2.2.10. Configuring Connection Settings

⁠2.2.10. Configuring Connection Settings

⁠2.2.10.1. Configuring 802.1X Security

802.1X security is the name of the IEEE standard for port-based Network Access Control (PNAC). It is also called WPA Enterprise. Simply put, 802.1X security is a way of controlling access to a logical network from a physical one. All clients who want to join the logical network must authenticate with the server (a router, for example) using the correct 802.1X authentication method.

802.1X security is most often associated with securing wireless networks (WLANs), but can also be used to prevent intruders with physical access to the network (LAN) from gaining entry. In the past, DHCP servers were configured not to lease IP addresses to unauthorized users, but for various reasons this practice is both impractical and insecure, and thus is no longer recommended. Instead, 802.1X security is used to ensure a logically-secure network through port-based authentication.

802.1X provides a framework for WLAN and LAN access control and serves as an envelope for carrying one of the Extensible Authentication Protocol (EAP) types. An EAP type is a protocol that defines how security is achieved on the network.

You can configure 802.1X security for a wired or wireless connection type by opening the Network window (see Section 2.2.1, “Connecting to a Network Using a GUI”) and following the applicable procedure below. Press the Super key to enter the Activities Overview, type control network and then press Enter. The Network settings tool appears. Proceed to Procedure 2.9, “For a Wired Connection” or Procedure 2.10, “For a Wireless Connection”:

⁠

Procedure 2.9. For a Wired Connection

Select a Wired network interface from the left-hand-side menu.
Either click on Add Profile to add a new network connection profile for which you want to configure 802.1X security, or select an existing connection profile and click the gear wheel icon.
Then select Security and set the symbolic power button to ON to enable settings configuration.
Proceed to Section 2.2.10.1.1, “Configuring TLS (Transport Layer Security) Settings”

⁠

Procedure 2.10. For a Wireless Connection

Select a Wireless network interface from the left-hand-side menu. If necessary, set the symbolic power button to ON and check that your hardware switch is on.
Either select the connection name of a new connection, or click the gear wheel icon of an existing connection profile, for which you want to configure 802.1X security. In the case of a new connection, complete any authentication steps to complete the connection and then click the gear wheel icon.
Select Security.
From the drop-down menu select one of the following security methods: LEAP, Dynamic WEP (802.1X), or WPA & WPA2 Enterprise.
Refer to Section 2.2.10.1.1, “Configuring TLS (Transport Layer Security) Settings” for descriptions of which extensible authentication protocol (EAP) types correspond to your selection in the Security drop-down menu.

⁠2.2.10.1.1. Configuring TLS (Transport Layer Security) Settings

With Transport Layer Security, the client and server mutually authenticate using the TLS protocol. The server demonstrates that it holds a digital certificate, the client proves its own identity using its client-side certificate, and key information is exchanged. Once authentication is complete, the TLS tunnel is no longer used. Instead, the client and server use the exchanged keys to encrypt data using AES, TKIP or WEP.

The fact that certificates must be distributed to all clients who want to authenticate means that the EAP-TLS authentication method is very strong, but also more complicated to set up. Using TLS security requires the overhead of a public key infrastructure (PKI) to manage certificates. The benefit of using TLS security is that a compromised password does not allow access to the (W)LAN: an intruder must also have access to the authenticating client's private key.

NetworkManager does not determine the version of TLS supported. NetworkManager gathers the parameters entered by the user and passes them to the daemon, wpa_supplicant, that handles the procedure. It in turn uses OpenSSL to establish the TLS tunnel. OpenSSL itself negotiates the SSL/TLS protocol version. It uses the highest version both ends support.

⁠Selecting an Authentication Method

Select from one of following authentication methods:

Select TLS for Transport Layer Security and proceed to Section 2.2.10.1.2, “Configuring TLS Settings”;
Select FAST for Flexible Authentication via Secure Tunneling and proceed to Section 2.2.10.1.4, “Configuring Tunneled TLS Settings”;
Select Tunneled TLS for Tunneled Transport Layer Security, otherwise known as TTLS, or EAP-TTLS and proceed to Section 2.2.10.1.4, “Configuring Tunneled TLS Settings”;
Select Protected EAP (PEAP) for Protected Extensible Authentication Protocol and proceed to Section 2.2.10.1.5, “Configuring Protected EAP (PEAP) Settings”.

