Before You Begin
You must be an administrator with the rights to install packages, start services, and administer the network. The root role has all of these rights. The System Administration, Service Configuration, and Network Management rights profiles provide these rights. For more information, see Using Your Assigned Administrative Rights in Securing Users and Processes in Oracle Solaris 11.4.
Perform the required IEEE 802.1X setup tasks, which typically include the following:
Designating a host system to be used as the client (or supplicant) that requests access to a secured network.
Determining a network access point (a switch) to be used as the authenticator that passes the authentication requests and responses between the client and the authentication server.
Designating an authentication server that is running an AAA application such as RADIUS to authenticate the client.
Determining which authentication method the network that you are connecting to uses, for example, MD5 or TLS, and the corresponding credentials (ID and password) that it requires.
Install the network access control package:

client$ pkg install network-access-control

Check the state of the network-access-control service:

client$ svcs network-access-control
STATE          STIME    FMRI
online         Sep_07   svc:/network/network-access-control:default

If the service is not online, enable it:

client$ svcadm enable network-access-control
Create a network profile that carries the 802.1X credentials:

client$ nacadm add-net -p key-mgmt=DOT1X,eap=tls,\
    ca-cert=file-location,client-cert=cert-location,\
    private-key-file=key-location,private-key-passwd=key-file network-name

key-mgmt
    Specifies an acceptable authenticated key management protocol. Currently, DOT1X is the only key management protocol that is supported.
eap
    Space-separated list of acceptable Extensible Authentication Protocol (EAP) methods. Use tls for Transport Layer Security (TLS).
ca-cert
    Location of the TLS certificate authority (CA) certificate. The default location is /etc/certs/ca-certificates.crt.
client-cert
    Location of the client certificate.
private-key-file
    Location of the client private key.
private-key-passwd
    File containing the client private key password.
network-name
    Name that you assign to the given network.
For example, associate the certificate with the network name netsec0:
$ nacadm add-net -p key-mgmt=DOT1X,eap=tls,client-cert=/etc/certs/localhost/nacd0.pem,\
    private-key-file=/etc/nacd/priv-key.pem,private-key-passwd=.admin/dot1x.pwd netsec0

Assign the network profile to the datalink by setting its authentication property:

$ dladm set-linkprop -p authentication=netsec0 net0
This step enables the IEEE 802.1X process on the net0 datalink.
Verify the authentication state of the datalinks:

$ dladm show-linkprop -p authentication-state
LINK    AUTHENTICATION-STATE
net0    succeeded
net1    off
net2    off
Possible values for the AUTHENTICATION-STATE field are succeeded (default), off, failed, and in-process.
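After the profile is in place, two things are worth checking routinely: that every datalink that is supposed to be 802.1X-protected actually reports succeeded, and that the client certificate, private key and password file named in the profile are not readable by other users. The script below is an added example, not part of the Oracle Solaris documentation; it parses the dladm show-linkprop output format shown above from constructed sample text (the commands themselves are not run), and the file-permission check is an assumption about sensible hardening, not a documented nacadm requirement.

```python
"""Post-configuration checks for an IEEE 802.1X supplicant set up with nacadm/dladm."""
import os
import stat

# Constructed sample modelled on `dladm show-linkprop -p authentication-state`
# output as shown in the procedure; not captured from a real system.
SAMPLE_STATE_OUTPUT = """\
LINK    AUTHENTICATION-STATE
net0    succeeded
net1    off
net2    failed
"""

# Credential files named in the example profile on this page.
CREDENTIAL_FILES = ["/etc/certs/localhost/nacd0.pem", "/etc/nacd/priv-key.pem"]


def parse_auth_state(text):
    """Map each datalink to its AUTHENTICATION-STATE value, skipping the header."""
    states = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[0] == "LINK":
            continue
        states[fields[0]] = fields[1]
    return states


def links_needing_attention(states, required):
    """Required links whose state is anything other than 'succeeded'.

    'in-process' is transient, but it is reported too so the caller re-polls.
    """
    return sorted(link for link in required if states.get(link) != "succeeded")


def credential_file_findings(path, mode, exists=True):
    """Findings for one credential file given its lstat mode bits."""
    if not exists:
        return ["%s: missing" % path]
    findings = []
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append("%s: accessible by group or other" % path)
    if stat.S_ISLNK(mode):
        findings.append("%s: is a symbolic link" % path)
    return findings


def check_credential_file(path):
    """Evaluate a real file without following symlinks."""
    try:
        st = os.lstat(path)
    except FileNotFoundError:
        return credential_file_findings(path, 0, exists=False)
    return credential_file_findings(path, st.st_mode)


if __name__ == "__main__":
    print(links_needing_attention(parse_auth_state(SAMPLE_STATE_OUTPUT), ["net0", "net1"]))
    for f in CREDENTIAL_FILES:
        print(check_credential_file(f))
```

On a live system, feed the script the real output of dladm show-linkprop -p authentication-state and the paths printed by nacadm show-net in place of the constructed sample.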
You can disable IEEE 802.1X port-based authentication on a datalink in two ways.
Switching the authentication property off:

$ dladm set-linkprop -p authentication=off net0

Resetting the authentication property:

$ dladm reset-linkprop -p authentication net0
This example shows how to display configuration information for a network that uses IEEE 802.1X port-based authentication.
$ nacadm show-net netsec0
NAME     KEY-MGMT  EAP  IDENTITY  CA-CERT                                           CERT                            PRIV-KEY
netsec0  dot1x     tls  id        /etc/certs/ca-certificates/CA/Swissign_Gold1.pem  /etc/certs/localhost/nacd0.pem  /etc/nacd/priv-key.pem