authentication

    Update #1:

    Note: make sure there are no TABS in your .yaml file...

    Add your certs, restore the IPs, and try this...

    network:
      version: 2
      renderer: networkd
      ethernets:
        enp0s31f6:
          auth:
            key-management: 802.1x
            method: peap
            identity: "ghewett@example.com"
            ca-certificate: my_ca.pem
            client-certificate: my_cert.pem
            client-key: my_key.pem
          addresses:
            - 1.2.3.4
          gateway4: 5.6.7.8
          nameservers:
            search: [cisco.com, otherdomain]
            addresses:
              - 1.1.1.1
              - 2.2.2.2
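The thread turns on three things that go wrong before the 802.1x exchange even starts: a tab somewhere in the file, a property netplan does not know under auth:, and a password that ends up in cleartext in a world-readable file. As an added example (not code from the question, the answer or the netplan project), here is a small pre-flight audit in Python that checks those points against the auth property list quoted from the netplan reference above. It is a line scanner, not a YAML parser; the sample file, the interface name and the identity in it are constructed, and the file-mode check assumes a POSIX filesystem.

```python
"""Pre-flight audit of a netplan YAML file carrying an 802.1x auth block.
Added example, not code from the question, the answer or netplan itself."""
import os
import re
import stat
import tempfile

# Properties the netplan reference lists for the auth block.
AUTH_KEYS = {
    "key-management", "password", "method", "identity", "anonymous-identity",
    "ca-certificate", "client-certificate", "client-key", "client-key-password",
}
KEY_MANAGEMENT_VALUES = {"none", "psk", "eap", "802.1x"}
EAP_METHODS = {"tls", "peap", "ttls"}
# "key: value" with optional indentation; YAML list items ("- x") do not match.
KV_RE = re.compile(r"^(?P<indent>[ \t]*)(?P<key>[A-Za-z0-9_.-]+):[ \t]*(?P<value>.*?)[ \t]*$")


def audit_netplan_text(text):
    """Return [(line_number, message), ...] for one netplan YAML document."""
    findings = []
    auth_indent = None  # indentation of the auth: key we are inside, or None
    for lineno, raw in enumerate(text.splitlines(), start=1):
        if "\t" in raw:
            findings.append((lineno, "tab character; netplan YAML must be indented with spaces"))
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        m = KV_RE.match(raw)
        if not m:
            continue
        indent = len(m.group("indent"))
        key, value = m.group("key"), m.group("value").strip("\"'")
        if auth_indent is not None and indent <= auth_indent:
            auth_indent = None  # dedented out of the auth block
        if key == "auth" and value == "":
            auth_indent = indent
            continue
        if auth_indent is None:
            continue
        # The key sits inside an auth: block from here on.
        if key not in AUTH_KEYS:
            findings.append((lineno, f"unknown auth property '{key}'"))
        elif key == "key-management" and value not in KEY_MANAGEMENT_VALUES:
            findings.append((lineno, f"unsupported key-management '{value}'"))
        elif key == "method" and value not in EAP_METHODS:
            findings.append((lineno, f"unsupported EAP method '{value}'"))
        elif key == "password" and not value.startswith("hash:"):
            findings.append((lineno, "password stored in cleartext (no 'hash:' prefix)"))
    return findings


def audit_netplan_file(path):
    """Audit file contents plus permission bits; line 0 marks a file-level finding."""
    with open(path, encoding="utf-8") as fh:
        findings = audit_netplan_text(fh.read())
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append((0, f"mode {mode:04o}: a file holding credentials should be root-only (0600)"))
    return findings


# Constructed sample modelled on the question's file (not the asker's real config):
# line 10 misspells anonymous-identity, line 11 is a cleartext password, line 13 has a tab.
SAMPLE_CONSTRUCTED = """\
network:
  version: 2
  renderer: networkd
  ethernets:
    enp0s31f6:
      auth:
        key-management: 802.1x
        method: peap
        identity: user@example.com
        anonymous-id: anonymous
        password: SuperSecret1
      dhcp4: false
\taddresses: [1.2.3.4/24]
"""


def audit_sample_on_disk(mode=0o644):
    """Write the constructed sample to a temp file with the given mode and audit it."""
    fd, path = tempfile.mkstemp(suffix=".yaml")
    try:
        with os.fdopen(fd, "w", encoding="utf-8") as fh:
            fh.write(SAMPLE_CONSTRUCTED)
        os.chmod(path, mode)
        return audit_netplan_file(path)
    finally:
        os.unlink(path)
```

Run audit_netplan_file on each file under /etc/netplan before sudo netplan --debug generate; on the constructed sample it reports the misspelled property, the cleartext password, the tab and (at 0644) the permission bits. One caveat on the hash: form the question is after: for PEAP/MSCHAPv2 the stored value is the NT password hash, which is all the authenticator ever checks, so it is as sensitive as the password itself. Hashing the value removes the literal password from disk but does not make the file safe to expose; keep /etc/netplan files owned by root with mode 0600 regardless.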