NetworkManager

Last modified by Sebastian Marsching on 2022/05/29 14:00

Verify certificate subject when using 802.1x / EAP

When using 802.1x authentication (e.g. for a WiFi), specifying a certificate authority (CA) for the server certificate is simple. However, specifying the CA alone might not be sufficient, because the same CA might also issue client certificates or even certificates for a completely different purpose, and a client that only checks the CA would accept any of them as a RADIUS server certificate. For this reason, one should also check the certificate subject in order to ensure that the client is connected to the proper RADIUS server(s).

Unfortunately, the GUI (as of Ubuntu 16.04 LTS) does not provide any configuration option for such a verification. Luckily, this is just a shortcoming of the GUI, not of NetworkManager itself. NetworkManager allows for verifying the server certificate using the subject-match, domain-suffix-match, and altsubject-matches options. These options can be specified in the 802-1x section of the connection's configuration file. For system-wide connections, the configuration files are typically stored in /etc/NetworkManager/system-connections. The subject-match option is no longer recommended, and the documentation suggests using the domain-suffix-match option instead. As the name suggests, the domain-suffix-match option specifies a DNS name suffix. If the common name (CN) of the certificate's subject or one of the DNS names stored in the certificate ends with that suffix, the check succeeds.

When the server certificate should be verified in both phases of the EAP authentication process, each of these options can also be prefixed with phase2- (e.g. phase2-domain-suffix-match) in order to apply the check in the second phase as well. Typically, one will check for the same DNS name suffix in both phases, so that domain-suffix-match and phase2-domain-suffix-match will specify the same value.
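As an added illustration (not part of the original page), the following Python script embeds a constructed keyfile of the kind found in /etc/NetworkManager/system-connections, once with only a CA configured and once with domain-suffix-match and phase2-domain-suffix-match added, and audits the 802-1x section for the checks described above. The connection id, identity, certificate path and host names are placeholders, and suffix_matches is a model of the suffix comparison, not NetworkManager's own code.

```python
import configparser

# Constructed sample keyfile in the style of /etc/NetworkManager/system-connections/;
# connection id, identity, CA path and host names are placeholders.
WEAK_KEYFILE = """\
[connection]
id=corp-wifi
type=wifi

[802-11-wireless-security]
key-mgmt=wpa-eap

[802-1x]
eap=peap;
identity=alice
phase2-auth=mschapv2
ca-cert=/etc/ssl/certs/corp-ca.pem
"""

# The same connection with the RADIUS server name pinned in both EAP phases.
HARDENED_KEYFILE = WEAK_KEYFILE + """\
domain-suffix-match=radius.example.org
phase2-domain-suffix-match=radius.example.org
"""


def suffix_matches(dns_name, suffix):
    """Model of a DNS suffix match on whole labels: 'example.org' matches
    'radius.example.org' but not 'evilexample.org'."""
    dns_name, suffix = dns_name.lower().rstrip("."), suffix.lower().rstrip(".")
    return dns_name == suffix or dns_name.endswith("." + suffix)


def audit_8021x(keyfile_text):
    """Return a list of findings for the [802-1x] section of a keyfile."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(keyfile_text)
    if not cp.has_section("802-1x"):
        return []  # no EAP configured, nothing to check
    sec = cp["802-1x"]
    findings = []
    if "ca-cert" not in sec:
        findings.append("no ca-cert: the server certificate is not validated")
    outer = sec.get("domain-suffix-match")
    inner = sec.get("phase2-domain-suffix-match")
    if not outer:
        findings.append("no domain-suffix-match: any certificate from the CA is accepted")
    if not inner:
        findings.append("no phase2-domain-suffix-match: server name not pinned in phase 2")
    elif outer and outer != inner:
        findings.append("phase 1 and phase 2 suffixes differ: %s vs %s" % (outer, inner))
    return findings
```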