Wiki source code of NetworkManager

Last modified by Sebastian Marsching on 2022/05/29 14:00

# Verify certificate subject when using 802.1x / EAP

When using 802.1X authentication (e.g. for a WiFi network), specifying a certificate authority (CA) for the server certificate is simple. However, pinning the CA alone is often not sufficient: the same CA may also issue client certificates, or certificates for a completely different purpose, and every one of them would be accepted as the RADIUS server's certificate. For this reason, one should also check the certificate's subject (or, better, its DNS names) in order to ensure that the client only completes the authentication with the proper RADIUS server(s).

Unfortunately, the GUI (as of Ubuntu 16.04 LTS) does not provide any configuration option for such a verification. Luckily, this is just a shortcoming of the GUI, not of NetworkManager itself. NetworkManager can verify the server certificate using the `subject-match`, `domain-suffix-match`, and `altsubject-matches` options. These options go in the `802-1x` section of the connection's configuration file; for system-wide connections, the configuration files (keyfiles) are typically stored in `/etc/NetworkManager/system-connections`. The `subject-match` option is deprecated because it only performs a substring match against the subject of the certificate, which provides little security, so the [documentation](https://developer.gnome.org/NetworkManager/stable/ref-settings.html) suggests using `domain-suffix-match` instead. As the name suggests, `domain-suffix-match` specifies a DNS name suffix. It is compared against the dNSName entries of the certificate's subject alternative names; only if the certificate contains no dNSName entries at all is the suffix compared against the common name (CN) of the subject instead. The comparison is done label by label, so `radius.example.com` matches `radius.example.com` and `eu.radius.example.com`, but not `notradius.example.com`. `altsubject-matches` is the stricter alternative: it takes a list of subject alternative name entries, such as `DNS:radius.example.com`, and the certificate must contain one of them exactly.

If the server certificate should be verified in both phases of the EAP authentication process, the same options exist with a `phase2-` prefix (e.g. `phase2-domain-suffix-match`) and apply to the second phase. Note that phase 2 only presents a server certificate when the inner method uses TLS itself (for example EAP-TLS tunnelled in PEAP or EAP-TTLS); with an inner method such as MSCHAPv2 there is nothing to check there. Typically, one will check for the same DNS name suffix in both phases, so that `domain-suffix-match` and `phase2-domain-suffix-match` will specify the same value.
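The two keyfile variants described above (CA only versus CA plus `domain-suffix-match`), together with a small audit that flags every connection in a directory that pins a CA but sets no server-identity constraint, as an added example; this is not code from the page or from NetworkManager. The connection names, SSID, CA path and the suffix `radius.example.com` are assumptions, and the keyfiles are constructed here rather than taken from a real system.

```shell
#!/bin/sh
# Added example, not NetworkManager's own code: audit keyfiles under a directory
# (e.g. /etc/NetworkManager/system-connections) for 802.1X connections that pin a
# CA but set no server-identity constraint. Sample keyfiles are constructed here;
# the SSID, CA path, connection names and the suffix radius.example.com are assumptions.
set -eu

# check_8021x_identity FILE
# Exit status: 0 = [802-1x] section sets domain-suffix-match, altsubject-matches
#                  or the deprecated subject-match to a non-empty value
#              1 = [802-1x] section present but none of them is set (CA-only: weak)
#              2 = no [802-1x] section at all (not an EAP connection)
check_8021x_identity() {
    awk '
        /^\[/ {                                  # a new keyfile section starts
            insec = ($0 ~ /^\[802-1x\][ \t]*$/)
            if (insec) seen = 1
            next
        }
        insec && /^(domain-suffix-match|altsubject-matches|subject-match)[ \t]*=[ \t]*[^ \t]/ { ok = 1 }
        END { if (!seen) exit 2; exit (ok ? 0 : 1) }
    ' "$1"
}

# write_samples DIR: two constructed keyfiles showing the weak and the hardened form.
write_samples() {
    # Weak: any certificate issued by corp-ca.pem, including client certificates,
    # is accepted as the RADIUS server's certificate.
    cat > "$1/corp-wifi-weak.nmconnection" <<'EOF'
[connection]
id=corp-wifi-weak
type=wifi

[wifi]
ssid=corp-wifi
mode=infrastructure

[wifi-security]
key-mgmt=wpa-eap

[802-1x]
eap=peap;
identity=alice
phase2-auth=mschapv2
ca-cert=/etc/ssl/certs/corp-ca.pem
EOF

    # Hardened: the server certificate must additionally carry a dNSName (or, if it
    # has none, a CN) ending in radius.example.com. The phase2- line mirrors phase 1
    # as the page recommends; it is only consulted if the inner method presents a
    # certificate of its own. Exact-match alternative for the SAN:
    #   altsubject-matches=DNS:radius.example.com;
    # The same setting via nmcli on a live system:
    #   nmcli connection modify corp-wifi-hardened 802-1x.domain-suffix-match radius.example.com
    cat > "$1/corp-wifi-hardened.nmconnection" <<'EOF'
[connection]
id=corp-wifi-hardened
type=wifi

[wifi]
ssid=corp-wifi
mode=infrastructure

[wifi-security]
key-mgmt=wpa-eap

[802-1x]
eap=peap;
identity=alice
phase2-auth=mschapv2
ca-cert=/etc/ssl/certs/corp-ca.pem
domain-suffix-match=radius.example.com
phase2-domain-suffix-match=radius.example.com
EOF
}

# audit_dir DIR: one line per keyfile; returns the number of weak connections.
# Older NetworkManager versions wrote keyfiles without the .nmconnection suffix,
# so every regular file in the directory is examined.
audit_dir() {
    weak=0
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        rc=0
        check_8021x_identity "$f" || rc=$?
        case $rc in
            0) printf 'OK    %s\n' "$f" ;;
            1) printf 'WEAK  %s  (CA pinned, server identity unchecked)\n' "$f"
               weak=$((weak + 1)) ;;
            2) printf 'SKIP  %s  (no 802-1x section)\n' "$f" ;;
        esac
    done
    return $weak
}

tmp=$(mktemp -d)
write_samples "$tmp"
audit_dir "$tmp" || printf '%s weak connection(s) found\n' "$?"
rm -rf "$tmp"
```

To audit a real system, replace the temporary directory with `/etc/NetworkManager/system-connections` (root is needed, since the keyfiles hold credentials); a `WEAK` line means the connection would accept any certificate the configured CA has ever issued.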