man pages section 8: System Administration Commands

Updated: Thursday, June 13, 2019

nacadm (8)

Name

nacadm - Configure and manipulate 802.1x authentication information

Synopsis

nacadm add-net -p prop=value[,prop=value..] network-name
nacadm remove-net network-name
nacadm modify-net -p prop=new-val[,prop=new-val..] network-name
nacadm show-net [-P prop-name,...] [network-name]

Description

Use the nacadm command to manipulate or display authentication information needed by the port-based network access control daemon (nacd).

Network names are case insensitive, but the case of a network name is preserved once the name is entered. A network cannot be named auto or automatic. Further, a network name must start with a letter or a number, and contain only letters, numbers, -, and _.

Sub Commands

The nacadm subcommands, along with their related options and operands, are as follows:

add-net -p prop=value[,prop=value..] network-name

Adds a new network and sets its properties. Use the option -p to provide a list of comma-separated properties with specified values.

The following network properties are needed to add a new network:

General properties needed for all networks:
key-mgmt

The list of accepted authenticated key management protocols on this network. The default list is DOT1X.

eap

The accepted EAP method on this network. There are EAP-method specific properties depending on what EAP method is used on this network. Currently, the nacd(8) service supports two EAP methods: "md5" and "tls" for EAP types EAP-MD5 and EAP-TLS. There is no default value for eap.

Properties needed for networks using the EAP-MD5 method:
identity

User name

password

Password file name

Properties needed for networks using the EAP-TLS method:
identity

User name

ca-cert

CA (certificate authority) certificate file location. The default value is: /etc/certs/ca-certificates.crt

client-cert

Client certificate file location

private-key-file

Client private key file location

private-key-passwd

Password file name
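The network-name rules given in the Description and the EAP-TLS property list above are what a wrapper script would check before calling add-net. The following added example (not code from the nacadm man page or the nacd project) does those checks in POSIX sh: it enforces the documented name rules, confirms the certificate files are readable, and refuses a private key file or password file that is readable by group or other. That last permission requirement is this example's own policy, not a documented nacadm rule, and the script only prints the add-net line it would run rather than executing it.

```shell
#!/bin/sh
# Added example; not from the nacadm(8) man page or the nacd project.
# Pre-flight checks a wrapper script could run before "nacadm add-net" for an
# EAP-TLS network. The network-name rules are the ones the man page states;
# the "no group/other permission bits" requirement on the private key file
# and the password file is this example's own policy, not a nacadm rule.

# valid_net_name NAME: succeed only if NAME follows the documented rules:
# not "auto"/"automatic" in any case, starts with a letter or digit, and
# contains only letters, digits, '-' and '_'.
valid_net_name() {
    lower=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    case $lower in
        auto|automatic) return 1 ;;
    esac
    printf '%s\n' "$1" | grep -Eq '^[A-Za-z0-9][A-Za-z0-9_-]*$'
}

# private_file_ok FILE: succeed only if FILE is a regular file whose group
# and other permission bits are all clear (for example mode 0600).
private_file_ok() {
    [ -f "$1" ] || return 1
    # Columns 5-10 of "ls -l" are the group and other permission characters.
    [ "$(ls -l "$1" | cut -c5-10)" = "------" ]
}

# build_add_net NAME IDENTITY CA-CERT CLIENT-CERT PRIVATE-KEY PASSWD-FILE:
# run the checks and print the add-net command line that would be issued.
# Nothing is executed; the caller decides whether to run the printed line.
build_add_net() {
    name=$1 identity=$2 ca=$3 cert=$4 key=$5 passfile=$6
    valid_net_name "$name" || { echo "rejected network name: $name" >&2; return 1; }
    [ -r "$ca" ] || { echo "CA certificate not readable: $ca" >&2; return 1; }
    [ -r "$cert" ] || { echo "client certificate not readable: $cert" >&2; return 1; }
    private_file_ok "$key" || { echo "private key is not private: $key" >&2; return 1; }
    private_file_ok "$passfile" || { echo "password file is not private: $passfile" >&2; return 1; }
    printf 'nacadm add-net -p key-mgmt=DOT1X,eap=tls,identity=%s,ca-cert=%s,client-cert=%s,private-key-file=%s,private-key-passwd=%s %s\n' \
        "$identity" "$ca" "$cert" "$key" "$passfile" "$name"
}
```

A typical use is `cmd=$(build_add_net corp myid /etc/certs/ca-certificates.crt /path/client.pem /path/client.key /path/keypass) && eval "$cmd"`; keeping the check separate from the execution makes it easy to run the checks alone from a configuration audit.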

remove-net network-name

Removes a previously configured network specified by its network name.

modify-net -p prop=new-val[,prop=new-val..] network-name

Modifies the value of the property to the new value on the given network. Use the option -p to provide the list of properties whose values need to be modified.

show-net [-P prop-name[,...]] [network-name]

Shows the configuration of all networks if network name is not specified. Shows the specified network if a network name is given.

Use the option -P with the show-net subcommand to display the configuration in a stable, machine-parseable format called the Parseable Output Format, described as follows:

Parseable Output Format

One or more lines of colon (:) delimited fields. The output includes only those fields requested by the -P option. The fields are displayed in the same order as they were requested.
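Because the fields come back in the order they were requested, a script can map a property name to a field position once and then cut that field from every line. The following added example (not code from the nacadm man page) does that in POSIX sh over constructed sample lines; it assumes that "name" is accepted as a -P property, which the page does not state (it only documents the NAME column of the default output).

```shell
#!/bin/sh
# Added example; not from the nacadm(8) man page. Parses the colon-delimited
# Parseable Output Format that "nacadm show-net -P prop,..." emits: one line
# per network, fields in the order the properties were requested. The sample
# lines are constructed stand-ins for real output, and "name" being a valid
# -P property is an assumption.

# The property list that would be passed to -P; output fields follow this order.
PROPS="name,key-mgmt,eap,identity"

# Constructed stand-in for: nacadm show-net -P "$PROPS"
sample_show_net() {
    printf '%s\n' 'foo:dot1x:tls:myid' 'lab:dot1x:md5:labuser'
}

# prop_index PROP: print the 1-based position of PROP in PROPS; fail if absent.
prop_index() {
    printf '%s\n' "$PROPS" | tr ',' '\n' |
        awk -v p="$1" '$0 == p { print NR; found = 1; exit } END { exit !found }'
}

# nac_field PROP LINE: print PROP's value from one parseable output line.
nac_field() {
    idx=$(prop_index "$1") || return 1
    printf '%s\n' "$2" | cut -d: -f"$idx"
}

# nets_using_eap METHOD: print the names of networks whose eap field is METHOD.
nets_using_eap() {
    sample_show_net | while IFS= read -r line; do
        [ "$(nac_field eap "$line")" = "$1" ] && nac_field name "$line"
    done
    return 0
}
```

On a live system, replace the body of `sample_show_net` with `nacadm show-net -P "$PROPS"`; the parsing functions stay the same, since they depend only on the requested property order.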

Examples

Example 1 Adding EAP-TLS Network and Displaying Authentication Status for Connection Attempt

The following example shows how you can add an EAP-TLS network, then try to connect to the network and show the authentication status:

# nacadm add-net -p key-mgmt=DOT1X,eap=tls,identity="myid",\
ca-cert="ca-loc",client-cert="clnt-loc",\
private-key-file="priv-key-loc",\
private-key-passwd="password-file" foo

# dladm set-linkprop -p authentication=foo net0

# dladm show-linkprop -p authentication-state
LINK  AUTHENTICATION-STATE
net0  succeeded
net1  off
net2  off
net3  off

Example 2 Displaying a Specified Network Using the show-net Subcommand

The following example shows how you can display the network foo by specifying the network name foo in the show-net subcommand.

Note that the password is not shown.

# nacadm show-net foo
NAME  KEY-MGMT  EAP  IDENTITY  CA-CERT  CLIENT-CERT  PRIVATE-KEY
foo   dot1x     tls  myid      ca-loc   clnt-loc     priv-key-loc

Example 3 Saving the key-mgmt Value of a Specified Network to a Variable

The following example shows how you can save the key-mgmt value of network foo to a shell variable named key_mgmt:

# key_mgmt=`nacadm show-net -P key-mgmt foo`

Attributes

See attributes(7) for descriptions of the following attributes:

ATTRIBUTE TYPE         ATTRIBUTE VALUE
Availability           network/network-access-control
Interface Stability    Committed

See Also

attributes(7), dladm(8), nacd(8)