There was a case where I wanted an installed server to **join the network with several NIC ports bonded together and with 802.1X authentication**. On my own I could only get a single NIC onto the network, but with the cooperation of the people around me I got 802.1X authentication working on the bonded interface as well.
Searching the web turned up no description of 802.1X authentication with a **bonding configuration**, so I am publishing the method here. (Thanks to everyone who helped!)
I cannot disclose the exact server and network switch models, but think of the server as a rack-mount server from a vendor such as Fujitsu, HP or IBM, and of the network switch as a product from a vendor such as NETGEAR or Cisco.
OS: CentOS 7.8
NIC ports to be bonded: two wired ports on an Intel 10G NIC
CA certificate file: ZZZZZZ.pem (it may be handed over in .crt format)
Client certificate and private key: ZZZZZZ.p12 (password-protected PKCS#12 file)
I initially received the certificate from the user as a .crt file, and, for a reason I could not determine, 802.1X authentication failed later on with the .crt. So I converted it from .crt to .pem with the following command.

```bash
# A .crt may be either PEM or DER encoded; if it turns out to be DER, add -inform der
openssl x509 -in ZZZZZZ.crt -out ZZZZZZ.pem
```
Save ZZZZZZ.pem and ZZZZZZ.p12 under /etc/pki/CA/certs/. The .p12 contains the private key, so make it readable by root only (chmod 600).
The bonding configuration file /etc/sysconfig/network-scripts/ifcfg-bond0 is set up as follows.
```
# mode=4 is 802.3ad/LACP, so the switch ports must be configured as an LACP port-channel
BONDING_OPTS="mode=4 miimon=100 xmit_hash_policy=layer2+3"
DEVICE=bond0
TYPE=Bond
BOOTPROTO=none
BONDING_MASTER=yes
NAME=bond0
ONBOOT=yes
UUID=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
# jumbo frames; the switch side must allow the same MTU
MTU=9000
DNS1=aaa.bbb.ccc.ddd
DNS2=aaa.bbb.ccc.ddd
GATEWAY=aaa.bbb.ccc.ddd
IPADDR=aaa.bbb.ccc.ddd
# NETMASK and PREFIX express the same thing; one of them is enough
NETMASK=aaa.bbb.ccc.ddd
PREFIX=yy
# 802.1X authentication settings. These IEEE_8021X_* keys are read only by
# NetworkManager's ifcfg-rh plugin; with NetworkManager disabled (see below)
# the authentication itself is driven by /etc/wpa_supplicant/wpa_supplicant.conf.
KEY_MGMT=IEEE8021X
IEEE_8021X_EAP_METHODS=TLS
IEEE_8021X_IDENTITY=XXXXXXXXX
# Path of the PEM CA certificate saved above
IEEE_8021X_CA_CERT=/etc/pki/CA/certs/ZZZZZZ.pem
# Path of the PKCS#12 file (client certificate and private key) saved above
IEEE_8021X_PRIVATE_KEY=/etc/pki/CA/certs/ZZZZZZ.p12
DOMAIN=zzzz.zzzz.zzzz
```
Edit /etc/sysconfig/wpa_supplicant (the options the wpa_supplicant service starts the daemon with) as follows.

```
# ZZZZZZ is the interface to authenticate: the bond itself (bond0 in this setup), not a member port
INTERFACES="-iZZZZZZ"
# wired driver: no Wi-Fi scanning, plain EAPOL over Ethernet
DRIVERS="-Dwired"
# -u D-Bus control interface, -f log file, -P PID file, -t timestamps in the log
OTHER_ARGS="-u -f /var/log/wpa_supplicant.log -P /var/run/wpa_supplicant.pid -t"
```

Edit /etc/wpa_supplicant/wpa_supplicant.conf as follows. The PKCS#12 password is stored in clear text in private_key_passwd, so this file must be readable by root only (chmod 600).

```
ctrl_interface=/var/run/wpa_supplicant
ctrl_interface_group=0
network={
    key_mgmt=IEEE8021X
    # method names are matched exactly; wpa_supplicant expects TLS in upper case
    eap=TLS
    identity="ZZZZZZ"
    # CA certificate used to verify the RADIUS server's certificate
    ca_cert="/etc/pki/CA/certs/ZZZZZZ.pem"
    # PKCS#12 file holding the client certificate and private key; no separate client_cert is needed
    private_key="/etc/pki/CA/certs/ZZZZZZ.p12"
    private_key_passwd="ZZZZZZ"
}
```
If NetworkManager is already running, 802.1X authentication does not work, so **disable the service** (and stop it if it is currently running).

```bash
# chkconfig forwards to systemctl on CentOS 7; these are the direct equivalents
systemctl disable NetworkManager
systemctl stop NetworkManager
```
wpa_supplicant has to be running for 802.1X authentication, so **enable and start the service**.

```bash
systemctl enable wpa_supplicant
systemctl start wpa_supplicant
```
802.1X authentication has succeeded when `bond0: CTRL-EVENT-CONNECTED - Connection to <MAC address> completed` appears, either in /var/log/wpa_supplicant.log written by the service, or in the output of the daemon run in the foreground with the command below. For the foreground run, stop the wpa_supplicant service first: a second instance will not share the interface and its control socket with the one already running.

```bash
wpa_supplicant -c /etc/wpa_supplicant/wpa_supplicant.conf -D wired -i bond0
```
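The shell helpers below are an added example and not part of the original article. They cover the checks around the steps above: telling whether the .crt you were handed is PEM or DER before converting it, writing wpa_supplicant.conf with root-only permissions (the file carries the PKCS#12 password in clear text), pinning the RADIUS server certificate with `domain_suffix_match` so that not every certificate from the same CA is accepted, and reading the authentication outcome from the daemon's log or control socket instead of starting a second wpa_supplicant on bond0. The file names (ZZZZZZ.*), identity and bond0 are the article's placeholders; the domain suffix `radius.example.com` and the sample log lines are made up for the example; `ca_to_pem` and `is_authenticated` assume openssl and wpa_cli are installed.

```shell
#!/usr/bin/env bash
# Added example, not from the original article. Helpers for the certificate,
# wpa_supplicant.conf and verification steps described above. Assumptions:
# GNU coreutils/findutils; openssl and wpa_cli for the two functions that call
# them; ZZZZZZ.* / bond0 are the article's placeholders; the RADIUS server
# domain suffix is a made-up value to be replaced with your own.
set -eu

# Encoding of a certificate file: "pem", "der" or "unknown". A .crt handed over
# by someone else may be either, while wpa_supplicant's ca_cert wants PEM.
cert_encoding() {
    if grep -q '^-----BEGIN' "$1"; then
        echo pem
    elif [ "$(head -c 1 "$1" | od -An -tx1 | tr -d ' \n')" = "30" ]; then
        echo der        # DER X.509 starts with an ASN.1 SEQUENCE tag, 0x30
    else
        echo unknown
    fi
}

# Convert a CA certificate to PEM whatever its input encoding (uses openssl).
ca_to_pem() {
    case "$(cert_encoding "$1")" in
        pem) openssl x509 -in "$1" -out "$2" ;;
        der) openssl x509 -inform der -in "$1" -out "$2" ;;
        *)   echo "cannot recognise $1 as an X.509 certificate" >&2; return 1 ;;
    esac
}

# True when a secret-bearing file (the .p12, or the conf holding
# private_key_passwd) is not readable by group or others.
secret_perms_ok() {
    [ -z "$(find "$1" -maxdepth 0 -perm /077)" ]
}

# Render wpa_supplicant.conf for wired EAP-TLS. Relative to the article's file:
# ap_scan=0 and eapol_flags=0 follow wpa_supplicant's own wired example, and
# domain_suffix_match pins the RADIUS server certificate (dNSName / CN suffix),
# so another certificate issued by the same CA is rejected.
# Arguments: identity ca_cert private_key(.p12) private_key_passwd server_domain_suffix
render_supplicant_conf() {
    cat <<EOF
ctrl_interface=/var/run/wpa_supplicant
ctrl_interface_group=0
ap_scan=0
network={
    key_mgmt=IEEE8021X
    eap=TLS
    eapol_flags=0
    identity="$1"
    ca_cert="$2"
    private_key="$3"
    private_key_passwd="$4"
    domain_suffix_match="$5"
}
EOF
}

# Write the rendered file with mode 0600 from the start (umask in a subshell),
# so the password never sits in a group- or world-readable file, even briefly.
install_supplicant_conf() {
    local dest=$1
    shift
    ( umask 077; rm -f "$dest"; render_supplicant_conf "$@" > "$dest" )
    secret_perms_ok "$dest"
}

# Outcome recorded in the daemon's log (/var/log/wpa_supplicant.log with the
# OTHER_ARGS above): the last connection-level event wins.
last_auth_result() {
    awk '
        /CTRL-EVENT-CONNECTED/    { r = "connected" }
        /CTRL-EVENT-EAP-FAILURE/  { r = "eap-failure" }
        /CTRL-EVENT-DISCONNECTED/ { r = "disconnected" }
        END { print (r == "" ? "no-event" : r) }
    ' "$1"
}

# Live check against the running daemon over its control socket, instead of
# starting a second wpa_supplicant on bond0 (the daemon would refuse to share it).
is_authenticated() {
    wpa_cli -i "${1:-bond0}" status | grep -q '^suppPortStatus=Authorized'
}

# Constructed sample log (not captured from a real system), in the shape that
# wpa_supplicant -t -f produces, for trying last_auth_result offline.
write_sample_log() {
    cat > "$1" <<'EOF'
1600000000.000001: bond0: CTRL-EVENT-EAP-STARTED EAP authentication started
1600000000.000002: bond0: CTRL-EVENT-EAP-FAILURE EAP authentication failed
1600000000.000003: bond0: CTRL-EVENT-EAP-STARTED EAP authentication started
1600000000.000004: bond0: CTRL-EVENT-EAP-SUCCESS EAP authentication completed successfully
1600000000.000005: bond0: CTRL-EVENT-CONNECTED - Connection to 00:11:22:33:44:55 completed [id=0 id_str=]
EOF
}
```

Typical use on the server: `ca_to_pem ZZZZZZ.crt /etc/pki/CA/certs/ZZZZZZ.pem`, then `install_supplicant_conf /etc/wpa_supplicant/wpa_supplicant.conf "$identity" /etc/pki/CA/certs/ZZZZZZ.pem /etc/pki/CA/certs/ZZZZZZ.p12 "$p12_password" radius.example.com`, restart the service and confirm with `is_authenticated bond0` or `last_auth_result /var/log/wpa_supplicant.log`. Only `cert_encoding`, `secret_perms_ok`, the config rendering and the log parsing run offline; the two functions that need openssl or wpa_cli have to be tried on the real host.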