How to Automate Creation of 802.1x wpa_supplicant.conf on Linux With Microsoft Certificate Authorities
When it comes to secure network access in Linux environments, 802.1X and wpa_supplicant are fundamental components. The ability to automate the creation of the wpa_supplicant.conf file, a crucial element of these systems, can greatly enhance their functionality and efficiency. In this context, the role of X.509 certificates becomes crucial, providing reliable, secure authentication for 802.1X connections.
This article walks you through how to automate the creation and ongoing management of wpa_supplicant.conf provisioned with an X.509 certificate from a Microsoft Certificate Authority using Revocent’s CertAccord Enterprise solution.
CertAccord Enterprise’s Role
CertAccord Enterprise can automate the creation and ongoing life-cycle management of X.509 certificates on Linux/Mac endpoints from Microsoft ADCS Certificate Authorities for a wide variety of purposes. CertAccord Enterprise can create certificates compatible with wpa_supplicant and then automate the creation or update of wpa_supplicant.conf using its Certificate Appliers API.
The Certificate Appliers API is a simple API based on the principle of CertAccord Enterprise executing all “applier” programs associated with the “purpose” of a certificate. This is done by placing the executable, called an “applier”, in the /etc/cmb/certappliers directory and naming the file to indicate when it should be run. The applier is run by CertAccord Enterprise whenever a certificate of a matching purpose is created or renewed.
The applier is given the path to a “certinfo” file on the command line:
–certinfo /path/to/file.certinfo
The certinfo file contains information about the certificate that was created such as the certificate file path, certificate key, and type of certificate. The applier can then perform whatever action is required.
This article provides a working applier which creates the wpa_supplicant.conf file configured with an X.509 certificate. It will also update the wpa_supplicant.conf file if any of the key data changes as well.
Download Certificate Applier for wpa_supplicant.conf
You can download the Certificate Applier for wpa_supplicant here:
certapplier-wpa-supplicant-v1
NOTE: Make sure to remove CR (\r) chars from the downloaded file. The /bin/bash command will fail to run any script which contains CR chars as the line terminator. Use a command line “dos2unix” to remove the CR chars once the file is on the endpoint.
Installing Certificate Applier
Follow the steps below to install and configure the Certificate Applier for wpa_supplicant.
These steps will create a CertAccord Enterprise specific Certificate Purpose named “NetAuth”. This value can be whatever you wish, but you must be very careful to change all references to this name in the procedure below and in the applier script itself.
- Login to your Microsoft CA where you create and publish Templates
- Create a new Template named “CertAccord NetAuth” (you can use any name). The Template should be configured for both CertAccord use and for compatibility with your 802.1X server. It’s suggested you copy the Template that is working for your Windows devices for 802.1x and you modify it to meet CertAccord Enterprise requirements.
- Login to CertAccord Management Console
- Go to Settings > Certificate Purposes and add Purpose Name=”NetAuth” Usages=ClientAuthentication
- Go to Settings > Certificate Policy Binding and add a binding for Purpose “NetAuth” to the “CertAccord NetAuth” policy
- Go to Settings -> Certificate Subject Binding and create a binding for Purpose “NetAuth”. In most cases you want to have a Subject of “CN=${hostNameFromConnect}” and one SAN entry of type “Dns” with value “${hostNameFromConnect}”.
- Login to Linux/Mac endpoint
- Copy the downloaded cert applier: cp wpa-supplicant.NetAuth.purpose /etc/cmb/certappliers/
- Make cert applier executable: chmod +x /etc/cmb/certappliers/wpa-supplicant.NetAuth.purpose
- Register agent: cmb register server=$yourserver.domain
- Create certificate: cmb cert create purpose=NetAuth certstoragefmt=pkcs12
- Check /etc/wpa_supplicant/wpa_supplicant.conf to verify it has been configured correctly
If there are any problems, have a look at these logs which capture output from the applier script:
/var/cmb/log/certappliers/wpa-supplicant.NetAuth.purpose.stderr
/var/cmb/log/certappliers/wpa-supplicant.NetAuth.purpose.stdout
The file /var/cmb/log/certappliers/wpa-supplicant.NetAuth.purpose.result contains data about how the applier was run and runtime related data. Here’s an example:
# Results of Certificate Applier wpa-supplicant.NetAuth.purpose
applier_name=”wpa-supplicant.NetAuth.purpose”
command=”/etc/cmb/certappliers/wpa-supplicant.NetAuth.purpose –certinfo /tmp/certinfo2411990089143489977.tmp”
current_effective_uid=”0″
current_real_uid=”0″
current_user_name=”root”
elapsed_time=”15 ms”
end_time=”Thu Jun 08 13:23:37 PDT 2023″
exit_code=”0″
start_time=”Thu Jun 08 13:23:37 PDT 2023″
Summary
Using CertAccord Enterprise and it’s Certificate Applier API you can quickly configure wpa_supplicant.conf at scale. The configuration will also not need to be manually updated in the future when the certificate expires because CertAccord Enterprise will automatically renew the certificate.
References
CertAccord Enterprise Administration Guide
Automating X.509 Certificate Application Integration with Certificate Appliers