802.1X / EAP-TLS

Enterprise network access control using certificate-based authentication.

Topics

Topic                 Description
Concepts              802.1X architecture, EAP methods, RADIUS flow
Certificates          PKI requirements, enrollment, renewal
wpa_supplicant        Configuration and profiles
systemd Integration   Service management, boot order, DHCP coordination
Troubleshooting       Battle-tested fixes for common failures

Why EAP-TLS?

EAP-TLS is the strongest EAP method in common enterprise use:

  • Mutual authentication: the server proves its identity with a certificate that chains to the CA the client is configured to trust, and the client proves its identity by signing the TLS handshake with its private key

  • No passwords: there is nothing to phish, spray or relay; the credential is a private key that should never leave the host (ideally held in a TPM or smartcard), so protecting that key file is the whole game

  • Device identity: the certificate is issued to a specific machine, so network access is tied to the device rather than to whoever is logged in

  • Revocation: a compromised certificate can be revoked at the CA, but the RADIUS server only starts refusing it once it sees the updated CRL or an OCSP response, so revocation is exactly as fast as that check

Architecture

Figure 1. 802.1X EAP-TLS Authentication Flow

The authentication flow involves three parties: the supplicant (Linux client), the authenticator (switch or access point), and the authentication server (Cisco ISE or any other RADIUS server). The authenticator only relays EAP frames between EAPOL on the wire and RADIUS; the TLS handshake, and therefore the mutual certificate check, runs end to end between supplicant and authentication server, and the switch never sees the negotiated keys.

Requirements

Certificates

  • CA Certificate — trust anchor for validating the RADIUS server's certificate; use the dedicated 802.1X CA chain, not the system-wide public CA bundle, or any publicly issued server certificate would be accepted

  • Client Certificate — proves client identity; its subject or SAN is what the RADIUS server maps to a device

  • Private Key — signs the TLS handshake (CertificateVerify); it stays on the client and must be readable only by the account wpa_supplicant runs as (root)

Configuration Files

Path                                         Purpose
/etc/wpa_supplicant/wpa_supplicant.conf      wpa_supplicant configuration
/etc/NetworkManager/system-connections/      NetworkManager connection profiles
/etc/ssl/certs/                              CA certificates
/etc/ssl/private/                            Private keys (restricted permissions: root-owned, mode 0600)

Quick Start

wpa_supplicant

# /etc/wpa_supplicant/wpa_supplicant-wired.conf
ctrl_interface=/run/wpa_supplicant
# Wired links are not scanned for; the interface is used as-is.
ap_scan=0
eapol_version=2

network={
    # 802.1X without WPA key management (plain wired EAPOL).
    key_mgmt=IEEE8021X
    eap=TLS
    # No dynamic WEP keys on a wired link, so do not wait for them.
    eapol_flags=0
    identity="host/{HOSTNAME}.{DOMAIN}"
    # Dedicated 802.1X CA chain only; do not point this at the system CA bundle,
    # or any publicly issued server certificate would be accepted.
    ca_cert="{path-ssl-certs}/ca-chain.pem"
    # Pin the RADIUS server's certificate name (dNSName SAN, or CN if no SAN);
    # without it any server certificate issued by the CA above is trusted.
    domain_match="{RADIUS_FQDN}"
    client_cert="{path-ssl-certs}/client.pem"
    # Unencrypted key, hence the empty passphrase; protect it with 0600, root-owned.
    private_key="{path-ssl-private}/client.key"
    private_key_passwd=""
}
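Before enabling the service it is worth checking the three files the profile points at, because a wrong CA chain, a key that does not belong to the certificate, or a key file readable by everyone all surface later as an opaque EAP failure in the logs. The script below is an added example written for this page, not code from wpa_supplicant or from the page's author; it needs only openssl and stat. The file names ca-chain.pem, client.pem and client.key follow the profile above, and the CA and client certificate the demo generates are constructed throwaway material.

```shell
#!/bin/sh
# Pre-flight check of EAP-TLS client material (added example for this page; not
# part of wpa_supplicant). Verifies what the profile relies on: the client cert
# chains to the CA file, the private key belongs to that cert, the cert is inside
# its validity window, and the key file is not readable by group or others.

# check_eap_tls_material CA_CHAIN CLIENT_CERT CLIENT_KEY
# Prints one line per check. Return codes: 0 ok, 1 chain, 2 key mismatch,
# 3 expired, 4 key permissions.
check_eap_tls_material() {
    ca="$1"; cert="$2"; key="$3"

    # 1. Trust chain. The RADIUS server will do this for our cert; doing it here
    #    separates "wrong CA file" from every other failure mode up front.
    openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 \
        || { echo "FAIL: $cert does not chain to $ca"; return 1; }
    echo "ok: client certificate chains to $ca"

    # 2. Key/cert pairing: the SubjectPublicKeyInfo in the cert must equal the
    #    public key derived from the private key (both printed as SPKI PEM).
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) \
        || { echo "FAIL: cannot read $cert"; return 2; }
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) \
        || { echo "FAIL: cannot read $key (encrypted or malformed?)"; return 2; }
    [ "$cert_pub" = "$key_pub" ] \
        || { echo "FAIL: $key does not match $cert"; return 2; }
    echo "ok: private key matches certificate"

    # 3. Validity. -checkend N fails if the cert expires within N seconds.
    openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1 \
        || { echo "FAIL: $cert has expired"; return 3; }
    openssl x509 -in "$cert" -noout -checkend $((14 * 86400)) >/dev/null 2>&1 \
        || echo "warn: $cert expires within 14 days; renew before it locks the host out"
    echo "ok: certificate is within its validity period"

    # 4. Key permissions: 0600 or 0400 only (GNU stat first, BSD/macOS stat as fallback).
    mode=$(stat -c %a "$key" 2>/dev/null || stat -f %Lp "$key")
    case "$mode" in
        600|400) echo "ok: $key mode is $mode" ;;
        *) echo "FAIL: $key mode is $mode, expected 600 or 400"; return 4 ;;
    esac
    return 0
}

# make_demo_material DIR
# Writes a throwaway CA (ca-chain.pem) and a client cert/key pair into DIR so the
# check can be exercised offline. Constructed test data, not real PKI material.
make_demo_material() {
    d="$1"
    openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -subj "/CN=Example 802.1X Root CA" -days 3650 \
        -keyout "$d/ca.key" -out "$d/ca-chain.pem" >/dev/null 2>&1
    openssl req -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -subj "/CN=client01.example.com" \
        -keyout "$d/client.key" -out "$d/client.csr" >/dev/null 2>&1
    openssl x509 -req -in "$d/client.csr" -CA "$d/ca-chain.pem" -CAkey "$d/ca.key" \
        -CAcreateserial -days 365 -out "$d/client.pem" >/dev/null 2>&1
    chmod 600 "$d/client.key"
}

# Stand-alone demo: build constructed material in a temp dir, check it, clean up.
demo() {
    tmp=$(mktemp -d) || return 1
    make_demo_material "$tmp"
    check_eap_tls_material "$tmp/ca-chain.pem" "$tmp/client.pem" "$tmp/client.key"
    rc=$?
    rm -rf "$tmp"
    return $rc
}

demo
```

On a real host run it against the paths from the profile, for example `check_eap_tls_material /etc/ssl/certs/ca-chain.pem /etc/ssl/certs/client.pem /etc/ssl/private/client.key`, and treat any non-zero exit as a reason not to start the service yet. The chain check intentionally uses only the file named in ca_cert, so it also catches the case where the client certificate was issued by a CA that is not in that file.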

Enable Service

systemctl enable --now wpa_supplicant-wired@{INTERFACE}.service

The stock wpa_supplicant-wired@.service template starts wpa_supplicant with -Dwired -i<instance> and reads /etc/wpa_supplicant/wpa_supplicant-wired-<instance>.conf, so either save the profile above as wpa_supplicant-wired-{INTERFACE}.conf or override ExecStart in a drop-in to point at your own path. Confirm the result with wpa_cli -i {INTERFACE} status; wpa_state should read COMPLETED once EAP-TLS has succeeded.