Wired 802.1X configuration

I’m struggling to find where to configure wired 802.1X in OpenSUSE 42.1. This will be in a corporate environment with OpenSUSE clients that have already been deployed.

Where do I configure wired 802.1X within the GUI?

Just verifying your question,
Although it’s probably technically possible, it’s very unusual to configure 802.1x for anything but a WiFi connection.

It may not be offered in a standard connection manager.
Can you provide details about the vendor of your 802.1x server side (and secondarily the components used, like whether you’re using a RADIUS server and the particular 802.1x protocol used)?

TSU

We are deploying wired 802.1X in a corporate environment. Therefore, the OpenSUSE client will need to send and respond to EAPoL frames between the client and the switch and use EAP-FAST or PEAP to send the user’s credentials. The switch will then send the user’s credentials to a RADIUS server.

So far, OpenSUSE is the only Linux distribution that we cannot easily configure 802.1X on the client. Mint, Fedora, and Ubuntu offer 802.1X configuration right out of the box and those clients are able to access the network.

My fear is that we will force end users away from using OpenSUSE (which would be a shame).

Technically, 802.1x is also known as a “port based firewall” system.
You should not have DHCP issuing IP addresses until after being authenticated and no client machine should automatically have an IP address when connected to the network, which is a major hurdle for deploying on most wired networks.

This means that typically you’ll need some kind of special login agent, and you aren’t likely running ethernet when the machine is first connected to the network.

Or, are you simply running some kind of hybrid authentication system?
So, for instance if your main purpose is to use RADIUS authentication, a common architecture is to deploy LDAP (or AD) using RADIUS to store your credentials. So, in theory you can use RADIUS to be the authenticator for various network security Domains, like 802.1x, LDAP and more.

I would consider your system not a pure 802.1x but some kind of hybrid if your client machines are issued IP addresses before authentication (a major security compromise) and encapsulate your EAP or PEAP packets in ethernet when being sent to your authenticator.

If you’ve set up something working that you’re comfortable with on other distros, I’d suggest you start with how those are set up. In particular, Fedora shares many packages and architectural similarities with openSUSE.

TSU

You are correct. The end user device does not acquire an IP address until it sends authentication to the switch (the switch sends the authentication to the RADIUS server, the RADIUS server checks Active Directory, AD sends the allow or deny response back to the RADIUS server, the RADIUS server sends the response to the switch and the switch then moves the port into an authenticated state if allowed).

I’m not sure where the topic of IP addresses came up since that’s not the issue. The issue is that I’m looking for a straightforward way to configure 802.1X within OpenSUSE LEAP 42.1 using EAP-FAST or PEAP.

All the other Linux distros we’ve tested successfully so far have a simple GUI built-in with a drop-down that allows 802.1X configuration. We shouldn’t have to ask our end users to download a separate network management tool or run specialized scripts for 802.1X on a distro as well respected and widely deployed as OpenSUSE.

Something like this (not my environment; found this image via Google):

https://www.rz.uni-konstanz.de/fileadmin/_migrated/RTE/RTEmagicC_config-debian-gnome-2.30-en.png.png

Today, Gnome Network Manager (typically referred to only as “Network Manager” in openSUSE) appears to support 802.1x on wired connections; I don’t have a setup to test how well it works. My guess is that’s what you’re currently using in other distros if they’re set up successfully.

Today, I’ve noticed Network Manager looks different in different Desktops. I don’t have access to a KDE Desktop using NM at the moment, but on an LXDE Desktop, it appears to support a wired 802.1x connection. My guess is that you should see this version of NM in XFCE and likely Gnome Desktop as well.

TSU

I finally found where to configure 802.1X.

Under YaST2 > Network Settings > Global Setting > Network Setup Method: change ‘Wicked Service’ to ‘NetworkManager Service’

The KDE applet started and I was able to configure 802.1X and authenticate successfully to the network.
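
For clients that are already deployed, the same wired 802.1X profile can be written as a NetworkManager keyfile instead of being clicked together in the applet. The script below is an added example, not something posted in this thread; it assumes PEAP with MSCHAPv2 as the inner method, and the profile id, interface name, identity and CA path are constructed placeholders.

```shell
#!/bin/sh
# Added example. Profile id, interface, identity and CA path are constructed placeholders.

# Print a NetworkManager keyfile for a wired 802.1X profile using PEAP/MSCHAPv2 (assumed).
# $1 = profile id, $2 = interface, $3 = identity, $4 = absolute path to the RADIUS CA cert
# password-flags=1 keeps the password with the user's secret agent, not in the file.
render_wired_8021x() {
    # Without ca-cert the supplicant cannot validate the RADIUS server and would
    # offer the user's credentials to any authenticator on the port, so refuse.
    case $4 in
        /*) ;;
        *) echo "error: absolute CA certificate path required" >&2; return 1 ;;
    esac
    cat <<EOF
[connection]
id=$1
type=ethernet
interface-name=$2

[802-1x]
eap=peap;
identity=$3
phase2-auth=mschapv2
ca-cert=$4
password-flags=1

[ipv4]
method=auto
EOF
}

# Write the profile into directory $1 (remaining arguments as above) with mode 0600;
# NetworkManager rejects keyfiles with looser permissions.
install_wired_8021x() {
    dest_dir=$1; shift
    tmp=$(mktemp "$dest_dir/.8021x.XXXXXX") || return 1   # mktemp creates the file 0600
    if render_wired_8021x "$@" > "$tmp"; then
        mv "$tmp" "$dest_dir/$1"
    else
        rm -f "$tmp"; return 1
    fi
}

# Demo: print a profile for a constructed user and CA path.
render_wired_8021x corp-wired eth0 alice /etc/ssl/certs/corp-radius-ca.pem
```

On a client, the destination directory would be `/etc/NetworkManager/system-connections/`, written as root, after the network setup method has been switched to NetworkManager as described above.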

Yes, although I’ve never used it, NM has had this capability for a while now.

Mint, Ubuntu, and probably Fedora all use NetworkManager. With openSUSE, that’s optional. Try switching to NetworkManager (in YaST Network Settings), and see if that works.

That’s apparently what the OP did (post #7) :)

Missed that. Thanks for pointing it out.