Does wicked support WPA-EAP-TLS configurations?

I have a corporate environment that I’m trying to connect to wirelessly. I set up everything in YaST lan using wicked, choosing “WPA-EAP” for my authentication type, then for “EAP Mode” I have “TLS” selected. I then point to the client/server certificates, the client key, save and I have no wireless connection.

Checking in the syslog, wicked spits out:

wicked[890]: ifcfg-wlan0: no WIRELESS_WPA_PASSWORD value specified

and that’s about it. The option in YaST to enter a password is grayed out, and it’s my assumption that passwords are not needed when using these certificates. I started looking around and saw this bug:

which seems like what I would want for this to work.

If this is not supported, the idea is kind of dead in the water. If it is, I have some questions about installing certificates as well if anyone can help. Thanks!

What’s wrong with using NetworkManager?

Nothing, but I’m asking about Wicked specifically since that’s what’s currently part of a production OS. Does that mean Wicked does not support 802.1x?

What is a production OS? NetworkManager is an officially supported network management tool and is just as legitimate a part of a production OS as wicked. You have a task to complete - connect to your work environment - and it is logical to take the tool that does the job.

Does that mean Wicked does not support 802.1x?

802.1x is not relevant because it is wired authentication, not wireless. But it is true, wicked does not really implement EAP-TLS, it even says it in the manual page. The fact that YaST offers an authentication method that does not work can be considered a bug.

802.1x (not to be confused with 802.11) is almost always implemented as an enterprise capable wireless authentication method, often referred to as a “portless firewall.” Although technically its pieces might be implemented over a wired only (802.3) network, I’ve not seen it. The reason why this is a “portless firewall” and different than more common WPA authentication is that 802.1x requires authentication before an IP address is issued, thought to be more secure than conventional connections which are issued a working IP address before authentication either denies or approves access.

Answering the original question…
No, Wicked does not support 802.1x.
You either need to use Network Manager, an alternative wireless connection manager or proprietary software typically from the vendor of the access point.


Addition DR:TMI
I noticed a while back EAP in Wicked as well and didn’t follow up on that.
The problem is that wicked only supports “simple” network connections and maybe EAP is a newly supported protocol to use for simple connections.
Problem for Wicked is that it’s not just the initial authentication protocol, 802.1x is a somewhat complex, multi-step process where you first authenticate through the AP to a remote credentials database or authenticator of some sort (e.g. RADIUS or LDAP or AD), before a separate step to set up the actual wireless session. Am skipping over many details, but the setup and process can be complex and fairly long.
And, Wicked today just doesn’t support these different steps.

Thank you guys for the information. I really appreciate it.