Network settings on a single NIC work, but …
There was a case where I wanted the installed server's network to be **bonded across multiple NIC ports and to join the network with 802.1X authentication**.
Until then I had only joined the network with a single NIC on my own, but with the cooperation of the people around me I was able to join with 802.1X authentication even in the bonding case.
Even searching the net, I could not find a method for 802.1X authentication with a **bonding setting**, so I am publishing it as an article here. (Thanks to everyone who cooperated!)
# Environment / things to prepare
I cannot give the device details of the server and network switch, but think of the server as a rack-mount server such as Fujitsu, HP or IBM, and of the network switch as a product such as NETGEAR or Cisco.
- We will proceed on the premise that the network bonding settings are created in CentOS 7 in advance.
- OS: CentOS 7.8
- NIC ports to be bonded: two ports on an Intel 10G NIC, wired connection
- Certificate file: ZZZZZZ.pem (or it may be in crt format)
- Private key file: ZZZZZZ.p12
# ① Convert the certificate file from crt format to pem format
Initially I received the certificate from the user as a crt file, but for a reason I could not determine, 802.1X authentication with the crt-format file failed in the later steps.
So convert it from crt to pem format with the following command.
- If the certificate file is already in pem format, this step is not necessary.

```shell
openssl x509 -in ZZZZZZ.crt -out ZZZZZZ.pem
```
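The one-liner above rewrites whatever the first certificate in the file is as a clean PEM block, which is also the reason it can quietly "fix" a crt file that carried extra text, a chain, or DER encoding. The following script is an added example, not part of the original article: it detects whether the input is PEM or DER, converts only as needed, and verifies the result so that the subject and SHA-256 fingerprint can be compared with what the CA operator handed over. It assumes an `openssl` CLI (1.1 or 3.x) on PATH; the file names are the article's placeholders.

```shell
#!/bin/sh
# Added example (not from the original article): normalise a certificate file
# to a single clean PEM certificate whether the input is PEM or DER, and verify
# the result before it is handed to 802.1X. Assumes an openssl CLI on PATH.

# Print "PEM" or "DER" depending on how openssl can parse the file; fail otherwise.
cert_encoding() {
    if openssl x509 -in "$1" -inform PEM -noout 2>/dev/null; then
        echo PEM
    elif openssl x509 -in "$1" -inform DER -noout 2>/dev/null; then
        echo DER
    else
        echo "not an X.509 certificate: $1" >&2
        return 1
    fi
}

# Convert $1 (either encoding) to a clean PEM file at $2. Only the first
# certificate in the input is kept, which is what a single CA-cert path in
# ifcfg (IEEE_8021X_CA_CERT) expects.
cert_to_pem() {
    enc=$(cert_encoding "$1") || return 1
    openssl x509 -in "$1" -inform "$enc" -outform PEM -out "$2" || return 1
    # Verify the output parses and print subject, expiry and fingerprint so
    # they can be checked against the values the CA operator provided.
    openssl x509 -in "$2" -noout -subject -enddate -fingerprint -sha256
}

# SHA-256 fingerprint only, for comparing two copies of the same certificate.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# Usage, matching the article's step ①:
#   cert_to_pem ZZZZZZ.crt ZZZZZZ.pem
```

Comparing the fingerprint of the converted file with the one published by the CA is the check that actually matters here: a certificate that converts cleanly but is the wrong CA will still make EAP-TLS fail, only with a less obvious error in the supplicant log.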
# ② Move the certificate file and private key file to their storage directory
Save ZZZZZZ.pem and ZZZZZZ.p12 in `/etc/pki/CA/certs/`.

# ③ Edit the ifcfg file
The bonding setting file `/etc/sysconfig/network-scripts/ifcfg-bond0` is set as follows.

```text
BONDING_OPTS="mode=4 miimon=100 xmit_hash_policy=layer2+3"

# 802.1X authentication settings
IEEE_8021X_CA_CERT=/etc/pki/CA/certs/ZZZZZZ.pem        # path of the pem file saved in ②
IEEE_8021X_PRIVATE_KEY=/etc/pki/CA/certs/ZZZZZZ.p12    # path of the p12 file saved in ②
```
# ④ Edit /etc/sysconfig/wpa_supplicant and /etc/wpa_supplicant/wpa_supplicant.conf
Edit the contents of `/etc/sysconfig/wpa_supplicant` as follows.

```text
OTHER_ARGS="-u -f /var/log/wpa_supplicant.log -P /var/run/wpa_supplicant.pid -t"
```

Edit the contents of `/etc/wpa_supplicant/wpa_supplicant.conf` as follows.
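As an added example (not the article's own listings), the script below writes both files that step ④ edits, filled in for wired 802.1X on bond0 with the certificate paths from steps ② and ③. The article only shows `OTHER_ARGS`; everything else is my assumption: EAP-TLS as the method (a CA certificate plus a PKCS#12 client certificate/key is the usual EAP-TLS material), the `INTERFACES`/`DRIVERS` lines that match the `-D wired -i bond0` command in step ⑦, and the identity and PKCS#12 passphrase, which are placeholders to replace. The files are written under a directory you pass (a temporary one by default) rather than straight into `/etc`, so they can be reviewed first, and they are created mode 600 because `wpa_supplicant.conf` carries the private-key passphrase.

```shell
#!/bin/sh
# Added example (not the article's own files): generate the two wpa_supplicant
# files for wired EAP-TLS on bond0 and keep them owner-readable only.
# Assumptions: EAP-TLS, placeholder identity and .p12 passphrase, and the
# INTERFACES/DRIVERS lines; the article itself only shows OTHER_ARGS.

CA_CERT=/etc/pki/CA/certs/ZZZZZZ.pem          # CA certificate path from step ②
CLIENT_P12=/etc/pki/CA/certs/ZZZZZZ.p12       # PKCS#12 with client certificate and key
IDENTITY="REPLACE-WITH-SUPPLICANT-IDENTITY"   # placeholder (assumption)
P12_PASSWORD="REPLACE-WITH-P12-PASSPHRASE"    # placeholder (assumption)

# Write wpa_supplicant.conf and the sysconfig file into directory $1.
write_8021x_config() {
    dir=$1
    (
    umask 077   # both files are created 0600; the .conf holds a passphrase
    cat > "$dir/wpa_supplicant.conf" <<EOF
# wired 802.1X on bond0: no Wi-Fi scanning, control socket for wpa_cli
ctrl_interface=/var/run/wpa_supplicant
ap_scan=0

network={
    key_mgmt=IEEE8021X
    eap=TLS
    identity="$IDENTITY"
    ca_cert="$CA_CERT"
    # A PKCS#12 file carries both the client certificate and its key, so
    # client_cert can be omitted when private_key points at a .p12 file.
    private_key="$CLIENT_P12"
    private_key_passwd="$P12_PASSWORD"
    eapol_flags=0
}
EOF
    # Sysconfig file: interface, driver, and the article's extra arguments
    # (-u D-Bus control, -f log file, -P pid file, -t timestamps in the log)
    cat > "$dir/wpa_supplicant" <<EOF
INTERFACES="-ibond0"
DRIVERS="-Dwired"
OTHER_ARGS="-u -f /var/log/wpa_supplicant.log -P /var/run/wpa_supplicant.pid -t"
EOF
    )
}

# Return 0 only if the file exists and is readable by its owner alone (0600 or 0400).
private_file_ok() {
    [ -f "$1" ] || return 1
    mode=$(stat -c %a "$1" 2>/dev/null) || return 1
    case $mode in
        600|400) return 0 ;;
        *) return 1 ;;
    esac
}

# Demo: write into $1 (or a temporary directory) and report the permission check.
out=${1:-$(mktemp -d)}
write_8021x_config "$out"
for f in "$out/wpa_supplicant.conf" "$out/wpa_supplicant"; do
    if private_file_ok "$f"; then echo "ok   $f"; else echo "FIX  $f (chmod 600)"; fi
done
```

Once reviewed, the two files go to `/etc/wpa_supplicant/wpa_supplicant.conf` and `/etc/sysconfig/wpa_supplicant`, keeping the 600 mode; the same permission check is worth running on the `.p12` file in `/etc/pki/CA/certs/`, since it holds the private key itself.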
# ⑤ Disable NetworkManager startup when the server boots
If NetworkManager is started in advance, 802.1X authentication cannot be performed, so **disable the service**.

```shell
chkconfig NetworkManager off
```
# ⑥ Enable and start wpa_supplicant
Since wpa_supplicant must be running for 802.1X authentication, **enable and start the service**.

```shell
chkconfig wpa_supplicant on
systemctl start wpa_supplicant
```
# ⑦ Start wpa_supplicant and check that the connection succeeds
If the following command outputs `bond0: CTRL-EVENT-CONNECTED - Connection to <MAC address> completed`, 802.1X authentication has succeeded.

```shell
wpa_supplicant -c /etc/wpa_supplicant/wpa_supplicant.conf -D wired -i bond0
```
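Reading the foreground output works for a one-off check, but the same judgement can be made from the log file that the `-f` argument in step ④ writes, which is what you want on a server that reboots unattended. The script below is an added example, not from the article: it classifies a wpa_supplicant log as connected, failed, or still pending, and pulls out the MAC address of the switch port that completed authentication. The sample log lines are constructed to mimic wpa_supplicant's event message formats and are not a real capture.

```shell
#!/bin/sh
# Added example (not from the article): classify the outcome of an 802.1X
# attempt from wpa_supplicant's log. Works on /var/log/wpa_supplicant.log
# (the -f path from step ④) or on the foreground output of step ⑦ saved to a file.

# Print one word and return 0 (connected), 1 (failed) or 2 (no result yet).
supplicant_verdict() {
    log=$1
    if grep -q 'CTRL-EVENT-CONNECTED - Connection to ' "$log"; then
        echo connected
        return 0
    elif grep -Eq 'CTRL-EVENT-EAP-FAILURE|CTRL-EVENT-EAP-TLS-CERT-ERROR|CTRL-EVENT-DISCONNECTED' "$log"; then
        echo failed
        return 1
    else
        echo pending   # no EAP event at all: the switch port may not be sending EAPOL
        return 2
    fi
}

# Print the MAC address the supplicant authenticated to (the switch's PAE address).
connected_peer() {
    sed -n 's/.*CTRL-EVENT-CONNECTED - Connection to \([0-9a-fA-F:]*\) completed.*/\1/p' "$1" | tail -n 1
}

# Constructed sample logs (timestamp prefix as produced by the -t argument)
ok_log=$(mktemp); fail_log=$(mktemp)
cat > "$ok_log" <<'EOF'
1700000000.000000: bond0: Associated with 01:80:c2:00:00:03
1700000000.100000: bond0: CTRL-EVENT-EAP-STARTED EAP authentication started
1700000000.200000: bond0: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=13
1700000000.500000: bond0: CTRL-EVENT-EAP-SUCCESS EAP authentication completed successfully
1700000000.600000: bond0: CTRL-EVENT-CONNECTED - Connection to 01:80:c2:00:00:03 completed [id=0 id_str=]
EOF
cat > "$fail_log" <<'EOF'
1700000010.000000: bond0: CTRL-EVENT-EAP-STARTED EAP authentication started
1700000010.300000: bond0: CTRL-EVENT-EAP-FAILURE EAP authentication failed
1700000010.400000: bond0: CTRL-EVENT-DISCONNECTED bssid=01:80:c2:00:00:03 reason=0
EOF

supplicant_verdict "$ok_log"                          # connected
connected_peer "$ok_log"                              # 01:80:c2:00:00:03
supplicant_verdict "$fail_log" || echo "exit status $?"   # failed, exit status 1
rm -f "$ok_log" "$fail_log"
```

The "failed" branch is worth distinguishing from "pending": an EAP failure means the switch and supplicant talked and the credentials or certificate chain were rejected (compare the CA fingerprint from step ①), while no event at all usually points at the port not being configured for 802.1X or EAPOL not reaching bond0.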
# ⑧ Check on the network switch side that supplicant authentication succeeded
- Log output and commands vary by network switch manufacturer and model, so they are omitted here.