nacadm - Configure and manipulate 802.1x authentication information
nacadm add-net -p prop=value[,prop=value..] network-name
nacadm remove-net network-name
nacadm modify-net -p prop=new-val[,prop=new-val..] network-name
nacadm show-net [-P prop-name,...] [network-name]
Use the nacadm command to manipulate or display authentication information needed by the port-based network access control daemon (nacd).
Network names are case insensitive, but the case of a network name is preserved once the name is entered. A network cannot be named auto or automatic. Further, a network name must start with a letter or a number, and contain only letters, numbers, -, and _.
The nacadm subcommands, along with their related options and operands, are as follows:
add-net -p prop=value[,prop=value..] network-name
    Adds a new network and sets its properties. Use the -p option to provide a comma-separated list of properties with their values.
The following network properties are needed to add a new network:

key-mgmt
    The list of accepted authenticated key management protocols on this network. The default list is DOT1X.

eap
    The accepted EAP method on this network. Further properties depend on which EAP method is used on this network. Currently, the nacd(8) service supports two EAP methods: "md5" for EAP-MD5 and "tls" for EAP-TLS. There is no default value for eap.

Properties for eap=md5:

identity
    User name

(password file property)
    Password file name

Properties for eap=tls:

identity
    User name

ca-cert
    CA (certificate authority) certificate file location. The default value is /etc/certs/ca-certificates.crt.

client-cert
    Client certificate file location

private-key-file
    Client private key file location

private-key-passwd
    Name of the file holding the private key password
remove-net network-name
    Removes a previously configured network, specified by its network name.
modify-net -p prop=new-val[,prop=new-val..] network-name
    Sets the listed properties of the given network to their new values. Use the -p option to provide the list of properties whose values are to be modified.
show-net [-P prop-name,...] [network-name]
    Shows the configuration of all networks if no network name is specified, or of the specified network if a network name is given.
Use the -P option with the show-net subcommand to display the configuration in a stable, machine-parseable format called the Parseable Output Format, described as follows:

One or more lines of colon (:) delimited fields. The output includes only those fields requested by the -P option. The fields are displayed in the same order as they were requested.
The following example shows how you can add an EAP-TLS network, then try to connect to the network and show the authentication status:
    # nacadm add-net -p key-mgmt=DOT1X,eap=tls,identity="myid",\
        ca-cert="ca-loc",client-cert="clnt-loc",private-key-file="priv-key-loc",\
        private-key-passwd="password-file" foo
    # dladm set-linkprop -p authentication=foo net0
    # dladm show-linkprop -p authentication-state
    LINK   AUTHENTICATION-STATE
    net0   succeeded
    net1   off
    net2   off
    net3   off

Example 2 Displaying a Specified Network Using the show-net Subcommand
The following example shows how you can display the network foo by specifying the network name foo in the show-net subcommand.
Note that the password is not shown.
    # nacadm show-net foo
    NAME  KEY-MGMT  EAP  IDENTITY  CA-CERT  CLIENT-CERT  PRIVATE-KEY
    foo   dot1x     tls  myid      ca-loc   clnt-loc     priv-key-loc

Example 3 Saving the key-mgmt Value of a Specified Network to a Variable
The following example shows how you can save the key-mgmt value of network foo to a shell variable named key_mgmt (shell variable names cannot contain a hyphen):
    # key_mgmt=`nacadm show-net -P key-mgmt foo`
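The Parseable Output Format described above, and the -P usage in Example 3, are meant to be consumed by scripts. The following audit script is an added example and is not part of the nacadm(8) page or the nacd(8) project: it parses colon-delimited show-net -P output to report networks still on EAP-MD5 (which authenticates only the client, not the network) and to flag private key or password files referenced by EAP-TLS networks that are readable beyond their owner. The nacadm output and the files it points at are constructed inline so the script runs offline; treating "name" as a -P field name is an assumption.

```shell
#!/bin/sh
# Added example (not from the nacadm(8) page): audit nacd network definitions
# by parsing the Parseable Output Format of "nacadm show-net -P".
# Assumptions: -P accepts the column names shown by show-net (name, eap,
# private-key-file, private-key-passwd); "name" as a -P field is an
# assumption. The nacadm output below is constructed, not captured.

# Constructed stand-ins for the files a real EAP-TLS network would reference,
# so the permission check can run without a configured nacd.
DEMO_DIR=$(mktemp -d)
printf 'not-a-real-key\n' > "$DEMO_DIR/client.key"
chmod 600 "$DEMO_DIR/client.key"          # owner-only: acceptable
printf 'not-a-real-password\n' > "$DEMO_DIR/key.pass"
chmod 644 "$DEMO_DIR/key.pass"            # world-readable: should be flagged

# Constructed output, as if from:
#   nacadm show-net -P name,eap,private-key-file,private-key-passwd
# One line per network, colon-delimited, fields in the order requested;
# the md5 network has no key material, so its last two fields are empty.
SAMPLE_OUTPUT="foo:tls:$DEMO_DIR/client.key:$DEMO_DIR/key.pass
lab-wired:md5::"

# Print the names of networks that do not use EAP-TLS, one per line.
list_non_tls() {
    printf '%s\n' "$1" | while IFS=: read -r name eap keyfile passfile; do
        if [ "$eap" != "tls" ]; then
            printf '%s\n' "$name"
        fi
    done
}

# For EAP-TLS networks, print "<network> <file> <mode>" for every referenced
# private key or password file that grants any group or other permission.
list_loose_files() {
    printf '%s\n' "$1" | while IFS=: read -r name eap keyfile passfile; do
        [ "$eap" = "tls" ] || continue
        for f in "$keyfile" "$passfile"; do
            [ -n "$f" ] && [ -f "$f" ] || continue
            # Columns 1-10 of "ls -l" are the POSIX mode string, e.g. -rw-r--r--
            mode=$(ls -ld -- "$f" | cut -c1-10)
            case "$mode" in
                ????------) ;;   # only owner bits set: fine
                *) printf '%s %s %s\n' "$name" "$f" "$mode" ;;
            esac
        done
    done
}

echo "Networks not using EAP-TLS:"
list_non_tls "$SAMPLE_OUTPUT"
echo "Key material readable beyond the owner:"
list_loose_files "$SAMPLE_OUTPUT"
```

On a real host, replace SAMPLE_OUTPUT with the output of the nacadm show-net -P command named in the comment and drop the constructed files; the two functions work unchanged on whatever the daemon reports.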
See attributes(7) for descriptions of the following attributes: