How do you configure Netplan on Ubuntu to store 802.1x credentials securely?

In an 802.1x enterprise network, I can use NetworkManager to configure 802.1x parameters, including the password. This all works, but requires storing the password in cleartext.

We are trying to use Netplan to store the credentials more securely (as a hashed password), but we cannot make the 802.1x connections authenticate.

I haven't been able to find a good guide for building a Netplan configuration that includes 802.1x credentials.

(UPDATE: There is a bug in Netplan about hashed passwords, https://github.com/CanonicalLtd/netplan/pull/78, which seems to be the main issue.)


Here is a file that does not work:

network:
  version: 2
  renderer: networkd
  ethernets:
    enp0s31f6:
      auth:
        key-management: 802.1x
        password: hash:some-stuff-here
        method: peap
        identity: ghewett
      dhcp4: false
      addresses:
        - 1.2.3.4
      gateway4: 5.6.7.8
      nameservers:
        search: [cisco.com, otherdomain]
        addresses:
          - 1.1.1.1
          - 2.2.2.2

(IPs and credentials changed)

This gives us

DEBUG:command generate: running ['/lib/netplan/generate']
** (generate:19354): DEBUG: 09:23:41.614: Processing input file /etc/netplan/01-netcfg.yaml..
** (generate:19354): DEBUG: 09:23:41.614: starting new processing pass
Error in network definition /etc/netplan/01-netcfg.yaml line 7 column 6: unknown key auth

See https://netplan.io/examples; the https://netplan.io site in general has good info. Make sure to run sudo netplan --debug generate to check the .yaml files and generate the config files, and then sudo netplan apply to make them active.


Authentication

Netplan supports advanced authentication settings for ethernet and wifi interfaces, as well as individual wifi networks, by means of the auth block.

auth (mapping)

    Specifies authentication settings for a device of type ethernets:, or an access-points: entry on a wifis: device.

    The auth block supports the following properties:

    key-management (scalar)
        The supported key management modes are none (no key management); psk (WPA with pre-shared key, common for home wifi); eap (WPA with EAP, common for enterprise wifi); and 802.1x (used primarily for wired Ethernet connections).
    password (scalar)
        The password string for EAP, or the pre-shared key for WPA-PSK.

    The following properties can be used if key-management is eap or 802.1x:

    method (scalar)
        The EAP method to use. The supported EAP methods are tls (TLS), peap (Protected EAP), and ttls (Tunneled TLS).
    identity (scalar)
        The identity to use for EAP.
    anonymous-identity (scalar)
        The identity to pass over the unencrypted channel if the chosen EAP method supports passing a different tunnelled identity.
    ca-certificate (scalar)
        Path to a file with one or more trusted certificate authority (CA) certificates.
    client-certificate (scalar)
        Path to a file containing the certificate to be used by the client during authentication.
    client-key (scalar)
        Path to a file containing the private key corresponding to client-certificate.
    client-key-password (scalar)
        Password to use to decrypt the private key specified in client-key if it is encrypted.

Source: https://netplan.io/reference#authentication

Update #1:

Note: make sure there are no TABS in your .yaml file...

Add your certs, restore the IPs, and try this...

network:
  version: 2
  renderer: networkd
  ethernets:
    enp0s31f6:
      auth:
        key-management: 802.1x
        method: peap
        identity: "[email protected]"
        ca-certificate: my_ca.pem
        client-certificate: my_cert.pem
        client-key: my_key.pem
      addresses:
        - 1.2.3.4
      gateway4: 5.6.7.8
      nameservers:
        search: [cisco.com, otherdomain]
        addresses:
          - 1.1.1.1
          - 2.2.2.2

The default netplan that ships with Ubuntu 18.04.02 does not support wired authentication, so there is no chance of it working. The latest version on GitHub in early March 2019 does support authentication, but it is lacking other things that are required. The WPA supplicant requires a CLI flag to use the wired driver for it to work, and I wrote a PR to add this to netplan. Netplan also handles hashed passwords in a way that breaks them, so there is another PR to fix that.

If you want to try these PRs, the instructions are:

  1. Have a server install of Ubuntu 18.04.02

  2. Install supplicant

    • sudo apt install wpasupplicant
  3. Install needed build tools with

    • sudo apt install make cpp pkg-config libyaml-dev uuid-dev libgio2.0-cil-dev libglib2.0-dev pandoc
  4. Get the patched netplan software with

    • git clone https://github.com/fluffy/netplan.git
    • cd netplan
    • git checkout all
  5. Build and install it with

    • make
    • sudo make install
  6. Generate a hashed version of your password

    • echo -n 'MyPassword' | iconv -t UTF-16LE | openssl md4 -binary | xxd -p
    • history -c
  7. Edit the netplan config file

    • cd /etc/netplan
    • sudo mv 50-cloud-init.yaml config.yaml
    • sudo emacs /etc/netplan/config.yaml
  8. Get it to look something like:

network:
    version: 2
    ethernets:
        enp0s31f6:
            dhcp4: true
            optional: true
            auth:
                key-management: 802.1x
                wired: true
                method: ttls
                identity: [email protected]
                password: hash:83...11

  9. Apply it with

    • sudo netplan apply
  10. At this point, if you reboot, it should work, but here are some things to check to help debug:

  11. Check the WPA supplicant config file

    • sudo cat /run/netplan/wpa-enp0s31f6.conf

and it should look like:

ctrl_interface=/run/wpa_supplicant
network={
  key_mgmt=IEEE8021X
  eap=TTLS
  identity="[email protected]"
  password=hash:83..11
}

Make sure there are no quotes around the password if using hashed passwords.

  12. Check the systemd template

    • ls /run/systemd/system/systemd-networkd.service.wants/netplan*enp0s31f6.service

It should return something like:

/run/systemd/system/systemd-networkd.service.wants/[email protected]

The key thing is to check that it has wpa-wired in it.

  13. Test that the auth works with passwords and all

    • kill any running version of wpa_supplicant, then do

    • sudo wpa_supplicant -c /run/netplan/wpa-enp0s31f6.conf -i enp0s31f6 -D wired

You will see a flow of info about the 802.1x messages, and near the end there should be an "Authentication succeeded".

You will need to Ctrl-C to kill it.

  14. Reboot and enjoy ....