How to Configure 802.1x Authentication for Linux on a Windows Domain Network


When trying to connect a Linux workstation to a corporate Windows domain network with 802.1x authentication, you'll typically encounter these technical hurdles:

1. Certificate requirements:
   - Machine certificate (client authentication)
   - Trusted root CA certificate
   - Private key with proper permissions

2. Authentication protocol requirements:
   - Typically PEAP or EAP-TLS
   - May require machine account authentication

Instead of trying to pull an existing certificate and key out of a Windows machine, the cleaner approach is to request a fresh certificate from the domain CA through a domain-joined Windows machine and export only its public part:

# Request certificate through a domain-joined Windows machine (PowerShell, run as Administrator).
# -Url ldap: tells Get-Certificate to use the Active Directory enrollment policy.
$cert = Get-Certificate -Template "YourMachineAuthTemplate" `
        -CertStoreLocation Cert:\LocalMachine\My `
        -Url ldap:

# Get-Certificate returns an enrollment result; the certificate itself is its .Certificate property.
# Export public portion only (no private key needed here)
Export-Certificate -Cert $cert.Certificate -FilePath machine_cert.cer

Then obtain the root CA certificate:

# From any domain-joined machine:
certmgr.msc → Trusted Root Certification Authorities → Export CA cert

The most reliable method is using wpa_supplicant:

# Sample /etc/wpa_supplicant/wpa_supplicant.conf for a wired port (EAP-TLS with the machine certificate)
ap_scan=0                # wired interface: no access-point scanning
network={
    # no ssid= on a wired interface; key_mgmt=IEEE8021X selects plain 802.1X (no WPA)
    key_mgmt=IEEE8021X
    eap=TLS
    eapol_flags=0        # no dynamic WEP keying on a wired port
    identity="host/mylinuxhost.yourdomain.com"
    ca_cert="/etc/ssl/certs/domain_ca.pem"
    client_cert="/etc/ssl/certs/machine_cert.pem"
    private_key="/etc/ssl/private/machine_key.pem"
    private_key_passwd="yourpassword"
    # phase2="auth=MSCHAPV2" belongs to PEAP/TTLS and is not used with EAP-TLS
}

For a NetworkManager-based setup (nmcli; the same fields appear in the GUI connection editor under the 802.1X Security tab):

# Create a wired 802.1X connection that uses the machine certificate (EAP-TLS).
# The private-key password is required when the key file is encrypted.
nmcli connection add \
    type ethernet \
    con-name "Corporate 802.1x" \
    ifname eth0 \
    802-1x.eap tls \
    802-1x.identity "host/mylinuxhost.yourdomain.com" \
    802-1x.ca-cert /etc/ssl/certs/domain_ca.pem \
    802-1x.client-cert /etc/ssl/certs/machine_cert.pem \
    802-1x.private-key /etc/ssl/private/machine_key.pem \
    802-1x.private-key-password "yourpassword"

When things don't work:

# Check authentication logs
journalctl -u wpa_supplicant -f

# Watch the EAPOL exchange with the switch port. RADIUS (UDP 1812/1813) runs between the
# switch and the NPS server, so it is not visible from the workstation; EAPOL is.
tcpdump -i eth0 -n ether proto 0x888e

# Test certificate chain
openssl verify -CAfile domain_ca.pem machine_cert.pem

Remember to:

# Set proper permissions
chmod 600 /etc/ssl/private/machine_key.pem
chown root:root /etc/ssl/private/machine_key.pem

# Consider using PKCS#12 containers
openssl pkcs12 -export \
    -in machine_cert.pem \
    -inkey machine_key.pem \
    -out machine.p12 \
    -certfile domain_ca.pem

When trying to connect a Linux workstation to a Windows domain network with 802.1x authentication, you'll encounter several technical hurdles. The authentication typically requires:

  • Machine certificate (with exportable private key)
  • Domain CA certificate
  • Proper EAPOL configuration

Your initial approach with the Windows VM was correct in principle but needs refinement. Here's a more effective certificate extraction method:

# On Windows (run as Admin in PowerShell):
Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object {$_.Subject -like "*CN=$env:COMPUTERNAME*"} | Export-Certificate -FilePath C:\temp\machinecert.cer -Type CERT

For the private key (when marked non-exportable), we can use Mimikatz (requires temporary Admin rights):

privilege::debug
crypto::certificates /export /systemstore:LOCAL_MACHINE

For Fedora 21 with NetworkManager, create a configuration file at /etc/NetworkManager/system-connections/:

# /etc/NetworkManager/system-connections/Wired-802.1x (owner root, mode 0600, or NetworkManager ignores it)
[connection]
id=Wired 802.1x
uuid=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
type=802-3-ethernet
timestamp=1234567890

[802-3-ethernet]

[802-1x]
# Machine-certificate authentication is EAP-TLS. PEAP/MSCHAPv2 would instead use
# identity= plus password= and no client certificate, so the two must not be mixed.
eap=tls;
identity=host/mylinuxhost.yourdomain.com
ca-cert=/etc/pki/tls/certs/domain-ca.pem
client-cert=/etc/pki/tls/certs/machine-cert.pem
private-key=/etc/pki/tls/private/machine-key.pem
private-key-password=yourpassword

[ipv4]
method=auto

For more control, configure wpa_supplicant directly:

# Wireless (WPA-Enterprise) PEAP example. For a wired port put ap_scan=0 at the top
# of the file, use key_mgmt=IEEE8021X and drop the ssid= line.
network={
    ssid="your_domain"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="machine$@DOMAIN"
    # machine account password; PEAP/MSCHAPv2 uses a password, not a client certificate
    password="machine_password_hash"
    ca_cert="/etc/ssl/certs/domain-ca.pem"
    phase2="auth=MSCHAPV2"
}

While PowerBroker provides domain authentication, it doesn't automatically handle 802.1x. You'll need to:

  1. Ensure the machine account exists in Active Directory
  2. Verify the computer object has proper permissions for network authentication
  3. Check if your domain uses machine certificate auto-enrollment (GPO)

When authentication fails:

# Monitor authentication attempts (Fedora logs to the journal, not /var/log/syslog):
sudo journalctl -u NetworkManager -u wpa_supplicant -f | grep -i eap

# Verify certificate chain:
openssl verify -CAfile /etc/pki/tls/certs/domain-ca.pem /etc/pki/tls/certs/machine-cert.pem

# Test network authentication by hand (stop NetworkManager's own wpa_supplicant on the
# interface first; add -Dwired when the interface is an Ethernet port rather than Wi-Fi):
sudo wpa_supplicant -c/etc/wpa_supplicant/wpa_supplicant.conf -iwlp2s0 -d

Remember that switch ports often have security features like MAC lockdown that may need adjustment when changing operating systems, even with the same physical hardware.
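Both troubleshooting sections above come down to reading wpa_supplicant's log and deciding which of three things failed: the client did not trust the RADIUS server's certificate, the server rejected the client, or nothing on the switch port answered at all. The script below is an added example, not part of either answer: it classifies a saved log excerpt (for instance the output of journalctl -u wpa_supplicant) by the CTRL-EVENT lines wpa_supplicant emits and maps each verdict to the configuration item to look at. The sample logs in write_demo_logs are constructed for the example, modelled on wpa_supplicant's message format, so the classifier can be run offline.

```shell
#!/bin/sh
# Added example: classify a wpa_supplicant log excerpt from a failed or successful 802.1x attempt.
# The sample logs below are constructed; they follow the shape of wpa_supplicant's CTRL-EVENT lines.

# Print one verdict for the log file given as $1:
#   success | cert-error: <openssl reason> | eap-failure | no-authenticator | unknown
diagnose_eap_log() {
    log=$1
    if grep -q 'CTRL-EVENT-EAP-SUCCESS' "$log"; then
        echo "success"
    elif grep -q 'CTRL-EVENT-EAP-TLS-CERT-ERROR' "$log"; then
        # the client could not validate the server's certificate chain; pull out the err='...' text
        err=$(sed -n "s/.*CTRL-EVENT-EAP-TLS-CERT-ERROR.*err='\([^']*\)'.*/\1/p" "$log" | head -n 1)
        echo "cert-error: $err"
    elif grep -q 'CTRL-EVENT-EAP-FAILURE' "$log"; then
        # TLS was fine; the server itself said no
        echo "eap-failure"
    elif grep -q 'EAPOL: txStart' "$log" && ! grep -q 'CTRL-EVENT-EAP-STARTED' "$log"; then
        # EAPOL-Start frames went out but no authenticator ever replied
        echo "no-authenticator"
    else
        echo "unknown"
    fi
}

# Map a verdict from diagnose_eap_log to the thing to check next.
explain_diagnosis() {
    case $1 in
        success)          echo "port authenticated; nothing to fix" ;;
        cert-error:*)     echo "the RADIUS server's certificate did not validate against ca_cert: check the CA file, not the machine cert" ;;
        eap-failure)      echo "server rejected the client: check identity, certificate template/EKU and the machine account on the NPS side" ;;
        no-authenticator) echo "EAPOL-Start got no reply: the switch port is not running 802.1x or the link is down" ;;
        *)                echo "no verdict; rerun wpa_supplicant with -d and read the full exchange" ;;
    esac
}

# Constructed sample logs, one per failure mode. Prints the directory holding them.
write_demo_logs() {
    dir=$(mktemp -d)
    cat > "$dir/bad_ca.log" <<'EOF'
eth0: CTRL-EVENT-EAP-STARTED EAP authentication started
eth0: CTRL-EVENT-EAP-METHOD EAP vendor 0 method 13 (TLS) selected
eth0: CTRL-EVENT-EAP-TLS-CERT-ERROR reason=1 depth=1 subject='/CN=Corp Issuing CA' err='unable to get local issuer certificate'
eth0: CTRL-EVENT-EAP-FAILURE EAP authentication failed
EOF
    cat > "$dir/rejected.log" <<'EOF'
eth0: CTRL-EVENT-EAP-STARTED EAP authentication started
eth0: CTRL-EVENT-EAP-METHOD EAP vendor 0 method 13 (TLS) selected
eth0: CTRL-EVENT-EAP-FAILURE EAP authentication failed
EOF
    cat > "$dir/dead_port.log" <<'EOF'
EAPOL: txStart
EAPOL: startWhen --> 0
EAPOL: txStart
EOF
    cat > "$dir/good.log" <<'EOF'
eth0: CTRL-EVENT-EAP-STARTED EAP authentication started
eth0: CTRL-EVENT-EAP-METHOD EAP vendor 0 method 13 (TLS) selected
eth0: CTRL-EVENT-EAP-SUCCESS EAP authentication completed successfully
EOF
    echo "$dir"
}

# Usage on a real host:
#   journalctl -u wpa_supplicant --since -10min > /tmp/eap.log
#   v=$(diagnose_eap_log /tmp/eap.log); echo "$v"; explain_diagnosis "$v"
```

The ordering of the tests matters: a certificate error is always followed by an EAP-FAILURE line, so the cert check has to run before the generic failure check or every CA problem would be misreported as a server-side reject.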