⁠2.2.10.1.2. Configuring TLS Settings

Identity: Provide the identity of this server.
User certificate: Click to browse for, and select, a personal X.509 certificate file encoded with Distinguished Encoding Rules (DER) or Privacy Enhanced Mail (PEM).
CA certificate: Click to browse for, and select, an X.509 certificate authority certificate file encoded with Distinguished Encoding Rules (DER) or Privacy Enhanced Mail (PEM).
Private key: Click to browse for, and select, a private key file encoded with Distinguished Encoding Rules (DER), Privacy Enhanced Mail (PEM), or the Personal Information Exchange Syntax Standard (PKCS #12).
Private key password: Enter the password for the private key in the Private key field. Select Show password to make the password visible as you type it.

⁠2.2.10.1.3. Configuring FAST Settings

Anonymous Identity: Provide the identity of this server.
PAC provisioning: Select the check box to enable and then select from Anonymous, Authenticated, and Both.
PAC file: Click to browse for, and select, a protected access credential (PAC) file.
Inner authentication: GTC — Generic Token Card.
MSCHAPv2 — Microsoft Challenge Handshake Authentication Protocol version 2.
Username: Enter the user name to be used in the authentication process.
Password: Enter the password to be used in the authentication process.

⁠2.2.10.1.4. Configuring Tunneled TLS Settings

Anonymous identity: This value is used as the unencrypted identity.
CA certificate: Click to browse for, and select, a Certificate Authority's certificate.
Inner authentication: PAP — Password Authentication Protocol.
MSCHAP — Challenge Handshake Authentication Protocol.
MSCHAPv2 — Microsoft Challenge Handshake Authentication Protocol version 2.
CHAP — Challenge Handshake Authentication Protocol.
Username: Enter the user name to be used in the authentication process.
Password: Enter the password to be used in the authentication process.

⁠2.2.10.1.5. Configuring Protected EAP (PEAP) Settings

Anonymous Identity: This value is used as the unencrypted identity.
CA certificate: Click to browse for, and select, a Certificate Authority's certificate.
PEAP version: The version of Protected EAP to use. Automatic, 0 or 1.
Inner authentication: MSCHAPv2 — Microsoft Challenge Handshake Authentication Protocol version 2.
MD5 — Message Digest 5, a cryptographic hash function.
GTC — Generic Token Card.
Username: Enter the user name to be used in the authentication process.
Password: Enter the password to be used in the authentication process.

⁠2.2.10.2. Configuring Wi-Fi Security

Security: None — Do not encrypt the Wi-Fi connection.
WEP 40/128-bit Key — Wired Equivalent Privacy (WEP), from the IEEE 802.11 standard. Uses a single pre-shared key (PSK).
WEP 128-bit Passphrase — An MD5 hash of the passphrase will be used to derive a WEP key.
LEAP — Lightweight Extensible Authentication Protocol, from Cisco Systems.
Dynamic WEP (802.1X) — WEP keys are changed dynamically. Use with Section 2.2.10.1.1, “Configuring TLS (Transport Layer Security) Settings”
WPA & WPA2 Personal — Wi-Fi Protected Access (WPA), from the draft IEEE 802.11i standard. A replacement for WEP. Wi-Fi Protected Access II (WPA2), from the 802.11i-2004 standard. Personal mode uses a pre-shared key (WPA-PSK).
WPA & WPA2 Enterprise — WPA for use with a RADIUS authentication server to provide IEEE 802.1X network access control. Use with Section 2.2.10.1.1, “Configuring TLS (Transport Layer Security) Settings”
Password: Enter the password to be used in the authentication process.

⁠2.2.10.3. Configuring PPP (Point-to-Point) Settings

Configure Methods
Use point-to-point encryption (MPPE): Microsoft Point-To-Point Encryption protocol (RFC 3078).
Allow BSD data compression: PPP BSD Compression Protocol (RFC 1977).
Allow Deflate data compression: PPP Deflate Protocol (RFC 1979).
Use TCP header compression: Compressing TCP/IP Headers for Low-Speed Serial Links (RFC 1144).
Send PPP echo packets: LCP Echo-Request and Echo-Reply Codes for loopback tests (RFC 1661).

⁠2.2.10.4. Configuring IPv4 Settings

The IPv4 Settings tab allows you to configure the method used to connect to a network, to enter IP address, route, and DNS information as required. The IPv4 Settings tab is available when you create and modify one of the following connection types: wired, wireless, mobile broadband, VPN or DSL. If you need to configure IPv6 addresses, see Section 2.2.10.5, “Configuring IPv6 Settings”. If you need to configure static routes, click the Routes button and proceed to Section 2.2.10.6, “Configuring Routes”.

If you are using DHCP to obtain a dynamic IP address from a DHCP server, you can simply set Method to Automatic (DHCP).

