/usr/share/gtk-doc/html/NetworkManager/settings-802-1x.html is in network-manager-dev 1.10.6-2ubuntu1.
This file is owned by root:root, with mode 0o644.
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>802-1x: NetworkManager Reference Manual</title>
<meta name="generator" content="DocBook XSL Stylesheets V1.79.1">
<link rel="home" href="index.html" title="NetworkManager Reference Manual">
<link rel="up" href="ch01.html" title="Configuration Settings">
<link rel="prev" href="settings-connection.html" title="connection">
<link rel="next" href="settings-adsl.html" title="adsl">
<meta name="generator" content="GTK-Doc V1.27 (XML mode)">
<link rel="stylesheet" href="style.css" type="text/css">
</head>
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
<div class="refentry">
<a name="settings-802-1x"></a><div class="titlepage"></div>
<div class="refnamediv"><table width="100%"><tr>
<td valign="top">
<h2>802-1x</h2>
<p>802-1x — IEEE 802.1x Authentication Settings</p>
</td>
<td class="gallery_image" valign="top" align="right"></td>
</tr></table></div>
<div class="refsect1">
<a name="id-1.3.3.3.2"></a><h2>
Properties
</h2>
<div class="table">
<a name="id-1.3.3.3.2.2.1"></a><p class="title"><b>Table 57. </b></p>
<div class="table-contents"><table class="table" border="1">
<colgroup>
<col>
<col>
<col>
<col>
</colgroup>
<thead><tr>
<th>Key Name</th>
<th>Value Type</th>
<th>Default Value</th>
<th>Value Description</th>
</tr></thead>
<tbody>
<tr>
<td><pre class="screen">altsubject-matches</pre></td>
<td><pre class="screen">array of string</pre></td>
<td><pre class="screen">[]</pre></td>
<td>List of strings to be matched against the altSubjectName of the certificate presented by the authentication server. If the list is empty, no verification of the server certificate's altSubjectName is performed.</td>
</tr>
<tr>
<td><pre class="screen">anonymous-identity</pre></td>
<td><pre class="screen">string</pre></td>
<td><pre class="screen"></pre></td>
<td>Anonymous identity string for EAP authentication methods. Used as the unencrypted outer identity with EAP types that support a different tunneled (inner) identity, such as EAP-TTLS.</td>
</tr>
<tr>
<td><pre class="screen">auth-timeout</pre></td>
<td><pre class="screen">int32</pre></td>
<td><pre class="screen">0</pre></td>
<td>A timeout for the authentication. Zero means the global default; if the global default is not set, the authentication timeout is 25 seconds.</td>
</tr>
<tr>
<td><pre class="screen">ca-cert</pre></td>
<td><pre class="screen">byte array</pre></td>
<td><pre class="screen"></pre></td>
<td>Contains the CA certificate if used by the EAP method specified in the "eap" property. Certificate data is specified using a "scheme"; two are currently supported: blob and path. When using the blob scheme (which is backwards compatible with NM 0.7.x) this property should be set to the certificate's DER encoded data. When using the path scheme, this property should be set to the full UTF-8 encoded path of the certificate, prefixed with the string "file://" and ending with a terminating NUL byte. This property can be unset even if the EAP method supports CA certificates, but this allows man-in-the-middle attacks and is NOT recommended.</td>
</tr>
<tr>
<td><pre class="screen">ca-cert-password</pre></td>
<td><pre class="screen">string</pre></td>
<td><pre class="screen"></pre></td>
<td>The password used to access the CA certificate stored in the "ca-cert" property. Only makes sense if the certificate is stored on a PKCS#11 token that requires a login.</td>
</tr>
<tr>
<td><pre class="screen">ca-cert-password-flags</pre></td>
<td><pre class="screen">NMSettingSecretFlags (uint32)</pre></td>
<td><pre class="screen"></pre></td>
<td>Flags indicating how to handle the "ca-cert-password" property.</td>
</tr>
<tr>
<td><pre class="screen">ca-path</pre></td>
<td><pre class="screen">string</pre></td>
<td><pre class="screen"></pre></td>
<td>UTF-8 encoded path to a directory containing PEM or DER formatted certificates to be added to the verification chain in addition to the certificate specified in the "ca-cert" property.</td>
</tr>
<tr>
<td><pre class="screen">client-cert</pre></td>
<td><pre class="screen">byte array</pre></td>
<td><pre class="screen"></pre></td>
<td>Contains the client certificate if used by the EAP method specified in the "eap" property. Certificate data is specified using a "scheme"; two are currently supported: blob and path. When using the blob scheme (which is backwards compatible with NM 0.7.x) this property should be set to the certificate's DER encoded data. When using the path scheme, this property should be set to the full UTF-8 encoded path of the certificate, prefixed with the string "file://" and ending with a terminating NUL byte.</td>
</tr>
<tr>
<td><pre class="screen">client-cert-password</pre></td>
<td><pre class="screen">string</pre></td>
<td><pre class="screen"></pre></td>
<td>The password used to access the client certificate stored in the "client-cert" property. Only makes sense if the certificate is stored on a PKCS#11 token that requires a login.</td>
</tr>
<tr>
<td><pre class="screen">client-cert-password-flags</pre></td>
<td><pre class="screen">NMSettingSecretFlags (uint32)</pre></td>
<td><pre class="screen"></pre></td>
<td>Flags indicating how to handle the "client-cert-password" property.</td>
</tr>
<tr>
<td><pre class="screen">domain-suffix-match</pre></td>
<td><pre class="screen">string</pre></td>
<td><pre class="screen"></pre></td>
<td>Constraint for the server domain name. If set, this FQDN is used as a suffix match requirement for the dNSName element(s) of the certificate presented by the authentication server. If a matching dNSName is found, this constraint is met. If no dNSName values are present, this constraint is matched against the SubjectName CN using the same suffix match comparison.</td>
</tr>
<tr>
<td><pre class="screen">eap</pre></td>
<td><pre class="screen">array of string</pre></td>
<td><pre class="screen">[]</pre></td>
<td>The allowed EAP methods to be used when authenticating to the network with 802.1x. Valid methods are: "leap", "md5", "tls", "peap", "ttls", "pwd", and "fast". Each method requires different configuration using the properties of this setting; refer to the wpa_supplicant documentation for the allowed combinations.</td>
</tr>
<tr>
<td><pre class="screen">identity</pre></td>
<td><pre class="screen">string</pre></td>
<td><pre class="screen"></pre></td>
<td>Identity string for EAP authentication methods. Often the user's user name or login name.</td>
</tr>
<tr>
<td><pre class="screen">name</pre></td>
<td><pre class="screen">string</pre></td>
<td><pre class="screen">802-1x</pre></td>
<td>The setting's name, which uniquely identifies the setting within the connection. Each setting type has a name unique to that type, for example "ppp" or "wireless" or "wired".</td>
</tr>
<tr>
<td><pre class="screen">pac-file</pre></td>
<td><pre class="screen">string</pre></td>
<td><pre class="screen"></pre></td>
<td>UTF-8 encoded file path containing PAC for EAP-FAST.</td>
</tr>
<tr>
<td><pre class="screen">password</pre></td>
<td><pre class="screen">string</pre></td>
<td><pre class="screen"></pre></td>
<td>UTF-8 encoded password used for EAP authentication methods. If both the "password" property and the "password-raw" property are specified, "password" is preferred.</td>
</tr>
<tr>
<td><pre class="screen">password-flags</pre></td>
<td><pre class="screen">NMSettingSecretFlags (uint32)</pre></td>
<td><pre class="screen"></pre></td>
<td>Flags indicating how to handle the "password" property.</td>
</tr>
<tr>
<td><pre class="screen">password-raw</pre></td>
<td><pre class="screen">byte array</pre></td>
<td><pre class="screen"></pre></td>
<td>Password used for EAP authentication methods, given as a byte array to allow passwords in other encodings than UTF-8 to be used. If both the "password" property and the "password-raw" property are specified, "password" is preferred.</td>
</tr>
<tr>
<td><pre class="screen">password-raw-flags</pre></td>
<td><pre class="screen">NMSettingSecretFlags (uint32)</pre></td>
<td><pre class="screen"></pre></td>
<td>Flags indicating how to handle the "password-raw" property.</td>
</tr>
<tr>
<td><pre class="screen">phase1-auth-flags</pre></td>
<td><pre class="screen">uint32</pre></td>
<td><pre class="screen">0</pre></td>
<td>Specifies authentication flags to use in "phase 1" outer authentication using NMSetting8021xAuthFlags options. The individual TLS versions can be explicitly disabled. If a certain TLS disable flag is not set, it is up to the supplicant to allow or forbid it. The TLS options map to tls_disable_tlsv1_x settings. See the wpa_supplicant documentation for more details.</td>
</tr>
<tr>
<td><pre class="screen">phase1-fast-provisioning</pre></td>
<td><pre class="screen">string</pre></td>
<td><pre class="screen"></pre></td>
<td>Enables or disables in-line provisioning of EAP-FAST credentials when FAST is specified as the EAP method in the "eap" property. Recognized values are "0" (disabled), "1" (allow unauthenticated provisioning), "2" (allow authenticated provisioning), and "3" (allow both authenticated and unauthenticated provisioning). See the wpa_supplicant documentation for more details.</td>
</tr>
<tr>
<td><pre class="screen">phase1-peaplabel</pre></td>
<td><pre class="screen">string</pre></td>
<td><pre class="screen"></pre></td>
<td>Forces use of the new PEAP label during key derivation. Some RADIUS servers may require forcing the new PEAP label to interoperate with PEAPv1. Set to "1" to force use of the new PEAP label. See the wpa_supplicant documentation for more details.</td>
</tr>
<tr>
<td><pre class="screen">phase1-peapver</pre></td>
<td><pre class="screen">string</pre></td>
<td><pre class="screen"></pre></td>
<td>Forces which PEAP version is used when PEAP is set as the EAP method in the "eap" property. When unset, the version reported by the server will be used. Sometimes when using older RADIUS servers, it is necessary to force the client to use a particular PEAP version. To do so, this property may be set to "0" or "1" to force that specific PEAP version.</td>
</tr>
<tr>
<td><pre class="screen">phase2-altsubject-matches</pre></td>
<td><pre class="screen">array of string</pre></td>
<td><pre class="screen">[]</pre></td>
<td>List of strings to be matched against the altSubjectName of the certificate presented by the authentication server during the inner "phase 2" authentication. If the list is empty, no verification of the server certificate's altSubjectName is performed.</td>
</tr>
<tr>
<td><pre class="screen">phase2-auth</pre></td>
<td><pre class="screen">string</pre></td>
<td><pre class="screen"></pre></td>
<td>Specifies the allowed "phase 2" inner non-EAP authentication methods when an EAP method that uses an inner TLS tunnel is specified in the "eap" property. Recognized non-EAP "phase 2" methods are "pap", "chap", "mschap", "mschapv2", "gtc", "otp", "md5", and "tls". Each "phase 2" inner method requires specific parameters for successful authentication; see the wpa_supplicant documentation for more details.</td>
</tr>
<tr>
<td><pre class="screen">phase2-autheap</pre></td>
<td><pre class="screen">string</pre></td>
<td><pre class="screen"></pre></td>
<td>Specifies the allowed "phase 2" inner EAP-based authentication methods when an EAP method that uses an inner TLS tunnel is specified in the "eap" property. Recognized EAP-based "phase 2" methods are "md5", "mschapv2", "otp", "gtc", and "tls". Each "phase 2" inner method requires specific parameters for successful authentication; see the wpa_supplicant documentation for more details.</td>
</tr>
<tr>
<td><pre class="screen">phase2-ca-cert</pre></td>
<td><pre class="screen">byte array</pre></td>
<td><pre class="screen"></pre></td>
<td>Contains the "phase 2" CA certificate if used by the EAP method specified in the "phase2-auth" or "phase2-autheap" properties. Certificate data is specified using a "scheme"; two are currently supported: blob and path. When using the blob scheme (which is backwards compatible with NM 0.7.x) this property should be set to the certificate's DER encoded data. When using the path scheme, this property should be set to the full UTF-8 encoded path of the certificate, prefixed with the string "file://" and ending with a terminating NUL byte. This property can be unset even if the EAP method supports CA certificates, but this allows man-in-the-middle attacks and is NOT recommended.</td>
</tr>
<tr>
<td><pre class="screen">phase2-ca-cert-password</pre></td>
<td><pre class="screen">string</pre></td>
<td><pre class="screen"></pre></td>
<td>The password used to access the "phase 2" CA certificate stored in the "phase2-ca-cert" property. Only makes sense if the certificate is stored on a PKCS#11 token that requires a login.</td>
</tr>
<tr>
<td><pre class="screen">phase2-ca-cert-password-flags</pre></td>
<td><pre class="screen">NMSettingSecretFlags (uint32)</pre></td>
<td><pre class="screen"></pre></td>
<td>Flags indicating how to handle the "phase2-ca-cert-password" property.</td>
</tr>
<tr>
<td><pre class="screen">phase2-ca-path</pre></td>
<td><pre class="screen">string</pre></td>
<td><pre class="screen"></pre></td>
<td>UTF-8 encoded path to a directory containing PEM or DER formatted certificates to be added to the verification chain in addition to the certificate specified in the "phase2-ca-cert" property.</td>
</tr>
<tr>
<td><pre class="screen">phase2-client-cert</pre></td>
<td><pre class="screen">byte array</pre></td>
<td><pre class="screen"></pre></td>
<td>Contains the "phase 2" client certificate if used by the EAP method specified in the "phase2-auth" or "phase2-autheap" properties. Certificate data is specified using a "scheme"; two are currently supported: blob and path. When using the blob scheme (which is backwards compatible with NM 0.7.x) this property should be set to the certificate's DER encoded data. When using the path scheme, this property should be set to the full UTF-8 encoded path of the certificate, prefixed with the string "file://" and ending with a terminating NUL byte. This property can be unset even if the EAP method supports CA certificates, but this allows man-in-the-middle attacks and is NOT recommended.</td>
</tr>
<tr>
<td><pre class="screen">phase2-client-cert-password</pre></td>
<td><pre class="screen">string</pre></td>
<td><pre class="screen"></pre></td>
<td>The password used to access the "phase 2" client certificate stored in the "phase2-client-cert" property. Only makes sense if the certificate is stored on a PKCS#11 token that requires a login.</td>
</tr>
<tr>
<td><pre class="screen">phase2-client-cert-password-flags</pre></td>
<td><pre class="screen">NMSettingSecretFlags (uint32)</pre></td>
<td><pre class="screen"></pre></td>
<td>Flags indicating how to handle the "phase2-client-cert-password" property.</td>
</tr>
<tr>
<td><pre class="screen">phase2-domain-suffix-match</pre></td>
<td><pre class="screen">string</pre></td>
<td><pre class="screen"></pre></td>
<td>Constraint for the server domain name. If set, this FQDN is used as a suffix match requirement for the dNSName element(s) of the certificate presented by the authentication server during the inner "phase 2" authentication. If a matching dNSName is found, this constraint is met. If no dNSName values are present, this constraint is matched against the SubjectName CN using the same suffix match comparison.</td>
</tr>
<tr>
<td><pre class="screen">phase2-private-key</pre></td>
<td><pre class="screen">byte array</pre></td>
<td><pre class="screen"></pre></td>
<td>Contains the "phase 2" inner private key when the "phase2-auth" or "phase2-autheap" property is set to "tls". Key data is specified using a "scheme"; two are currently supported: blob and path. When using the blob scheme and private keys, this property should be set to the key's encrypted PEM encoded data. When using private keys with the path scheme, this property should be set to the full UTF-8 encoded path of the key, prefixed with the string "file://" and ending with a terminating NUL byte. When using PKCS#12 format private keys and the blob scheme, this property should be set to the PKCS#12 data and the "phase2-private-key-password" property must be set to the password used to decrypt the PKCS#12 certificate and key. When using PKCS#12 files and the path scheme, this property should be set to the full UTF-8 encoded path of the key, prefixed with the string "file://" and ending with a terminating NUL byte, and as with the blob scheme the "phase2-private-key-password" property must be set to the password used to decode the PKCS#12 private key and certificate.</td>
</tr>
<tr>
<td><pre class="screen">phase2-private-key-password</pre></td>
<td><pre class="screen">string</pre></td>
<td><pre class="screen"></pre></td>
<td>The password used to decrypt the "phase 2" private key specified in the "phase2-private-key" property when the private key either uses the path scheme, or is a PKCS#12 format key.</td>
</tr>
<tr>
<td><pre class="screen">phase2-private-key-password-flags</pre></td>
<td><pre class="screen">NMSettingSecretFlags (uint32)</pre></td>
<td><pre class="screen"></pre></td>
<td>Flags indicating how to handle the "phase2-private-key-password" property.</td>
</tr>
<tr>
<td><pre class="screen">phase2-subject-match</pre></td>
<td><pre class="screen">string</pre></td>
<td><pre class="screen"></pre></td>
<td>Substring to be matched against the subject of the certificate presented by the authentication server during the inner "phase 2" authentication. When unset, no verification of the authentication server certificate's subject is performed. This property provides little security, if any, and its use is deprecated in favor of NMSetting8021x:phase2-domain-suffix-match.</td>
</tr>
<tr>
<td><pre class="screen">pin</pre></td>
<td><pre class="screen">string</pre></td>
<td><pre class="screen"></pre></td>
<td>PIN used for EAP authentication methods.</td>
</tr>
<tr>
<td><pre class="screen">pin-flags</pre></td>
<td><pre class="screen">NMSettingSecretFlags (uint32)</pre></td>
<td><pre class="screen"></pre></td>
<td>Flags indicating how to handle the "pin" property.</td>
</tr>
<tr>
<td><pre class="screen">private-key</pre></td>
<td><pre class="screen">byte array</pre></td>
<td><pre class="screen"></pre></td>
<td>Contains the private key when the "eap" property is set to "tls". Key data is specified using a "scheme"; two are currently supported: blob and path. When using the blob scheme and private keys, this property should be set to the key's encrypted PEM encoded data. When using private keys with the path scheme, this property should be set to the full UTF-8 encoded path of the key, prefixed with the string "file://" and ending with a terminating NUL byte. When using PKCS#12 format private keys and the blob scheme, this property should be set to the PKCS#12 data and the "private-key-password" property must be set to the password used to decrypt the PKCS#12 certificate and key. When using PKCS#12 files and the path scheme, this property should be set to the full UTF-8 encoded path of the key, prefixed with the string "file://" and ending with a terminating NUL byte, and as with the blob scheme the "private-key-password" property must be set to the password used to decode the PKCS#12 private key and certificate. WARNING: "private-key" is not a "secret" property, and thus unencrypted private key data using the BLOB scheme may be readable by unprivileged users. Private keys should always be encrypted with a private key password to prevent unauthorized access to unencrypted private key data.</td>
</tr>
<tr>
<td><pre class="screen">private-key-password</pre></td>
<td><pre class="screen">string</pre></td>
<td><pre class="screen"></pre></td>
<td>The password used to decrypt the private key specified in the "private-key" property when the private key either uses the path scheme or is a PKCS#12 format key.</td>
</tr>
<tr>
<td><pre class="screen">private-key-password-flags</pre></td>
<td><pre class="screen">NMSettingSecretFlags (uint32)</pre></td>
<td><pre class="screen"></pre></td>
<td>Flags indicating how to handle the "private-key-password" property.</td>
</tr>
<tr>
<td><pre class="screen">subject-match</pre></td>
<td><pre class="screen">string</pre></td>
<td><pre class="screen"></pre></td>
<td>Substring to be matched against the subject of the certificate presented by the authentication server. When unset, no verification of the authentication server certificate's subject is performed. This property provides little security, if any, and its use is deprecated in favor of NMSetting8021x:domain-suffix-match.</td>
</tr>
<tr>
<td><pre class="screen">system-ca-certs</pre></td>
<td><pre class="screen">boolean</pre></td>
<td><pre class="screen">FALSE</pre></td>
<td>When TRUE, overrides the "ca-path" and "phase2-ca-path" properties using the system CA directory specified at configure time with the --system-ca-path switch. The certificates in this directory are added to the verification chain in addition to any certificates specified by the "ca-cert" and "phase2-ca-cert" properties. If the path provided with --system-ca-path is a file name (a bundle of trusted CA certificates) rather than a directory, it overrides the "ca-cert" and "phase2-ca-cert" properties instead (sets the ca_cert/ca_cert2 options for wpa_supplicant).</td>
</tr>
</tbody>
</table></div>
</div>
<p><br class="table-break"></p>
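<p>Several rows above carry a security consequence: leaving "ca-cert" unset allows man-in-the-middle attacks, "subject-match" is deprecated in favor of "domain-suffix-match", and a "private-key" blob without a "private-key-password" is readable by unprivileged users because the property is not a secret. The script below is an added example, not NetworkManager's own code, that audits a connection profile for exactly those conditions. It assumes the keyfile layout (an <code>[802-1x]</code> section whose keys are the property names in the table, array-of-string values separated by ";", and a certificate or key value beginning with "file://" or "/" meaning the path scheme; anything else is treated as a blob). The two profiles embedded in it are constructed samples.</p>

```python
"""Audit the [802-1x] section of a NetworkManager keyfile for weak settings.

Added example, not NetworkManager project code. Assumed keyfile layout:
[802-1x] section, keys named as in the property table, ';'-separated lists,
and 'file://' or '/' prefixed values meaning the path scheme.
"""
import configparser

PATH_PREFIXES = ("file://", "/")
# EAP methods from the table that present a server certificate to the client.
SERVER_CERT_METHODS = {"tls", "peap", "ttls", "fast"}

# Constructed sample: outer EAP-TLS, no CA, deprecated subject-match,
# private key as an unencrypted blob. The key value is a placeholder.
WEAK_PROFILE = """\
[connection]
id=corp-wifi-weak
type=wifi

[802-1x]
eap=tls;
identity=alice
client-cert=/etc/pki/alice.crt
# placeholder blob, not real key material
private-key=MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSj
subject-match=radius.example.com
"""

# Constructed sample: PEAP/MSCHAPv2 with a pinned CA and server-name suffix.
HARDENED_PROFILE = """\
[connection]
id=corp-wifi
type=wifi

[802-1x]
eap=peap;
identity=alice
phase2-auth=mschapv2
ca-cert=file:///etc/pki/corp-ca.pem
domain-suffix-match=radius.example.com
password-flags=1
"""


def parse_keyfile(text):
    """Return the [802-1x] section as a dict ({} if the section is absent)."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep key names exactly as written
    cp.read_string(text)
    return dict(cp["802-1x"]) if cp.has_section("802-1x") else {}


def split_list(value):
    """Keyfile array-of-string: 'peap;' -> ['peap'] (assumed layout)."""
    return [v for v in value.split(";") if v]


def is_path_scheme(value):
    """Path scheme per the table: 'file://' prefix (a bare '/' is accepted too)."""
    return value.startswith(PATH_PREFIXES)


def audit_8021x(section):
    """Return a list of finding strings; an empty list means nothing was flagged."""
    findings = []
    if not section:
        return findings

    def server_validation(prefix, label):
        # ca-path certs are added to the chain; system-ca-certs=true overrides ca-path.
        has_ca = (section.get(prefix + "ca-cert") or section.get(prefix + "ca-path")
                  or section.get("system-ca-certs", "").lower() == "true")
        if not has_ca:
            findings.append(f"{label}: no CA configured ({prefix}ca-cert/{prefix}ca-path/"
                            "system-ca-certs); server certificate unverified (MITM risk)")
        if not (section.get(prefix + "domain-suffix-match")
                or section.get(prefix + "altsubject-matches")):
            findings.append(f"{label}: neither {prefix}domain-suffix-match nor "
                            f"{prefix}altsubject-matches set; any cert from the CA is accepted")
        if section.get(prefix + "subject-match"):
            findings.append(f"{label}: {prefix}subject-match is deprecated; "
                            f"use {prefix}domain-suffix-match")

    def private_key(prefix, label):
        key = section.get(prefix + "private-key")
        if key and not is_path_scheme(key) and not section.get(prefix + "private-key-password"):
            findings.append(f"{label}: {prefix}private-key is a blob without "
                            f"{prefix}private-key-password; not a secret property, so readable")

    eap = set(split_list(section.get("eap", "")))
    if eap & SERVER_CERT_METHODS:
        server_validation("", "phase 1")
    if "tls" in eap:
        private_key("", "phase 1")

    # Inner EAP-TLS (phase2-auth/phase2-autheap = tls) has its own cert/key properties.
    inner = {section.get("phase2-auth", ""), section.get("phase2-autheap", "")}
    if "tls" in inner:
        server_validation("phase2-", "phase 2")
        private_key("phase2-", "phase 2")
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_PROFILE), ("hardened", HARDENED_PROFILE)):
        print(name, audit_8021x(parse_keyfile(text)) or ["ok"])
```

<p>Run against a real profile, read the file from <code>/etc/NetworkManager/system-connections/</code> (root-only) and pass its text to <code>parse_keyfile</code>. The checks stay silent for methods such as "md5" or "leap" that never present a server certificate, and they treat "system-ca-certs" as satisfying the CA requirement because the table says it supplies the system CA directory or bundle.</p>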
</div>
</div>
<div class="footer">
<hr>Generated by GTK-Doc V1.27</div>
</body>
</html>