The GUI of NetworkManager is pretty user friendly when it comes to creating 802.1x (WPA2 Enterprise) connection configurations. In a command-line environment (non-GUI setups) that kind of connection should be created and handled with the command-line tool nmcli. When invoked, that tool communicates with the locally running NetworkManager daemon.
It is rather strange that on many Internet user forums an easy thing to do, like creating and exploring an 802.1x connection with nmcli, is declared mission impossible, and wpa_supplicant is pointed out as the only available tool for connecting to WPA2 Enterprise hotspot infrastructure. The goal of this post is to show that nmcli is capable of doing that natively.
To create an 802.1x connection in command-line mode the nmcli tool needs to be invoked correctly. It is not practical to enter the nmcli interactive shell and describe the connection parameters one by one. The easiest way is to create the whole connection description at once by executing a single command line. Note that some of the options passed as arguments to nmcli are in fact critical, even if the syntax checker does not treat them as such. For instance, tunnelling the plain-text password (TTLS/PAP) requires a positive verification of the RADIUS server's X.509 certificate in order to resist "man-in-the-middle" attacks. Therefore, a copy of the CA X.509 certificate needs to be stored locally as a text file (preferably in PEM format) and referenced from the connection.
The example below shows how to define all the parameters of an 802.1x connection required for using the "eduroam" hotspot (more about eduroam):
$ sudo nmcli connection add type wifi con-name "eduroam" ifname wlan0 ssid "eduroam" -- wifi-sec.key-mgmt wpa-eap 802-1x.eap ttls 802-1x.phase2-auth pap 802-1x.identity "firstname.lastname@example.org" 802-1x.anonymous-identity "email@example.com" 802-1x.ca-cert "/home/user/CA-wifi.crt" 802-1x.password 3423sd3easd32e2
Note the use of the full path to the CA X.509 certificate file in the command above (/home/user/CA-wifi.crt). Declaring a relative path instead needs to be avoided.
In case of a successful execution of the command line, the connection "eduroam" will appear in the list of supported connections:
$ nmcli c s
Once listed there, the connection can be activated by executing:
$ sudo nmcli c up eduroam
and in case of successful activation, the usual kind of message will appear on the display:
Connection successfully activated (D-Bus active path: /org/freedesktop/NetworkManager/ActiveConnection/9)
It is a very good idea to clear the shell history afterwards in order to prevent the password from being disclosed, since it is part of the command line that defines the connection.
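The whole procedure above, wrapped into a small POSIX shell script as an added example (not part of the original post): it refuses a CA certificate path that is relative, unreadable or not PEM (the points the post calls critical), creates the profile with the same nmcli properties as the command above but without the password, and then stores the password with a second nmcli call after reading it from the terminal with echo disabled, so the secret never lands in the shell history. The function names, the constructed sample certificate and the example identities are assumptions for illustration; the nmcli properties are the ones used in the post.

```shell
#!/bin/sh
# Added example, not from the original post: create an 802.1x (WPA2 Enterprise)
# Wi-Fi profile with nmcli while keeping the password out of the shell history.

# check_ca_cert PATH: succeed only if PATH is absolute, readable and a PEM file.
check_ca_cert() {
    case "$1" in
        /*) ;;   # absolute path required; a relative path is rejected
        *)  echo "CA certificate path must be absolute: $1" >&2; return 1 ;;
    esac
    [ -r "$1" ] || { echo "CA certificate not readable: $1" >&2; return 1; }
    grep -q -e '-----BEGIN CERTIFICATE-----' "$1" \
        || { echo "CA certificate is not in PEM format: $1" >&2; return 1; }
    return 0
}

# build_add_cmd CON IFACE SSID IDENTITY ANON_IDENTITY CA_CERT
# Prints the "nmcli connection add" line (same properties as in the post) with
# NO 802-1x.password on it; the password is set in a separate step.
build_add_cmd() {
    printf 'nmcli connection add type wifi con-name "%s" ifname "%s" ssid "%s" -- ' "$1" "$2" "$3"
    printf 'wifi-sec.key-mgmt wpa-eap 802-1x.eap ttls 802-1x.phase2-auth pap '
    printf '802-1x.identity "%s" 802-1x.anonymous-identity "%s" 802-1x.ca-cert "%s"\n' "$4" "$5" "$6"
}

# create_8021x_connection CON IFACE SSID IDENTITY ANON_IDENTITY CA_CERT
# Validates the CA certificate, adds the profile, then stores the password that
# is read from the terminal with echo disabled (not from the command line).
create_8021x_connection() {
    check_ca_cert "$6" || return 1
    nmcli connection add type wifi con-name "$1" ifname "$2" ssid "$3" -- \
        wifi-sec.key-mgmt wpa-eap 802-1x.eap ttls 802-1x.phase2-auth pap \
        802-1x.identity "$4" 802-1x.anonymous-identity "$5" 802-1x.ca-cert "$6" \
        || return 1
    printf 'Password for %s: ' "$4"
    stty -echo
    read -r pw
    stty echo
    printf '\n'
    nmcli connection modify "$1" 802-1x.password "$pw"
    rc=$?
    unset pw
    return $rc
}

# Usage (run with sudo where your NetworkManager policy requires it), e.g.:
#   create_8021x_connection eduroam wlan0 eduroam \
#       firstname.lastname@example.org email@example.com /home/user/CA-wifi.crt
#   nmcli c up eduroam
```

The `nmcli connection modify` step writes the secret into the profile that NetworkManager keeps, so the only place the password is typed is the hidden prompt; nothing containing it is appended to the shell history and there is nothing to clear afterwards.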