⁠Setting the Method

⁠

Available IPv4 Methods by Connection Type

When you click the Method drop-down menu, depending on the type of connection you are configuring, you are able to select one of the following IPv4 connection methods. All of the methods are listed here according to which connection type, or types, they are associated with:

Method: Automatic (DHCP) — Choose this option if the network you are connecting to uses a DHCP server to assign IP addresses. You do not need to fill in the DHCP client ID field.
Automatic (DHCP) addresses only — Choose this option if the network you are connecting to uses a DHCP server to assign IP addresses but you want to assign DNS servers manually.
Link-Local Only — Choose this option if the network you are connecting to does not have a DHCP server and you do not want to assign IP addresses manually. Random addresses will be assigned as per RFC 3927 with prefix 169.254/16.
Shared to other computers — Choose this option if the interface you are configuring is for sharing an Internet or WAN connection. The interface is assigned an address in the 10.42.x.1/24 range, a DHCP server and DNS server are started, and the interface is connected to the default network connection on the system with network address translation (NAT).
Disabled — IPv4 is disabled for this connection.
Wired, Wireless and DSL Connection Methods: Manual — Choose this option if you want to assign IP addresses manually.
Mobile Broadband Connection Methods: Automatic (PPP) — Choose this option if the network you are connecting to assigns your IP address and DNS servers automatically.
Automatic (PPP) addresses only — Choose this option if the network you are connecting to assigns your IP address automatically, but you want to manually specify DNS servers.
VPN Connection Methods: Automatic (VPN) — Choose this option if the network you are connecting to assigns your IP address and DNS servers automatically.
Automatic (VPN) addresses only — Choose this option if the network you are connecting to assigns your IP address automatically, but you want to manually specify DNS servers.
DSL Connection Methods: Automatic (PPPoE) — Choose this option if the network you are connecting to assigns your IP address and DNS servers automatically.
Automatic (PPPoE) addresses only — Choose this option if the network you are connecting to assigns your IP address automatically, but you wish to manually specify DNS servers.

For information on configuring static routes for the network connection, go to Section 2.2.10.6, “Configuring Routes”.

⁠2.2.10.5. Configuring IPv6 Settings

Method: Ignore — Choose this option if you want to ignore IPv6 settings for this connection.
Automatic — Choose this option to use router advertisement (RA) to create an automatic, stateless configuration.
Automatic, addresses only — Choose this option if the network you are connecting to uses a DHCP server to assign IP addresses but you want to assign DNS servers manually.
Automatic, DHCP only — Choose this option to not use RA, but request information from DHCPv6 directly to create a stateful configuration.
Manual — Choose this option if the network you are connecting to does not have a DHCP server and you want to assign IP addresses manually.
Link-Local Only — Choose this option if the network you are connecting to does not have a DHCP server and you do not want to assign IP addresses manually. Random addresses will be assigned as per RFC 4862 with prefix FE80::0.
Addresses: DNS servers — Enter a comma separated list of DNS servers.
Search domains — Enter a comma separated list of domain controllers.

For information on configuring static routes for the network connection, go to Section 2.2.10.6, “Configuring Routes”.

⁠2.2.10.6. Configuring Routes

A host's routing table will be automatically populated with routes to directly connected networks. The routes are learned by examining the network interfaces when they are “up”. This section describes entering static routes to networks or hosts which can be reached by traversing an intermediate network or connection, such as a VPN tunnel or leased line. In order to reach a remote network or host, the system is given the address of a gateway to which traffic should be sent.

When a host's interface is configured by DHCP, an address of a gateway that leads to an upstream network or the Internet is usually assigned. This gateway is usually referred to as the default gateway as it is the gateway to use if no better route is known to the system (and present in the routing table). Network administrators often use the first or last host IP address in the network as the gateway address; for example, 192.168.10.1 or 192.168.10.254. Not to be confused by the address which represents the network itself; in this example, 192.168.10.0, or the subnet's broadcast address; in this example 192.168.10.255.

⁠Configuring Static Routes

To set a static route, open the IPv4 or IPv6 settings window for the connection you want to configure. See Section 2.2.1, “Connecting to a Network Using a GUI” for instructions on how to do that.

Routes: Address — Enter the IP address of a remote network, sub-net, or host.
Netmask — The netmask or prefix length of the IP address entered above.
Gateway — The IP address of the gateway leading to the remote network, sub-net, or host entered above.
Metric — A network cost, a preference value to give to this route. Lower values will be preferred over higher values.
Automatic: When Automatic is ON, routes from RA or DHCP are used, but you can also add additional static routes. When OFF, only static routes you define are used.
Use this connection only for resources on its network: Select this check box to prevent the connection from becoming the default route. Typical examples are where a connection is a VPN tunnel or a leased line to a head office and you do not want any Internet-bound traffic to pass over the connection. Selecting this option means that only traffic specifically destined for routes learned automatically over the connection or entered here manually will be routed over the connection.