Changes for page NetworkManager
Last modified by Sebastian Marsching on 2022/05/29 14:00
From version 1.2
edited by Sebastian Marsching
on 2022/03/27 14:21
Change comment:
Added tag [Linux]
To version 2.1
edited by Sebastian Marsching
on 2022/05/29 14:00
Change comment:
There is no comment for this version
Summary
Page properties (1 modified, 0 added, 0 removed)
Details
- Page properties
- Content
... ... @@ -1,6 +1,6 @@ 1 1 # Verify certificate subject when using 802.1x / EAP 2 2 3 -When using 802.1x authentication (e.g. for a [WiFi](https://sebastian.marsching.com/wiki/WiFi)), specifying a certificate authority (CA) for the server certificate is simple. However, specifying the CA might not be sufficient because it might also issue client certificates or even certificates for a completely different purpose. For this reason, one should also check the certificate subject in order to ensure that the client is connected to the proper RADIUS server(s).3 +When using 802.1x authentication (e.g. for a WiFi), specifying a certificate authority (CA) for the server certificate is simple. However, specifying the CA might not be sufficient because it might also issue client certificates or even certificates for a completely different purpose. For this reason, one should also check the certificate subject in order to ensure that the client is connected to the proper RADIUS server(s). 4 4 5 5 Unfortunately, the GUI (as of Ubuntu 16.04 LTS) does not provide any configuration option for such a verification. Luckily, this is just a shortcoming of the GUI, not of NetworkManager itself. NetworkManager allows for verifying the server certificate using the `subject-match`, `domain-suffix-match`, and `altsubject-matches` options. These options can be specified in the `802-1x` section of the connection's configuration file. For system-wide connections, the configuration files are typically stored in `/etc/NetworkManager/system-connections`. For some reason, the `subject-match` option is not recommended any longer and the [documentation](https://developer.gnome.org/NetworkManager/stable/ref-settings.html) suggests using the `domain-suffix-match` option instead. As the name suggest, the `domain-suffix-match` option specifies a DNS name suffix. If the common name (CN) of the certificate's subject or one of the DNS names stored in the certificate matches, the check succeeds. 6 6
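Review bot: On the changed line 3, dropping the link leaves "e.g. for a WiFi" reading as an incomplete phrase; "e.g. for a WiFi network" would read better now that the word no longer points at a page. Version 2.1 also carries no change comment, so the reason for removing the link is not recorded; a short comment would help anyone reading the history. In the unchanged context on line 5, "As the name suggest" should be "As the name suggests", and "For some reason, the `subject-match` option is not recommended any longer" would be more useful to a reader if it stated the reason the linked documentation gives instead of leaving it open. The same line says the check succeeds if the CN or one of the DNS names "matches" without saying what a suffix match accepts; since this is the sentence that decides which RADIUS servers a client will trust, it is worth spelling out the comparison rule there.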