802.1X authentication to the network with a bonding configuration in CentOS 7
Network settings on a single NIC work, but ...
I had a case where I wanted an installed server's network to use **bonding across multiple NIC ports and join the network with 802.1X authentication**.
On my own I was only able to join the network with a single NIC, but with the cooperation of the people around me I was able to join with 802.1X authentication even in the bonding case.
Even searching the net, I could not find a method for 802.1X authentication with a **bonding configuration**, so I am publishing it as an article here. (Thanks to everyone who cooperated!)
# Environment / things to prepare
I can't give the device details of the server and network switch, but think of the server as a rack-mount server such as Fujitsu, HP or IBM, and of the network switch as a product such as NETGEAR or Cisco.
- We proceed on the premise that the network bonding settings have already been created in CentOS 7.
- OS: CentOS 7.8
- NIC ports to be bonded: wired connection with two ports on an Intel 10G NIC
- Certificate file: ZZZZZZ.pem (it may also be in crt format)
- Private key file: ZZZZZZ.p12
# ① Convert the certificate file from crt format to pem format
Initially I received the certificate from the user in crt file format, but, for a reason I could not determine, 802.1X authentication failed in the later steps while the file was in crt format.
So, convert from crt to pem format with the following command.
- If the certificate file is already in pem format, this step is not necessary.
```sh
# if the .crt is DER-encoded rather than PEM, add: -inform DER
openssl x509 -in ZZZZZZ.crt -out ZZZZZZ.pem
```
# ② Move the certificate file and private key file to their storage directory
Save ZZZZZZ.pem and ZZZZZZ.p12 in `/etc/pki/CA/certs/`.
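The certificate and key placed in `/etc/pki/CA/certs/` are easy to get wrong (an expired certificate, a `.p12` whose key does not belong to the `.pem`, a wrong passphrase), and the mistake only surfaces later as a TLS alert when wpa_supplicant runs. The POSIX shell script below is an added example, not from the original article: `check_8021x_certs` verifies that the PEM parses, is not expired, and carries the same public key as the private key inside the PKCS#12 file, using only `openssl` subcommands that exist in OpenSSL 1.0.2 and later. `make_fixtures` builds constructed, self-signed throwaway files in a temp directory so the check can be exercised offline; the function names and the password `secret` are my own choices.

```shell
#!/bin/sh
# Added example (not part of the original article): sanity-check an 802.1X client
# certificate (PEM) against its private key (PKCS#12) before giving them to wpa_supplicant.

# check_8021x_certs CERT.pem KEY.p12 P12-PASSWORD
# Returns 0 when the PEM parses, is still valid, and its public key equals the public
# key derived from the private key stored in the .p12; returns 1 with a reason otherwise.
check_8021x_certs() {
    cert="$1"; p12="$2"; pass="$3"
    # 1. PEM must parse as an X.509 certificate (this is what step ① produces)
    openssl x509 -in "$cert" -noout >/dev/null 2>&1 \
        || { echo "not a PEM certificate: $cert"; return 1; }
    # 2. -checkend 0 exits non-zero if the certificate is already expired
    openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1 \
        || { echo "certificate expired: $cert"; return 1; }
    # 3. Compare SubjectPublicKeyInfo from the certificate with the one derived from the key.
    #    Comparing public keys (not RSA moduli) works for RSA and EC keys alike.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || true
    key_pub=$(openssl pkcs12 -in "$p12" -nocerts -nodes -passin "pass:$pass" 2>/dev/null \
              | openssl pkey -pubout 2>/dev/null) || true
    [ -n "$key_pub" ] || { echo "cannot read private key from $p12 (wrong password?)"; return 1; }
    [ "$cert_pub" = "$key_pub" ] || { echo "certificate/key mismatch: $cert vs $p12"; return 1; }
    echo "OK: $cert matches $p12 and is within its validity period"
    return 0
}

# make_fixtures
# Creates constructed demo material in a temp directory and prints its path:
#   ZZZZZZ.pem / ZZZZZZ.p12  matching self-signed certificate and key (password: secret)
#   other.p12                a .p12 holding an unrelated key, for the mismatch case
make_fixtures() {
    d=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=host.example.test" \
        -keyout "$d/key.pem" -out "$d/ZZZZZZ.pem" >/dev/null 2>&1
    openssl pkcs12 -export -inkey "$d/key.pem" -in "$d/ZZZZZZ.pem" \
        -out "$d/ZZZZZZ.p12" -passout pass:secret >/dev/null 2>&1
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=other.example.test" \
        -keyout "$d/other-key.pem" -out "$d/other.pem" >/dev/null 2>&1
    openssl pkcs12 -export -inkey "$d/other-key.pem" -in "$d/other.pem" \
        -out "$d/other.p12" -passout pass:secret >/dev/null 2>&1
    echo "$d"
}

# Usage against the real files from step ②:
#   check_8021x_certs /etc/pki/CA/certs/ZZZZZZ.pem /etc/pki/CA/certs/ZZZZZZ.p12 'ZZZZZZ'
```

Run the check before editing wpa_supplicant.conf; a mismatch or a wrong passphrase here is exactly what later appears as an EAP-TLS failure with no useful message on the switch side.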
# ③ Edit the ifcfg file
The bonding configuration file `/etc/sysconfig/network-scripts/ifcfg-bond0` is set as follows.
```sh
BONDING_OPTS="mode=4 miimon=100 xmit_hash_policy=layer2+3"
DEVICE=bond0
TYPE=Bond
BOOTPROTO=none
BONDING_MASTER=yes
NAME=bond0
ONBOOT=yes
UUID=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
MTU=9000
DNS1=aaa.bbb.ccc.ddd
DNS2=aaa.bbb.ccc.ddd
GATEWAY=aaa.bbb.ccc.ddd
IPADDR=aaa.bbb.ccc.ddd
NETMASK=aaa.bbb.ccc.ddd
PREFIX=yy
# 802.1X authentication settings
KEY_MGMT=IEEE8021X
IEEE_8021X_EAP_METHODS=TLS
IEEE_8021X_IDENTITY=XXXXXXXXX
IEEE_8021X_CA_CERT=/etc/pki/CA/certs/ZZZZZZ.pem      # path where the pem file was saved in ②
IEEE_8021X_PRIVATE_KEY=/etc/pki/CA/certs/ZZZZZZ.p12  # path where the p12 file was saved in ②
DOMAIN=zzzz.zzzz.zzzz
```
# ④ Edit /etc/sysconfig/wpa_supplicant and /etc/wpa_supplicant/wpa_supplicant.conf
Edit the contents of `/etc/sysconfig/wpa_supplicant` (the daemon's startup options) as follows. The interface passed with `-i` is the bond device itself, not one of its member ports; `-t` adds timestamps to the log file named by `-f`.
```sh
INTERFACES="-ibond0"
DRIVERS="-Dwired"
OTHER_ARGS="-u -f /var/log/wpa_supplicant.log -P /var/run/wpa_supplicant.pid -t"
```
Edit the contents of `/etc/wpa_supplicant/wpa_supplicant.conf` as follows. The EAP method name is case-sensitive, so write `TLS` in upper case; the PKCS#12 file holds both the client certificate and its key, so no separate `client_cert` entry is needed.
```conf
ctrl_interface=/var/run/wpa_supplicant
ctrl_interface_group=0
network={
    key_mgmt=IEEE8021X
    eap=TLS
    identity="ZZZZZZ"
    ca_cert="/etc/pki/CA/certs/ZZZZZZ.pem"
    private_key="/etc/pki/CA/certs/ZZZZZZ.p12"
    private_key_passwd="ZZZZZZ"
}
```
# ⑤ Disable the startup of NetworkManager when the server starts
If NetworkManager has already been started, 802.1X authentication cannot be performed, so **disable the service**.
```sh
chkconfig NetworkManager off    # on CentOS 7 this is forwarded to: systemctl disable NetworkManager
```
# ⑥ Enable and start wpa_supplicant
Since wpa_supplicant must be running for 802.1X authentication, **enable and start the service**.
```sh
chkconfig wpa_supplicant on     # on CentOS 7 this is forwarded to: systemctl enable wpa_supplicant
systemctl start wpa_supplicant
```
# ⑦ Start wpa_supplicant and check whether the connection succeeds
If the following command outputs `bond0: CTRL-EVENT-CONNECTED - Connection to <MAC address> completed`, 802.1X authentication has succeeded.
```sh
wpa_supplicant -c /etc/wpa_supplicant/wpa_supplicant.conf -D wired -i bond0
```
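Watching the terminal is fine for a one-off check, but the `OTHER_ARGS` set in ④ also write the same events to `/var/log/wpa_supplicant.log` with a timestamp prefix, which is what you want to inspect when authentication fails after a reboot. The POSIX shell script below is an added example, not from the original article: `wpa_8021x_state` reads that log and reports the last authentication state for an interface, and `wpa_8021x_tls_hint` pulls out the first TLS-level error, which is the usual cause of an EAP-TLS failure (unknown CA, expired certificate, certificate/key mismatch). The log lines inside `write_sample_log` are constructed to resemble wpa_supplicant's wired-driver output with `-t`; the function names are my own.

```shell
#!/bin/sh
# Added example (not part of the original article): classify the outcome of the 802.1X
# exchange from the wpa_supplicant log. With -t each line is "<epoch>.<usec>: <ifname>: <event>";
# the functions also accept lines without the timestamp prefix.

# wpa_8021x_state LOGFILE IFNAME
# Prints CONNECTED, EAP-FAILURE, DISCONNECTED or UNKNOWN for IFNAME.
# A DISCONNECTED that follows an EAP-FAILURE keeps EAP-FAILURE, so the cause is not lost.
wpa_8021x_state() {
    awk -v ifc="$2" '
        $0 ~ "(^|: )" ifc ": CTRL-EVENT-CONNECTED"    { state = "CONNECTED" }
        $0 ~ "(^|: )" ifc ": CTRL-EVENT-EAP-FAILURE"  { state = "EAP-FAILURE" }
        $0 ~ "(^|: )" ifc ": CTRL-EVENT-DISCONNECTED" { if (state != "EAP-FAILURE") state = "DISCONNECTED" }
        END { print (state == "" ? "UNKNOWN" : state) }
    ' "$1"
}

# wpa_8021x_tls_hint LOGFILE
# Prints the first TLS alert or OpenSSL error line, or "none" if there is none.
wpa_8021x_tls_hint() {
    hint=$(grep -E 'SSL: SSL3 alert|certificate verify failed|OpenSSL: .*error' "$1" 2>/dev/null | head -n 1)
    if [ -n "$hint" ]; then echo "$hint"; else echo "none"; fi
}

# write_sample_log success|failure
# Writes a constructed log to a temp file and prints its path (demo input only).
write_sample_log() {
    f=$(mktemp)
    case "$1" in
    success)
        cat >"$f" <<'EOF'
1600000000.100000: bond0: Associated with 01:80:c2:00:00:03
1600000000.200000: bond0: CTRL-EVENT-EAP-STARTED EAP authentication started
1600000000.300000: bond0: CTRL-EVENT-EAP-METHOD EAP vendor 0 method 13 (TLS) selected
1600000000.400000: bond0: CTRL-EVENT-EAP-SUCCESS EAP authentication completed successfully
1600000000.500000: bond0: CTRL-EVENT-CONNECTED - Connection to 01:80:c2:00:00:03 completed [id=0 id_str=]
EOF
        ;;
    failure)
        cat >"$f" <<'EOF'
1600000000.100000: bond0: Associated with 01:80:c2:00:00:03
1600000000.200000: bond0: CTRL-EVENT-EAP-STARTED EAP authentication started
1600000000.300000: bond0: CTRL-EVENT-EAP-METHOD EAP vendor 0 method 13 (TLS) selected
1600000000.350000: SSL: SSL3 alert: read (remote end reported an error):fatal:unknown CA
1600000000.400000: bond0: CTRL-EVENT-EAP-FAILURE EAP authentication failed
1600000000.500000: bond0: CTRL-EVENT-DISCONNECTED bssid=01:80:c2:00:00:03 reason=0
EOF
        ;;
    esac
    echo "$f"
}

# Usage on a real server (log path as configured in OTHER_ARGS in step ④):
#   wpa_8021x_state /var/log/wpa_supplicant.log bond0
#   wpa_8021x_tls_hint /var/log/wpa_supplicant.log
```

The "unknown CA" alert in the constructed failure log is reported by the switch's RADIUS side and means the server did not trust the client certificate chain; "certificate verify failed" in the same log instead means the supplicant did not trust what `ca_cert` was given in ④.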
# ⑧ Check on the network switch side that supplicant authentication succeeded
- Log output and commands vary depending on the manufacturer and model of the network switch, so they are omitted here.