Can the Network-Manager use certificates stored on smartcards (e.g. YubiKey) for wired 802.1X authentication?
Posted by this-is-robin@reddit | linuxadmin | View on Reddit | 5 comments
So I am implementing 802.1X authentication (EAP-TLS) for the wired connection on my Ubuntu 24.04 laptop. If I just store the client certificate + private key in form of a .p12 file and select it when configuring the 802.1X setting via the graphical Network Manager, everything works without a problem.
But to make things more secure, I want to store the .p12 file on a YubiKey. So far, importing that file onto the YubiKey is no problem. But how do I tell the Network-Manager to look for the client certificate + private key on the YubiKey? I have edited the connection using nmcli and for the fields 802-1x.client-cert and 802-1x.private-key I am using the URL value of the certificate provided by the p11tool --list-all-certs command. Is that correct?
Or is it simply not possible to use smartcards for 802.1X authentication?
Awkward_Reason_3640@reddit
Been messing with this too, and Ubuntu isn’t built with smartcard support. Even if you compile a custom version, getting it to pull the private key properly is a headache.
If anyone figures out a clean fix, definitely share.
ericreiss@reddit
Yes, it looks like the only method is to pay for support from Canonical and my boss is supporting that. I talked with Canonical and Yubikey. Yubikey is willing to get on a call with Canonical support with me so that we can get this to work. They volunteered to be subject matter experts.
I have it working on Windows. The same Windows AD and NPS server and WIFI APs pointed to that NPS and it won't work on Ubuntu. My recompiled wpa_supplicant now offers to let me choose certs from the Yubikey but for the private key won't do a PIN just keeps asking for a password.
ericreiss@reddit
I am working on this same issue right now. I was on the phone with Canonical this morning. They are supposed to bet back to me.
Network Manager uses wpa_supplicant but the Ubuntu version is v2.10 an has been compiled without the CONFIG_SMARTCARD=y option. wpa_supplicant is from an open source location.
If yuou issue wpa_supplicant -v on your system, you will see the version and who the primary developer is.
If you go to w1.fi/wpa_supplicant you will see that they are on version 2.11. HAve been since 2013.
Ubuntu 22.04 LTS, Ubuntu 24.04 LTS and Ubuntu 24.10 are all still using this old version without Smartcard support compiled in.
I have compiled my own version with the config for SmartCard support but I am not sure if I have done it correctly. It compiled with no errors.
then I used the nmcli command to adda connection from the command line and used network manager.
While it is now looking at the Yubikey and asks for a Pin when setting up the connection in network manager, I am still not successful. It keeps asking for the private key password.
I will try to remember to post back here if I learn anything.
I was pointing out to them our exact senario and they seemed to agree that since they ahve many governemtn users with PIV CAC cards which is how our Yubikeys are functioning, it is a feature they think they shoudl have.
My EAP-TLS server are Widnows Server 2022 Standard with Certificate Authoritiy servers (root and subordinate) and also have Network Policy Services (NPS) running configured to use the WiFi APs with Enterprise WPA/WPA2 (RADIUS).
From my Windows 10 client, I can authenticate with the same Yubikey when it prompts me to pick a user certificate and then prompts me for the Pin.
So if Windows can do this, why not Ubuntu, right.
Hopefully more soon.
this-is-robin@reddit (OP)
Thanks for your lengthy reply.
>It keeps asking for the private key password.
I get the exact same issue, even when entering the correct password, I get immediately prompted again.
ericreiss@reddit
Same here.
When I look at the event viewer logs on the NPS server, nothing is registered there. So it is never leaving the Ubuntu client.