
I have an Ethernet link between two Linux hosts with a static IP config using systemd-networkd on both sides, without a router, DHCP server, etc.

Is there a simple way to add basic 802.1X security with only a shared passphrase (without a certificate mechanism, with a tool like wpa_supplicant)?

Thanks, Emeric

rvs
  • My gut reaction would be that it makes no sense. 802.1x makes more sense when you have a lot of clients. I'd probably simply run a VPN such as WireGuard or IPsec on top of Ethernet to handle the authentication between two static endpoints. – vidarlo Jun 14 '22 at 16:52
  • Yes, WireGuard was already my second solution... – Emeric Verschuur Jun 15 '22 at 08:08
  • [MACSec](https://man7.org/linux/man-pages/man8/ip-macsec.8.html) seems to be precisely the solution I want... – Emeric Verschuur Jun 15 '22 at 08:17

1 Answer


802.1X is used for port-level authentication. A supplicant (client) authenticates against an authenticator (switch) that uses a back-end authentication server over RADIUS.

Setting up a Linux server as both authenticator and authentication server might be possible, but you cannot use 802.1X for mutual authentication.

Depending on what you're actually trying to accomplish, 802.1X might not be useful anyway:

  • there's no encryption
  • without further mechanisms, it's rather easy to run a MitM attack

If you want encryption, there's MACsec (likely not practical either) or various flavors of VPN (IPsec, SSL, SSH, ...).

You should also consider hardening the service(s) you're using, so you can run them without further ado over a plain cable, zero-trust style.

Zac67
  • All right... Indeed, after searching on my side, 802.1X is not a good solution for my need. In addition, good security on the application layer is the best solution, but it is complicated to exhort people to adopt it correctly :p. [MACSec](https://man7.org/linux/man-pages/man8/ip-macsec.8.html) seems to be precisely the solution I want... – Emeric Verschuur Jun 15 '22 at 08:25
    You link to `ip-macsec`, but IMO you cannot just configure MACSec with ip-macsec and be done with it. See `Notes` in `man ip-macsec`. Instead, you essentially need to use 802.1X-2010, which `wpa_supplicant` implements. And/or use NetworkManager, which can configure `wpa_supplicant` for you. – thaller Jul 20 '22 at 13:08
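The approach thaller's comment points to (MACsec keyed by 802.1X-2010 MKA with a pre-shared CAK instead of certificates, as `wpa_supplicant` implements it), as an added example configuration that is not from the thread; the interface name, key values and priorities are constructed placeholders:

```conf
# wpa_supplicant.conf for a point-to-point MACsec link keyed by MKA with a
# pre-shared CAK (802.1X-2010, no EAP, no RADIUS). Install the same file on
# both hosts, changing only mka_priority, and start it on each with:
#   wpa_supplicant -i eth0 -D macsec_linux -c /etc/wpa_supplicant/macsec.conf
# "eth0" is an assumed interface name.
ctrl_interface=/run/wpa_supplicant

# MKA is carried in EAPOL frames and needs EAPOL version 3.
eapol_version=3

network={
    # No EAP exchange at all: the peers share the CAK out of band.
    key_mgmt=NONE
    eapol_flags=0

    # 0 = MACsec not in use, 1 = MACsec enabled (should secure; the elected
    # key server decides whether the session is protected).
    macsec_policy=1

    # 0 = encrypt payload (confidentiality + integrity), 1 = integrity only.
    macsec_integ_only=0

    # Connectivity Association Key (CAK): 128-bit (32 hex digits) or
    # 256-bit (64 hex digits). Generate it with `openssl rand -hex 16` and
    # copy the SAME value to both hosts. Constructed placeholder, do not reuse.
    mka_cak=00112233445566778899aabbccddeeff

    # CAK Name (CKN): up to 32 bytes in hex, identical on both hosts.
    # Constructed placeholder.
    mka_ckn=6d616373656320706f696e742d746f2d706f696e74206c696e6b

    # Key-server election: lower value wins (0..255, default 255).
    # Use 1 on one host and 2 on the other so the election is deterministic.
    mka_priority=1
}
```

Once MKA completes, the MACsec interface that `wpa_supplicant` creates on top of `eth0` appears in `ip macsec show`, and the static IP configuration from systemd-networkd belongs on that interface rather than on `eth0`. Distributing the CAK over the same link before it is protected defeats the point, so copy it out of band (console, USB, or an already authenticated channel).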