802.1X authentication to the network of Bonding setting in CentOS7


# Network settings on a single NIC work, but …

There was a case where I wanted a newly installed server to **bond multiple NIC ports and join the network with 802.1X authentication**.
On my own I was only able to join the network with a single NIC, but with the cooperation of the people around me I was able to join with 802.1X authentication even with bonding.

Even searching the web I could not find a method for 802.1X authentication with a **bonding configuration**, so I am publishing it as an article here. (Thanks to everyone who cooperated!)

# Environment / things to prepare

I can't disclose the details of the server and network switch, but think of the server as a rack-mount server from a vendor such as Fujitsu, HP or IBM, and of the network switch as a product such as NETGEAR or Cisco.

  • We will proceed on the premise that the network bonding settings have already been created in CentOS 7.
  • OS: CentOS 7.8
  • NIC ports to be bonded: wired connection with two ports on an Intel 10G NIC
  • Certificate file: ZZZZZZ.pem (or it may be in crt format)
  • Private key file: ZZZZZZ.p12

# ① Convert the certificate file from crt format to pem format

Initially I received the certificate from the user in crt format, but for a reason I could not identify, 802.1X authentication failed in the later steps while the certificate was in crt format.
So convert it from crt to pem format with the following command.

  • If the certificate file is already in pem format, this step is not necessary.

```bash
openssl x509 -in ZZZZZZ.crt -out ZZZZZZ.pem
```

# ② Move the certificate file and private key file to their storage directory
Save ZZZZZZ.pem and ZZZZZZ.p12 in `/etc/pki/CA/certs/`.

# ③ Edit the ifcfg file
The bonding settings file `/etc/sysconfig/network-scripts/ifcfg-bond0` is set as follows.

```
BONDING_OPTS="mode=4 miimon=100 xmit_hash_policy=layer2+3"
DEVICE=bond0
TYPE=Bond
BOOTPROTO=none
BONDING_MASTER=yes
NAME=bond0
ONBOOT=yes
UUID=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
MTU=9000
DNS1=aaa.bbb.ccc.ddd
DNS2=aaa.bbb.ccc.ddd
GATEWAY=aaa.bbb.ccc.ddd
IPADDR=aaa.bbb.ccc.ddd
NETMASK=aaa.bbb.ccc.ddd
PREFIX=yy

# 802.1X authentication settings
KEY_MGMT=IEEE8021X
IEEE_8021X_EAP_METHODS=TLS
IEEE_8021X_IDENTITY=XXXXXXXXX
# Path where the pem format file was saved in ②
IEEE_8021X_CA_CERT=/etc/pki/CA/certs/ZZZZZZ.pem
# Path where the p12 format file was saved in ②
IEEE_8021X_PRIVATE_KEY=/etc/pki/CA/certs/ZZZZZZ.p12
DOMAIN=zzzz.zzzz.zzzz
```


# ④ Edit /etc/sysconfig/wpa_supplicant and /etc/wpa_supplicant/wpa_supplicant.conf
Edit the contents of `/etc/sysconfig/wpa_supplicant` (the service's command-line options) as follows.

```
INTERFACES="-iZZZZZZ"
DRIVERS="-Dwired"
OTHER_ARGS="-u -f /var/log/wpa_supplicant.log -P /var/run/wpa_supplicant.pid -t"
```

Edit the contents of `/etc/wpa_supplicant/wpa_supplicant.conf` as follows. The EAP method name is case-sensitive, so write `eap=TLS`.

```
ctrl_interface=/var/run/wpa_supplicant
ctrl_interface_group=0
network={
    key_mgmt=IEEE8021X
    eap=TLS
    identity="ZZZZZZ"
    ca_cert="/etc/pki/CA/certs/ZZZZZZ.pem"
    private_key="/etc/pki/CA/certs/ZZZZZZ.p12"
    private_key_passwd="ZZZZZZ"
}
```


# ⑤ Disable the startup of NetworkManager when the server starts
If NetworkManager is started first, 802.1X authentication cannot be performed, so **disable the service**.

```bash
chkconfig NetworkManager off
```


# ⑥ Enable and start wpa_supplicant
Since wpa_supplicant must be running for 802.1X authentication, **enable and start the service**.

```bash
chkconfig wpa_supplicant on
systemctl start wpa_supplicant
```


# ⑦ Start wpa_supplicant and check whether the connection succeeds

If the following command prints `bond0: CTRL-EVENT-CONNECTED - Connection to <MAC address> completed`, 802.1X authentication has succeeded.

```bash
wpa_supplicant -c /etc/wpa_supplicant/wpa_supplicant.conf -D wired -i bond0
```
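Two things decide whether step ⑦ succeeds: the bond from step ③ must actually be up in LACP mode with both ports, and wpa_supplicant must have reached CTRL-EVENT-CONNECTED rather than an EAP failure. The script below is an added example, not part of the original post, that checks both from files: `/proc/net/bonding/bond0` (the kernel's status file for the bond; "IEEE 802.3ad Dynamic link aggregation" is its text for `mode=4`) and the `/var/log/wpa_supplicant.log` named in `OTHER_ARGS`. The CTRL-EVENT-* tags are wpa_supplicant's own event names; the function names, the `--demo` option and the sample files are mine, and the samples are constructed, not real captures.

```bash
#!/bin/bash
# Added example, not from the original post: check the bond (step ③) and
# the 802.1X outcome (step ⑦) from the files the server produces. Both
# functions take a path, so they work on /proc/net/bonding/bond0 and on
# the /var/log/wpa_supplicant.log from OTHER_ARGS, or on saved copies.

# Summarise /proc/net/bonding/<bond> as "<mode>|<bond MII status>|<slaves up>/<slaves>".
# The first "MII Status:" line belongs to the bond; later ones follow each
# "Slave Interface:" line.
bond_status() {
    awk '
        /^Bonding Mode:/    { sub(/^Bonding Mode: */, ""); mode = $0 }
        /^Slave Interface:/ { slaves++; in_slave = 1 }
        /^MII Status:/      { if (in_slave) { if ($3 == "up") up++ } else bond_mii = $3 }
        END { printf "%s|%s|%d/%d\n", mode, bond_mii, up, slaves }
    ' "$1"
}

# Return 0 when the bond is in mode=4 from BONDING_OPTS (802.3ad/LACP),
# the bond itself is up and every slave is up.
bond_ok() {
    local s counts
    s=$(bond_status "$1")
    case "$s" in
        "IEEE 802.3ad Dynamic link aggregation|up|"*) ;;
        *) return 1 ;;
    esac
    counts=${s##*|}
    [ "${counts%/*}" -gt 0 ] && [ "${counts%/*}" = "${counts#*/}" ]
}

# Classify a wpa_supplicant log: CONNECTED if the last CTRL-EVENT-CONNECTED
# comes after any failure, otherwise CERT-ERROR (server certificate rejected),
# EAP-FAILED or PENDING (nothing decisive logged yet).
auth_status() {
    awk '
        /CTRL-EVENT-CONNECTED/          { conn = NR }
        /CTRL-EVENT-EAP-TLS-CERT-ERROR/ { cert = NR }
        /CTRL-EVENT-EAP-FAILURE/        { fail = NR }
        END {
            if (conn > cert && conn > fail) print "CONNECTED"
            else if (cert > 0)             print "CERT-ERROR"
            else if (fail > 0)             print "EAP-FAILED"
            else                           print "PENDING"
        }
    ' "$1"
}

# Constructed sample files (not real captures) so the checks can be tried offline.
write_samples() {
    cat > "$1/bond_degraded" <<'EOF'
Ethernet Channel Bonding Driver: v3.7.1 (April 27, 2011)

Bonding Mode: IEEE 802.3ad Dynamic link aggregation
Transmit Hash Policy: layer2+3 (2)
MII Status: up
MII Polling Interval (ms): 100

Slave Interface: ens1f0
MII Status: up
Speed: 10000 Mbps

Slave Interface: ens1f1
MII Status: down
Speed: Unknown
EOF
    sed 's/^MII Status: down/MII Status: up/' "$1/bond_degraded" > "$1/bond_good"
    cat > "$1/wpa_ok.log" <<'EOF'
1600000000.000001: bond0: CTRL-EVENT-EAP-STARTED EAP authentication started
1600000000.100001: bond0: CTRL-EVENT-EAP-SUCCESS EAP authentication completed successfully
1600000000.100002: bond0: CTRL-EVENT-CONNECTED - Connection to 01:80:c2:00:00:03 completed [id=0 id_str=]
EOF
    cat > "$1/wpa_cert.log" <<'EOF'
1600000000.000001: bond0: CTRL-EVENT-EAP-STARTED EAP authentication started
1600000000.100001: bond0: CTRL-EVENT-EAP-TLS-CERT-ERROR reason=1 depth=0 subject='/CN=radius' err='certificate has expired'
1600000000.100002: bond0: CTRL-EVENT-EAP-FAILURE EAP authentication failed
EOF
}

# Usage: bond_check.sh --demo   |   bond_check.sh /proc/net/bonding/bond0 /var/log/wpa_supplicant.log
case "$#:${1:-}" in
    1:--demo) d=$(mktemp -d); write_samples "$d"
              for f in bond_degraded bond_good; do echo "$f: $(bond_status "$d/$f")"; done
              for f in wpa_ok.log wpa_cert.log; do echo "$f: $(auth_status "$d/$f")"; done ;;
    2:*)      if bond_ok "$1"; then echo "bond OK"; else echo "bond NOT ready: $(bond_status "$1")"; fi
              echo "802.1X: $(auth_status "$2")" ;;
esac
```

On the server, `bash bond_check.sh /proc/net/bonding/bond0 /var/log/wpa_supplicant.log` tells you in one line whether the problem is on the bonding side (a slave down, or the switch port not in LACP) or on the 802.1X side (the server certificate rejected against `ca_cert`, or an EAP failure) before you go to the switch in step ⑧.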

# ⑧ Check on the network switch side that supplicant authentication succeeded

  • Log output and commands vary with the manufacturer and model of the network switch, so they are omitted here.