802.1X / EAP-TLS

Enterprise network access control using certificate-based authentication.

Topics

Topic             Description
Concepts          802.1X architecture, EAP methods, RADIUS flow
Certificates      PKI requirements, enrollment, renewal
wpa_supplicant    Configuration, profiles, debugging
NetworkManager    GUI and CLI configuration, nmcli
Troubleshooting   Common failures, packet captures, logs

Why EAP-TLS?

EAP-TLS is the strongest of the common EAP methods because authentication rests on certificates and a full TLS handshake:

  • Mutual authentication — the client validates the RADIUS server's certificate and the server validates the client's, so a rogue switch or RADIUS server cannot harvest credentials

  • No passwords — there is nothing to phish, guess or reuse; the client's private key still has to be protected on disk

  • Device identity — each certificate is issued to a specific machine, so access can be granted per device rather than per user

  • Revocation — a compromised certificate can be revoked at the CA; the RADIUS server must check a CRL or OCSP for the revocation to take effect

Architecture

┌─────────────┐     802.1X      ┌─────────────┐     RADIUS      ┌─────────────┐
│   Client    │◄──────────────►│   Switch/   │◄──────────────►│    ISE/     │
│  (Linux)    │   EAP-TLS      │     AP      │   EAP-TLS      │   RADIUS    │
└─────────────┘                └─────────────┘                └─────────────┘
      │                                                              │
      │              Certificate Validation                          │
      └──────────────────────────────────────────────────────────────┘

Requirements

Certificates

  • CA Certificate — trust anchor used to validate the RADIUS server's certificate (and, on the server side, the client's)

  • Client Certificate — proves the client's identity to the RADIUS server

  • Private Key — signs the TLS handshake (CertificateVerify) to prove possession of the client certificate; must be readable only by root

Configuration Files

Path                                         Purpose
/etc/wpa_supplicant/wpa_supplicant.conf      wpa_supplicant configuration
/etc/NetworkManager/system-connections/      NetworkManager connection profiles
/etc/ssl/certs/                              CA certificates
/etc/ssl/private/                            Private keys (restricted permissions)

Quick Start

wpa_supplicant

# /etc/wpa_supplicant/wpa_supplicant-wired.conf
# Control socket used by wpa_cli for status queries and debugging
ctrl_interface=/run/wpa_supplicant
# EAPOL version 2 (IEEE 802.1X-2004); the default of 1 only exists for old APs
eapol_version=2

network={
    # Wired 802.1X: EAP over LAN, no WPA key management
    key_mgmt=IEEE8021X
    eap=TLS
    # Outer identity sent in EAP-Response/Identity; must match what the RADIUS server expects
    identity="host/{HOSTNAME}.{DOMAIN}"
    # Trust anchor for validating the RADIUS server certificate; never leave this unset
    ca_cert="{path-ssl-certs}/ca-chain.pem"
    client_cert="{path-ssl-certs}/client.pem"
    private_key="{path-ssl-private}/client.key"
    # Empty because the key file above is stored unencrypted (hence the restricted permissions)
    private_key_passwd=""
}

Enable Service

# The template unit takes the interface name as its instance
systemctl enable --now wpa_supplicant-wired@{INTERFACE}.service
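Before enabling the service it is worth checking the three files the config references against each other, because a chain mismatch, a key that does not belong to the certificate, an expired certificate or a world-readable key each produce a different and confusing failure later. The script below is an added example, not part of the original page or of wpa_supplicant; it uses only the openssl CLI, and the default paths named in its comments are assumptions matching the config above.

```shell
#!/bin/sh
# EAP-TLS client pre-flight check (added example). Usage:
#   preflight.sh CA_CHAIN CLIENT_CERT CLIENT_KEY
# e.g. preflight.sh /etc/ssl/certs/ca-chain.pem /etc/ssl/certs/client.pem /etc/ssl/private/client.key
# (those paths are assumptions that mirror the wpa_supplicant config above)

# 1. Chain: the client certificate must validate against the same CA bundle
#    the supplicant presents as ca_cert. Failing here means the RADIUS
#    server will reject the client (or the client the server) at TLS level.
check_chain() {
    ca="$1"; cert="$2"
    openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1
}

# 2. Key match: the public key inside the certificate must equal the public
#    key derived from the private key, otherwise CertificateVerify fails.
#    Both commands emit the SubjectPublicKeyInfo as PEM, so a plain string
#    comparison is sufficient.
check_key_match() {
    cert="$1"; key="$2"
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 1
    [ "$cert_pub" = "$key_pub" ]
}

# 3. Expiry: succeed only if the certificate is still valid in DAYS days
#    (default 30), so renewal is flagged before the device drops off the network.
check_expiry() {
    cert="$1"; days="${2:-30}"
    openssl x509 -in "$cert" -noout -checkend $((days * 86400)) >/dev/null 2>&1
}

# 4. Permissions: an unencrypted private key must be owner-readable only.
#    GNU stat is tried first, then the BSD/macOS form.
check_key_perms() {
    key="$1"
    mode=$(stat -c '%a' "$key" 2>/dev/null) \
        || mode=$(stat -f '%Lp' "$key" 2>/dev/null) \
        || return 1
    case "$mode" in
        600|400) return 0 ;;
        *)       return 1 ;;
    esac
}

# Run every check, print a one-line verdict each, return non-zero if any failed.
preflight() {
    ca="$1"; cert="$2"; key="$3"; rc=0
    check_chain "$ca" "$cert"      && echo "ok   chain"    || { echo "FAIL chain: cert does not validate against $ca"; rc=1; }
    check_key_match "$cert" "$key" && echo "ok   keymatch" || { echo "FAIL keymatch: $key does not belong to $cert"; rc=1; }
    check_expiry "$cert" 30        && echo "ok   expiry"   || { echo "FAIL expiry: $cert expires within 30 days (or is invalid)"; rc=1; }
    check_key_perms "$key"         && echo "ok   keyperms" || { echo "FAIL keyperms: $key must be mode 600 or 400"; rc=1; }
    return $rc
}

# Stand-alone entry point: only runs when the three paths are supplied.
if [ "$#" -eq 3 ]; then
    preflight "$1" "$2" "$3"
fi
```

Run it as root (the key is unreadable otherwise) and fix every FAIL line before `systemctl enable`; a FAIL on chain is the check to revisit first, since it is the one wpa_supplicant reports least clearly in its logs.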