NMSetting8021x

NMSetting8021x — Describes 802.1x-authenticated connection properties

Functions

NMSetting * nm_setting_802_1x_new ()
NMSetting8021xCKScheme nm_setting_802_1x_check_cert_scheme ()
guint32 nm_setting_802_1x_get_num_eap_methods ()
const char * nm_setting_802_1x_get_eap_method ()
gboolean nm_setting_802_1x_add_eap_method ()
void nm_setting_802_1x_remove_eap_method ()
gboolean nm_setting_802_1x_remove_eap_method_by_value ()
void nm_setting_802_1x_clear_eap_methods ()
const char * nm_setting_802_1x_get_identity ()
const char * nm_setting_802_1x_get_anonymous_identity ()
const char * nm_setting_802_1x_get_pac_file ()
gboolean nm_setting_802_1x_get_system_ca_certs ()
const char * nm_setting_802_1x_get_ca_path ()
const char * nm_setting_802_1x_get_phase2_ca_path ()
NMSetting8021xCKScheme nm_setting_802_1x_get_ca_cert_scheme ()
GBytes * nm_setting_802_1x_get_ca_cert_blob ()
const char * nm_setting_802_1x_get_ca_cert_path ()
const char * nm_setting_802_1x_get_ca_cert_uri ()
gboolean nm_setting_802_1x_set_ca_cert ()
const char * nm_setting_802_1x_get_ca_cert_password ()
NMSettingSecretFlags nm_setting_802_1x_get_ca_cert_password_flags ()
const char * nm_setting_802_1x_get_subject_match ()
guint32 nm_setting_802_1x_get_num_altsubject_matches ()
const char * nm_setting_802_1x_get_altsubject_match ()
gboolean nm_setting_802_1x_add_altsubject_match ()
void nm_setting_802_1x_remove_altsubject_match ()
gboolean nm_setting_802_1x_remove_altsubject_match_by_value ()
void nm_setting_802_1x_clear_altsubject_matches ()
const char * nm_setting_802_1x_get_domain_suffix_match ()
const char * nm_setting_802_1x_get_domain_match ()
NMSetting8021xCKScheme nm_setting_802_1x_get_client_cert_scheme ()
GBytes * nm_setting_802_1x_get_client_cert_blob ()
const char * nm_setting_802_1x_get_client_cert_path ()
const char * nm_setting_802_1x_get_client_cert_uri ()
gboolean nm_setting_802_1x_set_client_cert ()
const char * nm_setting_802_1x_get_client_cert_password ()
NMSettingSecretFlags nm_setting_802_1x_get_client_cert_password_flags ()
const char * nm_setting_802_1x_get_phase1_peapver ()
const char * nm_setting_802_1x_get_phase1_peaplabel ()
const char * nm_setting_802_1x_get_phase1_fast_provisioning ()
const char * nm_setting_802_1x_get_phase2_auth ()
const char * nm_setting_802_1x_get_phase2_autheap ()
NMSetting8021xCKScheme nm_setting_802_1x_get_phase2_ca_cert_scheme ()
GBytes * nm_setting_802_1x_get_phase2_ca_cert_blob ()
const char * nm_setting_802_1x_get_phase2_ca_cert_path ()
const char * nm_setting_802_1x_get_phase2_ca_cert_uri ()
gboolean nm_setting_802_1x_set_phase2_ca_cert ()
const char * nm_setting_802_1x_get_phase2_ca_cert_password ()
NMSettingSecretFlags nm_setting_802_1x_get_phase2_ca_cert_password_flags ()
const char * nm_setting_802_1x_get_phase2_subject_match ()
guint32 nm_setting_802_1x_get_num_phase2_altsubject_matches ()
const char * nm_setting_802_1x_get_phase2_altsubject_match ()
gboolean nm_setting_802_1x_add_phase2_altsubject_match ()
void nm_setting_802_1x_remove_phase2_altsubject_match ()
gboolean nm_setting_802_1x_remove_phase2_altsubject_match_by_value ()
void nm_setting_802_1x_clear_phase2_altsubject_matches ()
const char * nm_setting_802_1x_get_phase2_domain_suffix_match ()
const char * nm_setting_802_1x_get_phase2_domain_match ()
NMSetting8021xCKScheme nm_setting_802_1x_get_phase2_client_cert_scheme ()
GBytes * nm_setting_802_1x_get_phase2_client_cert_blob ()
const char * nm_setting_802_1x_get_phase2_client_cert_path ()
const char * nm_setting_802_1x_get_phase2_client_cert_uri ()
gboolean nm_setting_802_1x_set_phase2_client_cert ()
const char * nm_setting_802_1x_get_phase2_client_cert_password ()
NMSettingSecretFlags nm_setting_802_1x_get_phase2_client_cert_password_flags ()
const char * nm_setting_802_1x_get_password ()
NMSettingSecretFlags nm_setting_802_1x_get_password_flags ()
GBytes * nm_setting_802_1x_get_password_raw ()
NMSettingSecretFlags nm_setting_802_1x_get_password_raw_flags ()
const char * nm_setting_802_1x_get_pin ()
NMSettingSecretFlags nm_setting_802_1x_get_pin_flags ()
NMSetting8021xCKScheme nm_setting_802_1x_get_private_key_scheme ()
GBytes * nm_setting_802_1x_get_private_key_blob ()
const char * nm_setting_802_1x_get_private_key_path ()
const char * nm_setting_802_1x_get_private_key_uri ()
gboolean nm_setting_802_1x_set_private_key ()
const char * nm_setting_802_1x_get_private_key_password ()
NMSettingSecretFlags nm_setting_802_1x_get_private_key_password_flags ()
NMSetting8021xCKFormat nm_setting_802_1x_get_private_key_format ()
NMSetting8021xCKScheme nm_setting_802_1x_get_phase2_private_key_scheme ()
GBytes * nm_setting_802_1x_get_phase2_private_key_blob ()
const char * nm_setting_802_1x_get_phase2_private_key_path ()
const char * nm_setting_802_1x_get_phase2_private_key_uri ()
gboolean nm_setting_802_1x_set_phase2_private_key ()
const char * nm_setting_802_1x_get_phase2_private_key_password ()
NMSettingSecretFlags nm_setting_802_1x_get_phase2_private_key_password_flags ()
NMSetting8021xCKFormat nm_setting_802_1x_get_phase2_private_key_format ()
NMSetting8021xAuthFlags nm_setting_802_1x_get_phase1_auth_flags ()
int nm_setting_802_1x_get_auth_timeout ()
gboolean nm_setting_802_1x_get_optional ()

Properties

GStrv altsubject-matches Read / Write
char * anonymous-identity Read / Write
int auth-timeout Read / Write
GBytes * ca-cert Read / Write
char * ca-cert-password Read / Write
NMSettingSecretFlags ca-cert-password-flags Read / Write
char * ca-path Read / Write
GBytes * client-cert Read / Write
char * client-cert-password Read / Write
NMSettingSecretFlags client-cert-password-flags Read / Write
char * domain-match Read / Write
char * domain-suffix-match Read / Write
GStrv eap Read / Write
char * identity Read / Write
gboolean optional Read / Write
char * pac-file Read / Write
char * password Read / Write
NMSettingSecretFlags password-flags Read / Write
GBytes * password-raw Read / Write
NMSettingSecretFlags password-raw-flags Read / Write
guint phase1-auth-flags Read / Write
char * phase1-fast-provisioning Read / Write
char * phase1-peaplabel Read / Write
char * phase1-peapver Read / Write
GStrv phase2-altsubject-matches Read / Write
char * phase2-auth Read / Write
char * phase2-autheap Read / Write
GBytes * phase2-ca-cert Read / Write
char * phase2-ca-cert-password Read / Write
NMSettingSecretFlags phase2-ca-cert-password-flags Read / Write
char * phase2-ca-path Read / Write
GBytes * phase2-client-cert Read / Write
char * phase2-client-cert-password Read / Write
NMSettingSecretFlags phase2-client-cert-password-flags Read / Write
char * phase2-domain-match Read / Write
char * phase2-domain-suffix-match Read / Write
GBytes * phase2-private-key Read / Write
char * phase2-private-key-password Read / Write
NMSettingSecretFlags phase2-private-key-password-flags Read / Write
char * phase2-subject-match Read / Write
char * pin Read / Write
NMSettingSecretFlags pin-flags Read / Write
GBytes * private-key Read / Write
char * private-key-password Read / Write
NMSettingSecretFlags private-key-password-flags Read / Write
char * subject-match Read / Write
gboolean system-ca-certs Read / Write

Types and Values

#define NM_SETTING_802_1X_CERT_SCHEME_PREFIX_PATH
#define NM_SETTING_802_1X_CERT_SCHEME_PREFIX_PKCS11
enum NMSetting8021xCKFormat
enum NMSetting8021xCKScheme
enum NMSetting8021xAuthFlags
#define NM_SETTING_802_1X_SETTING_NAME
#define NM_SETTING_802_1X_EAP
#define NM_SETTING_802_1X_IDENTITY
#define NM_SETTING_802_1X_ANONYMOUS_IDENTITY
#define NM_SETTING_802_1X_PAC_FILE
#define NM_SETTING_802_1X_CA_CERT
#define NM_SETTING_802_1X_CA_CERT_PASSWORD
#define NM_SETTING_802_1X_CA_CERT_PASSWORD_FLAGS
#define NM_SETTING_802_1X_CA_PATH
#define NM_SETTING_802_1X_SUBJECT_MATCH
#define NM_SETTING_802_1X_ALTSUBJECT_MATCHES
#define NM_SETTING_802_1X_DOMAIN_SUFFIX_MATCH
#define NM_SETTING_802_1X_DOMAIN_MATCH
#define NM_SETTING_802_1X_CLIENT_CERT
#define NM_SETTING_802_1X_CLIENT_CERT_PASSWORD
#define NM_SETTING_802_1X_CLIENT_CERT_PASSWORD_FLAGS
#define NM_SETTING_802_1X_PHASE1_PEAPVER
#define NM_SETTING_802_1X_PHASE1_PEAPLABEL
#define NM_SETTING_802_1X_PHASE1_FAST_PROVISIONING
#define NM_SETTING_802_1X_PHASE1_AUTH_FLAGS
#define NM_SETTING_802_1X_PHASE2_AUTH
#define NM_SETTING_802_1X_PHASE2_AUTHEAP
#define NM_SETTING_802_1X_PHASE2_CA_CERT
#define NM_SETTING_802_1X_PHASE2_CA_CERT_PASSWORD
#define NM_SETTING_802_1X_PHASE2_CA_CERT_PASSWORD_FLAGS
#define NM_SETTING_802_1X_PHASE2_CA_PATH
#define NM_SETTING_802_1X_PHASE2_SUBJECT_MATCH
#define NM_SETTING_802_1X_PHASE2_ALTSUBJECT_MATCHES
#define NM_SETTING_802_1X_PHASE2_DOMAIN_SUFFIX_MATCH
#define NM_SETTING_802_1X_PHASE2_DOMAIN_MATCH
#define NM_SETTING_802_1X_PHASE2_CLIENT_CERT
#define NM_SETTING_802_1X_PHASE2_CLIENT_CERT_PASSWORD
#define NM_SETTING_802_1X_PHASE2_CLIENT_CERT_PASSWORD_FLAGS
#define NM_SETTING_802_1X_PASSWORD
#define NM_SETTING_802_1X_PASSWORD_FLAGS
#define NM_SETTING_802_1X_PASSWORD_RAW
#define NM_SETTING_802_1X_PASSWORD_RAW_FLAGS
#define NM_SETTING_802_1X_PRIVATE_KEY
#define NM_SETTING_802_1X_PRIVATE_KEY_PASSWORD
#define NM_SETTING_802_1X_PRIVATE_KEY_PASSWORD_FLAGS
#define NM_SETTING_802_1X_PHASE2_PRIVATE_KEY
#define NM_SETTING_802_1X_PHASE2_PRIVATE_KEY_PASSWORD
#define NM_SETTING_802_1X_PHASE2_PRIVATE_KEY_PASSWORD_FLAGS
#define NM_SETTING_802_1X_PIN
#define NM_SETTING_802_1X_PIN_FLAGS
#define NM_SETTING_802_1X_SYSTEM_CA_CERTS
#define NM_SETTING_802_1X_AUTH_TIMEOUT
#define NM_SETTING_802_1X_OPTIONAL
  NMSetting8021x

Object Hierarchy

    GEnum
    ├── NMSetting8021xCKFormat
    ╰── NMSetting8021xCKScheme
    GFlags
    ╰── NMSetting8021xAuthFlags
    GObject
    ╰── NMSetting
        ╰── NMSetting8021x

Description

The NMSetting8021x object is a NMSetting subclass that describes properties necessary for connection to 802.1x-authenticated networks, such as WPA and WPA2 Enterprise Wi-Fi networks and wired 802.1x networks. 802.1x connections typically use certificates and/or EAP authentication methods to securely verify, identify, and authenticate the client to the network itself, instead of simply relying on a widely shared static key.

It's a good idea to read up on wpa_supplicant configuration before using this setting extensively, since most of the options here correspond closely with the relevant wpa_supplicant configuration options.

Furthermore, to get a good idea of 802.1x, EAP, TLS, TTLS, etc. and their applications to Wi-Fi and wired networks, you'll want to get copies of the following books.

802.11 Wireless Networks: The Definitive Guide, Second Edition. Author: Matthew Gast. ISBN: 978-0596100520

Cisco Wireless LAN Security. Authors: Krishna Sankar, Sri Sundaralingam, Darrin Miller, and Andrew Balinsky. ISBN: 978-1587051548

Functions

nm_setting_802_1x_new ()

NMSetting *
nm_setting_802_1x_new (void);

Creates a new NMSetting8021x object with default values.

Returns

the new empty NMSetting8021x object


nm_setting_802_1x_check_cert_scheme ()

NMSetting8021xCKScheme
nm_setting_802_1x_check_cert_scheme (gconstpointer pdata,
                                     gsize length,
                                     GError **error);

Determines and verifies the blob type. When setting certificate properties of NMSetting8021x, the blob must not be UNKNOWN (or NULL).

Parameters

pdata

the data pointer.

[allow-none]

length

the length of the data

 

error

validation reason.

[allow-none][out]

Returns

the scheme of the blob or NM_SETTING_802_1X_CK_SCHEME_UNKNOWN. For NULL it also returns NM_SETTING_802_1X_CK_SCHEME_UNKNOWN.

Since: 1.2


nm_setting_802_1x_get_num_eap_methods ()

guint32
nm_setting_802_1x_get_num_eap_methods (NMSetting8021x *setting);

Returns the number of EAP methods allowed for use when connecting to the network. Generally only one EAP method is used. Use the functions nm_setting_802_1x_get_eap_method(), nm_setting_802_1x_add_eap_method(), and nm_setting_802_1x_remove_eap_method() for retrieving, adding, and removing allowed EAP methods.

Parameters

setting

the NMSetting8021x

 

Returns

the number of allowed EAP methods


nm_setting_802_1x_get_eap_method ()

const char *
nm_setting_802_1x_get_eap_method (NMSetting8021x *setting,
                                  guint32 i);

Returns the name of the allowed EAP method at index i.

Parameters

setting

the NMSetting8021x

 

i

the index of the EAP method name to return

 

Returns

the name of the allowed EAP method at index i


nm_setting_802_1x_add_eap_method ()

gboolean
nm_setting_802_1x_add_eap_method (NMSetting8021x *setting,
                                  const char *eap);

Adds an allowed EAP method. The setting is not valid until at least one EAP method has been added. See “eap” property for a list of allowed EAP methods.

Parameters

setting

the NMSetting8021x

 

eap

the name of the EAP method to allow for this connection

 

Returns

TRUE if the EAP method was successfully added, FALSE if it was not a valid method or if it was already allowed.


nm_setting_802_1x_remove_eap_method ()

void
nm_setting_802_1x_remove_eap_method (NMSetting8021x *setting,
                                     guint32 i);

Removes the allowed EAP method at the specified index.

Parameters

setting

the NMSetting8021x

 

i

the index of the EAP method to remove

 

nm_setting_802_1x_remove_eap_method_by_value ()

gboolean
nm_setting_802_1x_remove_eap_method_by_value
                               (NMSetting8021x *setting,
                                const char *eap);

Removes the allowed EAP method eap.

Parameters

setting

the NMSetting8021x

 

eap

the name of the EAP method to remove

 

Returns

TRUE if the EAP method was found and removed, FALSE if it was not.


nm_setting_802_1x_clear_eap_methods ()

void
nm_setting_802_1x_clear_eap_methods (NMSetting8021x *setting);

Clears all allowed EAP methods.

Parameters

setting

the NMSetting8021x

 

nm_setting_802_1x_get_identity ()

const char *
nm_setting_802_1x_get_identity (NMSetting8021x *setting);

Returns the identifier used by some EAP methods (like TLS) to authenticate the user. Often this is a username or login name.

Parameters

setting

the NMSetting8021x

 

Returns

the user identifier


nm_setting_802_1x_get_anonymous_identity ()

const char *
nm_setting_802_1x_get_anonymous_identity
                               (NMSetting8021x *setting);

Returns the anonymous identifier used by some EAP methods (like TTLS) to authenticate the user in the outer unencrypted "phase 1" authentication. The inner "phase 2" authentication will use the “identity” in a secure form, if applicable for that EAP method.

Parameters

setting

the NMSetting8021x

 

Returns

the anonymous identifier


nm_setting_802_1x_get_pac_file ()

const char *
nm_setting_802_1x_get_pac_file (NMSetting8021x *setting);

Returns the file containing PAC credentials used by EAP-FAST method.

Parameters

setting

the NMSetting8021x

 

Returns

the PAC file


nm_setting_802_1x_get_system_ca_certs ()

gboolean
nm_setting_802_1x_get_system_ca_certs (NMSetting8021x *setting);

Returns the value of the “system-ca-certs” property. The “ca-path” and “phase2-ca-path” properties are ignored if the “system-ca-certs” property is TRUE, in which case a system-wide CA certificate directory specified at compile time (using the --system-ca-path configure option) is used in place of these properties.

Parameters

setting

the NMSetting8021x

 

Returns

TRUE if a system CA certificate path should be used, FALSE if not


nm_setting_802_1x_get_ca_path ()

const char *
nm_setting_802_1x_get_ca_path (NMSetting8021x *setting);

Returns the path of the CA certificate directory if previously set. Systems will often have a directory that contains multiple individual CA certificates which the supplicant can then add to the verification chain. This may be used in addition to the “ca-cert” property to add more CA certificates for verifying the network to the client.

Parameters

setting

the NMSetting8021x

 

Returns

the CA certificate directory path


nm_setting_802_1x_get_phase2_ca_path ()

const char *
nm_setting_802_1x_get_phase2_ca_path (NMSetting8021x *setting);

Returns the path of the "phase 2" CA certificate directory if previously set. Systems will often have a directory that contains multiple individual CA certificates which the supplicant can then add to the verification chain. This may be used in addition to the “phase2-ca-cert” property to add more CA certificates for verifying the network to the client.

Parameters

setting

the NMSetting8021x

 

Returns

the "phase 2" CA certificate directory path


nm_setting_802_1x_get_ca_cert_scheme ()

NMSetting8021xCKScheme
nm_setting_802_1x_get_ca_cert_scheme (NMSetting8021x *setting);

Returns the scheme used to store the CA certificate. If the returned scheme is NM_SETTING_802_1X_CK_SCHEME_BLOB, use nm_setting_802_1x_get_ca_cert_blob(); if NM_SETTING_802_1X_CK_SCHEME_PATH, use nm_setting_802_1x_get_ca_cert_path(); if NM_SETTING_802_1X_CK_SCHEME_PKCS11, use nm_setting_802_1x_get_ca_cert_uri().

Parameters

setting

the NMSetting8021x

 

Returns

scheme used to store the CA certificate (blob, path, or PKCS#11 URI)


nm_setting_802_1x_get_ca_cert_blob ()

GBytes *
nm_setting_802_1x_get_ca_cert_blob (NMSetting8021x *setting);

Returns the CA certificate blob if the CA certificate is stored using the NM_SETTING_802_1X_CK_SCHEME_BLOB scheme. Not all EAP methods use a CA certificate (LEAP for example), and those that can take advantage of the CA certificate allow it to be unset. Note that lack of a CA certificate reduces security by allowing man-in-the-middle attacks, because the identity of the network cannot be confirmed by the client.

Parameters

setting

the NMSetting8021x

 

Returns

the CA certificate data.

[transfer none]


nm_setting_802_1x_get_ca_cert_path ()

const char *
nm_setting_802_1x_get_ca_cert_path (NMSetting8021x *setting);

Returns the CA certificate path if the CA certificate is stored using the NM_SETTING_802_1X_CK_SCHEME_PATH scheme. Not all EAP methods use a CA certificate (LEAP for example), and those that can take advantage of the CA certificate allow it to be unset. Note that lack of a CA certificate reduces security by allowing man-in-the-middle attacks, because the identity of the network cannot be confirmed by the client.

Parameters

setting

the NMSetting8021x

 

Returns

path to the CA certificate file


nm_setting_802_1x_get_ca_cert_uri ()

const char *
nm_setting_802_1x_get_ca_cert_uri (NMSetting8021x *setting);

Returns the CA certificate URI analogously to nm_setting_802_1x_get_ca_cert_blob() and nm_setting_802_1x_get_ca_cert_path().

Currently, it's limited to PKCS11 URIs ('pkcs11' scheme as defined by RFC 7512), but may be extended to other schemes in future (such as 'file' URIs for local files and 'data' URIs for inline certificate data).

Parameters

setting

the NMSetting8021x

 

Returns

the URI string

Since: 1.6


nm_setting_802_1x_set_ca_cert ()

gboolean
nm_setting_802_1x_set_ca_cert (NMSetting8021x *setting,
                               const char *value,
                               NMSetting8021xCKScheme scheme,
                               NMSetting8021xCKFormat *out_format,
                               GError **error);

Reads a certificate from disk and sets the “ca-cert” property with the raw certificate data if using the NM_SETTING_802_1X_CK_SCHEME_BLOB scheme, or with the path to the certificate file if using the NM_SETTING_802_1X_CK_SCHEME_PATH scheme.

Parameters

setting

the NMSetting8021x

 

value

when scheme is set to either NM_SETTING_802_1X_CK_SCHEME_PATH or NM_SETTING_802_1X_CK_SCHEME_BLOB, pass the path of the CA certificate file (PEM or DER format). The path must be UTF-8 encoded; use g_filename_to_utf8() to convert if needed. Passing NULL with any scheme clears the CA certificate.

 

scheme

desired storage scheme for the certificate

 

out_format

on successful return, the type of the certificate added

 

error

on unsuccessful return, an error

 

Returns

TRUE if the operation succeeded, FALSE if it was unsuccessful


nm_setting_802_1x_get_ca_cert_password ()

const char *
nm_setting_802_1x_get_ca_cert_password
                               (NMSetting8021x *setting);

Parameters

setting

the NMSetting8021x

 

Returns

the password used to access the CA certificate stored in the “ca-cert” property. Only makes sense if the certificate is stored on a PKCS#11 token that requires a login.

Since: 1.8


nm_setting_802_1x_get_ca_cert_password_flags ()

NMSettingSecretFlags
nm_setting_802_1x_get_ca_cert_password_flags
                               (NMSetting8021x *setting);

Parameters

setting

the NMSetting8021x

 

Returns

the NMSettingSecretFlags pertaining to the “ca-cert-password”

Since: 1.8


nm_setting_802_1x_get_subject_match ()

const char *
nm_setting_802_1x_get_subject_match (NMSetting8021x *setting);

Parameters

setting

the NMSetting8021x

 

Returns

the “subject-match” property. This is the substring to be matched against the subject of the authentication server certificate, or NULL if no subject verification is to be performed.


nm_setting_802_1x_get_num_altsubject_matches ()

guint32
nm_setting_802_1x_get_num_altsubject_matches
                               (NMSetting8021x *setting);

Returns the number of entries in the “altsubject-matches” property of this setting.

Parameters

setting

the NMSetting8021x

 

Returns

the number of altsubject-matches entries.


nm_setting_802_1x_get_altsubject_match ()

const char *
nm_setting_802_1x_get_altsubject_match
                               (NMSetting8021x *setting,
                                guint32 i);

Returns the altSubjectName match at index i.

Parameters

setting

the NMSetting8021x

 

i

the zero-based index of the array of altSubjectName matches

 

Returns

the altSubjectName match at index i


nm_setting_802_1x_add_altsubject_match ()

gboolean
nm_setting_802_1x_add_altsubject_match
                               (NMSetting8021x *setting,
                                const char *altsubject_match);

Adds an allowed alternate subject name match. Until at least one match is added, the altSubjectName of the remote authentication server is not verified.

Parameters

setting

the NMSetting8021x

 

altsubject_match

the altSubjectName to allow for this connection

 

Returns

TRUE if the alternative subject name match was successfully added, FALSE if it was already allowed.
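The CA certificate note and the altSubjectName rule above can be turned into a configuration check. The following is an added example, not part of the libnm documentation or of NetworkManager's code: it audits the `[802-1x]` section of a keyfile-format connection profile using the property names listed on this page. The keyfile layout, the set of certificate-validating EAP methods, the finding codes, and the sample profiles are assumptions constructed for illustration.

```python
import configparser

SECTION = "802-1x"                      # assumed keyfile section for NMSetting8021x
CERT_METHODS = {"tls", "ttls", "peap"}  # assumption: methods that check a server certificate
NAME_KEYS = ("subject-match", "altsubject-matches",
             "domain-suffix-match", "domain-match")

# Constructed sample profiles (not taken from any real deployment).
WEAK_PROFILE = """\
[connection]
id=corp-wifi
type=wifi

[802-1x]
eap=peap;
identity=alice
phase2-auth=mschapv2
password-flags=1
"""

SYSTEM_CA_ONLY_PROFILE = """\
[802-1x]
eap=peap;
identity=alice
system-ca-certs=true
phase2-auth=mschapv2
"""

HARDENED_PROFILE = """\
[802-1x]
eap=peap;
identity=alice
anonymous-identity=anonymous
ca-cert=/etc/pki/corp/radius-ca.pem
domain-suffix-match=radius.example.com
phase2-auth=mschapv2
password-flags=1
"""

INNER_TLS_PROFILE = """\
[802-1x]
eap=ttls;
identity=alice
ca-cert=/etc/pki/corp/radius-ca.pem
altsubject-matches=DNS:radius.example.com;
phase2-autheap=tls
"""


def _items(value):
    """Split a keyfile list value such as 'peap;ttls;' into its entries."""
    return [part.strip() for part in (value or "").split(";") if part.strip()]


def _check_phase(cfg, prefix, label):
    """Check trust anchor and server-name constraints for one phase.

    prefix is "" for phase 1 properties and "phase2-" for phase 2 ones.
    """
    findings = []
    # system-ca-certs replaces ca-path and phase2-ca-path with the system directory.
    system_cas = cfg.get("system-ca-certs", "false").strip().lower() in ("true", "1", "yes")
    has_anchor = system_cas or any(
        cfg.get(prefix + key, "").strip() for key in ("ca-cert", "ca-path"))
    if not has_anchor:
        # Without a CA the client cannot confirm the identity of the network.
        findings.append(label + ":no-ca")
    if not any(_items(cfg.get(prefix + key)) for key in NAME_KEYS):
        # Any certificate that chains to the trusted CA(s) would be accepted.
        findings.append(label + ":no-server-name-match")
    return findings


def audit_8021x(keyfile_text):
    """Return a list of finding codes for the [802-1x] section, if present."""
    parser = configparser.ConfigParser(
        interpolation=None, delimiters=("=",), strict=False)
    parser.read_string(keyfile_text)
    if not parser.has_section(SECTION):
        return []  # profile does not use 802.1x
    cfg = parser[SECTION]
    methods = [m.lower() for m in _items(cfg.get("eap"))]
    if not methods:
        return ["eap:none"]  # setting is not valid without an EAP method
    findings = []
    if CERT_METHODS.intersection(methods):
        findings += _check_phase(cfg, "", "phase1")
    # Inner EAP-TLS has its own phase2-* CA and match properties.
    if cfg.get("phase2-autheap", "").strip().lower() == "tls":
        findings += _check_phase(cfg, "phase2-", "phase2")
    return findings


if __name__ == "__main__":
    for name in ("WEAK_PROFILE", "SYSTEM_CA_ONLY_PROFILE",
                 "HARDENED_PROFILE", "INNER_TLS_PROFILE"):
        print(name, audit_8021x(globals()[name]))
```

The `SYSTEM_CA_ONLY_PROFILE` case is the one most often missed: a trust anchor is present, but with no subject, altSubjectName, or domain match the server name is still unchecked.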


nm_setting_802_1x_remove_altsubject_match ()

void
nm_setting_802_1x_remove_altsubject_match
                               (NMSetting8021x *setting,
                                guint32 i);

Removes the allowed altSubjectName at the specified index.

Parameters

setting

the NMSetting8021x

 

i

the index of the altSubjectName match to remove

 

nm_setting_802_1x_remove_altsubject_match_by_value ()

gboolean
nm_setting_802_1x_remove_altsubject_match_by_value
                               (NMSetting8021x *setting,
                                const char *altsubject_match);

Removes the allowed altSubjectName altsubject_match.

Parameters

setting

the NMSetting8021x

 

altsubject_match

the altSubjectName to remove

 

Returns

TRUE if the alternative subject name match was found and removed, FALSE if it was not.


nm_setting_802_1x_clear_altsubject_matches ()

void
nm_setting_802_1x_clear_altsubject_matches
                               (NMSetting8021x *setting);

Clears all altSubjectName matches.

Parameters

setting

the NMSetting8021x

 

nm_setting_802_1x_get_domain_suffix_match ()

const char *
nm_setting_802_1x_get_domain_suffix_match
                               (NMSetting8021x *setting);

Parameters

setting

the NMSetting8021x

 

Returns

the “domain-suffix-match” property.

Since: 1.2


nm_setting_802_1x_get_domain_match ()

const char *
nm_setting_802_1x_get_domain_match (NMSetting8021x *setting);

Parameters

setting

the NMSetting8021x

 

Returns

the “domain-match” property.

Since: 1.24


nm_setting_802_1x_get_client_cert_scheme ()

NMSetting8021xCKScheme
nm_setting_802_1x_get_client_cert_scheme
                               (NMSetting8021x *setting);

Returns the scheme used to store the client certificate. If the returned scheme is NM_SETTING_802_1X_CK_SCHEME_BLOB, use nm_setting_802_1x_get_client_cert_blob(); if NM_SETTING_802_1X_CK_SCHEME_PATH, use nm_setting_802_1x_get_client_cert_path(); if NM_SETTING_802_1X_CK_SCHEME_PKCS11, use nm_setting_802_1x_get_client_cert_uri().

Parameters

setting

the NMSetting8021x

 

Returns

scheme used to store the client certificate (blob, path, or PKCS#11 URI)


nm_setting_802_1x_get_client_cert_blob ()

GBytes *
nm_setting_802_1x_get_client_cert_blob
                               (NMSetting8021x *setting);

Client certificates are used to identify the connecting client to the network when EAP-TLS is used as either the "phase 1" or "phase 2" 802.1x authentication method.

Parameters

setting

the NMSetting8021x

 

Returns

the client certificate data.

[transfer none]


nm_setting_802_1x_get_client_cert_path ()

const char *
nm_setting_802_1x_get_client_cert_path
                               (NMSetting8021x *setting);

Client certificates are used to identify the connecting client to the network when EAP-TLS is used as either the "phase 1" or "phase 2" 802.1x authentication method.

Parameters

setting

the NMSetting8021x

 

Returns

path to the client certificate file


nm_setting_802_1x_get_client_cert_uri ()

const char *
nm_setting_802_1x_get_client_cert_uri (NMSetting8021x *setting);

Returns the client certificate URI analogously to nm_setting_802_1x_get_client_cert_blob() and nm_setting_802_1x_get_client_cert_path().

Currently, it's limited to PKCS11 URIs ('pkcs11' scheme as defined by RFC 7512), but may be extended to other schemes in future (such as 'file' URIs for local files and 'data' URIs for inline certificate data).

Parameters

setting

the NMSetting8021x

 

Returns

the URI string

Since: 1.6


nm_setting_802_1x_set_client_cert ()

gboolean
nm_setting_802_1x_set_client_cert (NMSetting8021x *setting,
                                   const char *value,
                                   NMSetting8021xCKScheme scheme,
                                   NMSetting8021xCKFormat *out_format,
                                   GError **error);

Reads a certificate from disk and sets the “client-cert” property with the raw certificate data if using the NM_SETTING_802_1X_CK_SCHEME_BLOB scheme, or with the path to the certificate file if using the NM_SETTING_802_1X_CK_SCHEME_PATH scheme.

Client certificates are used to identify the connecting client to the network when EAP-TLS is used as either the "phase 1" or "phase 2" 802.1x authentication method.

Parameters

setting

the NMSetting8021x

 

value

when scheme is set to either NM_SETTING_802_1X_CK_SCHEME_PATH or NM_SETTING_802_1X_CK_SCHEME_BLOB, pass the path of the client certificate file (PEM, DER, or PKCS#12 format). The path must be UTF-8 encoded; use g_filename_to_utf8() to convert if needed. Passing NULL with any scheme clears the client certificate.

 

scheme

desired storage scheme for the certificate

 

out_format

on successful return, the type of the certificate added

 

error

on unsuccessful return, an error

 

Returns

TRUE if the operation succeeded, FALSE if it was unsuccessful


nm_setting_802_1x_get_client_cert_password ()

const char *
nm_setting_802_1x_get_client_cert_password
                               (NMSetting8021x *setting);

Parameters

setting

the NMSetting8021x

 

Returns

the password used to access the client certificate stored in the “client-cert” property. Only makes sense if the certificate is stored on a PKCS#11 token that requires a login.

Since: 1.8


nm_setting_802_1x_get_client_cert_password_flags ()

NMSettingSecretFlags
nm_setting_802_1x_get_client_cert_password_flags
                               (NMSetting8021x *setting);

Parameters

setting

the NMSetting8021x

 

Returns

the NMSettingSecretFlags pertaining to the “client-cert-password”

Since: 1.8


nm_setting_802_1x_get_phase1_peapver ()

const char *
nm_setting_802_1x_get_phase1_peapver (NMSetting8021x *setting);

Parameters

setting

the NMSetting8021x

 

Returns

the "phase 1" PEAP version to be used when authenticating with EAP-PEAP as contained in the “phase1-peapver” property. Valid values are NULL (unset), "0" (PEAP version 0), and "1" (PEAP version 1).


nm_setting_802_1x_get_phase1_peaplabel ()

const char *
nm_setting_802_1x_get_phase1_peaplabel
                               (NMSetting8021x *setting);

Parameters

setting

the NMSetting8021x

 

Returns

whether the "phase 1" PEAP label is new-style or old-style, to be used when authenticating with EAP-PEAP, as contained in the “phase1-peaplabel” property. Valid values are NULL (unset), "0" (use old-style label), and "1" (use new-style label). See the wpa_supplicant documentation for more details.


nm_setting_802_1x_get_phase1_fast_provisioning ()

const char *
nm_setting_802_1x_get_phase1_fast_provisioning
                               (NMSetting8021x *setting);

Parameters

setting

the NMSetting8021x

 

Returns

whether "phase 1" PEAP fast provisioning should be used, as specified by the “phase1-fast-provisioning” property. See the wpa_supplicant documentation for more details.


nm_setting_802_1x_get_phase2_auth ()

const char *
nm_setting_802_1x_get_phase2_auth (NMSetting8021x *setting);

Parameters

setting

the NMSetting8021x

 

Returns

the "phase 2" non-EAP (e.g. MD5) allowed authentication method as specified by the “phase2-auth” property.


nm_setting_802_1x_get_phase2_autheap ()

const char *
nm_setting_802_1x_get_phase2_autheap (NMSetting8021x *setting);

Parameters

setting

the NMSetting8021x

 

Returns

the "phase 2" EAP-based (e.g. TLS) allowed authentication method as specified by the “phase2-autheap” property.


nm_setting_802_1x_get_phase2_ca_cert_scheme ()

NMSetting8021xCKScheme
nm_setting_802_1x_get_phase2_ca_cert_scheme
                               (NMSetting8021x *setting);

Returns the scheme used to store the "phase 2" CA certificate. If the returned scheme is NM_SETTING_802_1X_CK_SCHEME_BLOB, use nm_setting_802_1x_get_phase2_ca_cert_blob(); if NM_SETTING_802_1X_CK_SCHEME_PATH, use nm_setting_802_1x_get_phase2_ca_cert_path(); if NM_SETTING_802_1X_CK_SCHEME_PKCS11, use nm_setting_802_1x_get_phase2_ca_cert_uri().

Parameters

setting

the NMSetting8021x

 

Returns

scheme used to store the "phase 2" CA certificate (blob, path, or PKCS#11 URI)


nm_setting_802_1x_get_phase2_ca_cert_blob ()

GBytes *
nm_setting_802_1x_get_phase2_ca_cert_blob
                               (NMSetting8021x *setting);

Returns the "phase 2" CA certificate blob if the CA certificate is stored using the NM_SETTING_802_1X_CK_SCHEME_BLOB scheme. Not all EAP methods use a CA certificate (LEAP for example), and those that can take advantage of the CA certificate allow it to be unset. Note that lack of a CA certificate reduces security by allowing man-in-the-middle attacks, because the identity of the network cannot be confirmed by the client.

Parameters

setting

the NMSetting8021x

 

Returns

the "phase 2" CA certificate data.

[transfer none]


nm_setting_802_1x_get_phase2_ca_cert_path ()

const char *
nm_setting_802_1x_get_phase2_ca_cert_path
                               (NMSetting8021x *setting);

Returns the "phase 2" CA certificate path if the CA certificate is stored using the NM_SETTING_802_1X_CK_SCHEME_PATH scheme. Not all EAP methods use a CA certificate (LEAP for example), and those that can take advantage of the CA certificate allow it to be unset. Note that lack of a CA certificate reduces security by allowing man-in-the-middle attacks, because the identity of the network cannot be confirmed by the client.

Parameters

setting

the NMSetting8021x

 

Returns

path to the "phase 2" CA certificate file


nm_setting_802_1x_get_phase2_ca_cert_uri ()

const char *
nm_setting_802_1x_get_phase2_ca_cert_uri
                               (NMSetting8021x *setting);

Returns the "phase 2" CA certificate URI analogously to nm_setting_802_1x_get_phase2_ca_cert_blob() and nm_setting_802_1x_get_phase2_ca_cert_path().

Currently, it's limited to PKCS11 URIs ('pkcs11' scheme as defined by RFC 7512), but may be extended to other schemes in future (such as 'file' URIs for local files and 'data' URIs for inline certificate data).

Parameters

setting

the NMSetting8021x

 

Returns

the URI string

Since: 1.6


nm_setting_802_1x_set_phase2_ca_cert ()

gboolean
nm_setting_802_1x_set_phase2_ca_cert (NMSetting8021x *setting,
                                      const char *value,
                                      NMSetting8021xCKScheme scheme,
                                      NMSetting8021xCKFormat *out_format,
                                      GError **error);

Reads a certificate from disk and sets the “phase2-ca-cert” property with the raw certificate data if using the NM_SETTING_802_1X_CK_SCHEME_BLOB scheme, or with the path to the certificate file if using the NM_SETTING_802_1X_CK_SCHEME_PATH scheme.

Parameters

setting

the NMSetting8021x

 

value

when scheme is set to either NM_SETTING_802_1X_CK_SCHEME_PATH or NM_SETTING_802_1X_CK_SCHEME_BLOB, pass the path of the "phase2" CA certificate file (PEM or DER format). The path must be UTF-8 encoded; use g_filename_to_utf8() to convert if needed. Passing NULL with any scheme clears the "phase2" CA certificate.

 

scheme

desired storage scheme for the certificate

 

out_format

on successful return, the type of the certificate added

 

error

on unsuccessful return, an error

 

Returns

TRUE if the operation succeeded, FALSE if it was unsuccessful


nm_setting_802_1x_get_phase2_ca_cert_password ()

const char *
nm_setting_802_1x_get_phase2_ca_cert_password
                               (NMSetting8021x *setting);

Parameters

setting

the NMSetting8021x

 

Returns

the password used to access the "phase2" CA certificate stored in the “phase2-ca-cert” property. Only makes sense if the certificate is stored on a PKCS#11 token that requires a login.

Since: 1.8


nm_setting_802_1x_get_phase2_ca_cert_password_flags ()

NMSettingSecretFlags
nm_setting_802_1x_get_phase2_ca_cert_password_flags
                               (NMSetting8021x *setting);

Parameters

setting

the NMSetting8021x

 

Since: 1.8


nm_setting_802_1x_get_phase2_subject_match ()

const char *
nm_setting_802_1x_get_phase2_subject_match
                               (NMSetting8021x *setting);

Parameters

setting

the NMSetting8021x

 

Returns

the “phase2-subject-match” property. This is the substring to be matched against the subject of the "phase 2" authentication server certificate, or NULL if no subject verification is to be performed.


nm_setting_802_1x_get_num_phase2_altsubject_matches ()

guint32
nm_setting_802_1x_get_num_phase2_altsubject_matches
                               (NMSetting8021x *setting);

Returns the number of entries in the “phase2-altsubject-matches” property of this setting.

Parameters

setting

the NMSetting8021x

 

Returns

the number of phase2-altsubject-matches entries.


nm_setting_802_1x_get_phase2_altsubject_match ()

const char *
nm_setting_802_1x_get_phase2_altsubject_match
                               (NMSetting8021x *setting,
                                guint32 i);

Returns the "phase 2" altSubjectName match at index i.

Parameters

setting

the NMSetting8021x

 

i

the zero-based index of the array of "phase 2" altSubjectName matches

 

Returns

the "phase 2" altSubjectName match at index i


nm_setting_802_1x_add_phase2_altsubject_match ()

gboolean
nm_setting_802_1x_add_phase2_altsubject_match
                               (NMSetting8021x *setting,
                                const char *phase2_altsubject_match);

Adds an allowed alternate subject name match for "phase 2". Until at least one match is added, the altSubjectName of the "phase 2" remote authentication server is not verified.

Parameters

setting

the NMSetting8021x

 

phase2_altsubject_match

the "phase 2" altSubjectName to allow for this connection

 

Returns

TRUE if the "phase 2" alternative subject name match was successfully added, FALSE if it was already allowed.


nm_setting_802_1x_remove_phase2_altsubject_match ()

void
nm_setting_802_1x_remove_phase2_altsubject_match
                               (NMSetting8021x *setting,
                                guint32 i);

Removes the allowed "phase 2" altSubjectName at the specified index.

Parameters

setting

the NMSetting8021x

 

i

the index of the "phase 2" altSubjectName match to remove

 

nm_setting_802_1x_remove_phase2_altsubject_match_by_value ()

gboolean
nm_setting_802_1x_remove_phase2_altsubject_match_by_value
                               (NMSetting8021x *setting,
                                const char *phase2_altsubject_match);

Removes the allowed "phase 2" altSubjectName phase2_altsubject_match.

Parameters

setting

the NMSetting8021x

 

phase2_altsubject_match

the "phase 2" altSubjectName to remove

 

Returns

TRUE if the alternative subject name match for "phase 2" was found and removed, FALSE if it was not.


nm_setting_802_1x_clear_phase2_altsubject_matches ()

void
nm_setting_802_1x_clear_phase2_altsubject_matches
                               (NMSetting8021x *setting);

Clears all "phase 2" altSubjectName matches.

Parameters

setting

the NMSetting8021x

 

nm_setting_802_1x_get_phase2_domain_suffix_match ()

const char *
nm_setting_802_1x_get_phase2_domain_suffix_match
                               (NMSetting8021x *setting);

Parameters

setting

the NMSetting8021x

 

Returns

the “phase2-domain-suffix-match” property.

Since: 1.2


nm_setting_802_1x_get_phase2_domain_match ()

const char *
nm_setting_802_1x_get_phase2_domain_match
                               (NMSetting8021x *setting);

Parameters

setting

the NMSetting8021x

 

Returns

the “phase2-domain-match” property.

Since: 1.24


nm_setting_802_1x_get_phase2_client_cert_scheme ()

NMSetting8021xCKScheme
nm_setting_802_1x_get_phase2_client_cert_scheme
                               (NMSetting8021x *setting);

Returns the scheme used to store the "phase 2" client certificate. If the returned scheme is NM_SETTING_802_1X_CK_SCHEME_BLOB, use nm_setting_802_1x_get_client_cert_blob(); if NM_SETTING_802_1X_CK_SCHEME_PATH, use nm_setting_802_1x_get_client_cert_path(); if NM_SETTING_802_1X_CK_SCHEME_PKCS11, use nm_setting_802_1x_get_client_cert_uri().

Parameters

setting

the NMSetting8021x

 

Returns

scheme used to store the "phase 2" client certificate (blob or path)


nm_setting_802_1x_get_phase2_client_cert_blob ()

GBytes *
nm_setting_802_1x_get_phase2_client_cert_blob
                               (NMSetting8021x *setting);

Client certificates are used to identify the connecting client to the network when EAP-TLS is used as either the "phase 1" or "phase 2" 802.1x authentication method.

Parameters

setting

the NMSetting8021x

 

Returns

the "phase 2" client certificate data.

[transfer none]


nm_setting_802_1x_get_phase2_client_cert_path ()

const char *
nm_setting_802_1x_get_phase2_client_cert_path
                               (NMSetting8021x *setting);

Client certificates are used to identify the connecting client to the network when EAP-TLS is used as either the "phase 1" or "phase 2" 802.1x authentication method.

Parameters

setting

the NMSetting8021x

 

Returns

path to the "phase 2" client certificate file


nm_setting_802_1x_get_phase2_client_cert_uri ()

const char *
nm_setting_802_1x_get_phase2_client_cert_uri
                               (NMSetting8021x *setting);

Returns the "phase 2" client certificate URI analogously to nm_setting_802_1x_get_phase2_ca_cert_blob() and nm_setting_802_1x_get_phase2_ca_cert_path().

Currently, it's limited to PKCS11 URIs ('pkcs11' scheme as defined by RFC 7512), but may be extended to other schemes in future (such as 'file' URIs for local files and 'data' URIs for inline certificate data).

Parameters

setting

the NMSetting8021x

 

Returns

the URI string

Since: 1.6


nm_setting_802_1x_set_phase2_client_cert ()

gboolean
nm_setting_802_1x_set_phase2_client_cert
                               (NMSetting8021x *setting,
                                const char *value,
                                NMSetting8021xCKScheme scheme,
                                NMSetting8021xCKFormat *out_format,
                                GError **error);

Reads a certificate from disk and sets the “phase2-client-cert” property with the raw certificate data if using the NM_SETTING_802_1X_CK_SCHEME_BLOB scheme, or with the path to the certificate file if using the NM_SETTING_802_1X_CK_SCHEME_PATH scheme.

Client certificates are used to identify the connecting client to the network when EAP-TLS is used as either the "phase 1" or "phase 2" 802.1x authentication method.

Parameters

setting

the NMSetting8021x

 

value

when scheme is set to either NM_SETTING_802_1X_CK_SCHEME_PATH or NM_SETTING_802_1X_CK_SCHEME_BLOB, pass the path of the "phase2" client certificate file (PEM, DER, or PKCS#12 format). The path must be UTF-8 encoded; use g_filename_to_utf8() to convert if needed. Passing NULL with any scheme clears the "phase2" client certificate.

 

scheme

desired storage scheme for the certificate

 

out_format

on successful return, the type of the certificate added

 

error

on unsuccessful return, an error

 

Returns

TRUE if the operation succeeded, FALSE if it was unsuccessful


nm_setting_802_1x_get_phase2_client_cert_password ()

const char *
nm_setting_802_1x_get_phase2_client_cert_password
                               (NMSetting8021x *setting);

Parameters

setting

the NMSetting8021x

 

Returns

the password used to access the "phase2" client certificate stored in the “phase2-client-cert” property. Only makes sense if the certificate is stored on a PKCS#11 token that requires a login.

Since: 1.8


nm_setting_802_1x_get_phase2_client_cert_password_flags ()

NMSettingSecretFlags
nm_setting_802_1x_get_phase2_client_cert_password_flags
                               (NMSetting8021x *setting);

Parameters

setting

the NMSetting8021x

 

Since: 1.8


nm_setting_802_1x_get_password ()

const char *
nm_setting_802_1x_get_password (NMSetting8021x *setting);

Parameters

setting

the NMSetting8021x

 

Returns

the password used by the authentication method, if any, as specified by the “password” property


nm_setting_802_1x_get_password_flags ()

NMSettingSecretFlags
nm_setting_802_1x_get_password_flags (NMSetting8021x *setting);

Parameters

setting

the NMSetting8021x

 

Returns

the NMSettingSecretFlags pertaining to the “password”


nm_setting_802_1x_get_password_raw ()

GBytes *
nm_setting_802_1x_get_password_raw (NMSetting8021x *setting);

Parameters

setting

the NMSetting8021x

 

Returns

the password used by the authentication method as a UTF-8-encoded array of bytes, as specified by the “password-raw” property.

[transfer none]


nm_setting_802_1x_get_password_raw_flags ()

NMSettingSecretFlags
nm_setting_802_1x_get_password_raw_flags
                               (NMSetting8021x *setting);

Parameters

setting

the NMSetting8021x

 

Returns

the NMSettingSecretFlags pertaining to the “password-raw”


nm_setting_802_1x_get_pin ()

const char *
nm_setting_802_1x_get_pin (NMSetting8021x *setting);

Parameters

setting

the NMSetting8021x

 

Returns

the PIN used by the authentication method, if any, as specified by the “pin” property


nm_setting_802_1x_get_pin_flags ()

NMSettingSecretFlags
nm_setting_802_1x_get_pin_flags (NMSetting8021x *setting);

Parameters

setting

the NMSetting8021x

 

Returns

the NMSettingSecretFlags pertaining to the “pin”


nm_setting_802_1x_get_private_key_scheme ()

NMSetting8021xCKScheme
nm_setting_802_1x_get_private_key_scheme
                               (NMSetting8021x *setting);

Returns the scheme used to store the private key. If the returned scheme is NM_SETTING_802_1X_CK_SCHEME_BLOB, use nm_setting_802_1x_get_client_cert_blob(); if NM_SETTING_802_1X_CK_SCHEME_PATH, use nm_setting_802_1x_get_client_cert_path(); if NM_SETTING_802_1X_CK_SCHEME_PKCS11, use nm_setting_802_1x_get_client_cert_uri().

Parameters

setting

the NMSetting8021x

 

Returns

scheme used to store the private key (blob or path)


nm_setting_802_1x_get_private_key_blob ()

GBytes *
nm_setting_802_1x_get_private_key_blob
                               (NMSetting8021x *setting);

Private keys are used to authenticate the connecting client to the network when EAP-TLS is used as either the "phase 1" or "phase 2" 802.1x authentication method.

WARNING: the private key property is not a "secret" property, and thus unencrypted private key data may be readable by unprivileged users. Private keys should always be encrypted with a private key password.

Parameters

setting

the NMSetting8021x

 

Returns

the private key data.

[transfer none]


nm_setting_802_1x_get_private_key_path ()

const char *
nm_setting_802_1x_get_private_key_path
                               (NMSetting8021x *setting);

Private keys are used to authenticate the connecting client to the network when EAP-TLS is used as either the "phase 1" or "phase 2" 802.1x authentication method.

Parameters

setting

the NMSetting8021x

 

Returns

path to the private key file


nm_setting_802_1x_get_private_key_uri ()

const char *
nm_setting_802_1x_get_private_key_uri (NMSetting8021x *setting);

Returns the private key URI analogously to nm_setting_802_1x_get_private_key_blob() and nm_setting_802_1x_get_private_key_path().

Currently, it's limited to PKCS11 URIs ('pkcs11' scheme as defined by RFC 7512), but may be extended to other schemes in future (such as 'file' URIs for local files and 'data' URIs for inline certificate data).

Parameters

setting

the NMSetting8021x

 

Returns

the URI string

Since: 1.6


nm_setting_802_1x_set_private_key ()

gboolean
nm_setting_802_1x_set_private_key (NMSetting8021x *setting,
                                   const char *value,
                                   const char *password,
                                   NMSetting8021xCKScheme scheme,
                                   NMSetting8021xCKFormat *out_format,
                                   GError **error);

Private keys are used to authenticate the connecting client to the network when EAP-TLS is used as either the "phase 1" or "phase 2" 802.1x authentication method.

This function reads a private key from disk and sets the “private-key” property with the private key file data if using the NM_SETTING_802_1X_CK_SCHEME_BLOB scheme, or with the path to the private key file if using the NM_SETTING_802_1X_CK_SCHEME_PATH scheme.

If password is given, this function attempts to decrypt the private key to verify that password is correct, and if it is, updates the “private-key-password” property with the given password. If the decryption is unsuccessful, FALSE is returned, error is set, and no internal data is changed. If no password is given, the private key is assumed to be valid, no decryption is performed, and the password may be set at a later time.

WARNING: the private key property is not a "secret" property, and thus unencrypted private key data using the BLOB scheme may be readable by unprivileged users. Private keys should always be encrypted with a private key password to prevent unauthorized access to unencrypted private key data.

Parameters

setting

the NMSetting8021x

 

value

when scheme is set to either NM_SETTING_802_1X_CK_SCHEME_PATH or NM_SETTING_802_1X_CK_SCHEME_BLOB, pass the path of the private key file (PEM, DER, or PKCS#12 format). The path must be UTF-8 encoded; use g_filename_to_utf8() to convert if needed. Passing NULL with any scheme clears the private key.

 

password

password used to decrypt the private key, or NULL if the password is unknown. If the password is given but fails to decrypt the private key, an error is returned.

 

scheme

desired storage scheme for the private key

 

out_format

on successful return, the type of the private key added

 

error

on unsuccessful return, an error

 

Returns

TRUE if the operation succeeded, FALSE if it was unsuccessful


nm_setting_802_1x_get_private_key_password ()

const char *
nm_setting_802_1x_get_private_key_password
                               (NMSetting8021x *setting);

Parameters

setting

the NMSetting8021x

 

Returns

the private key password used to decrypt the private key if previously set with nm_setting_802_1x_set_private_key(), or the “private-key-password” property.


nm_setting_802_1x_get_private_key_password_flags ()

NMSettingSecretFlags
nm_setting_802_1x_get_private_key_password_flags
                               (NMSetting8021x *setting);

Parameters

setting

the NMSetting8021x

 

Returns

the NMSettingSecretFlags pertaining to the “private-key-password”


nm_setting_802_1x_get_private_key_format ()

NMSetting8021xCKFormat
nm_setting_802_1x_get_private_key_format
                               (NMSetting8021x *setting);

Parameters

setting

the NMSetting8021x

 

Returns

the data format of the private key data stored in the “private-key” property


nm_setting_802_1x_get_phase2_private_key_scheme ()

NMSetting8021xCKScheme
nm_setting_802_1x_get_phase2_private_key_scheme
                               (NMSetting8021x *setting);

Returns the scheme used to store the "phase 2" private key. If the returned scheme is NM_SETTING_802_1X_CK_SCHEME_BLOB, use nm_setting_802_1x_get_client_cert_blob(); if NM_SETTING_802_1X_CK_SCHEME_PATH, use nm_setting_802_1x_get_client_cert_path(); if NM_SETTING_802_1X_CK_SCHEME_PKCS11, use nm_setting_802_1x_get_client_cert_uri().

Parameters

setting

the NMSetting8021x

 

Returns

scheme used to store the "phase 2" private key (blob or path)


nm_setting_802_1x_get_phase2_private_key_blob ()

GBytes *
nm_setting_802_1x_get_phase2_private_key_blob
                               (NMSetting8021x *setting);

Private keys are used to authenticate the connecting client to the network when EAP-TLS is used as either the "phase 1" or "phase 2" 802.1x authentication method.

WARNING: the phase2 private key property is not a "secret" property, and thus unencrypted private key data may be readable by unprivileged users. Private keys should always be encrypted with a private key password.

Parameters

setting

the NMSetting8021x

 

Returns

the "phase 2" private key data.

[transfer none]


nm_setting_802_1x_get_phase2_private_key_path ()

const char *
nm_setting_802_1x_get_phase2_private_key_path
                               (NMSetting8021x *setting);

Private keys are used to authenticate the connecting client to the network when EAP-TLS is used as either the "phase 1" or "phase 2" 802.1x authentication method.

Parameters

setting

the NMSetting8021x

 

Returns

path to the "phase 2" private key file


nm_setting_802_1x_get_phase2_private_key_uri ()

const char *
nm_setting_802_1x_get_phase2_private_key_uri
                               (NMSetting8021x *setting);

Returns the "phase 2" private key URI analogously to nm_setting_802_1x_get_phase2_private_key_blob() and nm_setting_802_1x_get_phase2_private_key_path().

Currently, it's limited to PKCS11 URIs ('pkcs11' scheme as defined by RFC 7512), but may be extended to other schemes in future (such as 'file' URIs for local files and 'data' URIs for inline certificate data).

Parameters

setting

the NMSetting8021x

 

Returns

the URI string

Since: 1.6


nm_setting_802_1x_set_phase2_private_key ()

gboolean
nm_setting_802_1x_set_phase2_private_key
                               (NMSetting8021x *setting,
                                const char *value,
                                const char *password,
                                NMSetting8021xCKScheme scheme,
                                NMSetting8021xCKFormat *out_format,
                                GError **error);

Private keys are used to authenticate the connecting client to the network when EAP-TLS is used as either the "phase 1" or "phase 2" 802.1x authentication method.

This function reads a private key from disk and sets the “phase2-private-key” property with the private key file data if using the NM_SETTING_802_1X_CK_SCHEME_BLOB scheme, or with the path to the private key file if using the NM_SETTING_802_1X_CK_SCHEME_PATH scheme.

If password is given, this function attempts to decrypt the private key to verify that password is correct, and if it is, updates the “phase2-private-key-password” property with the given password. If the decryption is unsuccessful, FALSE is returned, error is set, and no internal data is changed. If no password is given, the private key is assumed to be valid, no decryption is performed, and the password may be set at a later time.

WARNING: the "phase2" private key property is not a "secret" property, and thus unencrypted private key data using the BLOB scheme may be readable by unprivileged users. Private keys should always be encrypted with a private key password to prevent unauthorized access to unencrypted private key data.

Parameters

setting

the NMSetting8021x

 

value

when scheme is set to either NM_SETTING_802_1X_CK_SCHEME_PATH or NM_SETTING_802_1X_CK_SCHEME_BLOB, pass the path of the "phase2" private key file (PEM, DER, or PKCS#12 format). The path must be UTF-8 encoded; use g_filename_to_utf8() to convert if needed. Passing NULL with any scheme clears the private key.

 

password

password used to decrypt the private key, or NULL if the password is unknown. If the password is given but fails to decrypt the private key, an error is returned.

 

scheme

desired storage scheme for the private key

 

out_format

on successful return, the type of the private key added

 

error

on unsuccessful return, an error

 

Returns

TRUE if the operation succeeded, FALSE if it was unsuccessful


nm_setting_802_1x_get_phase2_private_key_password ()

const char *
nm_setting_802_1x_get_phase2_private_key_password
                               (NMSetting8021x *setting);

Parameters

setting

the NMSetting8021x

 

Returns

the private key password used to decrypt the private key if previously set with nm_setting_802_1x_set_phase2_private_key() or the “phase2-private-key-password” property.


nm_setting_802_1x_get_phase2_private_key_password_flags ()

NMSettingSecretFlags
nm_setting_802_1x_get_phase2_private_key_password_flags
                               (NMSetting8021x *setting);

Parameters

setting

the NMSetting8021x

 

nm_setting_802_1x_get_phase2_private_key_format ()

NMSetting8021xCKFormat
nm_setting_802_1x_get_phase2_private_key_format
                               (NMSetting8021x *setting);

Parameters

setting

the NMSetting8021x

 

Returns

the data format of the "phase 2" private key data stored in the “phase2-private-key” property


nm_setting_802_1x_get_phase1_auth_flags ()

NMSetting8021xAuthFlags
nm_setting_802_1x_get_phase1_auth_flags
                               (NMSetting8021x *setting);

Parameters

setting

the NMSetting8021x

 

Returns

the authentication flags for "phase 1".

Since: 1.8


nm_setting_802_1x_get_auth_timeout ()

int
nm_setting_802_1x_get_auth_timeout (NMSetting8021x *setting);

Returns the value contained in the “auth-timeout” property.

Parameters

setting

the NMSetting8021x

 

Returns

the configured authentication timeout in seconds. Zero means the global default value.

Since: 1.8


nm_setting_802_1x_get_optional ()

gboolean
nm_setting_802_1x_get_optional (NMSetting8021x *setting);

Returns the value contained in the “optional” property.

Parameters

setting

the NMSetting8021x

 

Returns

TRUE if the activation should proceed even when the 802.1X authentication fails; FALSE otherwise

Since: 1.22
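The descriptions above name three conditions that weaken authentication of the server: no CA certificate, no subject or altSubjectName match, and “optional” set to TRUE. The following audit for those conditions is an added example, not libnm code. It assumes the profile is available as INI-style keyfile text with an [802-1x] section keyed by the property names on this page; the EX_ names and the sample profiles are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Finding bits returned by ex_audit_8021x(); the names are this example's own. */
enum {
    EX_NO_TRUST_ANCHOR = 1 << 0, /* no ca-cert, ca-path or system-ca-certs */
    EX_NO_NAME_MATCH   = 1 << 1, /* no subject, altsubject or domain match */
    EX_AUTH_OPTIONAL   = 1 << 2  /* optional=true: activation survives auth failure */
};

/* Strip leading and trailing blanks (and a trailing CR) in place. */
static char *trim(char *s)
{
    char *end;
    while (*s == ' ' || *s == '\t')
        s++;
    end = s + strlen(s);
    while (end > s && strchr(" \t\r", end[-1]) != NULL)
        end--;
    *end = '\0';
    return s;
}

static int is_true(const char *v) { return !strcmp(v, "true") || !strcmp(v, "1"); }

static int one_of(const char *key, const char *const *names)
{
    for (; *names != NULL; names++)
        if (strcmp(key, *names) == 0)
            return 1;
    return 0;
}

/* Scan keyfile text and report weak server-validation settings in [802-1x]. */
unsigned ex_audit_8021x(const char *text)
{
    static const char *const anchors[] = { "ca-cert", "ca-path", NULL };
    static const char *const matches[] = { "subject-match", "altsubject-matches",
                                           "domain-suffix-match", "domain-match", NULL };
    int in_section = 0, seen = 0, uses_tls = 0, anchor = 0, match = 0, optional = 0;
    unsigned findings = 0;
    while (*text != '\0') {
        char line[512], *s, *eq, *key, *val;
        size_t n = strcspn(text, "\n");
        size_t copy = n < sizeof(line) - 1 ? n : sizeof(line) - 1;
        memcpy(line, text, copy);
        line[copy] = '\0';
        text += n + (text[n] == '\n');   /* step past the line and its newline */
        s = trim(line);
        if (*s == '\0' || *s == '#')
            continue;
        if (*s == '[') {                 /* section header */
            in_section = strcmp(s, "[802-1x]") == 0;
            seen |= in_section;
            continue;
        }
        if (!in_section || (eq = strchr(s, '=')) == NULL)
            continue;
        *eq = '\0';
        key = trim(s);
        val = trim(eq + 1);
        if (strcmp(key, "eap") == 0)     /* "tls" also matches "ttls" */
            uses_tls = strstr(val, "tls") != NULL || strstr(val, "peap") != NULL;
        else if (strcmp(key, "system-ca-certs") == 0)
            anchor |= is_true(val);
        else if (one_of(key, anchors))
            anchor |= *val != '\0';
        else if (one_of(key, matches))
            match |= *val != '\0';
        else if (strcmp(key, "optional") == 0)
            optional = is_true(val);
    }
    if (!seen)
        return 0;                        /* profile carries no 802.1X setting */
    if (uses_tls && !anchor)
        findings |= EX_NO_TRUST_ANCHOR;
    if (uses_tls && !match)
        findings |= EX_NO_NAME_MATCH;
    if (optional)
        findings |= EX_AUTH_OPTIONAL;
    return findings;
}

/* Constructed profiles for illustration. */
static const char SAMPLE_WEAK[] =
    "[connection]\nid=corp-wired\n\n"
    "[802-1x]\neap=peap;\nidentity=alice\nphase2-auth=mschapv2\noptional=true\n";
static const char SAMPLE_HARDENED[] =
    "[802-1x]\neap=peap;\nidentity=alice\nphase2-auth=mschapv2\n"
    "ca-cert=/etc/pki/radius-ca.pem\ndomain-suffix-match=radius.example.org\n";

int main(void)
{
    printf("weak: 0x%x, hardened: 0x%x\n",
           ex_audit_8021x(SAMPLE_WEAK), ex_audit_8021x(SAMPLE_HARDENED));
    return 0;
}
```

The certificate checks are applied only when “eap” names a TLS-based method, since methods such as LEAP do not use a CA certificate; only the phase 1 properties are inspected.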

Types and Values

NM_SETTING_802_1X_CERT_SCHEME_PREFIX_PATH

#define NM_SETTING_802_1X_CERT_SCHEME_PREFIX_PATH   "file://"

NM_SETTING_802_1X_CERT_SCHEME_PREFIX_PKCS11

#define NM_SETTING_802_1X_CERT_SCHEME_PREFIX_PKCS11 "pkcs11:"

enum NMSetting8021xCKFormat

NMSetting8021xCKFormat values indicate the general type of a certificate or private key

Members

NM_SETTING_802_1X_CK_FORMAT_UNKNOWN

unknown file format

 

NM_SETTING_802_1X_CK_FORMAT_X509

file contains an X.509 format certificate

 

NM_SETTING_802_1X_CK_FORMAT_RAW_KEY

file contains an old-style OpenSSL PEM or DER private key

 

NM_SETTING_802_1X_CK_FORMAT_PKCS12

file contains a PKCS#12 certificate and private key

 

enum NMSetting8021xCKScheme

NMSetting8021xCKScheme values indicate how a certificate or private key is stored in the setting properties, either as a blob of the item's data, or as a path to a certificate or private key file on the filesystem

Members

NM_SETTING_802_1X_CK_SCHEME_UNKNOWN

unknown certificate or private key scheme

 

NM_SETTING_802_1X_CK_SCHEME_BLOB

certificate or key is stored as the raw item data

 

NM_SETTING_802_1X_CK_SCHEME_PATH

certificate or key is stored as a path to a file containing the certificate or key data

 

NM_SETTING_802_1X_CK_SCHEME_PKCS11

certificate or key is stored as a URI of an object on a PKCS11 token

 

enum NMSetting8021xAuthFlags

NMSetting8021xAuthFlags values indicate which authentication settings should be used.

Before 1.22, this was wrongly marked as an enum and not as a flags type.

Members

NM_SETTING_802_1X_AUTH_FLAGS_NONE

No flags

 

NM_SETTING_802_1X_AUTH_FLAGS_TLS_1_0_DISABLE

Disable TLSv1.0

 

NM_SETTING_802_1X_AUTH_FLAGS_TLS_1_1_DISABLE

Disable TLSv1.1

 

NM_SETTING_802_1X_AUTH_FLAGS_TLS_1_2_DISABLE

Disable TLSv1.2

 

NM_SETTING_802_1X_AUTH_FLAGS_ALL

All supported flags

 

Since: 1.8


NM_SETTING_802_1X_SETTING_NAME

#define NM_SETTING_802_1X_SETTING_NAME "802-1x"

NM_SETTING_802_1X_EAP

#define NM_SETTING_802_1X_EAP                               "eap"

NM_SETTING_802_1X_IDENTITY

#define NM_SETTING_802_1X_IDENTITY                          "identity"

NM_SETTING_802_1X_ANONYMOUS_IDENTITY

#define NM_SETTING_802_1X_ANONYMOUS_IDENTITY                "anonymous-identity"

NM_SETTING_802_1X_PAC_FILE

#define NM_SETTING_802_1X_PAC_FILE                          "pac-file"

NM_SETTING_802_1X_CA_CERT

#define NM_SETTING_802_1X_CA_CERT                           "ca-cert"

NM_SETTING_802_1X_CA_CERT_PASSWORD

#define NM_SETTING_802_1X_CA_CERT_PASSWORD                  "ca-cert-password"

NM_SETTING_802_1X_CA_CERT_PASSWORD_FLAGS

#define NM_SETTING_802_1X_CA_CERT_PASSWORD_FLAGS            "ca-cert-password-flags"

NM_SETTING_802_1X_CA_PATH

#define NM_SETTING_802_1X_CA_PATH                           "ca-path"

NM_SETTING_802_1X_SUBJECT_MATCH

#define NM_SETTING_802_1X_SUBJECT_MATCH                     "subject-match"

NM_SETTING_802_1X_ALTSUBJECT_MATCHES

#define NM_SETTING_802_1X_ALTSUBJECT_MATCHES                "altsubject-matches"

NM_SETTING_802_1X_DOMAIN_SUFFIX_MATCH

#define NM_SETTING_802_1X_DOMAIN_SUFFIX_MATCH               "domain-suffix-match"

NM_SETTING_802_1X_DOMAIN_MATCH

#define NM_SETTING_802_1X_DOMAIN_MATCH                      "domain-match"

NM_SETTING_802_1X_CLIENT_CERT

#define NM_SETTING_802_1X_CLIENT_CERT                       "client-cert"

NM_SETTING_802_1X_CLIENT_CERT_PASSWORD

#define NM_SETTING_802_1X_CLIENT_CERT_PASSWORD              "client-cert-password"

NM_SETTING_802_1X_CLIENT_CERT_PASSWORD_FLAGS

#define NM_SETTING_802_1X_CLIENT_CERT_PASSWORD_FLAGS        "client-cert-password-flags"

NM_SETTING_802_1X_PHASE1_PEAPVER

#define NM_SETTING_802_1X_PHASE1_PEAPVER                    "phase1-peapver"

NM_SETTING_802_1X_PHASE1_PEAPLABEL

#define NM_SETTING_802_1X_PHASE1_PEAPLABEL                  "phase1-peaplabel"

NM_SETTING_802_1X_PHASE1_FAST_PROVISIONING

#define NM_SETTING_802_1X_PHASE1_FAST_PROVISIONING          "phase1-fast-provisioning"

NM_SETTING_802_1X_PHASE1_AUTH_FLAGS

#define NM_SETTING_802_1X_PHASE1_AUTH_FLAGS                 "phase1-auth-flags"

NM_SETTING_802_1X_PHASE2_AUTH

#define NM_SETTING_802_1X_PHASE2_AUTH                       "phase2-auth"

NM_SETTING_802_1X_PHASE2_AUTHEAP

#define NM_SETTING_802_1X_PHASE2_AUTHEAP                    "phase2-autheap"

NM_SETTING_802_1X_PHASE2_CA_CERT

#define NM_SETTING_802_1X_PHASE2_CA_CERT                    "phase2-ca-cert"

NM_SETTING_802_1X_PHASE2_CA_CERT_PASSWORD

#define NM_SETTING_802_1X_PHASE2_CA_CERT_PASSWORD           "phase2-ca-cert-password"

NM_SETTING_802_1X_PHASE2_CA_CERT_PASSWORD_FLAGS

#define NM_SETTING_802_1X_PHASE2_CA_CERT_PASSWORD_FLAGS     "phase2-ca-cert-password-flags"

NM_SETTING_802_1X_PHASE2_CA_PATH

#define NM_SETTING_802_1X_PHASE2_CA_PATH                    "phase2-ca-path"

NM_SETTING_802_1X_PHASE2_SUBJECT_MATCH

#define NM_SETTING_802_1X_PHASE2_SUBJECT_MATCH              "phase2-subject-match"

NM_SETTING_802_1X_PHASE2_ALTSUBJECT_MATCHES

#define NM_SETTING_802_1X_PHASE2_ALTSUBJECT_MATCHES         "phase2-altsubject-matches"

NM_SETTING_802_1X_PHASE2_DOMAIN_SUFFIX_MATCH

#define NM_SETTING_802_1X_PHASE2_DOMAIN_SUFFIX_MATCH        "phase2-domain-suffix-match"

NM_SETTING_802_1X_PHASE2_DOMAIN_MATCH

#define NM_SETTING_802_1X_PHASE2_DOMAIN_MATCH               "phase2-domain-match"

NM_SETTING_802_1X_PHASE2_CLIENT_CERT

#define NM_SETTING_802_1X_PHASE2_CLIENT_CERT                "phase2-client-cert"

NM_SETTING_802_1X_PHASE2_CLIENT_CERT_PASSWORD

#define NM_SETTING_802_1X_PHASE2_CLIENT_CERT_PASSWORD       "phase2-client-cert-password"

NM_SETTING_802_1X_PHASE2_CLIENT_CERT_PASSWORD_FLAGS

#define NM_SETTING_802_1X_PHASE2_CLIENT_CERT_PASSWORD_FLAGS "phase2-client-cert-password-flags"

NM_SETTING_802_1X_PASSWORD

#define NM_SETTING_802_1X_PASSWORD                          "password"

NM_SETTING_802_1X_PASSWORD_FLAGS

#define NM_SETTING_802_1X_PASSWORD_FLAGS                    "password-flags"

NM_SETTING_802_1X_PASSWORD_RAW

#define NM_SETTING_802_1X_PASSWORD_RAW                      "password-raw"

NM_SETTING_802_1X_PASSWORD_RAW_FLAGS

#define NM_SETTING_802_1X_PASSWORD_RAW_FLAGS                "password-raw-flags"

NM_SETTING_802_1X_PRIVATE_KEY

#define NM_SETTING_802_1X_PRIVATE_KEY                       "private-key"

NM_SETTING_802_1X_PRIVATE_KEY_PASSWORD

#define NM_SETTING_802_1X_PRIVATE_KEY_PASSWORD              "private-key-password"

NM_SETTING_802_1X_PRIVATE_KEY_PASSWORD_FLAGS

#define NM_SETTING_802_1X_PRIVATE_KEY_PASSWORD_FLAGS        "private-key-password-flags"

NM_SETTING_802_1X_PHASE2_PRIVATE_KEY

#define NM_SETTING_802_1X_PHASE2_PRIVATE_KEY                "phase2-private-key"

NM_SETTING_802_1X_PHASE2_PRIVATE_KEY_PASSWORD

#define NM_SETTING_802_1X_PHASE2_PRIVATE_KEY_PASSWORD       "phase2-private-key-password"

NM_SETTING_802_1X_PHASE2_PRIVATE_KEY_PASSWORD_FLAGS

#define NM_SETTING_802_1X_PHASE2_PRIVATE_KEY_PASSWORD_FLAGS "phase2-private-key-password-flags"

NM_SETTING_802_1X_PIN

#define NM_SETTING_802_1X_PIN                               "pin"

NM_SETTING_802_1X_PIN_FLAGS

#define NM_SETTING_802_1X_PIN_FLAGS                         "pin-flags"

NM_SETTING_802_1X_SYSTEM_CA_CERTS

#define NM_SETTING_802_1X_SYSTEM_CA_CERTS                   "system-ca-certs"

NM_SETTING_802_1X_AUTH_TIMEOUT

#define NM_SETTING_802_1X_AUTH_TIMEOUT                      "auth-timeout"

NM_SETTING_802_1X_OPTIONAL

#define NM_SETTING_802_1X_OPTIONAL                          "optional"

NMSetting8021x

typedef struct _NMSetting8021x NMSetting8021x;

IEEE 802.1x Authentication Settings

Property Details

The “altsubject-matches” property

  “altsubject-matches”       GStrv

List of strings to be matched against the altSubjectName of the certificate presented by the authentication server. If the list is empty, no verification of the server certificate's altSubjectName is performed.

Owner: NMSetting8021x

Flags: Read / Write


The “anonymous-identity” property

  “anonymous-identity”       char *

Anonymous identity string for EAP authentication methods. Used as the unencrypted identity with EAP types that support a different tunneled identity, such as EAP-TTLS.

Owner: NMSetting8021x

Flags: Read / Write

Default value: NULL


The “auth-timeout” property

  “auth-timeout”             int

A timeout for the authentication. Zero means the global default; if the global default is not set, the authentication timeout is 25 seconds.

Owner: NMSetting8021x

Flags: Read / Write

Allowed values: >= 0

Default value: 0

Since: 1.8


The “ca-cert” property

  “ca-cert”                  GBytes *

Contains the CA certificate if used by the EAP method specified in the “eap” property.

Certificate data is specified using a "scheme"; three are currently supported: blob, path and pkcs11 URL. When using the blob scheme this property should be set to the certificate's DER encoded data. When using the path scheme, this property should be set to the full UTF-8 encoded path of the certificate, prefixed with the string "file://" and ending with a terminating NUL byte. This property can be unset even if the EAP method supports CA certificates, but this allows man-in-the-middle attacks and is NOT recommended.

Note that enabling NMSetting8021x:system-ca-certs will override this setting to use the built-in path, if the built-in path is not a directory.

Setting this property directly is discouraged; use the nm_setting_802_1x_set_ca_cert() function instead.

Owner: NMSetting8021x

Flags: Read / Write


The “ca-cert-password” property

  “ca-cert-password”         char *

The password used to access the CA certificate stored in the “ca-cert” property. Only makes sense if the certificate is stored on a PKCS#11 token that requires a login.

Owner: NMSetting8021x

Flags: Read / Write

Default value: NULL

Since: 1.8


The “ca-cert-password-flags” property

  “ca-cert-password-flags”   NMSettingSecretFlags

Flags indicating how to handle the “ca-cert-password” property.

Owner: NMSetting8021x

Flags: Read / Write

Since: 1.8


The “ca-path” property

  “ca-path”                  char *

UTF-8 encoded path to a directory containing PEM or DER formatted certificates to be added to the verification chain in addition to the certificate specified in the “ca-cert” property.

If NMSetting8021x:system-ca-certs is enabled and the built-in CA path is an existing directory, then this setting is ignored.

Owner: NMSetting8021x

Flags: Read / Write

Default value: NULL


The “client-cert” property

  “client-cert”              GBytes *

Contains the client certificate if used by the EAP method specified in the “eap” property.

Certificate data is specified using a "scheme"; two are currently supported: blob and path. When using the blob scheme (which is backwards compatible with NM 0.7.x) this property should be set to the certificate's DER encoded data. When using the path scheme, this property should be set to the full UTF-8 encoded path of the certificate, prefixed with the string "file://" and ending with a terminating NUL byte.

Setting this property directly is discouraged; use the nm_setting_802_1x_set_client_cert() function instead.

Owner: NMSetting8021x

Flags: Read / Write


The “client-cert-password” property

  “client-cert-password”     char *

The password used to access the client certificate stored in the “client-cert” property. Only makes sense if the certificate is stored on a PKCS#11 token that requires a login.

Owner: NMSetting8021x

Flags: Read / Write

Default value: NULL

Since: 1.8


The “client-cert-password-flags” property

  “client-cert-password-flags” NMSettingSecretFlags

Flags indicating how to handle the “client-cert-password” property.

Owner: NMSetting8021x

Flags: Read / Write

Since: 1.8


The “domain-match” property

  “domain-match”             char *

Constraint for server domain name. If set, this list of FQDNs is used as a match requirement for dNSName element(s) of the certificate presented by the authentication server. If a matching dNSName is found, this constraint is met. If no dNSName values are present, this constraint is matched against SubjectName CN using the same comparison. Multiple valid FQDNs can be passed as a ";" delimited list.

Owner: NMSetting8021x

Flags: Read / Write

Default value: NULL

Since: 1.24


The “domain-suffix-match” property

  “domain-suffix-match”      char *

Constraint for server domain name. If set, this FQDN is used as a suffix match requirement for dNSName element(s) of the certificate presented by the authentication server. If a matching dNSName is found, this constraint is met. If no dNSName values are present, this constraint is matched against SubjectName CN using the same suffix match comparison. Since version 1.24, multiple valid FQDNs can be passed as a ";" delimited list.

Owner: NMSetting8021x

Flags: Read / Write

Default value: NULL

Since: 1.2
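The difference between the “domain-match” and “domain-suffix-match” constraints, as an added Python sketch (not NetworkManager or wpa_supplicant code). It assumes the case-insensitive, label-by-label comparison described in the wpa_supplicant documentation; all function names and the sample certificate names are constructed for illustration, and `subject_match` shows the plain substring test of the deprecated “subject-match” property for contrast.

```python
def _labels(name):
    """Lower-case a DNS name and split it into labels, ignoring a trailing dot."""
    return name.strip().lower().rstrip(".").split(".")


def _constraints(value):
    """Split a ';'-delimited property value into individual FQDNs."""
    return [v.strip() for v in value.split(";") if v.strip()]


def _names_to_check(dns_names, common_name):
    """dNSName entries are used when present; the subject CN only when there are none."""
    if dns_names:
        return list(dns_names)
    return [common_name] if common_name else []


def domain_match(value, dns_names, common_name=None):
    """'domain-match': the certificate name must equal one of the listed FQDNs."""
    wanted = [_labels(c) for c in _constraints(value)]
    return any(_labels(n) in wanted for n in _names_to_check(dns_names, common_name))


def domain_suffix_match(value, dns_names, common_name=None):
    """'domain-suffix-match': the listed FQDN must be a whole-label suffix of the name."""
    wanted = [_labels(c) for c in _constraints(value)]
    for name in _names_to_check(dns_names, common_name):
        have = _labels(name)
        # Comparing label lists (not raw strings) keeps "radius-example.com"
        # from matching the constraint "example.com".
        if any(have[-len(w):] == w for w in wanted):
            return True
    return False


def subject_match(value, subject):
    """Deprecated 'subject-match': a plain substring test on the subject string."""
    return value in subject


if __name__ == "__main__":
    # Constructed certificate names, for illustration only.
    for san in (["radius.example.com"], ["radius-example.com"], ["example.com"]):
        print(san, "suffix:", domain_suffix_match("example.com", san),
              "full:", domain_match("example.com", san))
    # The substring test also accepts an unrelated name that contains the string.
    print(subject_match("example.com", "CN=example.com.other.test"))
```
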


The “eap” property

  “eap”                      GStrv

The allowed EAP method to be used when authenticating to the network with 802.1x. Valid methods are: "leap", "md5", "tls", "peap", "ttls", "pwd", and "fast". Each method requires different configuration using the properties of this setting; refer to wpa_supplicant documentation for the allowed combinations.

Owner: NMSetting8021x

Flags: Read / Write


The “identity” property

  “identity”                 char *

Identity string for EAP authentication methods. Often the user's username or login name.

Owner: NMSetting8021x

Flags: Read / Write

Default value: NULL


The “optional” property

  “optional”                 gboolean

Whether the 802.1X authentication is optional. If TRUE, the activation will continue even after a timeout or an authentication failure. Setting the property to TRUE is currently allowed only for Ethernet connections. If set to FALSE, the activation can continue only after a successful authentication.

Owner: NMSetting8021x

Flags: Read / Write

Default value: FALSE

Since: 1.22


The “pac-file” property

  “pac-file”                 char *

UTF-8 encoded file path containing PAC for EAP-FAST.

Owner: NMSetting8021x

Flags: Read / Write

Default value: NULL


The “password” property

  “password”                 char *

UTF-8 encoded password used for EAP authentication methods. If both the “password” property and the “password-raw” property are specified, “password” is preferred.

Owner: NMSetting8021x

Flags: Read / Write

Default value: NULL


The “password-flags” property

  “password-flags”           NMSettingSecretFlags

Flags indicating how to handle the “password” property.

Owner: NMSetting8021x

Flags: Read / Write


The “password-raw” property

  “password-raw”             GBytes *

Password used for EAP authentication methods, given as a byte array to allow passwords in encodings other than UTF-8 to be used. If both the “password” property and the “password-raw” property are specified, “password” is preferred.

Owner: NMSetting8021x

Flags: Read / Write


The “password-raw-flags” property

  “password-raw-flags”       NMSettingSecretFlags

Flags indicating how to handle the “password-raw” property.

Owner: NMSetting8021x

Flags: Read / Write


The “phase1-auth-flags” property

  “phase1-auth-flags”        guint

Specifies authentication flags to use in "phase 1" outer authentication using NMSetting8021xAuthFlags options. The individual TLS versions can be explicitly disabled. If a certain TLS disable flag is not set, it is up to the supplicant to allow or forbid it. The TLS options map to tls_disable_tlsv1_x settings. See the wpa_supplicant documentation for more details.

Owner: NMSetting8021x

Flags: Read / Write

Default value: 0

Since: 1.8


The “phase1-fast-provisioning” property

  “phase1-fast-provisioning” char *

Enables or disables in-line provisioning of EAP-FAST credentials when FAST is specified as the EAP method in the “eap” property. Recognized values are "0" (disabled), "1" (allow unauthenticated provisioning), "2" (allow authenticated provisioning), and "3" (allow both authenticated and unauthenticated provisioning). See the wpa_supplicant documentation for more details.

Owner: NMSetting8021x

Flags: Read / Write

Default value: NULL


The “phase1-peaplabel” property

  “phase1-peaplabel”         char *

Forces use of the new PEAP label during key derivation. Some RADIUS servers may require forcing the new PEAP label to interoperate with PEAPv1. Set to "1" to force use of the new PEAP label. See the wpa_supplicant documentation for more details.

Owner: NMSetting8021x

Flags: Read / Write

Default value: NULL


The “phase1-peapver” property

  “phase1-peapver”           char *

Forces which PEAP version is used when PEAP is set as the EAP method in the “eap” property. When unset, the version reported by the server will be used. Sometimes when using older RADIUS servers, it is necessary to force the client to use a particular PEAP version. To do so, this property may be set to "0" or "1" to force that specific PEAP version.

Owner: NMSetting8021x

Flags: Read / Write

Default value: NULL


The “phase2-altsubject-matches” property

  “phase2-altsubject-matches” GStrv

List of strings to be matched against the altSubjectName of the certificate presented by the authentication server during the inner "phase 2" authentication. If the list is empty, no verification of the server certificate's altSubjectName is performed.

Owner: NMSetting8021x

Flags: Read / Write


The “phase2-auth” property

  “phase2-auth”              char *

Specifies the allowed "phase 2" inner authentication method when an EAP method that uses an inner TLS tunnel is specified in the “eap” property. For TTLS this property selects one of the supported non-EAP inner methods: "pap", "chap", "mschap", "mschapv2" while “phase2-autheap” selects an EAP inner method. For PEAP this selects an inner EAP method, one of: "gtc", "otp", "md5" and "tls". Each "phase 2" inner method requires specific parameters for successful authentication; see the wpa_supplicant documentation for more details. “phase2-auth” and “phase2-autheap” cannot both be specified.

Owner: NMSetting8021x

Flags: Read / Write

Default value: NULL


The “phase2-autheap” property

  “phase2-autheap”           char *

Specifies the allowed "phase 2" inner EAP-based authentication method when TTLS is specified in the “eap” property. Recognized EAP-based "phase 2" methods are "md5", "mschapv2", "otp", "gtc", and "tls". Each "phase 2" inner method requires specific parameters for successful authentication; see the wpa_supplicant documentation for more details.

Owner: NMSetting8021x

Flags: Read / Write

Default value: NULL


The “phase2-ca-cert” property

  “phase2-ca-cert”           GBytes *

Contains the "phase 2" CA certificate if used by the EAP method specified in the “phase2-auth” or “phase2-autheap” properties.

Certificate data is specified using a "scheme"; three are currently supported: blob, path and pkcs11 URL. When using the blob scheme this property should be set to the certificate's DER encoded data. When using the path scheme, this property should be set to the full UTF-8 encoded path of the certificate, prefixed with the string "file://" and ending with a terminating NUL byte. This property can be unset even if the EAP method supports CA certificates, but this allows man-in-the-middle attacks and is NOT recommended.

Note that enabling NMSetting8021x:system-ca-certs will override this setting to use the built-in path, if the built-in path is not a directory.

Setting this property directly is discouraged; use the nm_setting_802_1x_set_phase2_ca_cert() function instead.

Owner: NMSetting8021x

Flags: Read / Write


The “phase2-ca-cert-password” property

  “phase2-ca-cert-password”  char *

The password used to access the "phase 2" CA certificate stored in the “phase2-ca-cert” property. Only makes sense if the certificate is stored on a PKCS#11 token that requires a login.

Owner: NMSetting8021x

Flags: Read / Write

Default value: NULL

Since: 1.8


The “phase2-ca-cert-password-flags” property

  “phase2-ca-cert-password-flags” NMSettingSecretFlags

Flags indicating how to handle the “phase2-ca-cert-password” property.

Owner: NMSetting8021x

Flags: Read / Write

Since: 1.8


The “phase2-ca-path” property

  “phase2-ca-path”           char *

UTF-8 encoded path to a directory containing PEM or DER formatted certificates to be added to the verification chain in addition to the certificate specified in the “phase2-ca-cert” property.

If NMSetting8021x:system-ca-certs is enabled and the built-in CA path is an existing directory, then this setting is ignored.

Owner: NMSetting8021x

Flags: Read / Write

Default value: NULL


The “phase2-client-cert” property

  “phase2-client-cert”       GBytes *

Contains the "phase 2" client certificate if used by the EAP method specified in the “phase2-auth” or “phase2-autheap” properties.

Certificate data is specified using a "scheme"; two are currently supported: blob and path. When using the blob scheme (which is backwards compatible with NM 0.7.x) this property should be set to the certificate's DER encoded data. When using the path scheme, this property should be set to the full UTF-8 encoded path of the certificate, prefixed with the string "file://" and ending with a terminating NUL byte. This property can be unset even if the EAP method supports CA certificates, but this allows man-in-the-middle attacks and is NOT recommended.

Setting this property directly is discouraged; use the nm_setting_802_1x_set_phase2_client_cert() function instead.

Owner: NMSetting8021x

Flags: Read / Write


The “phase2-client-cert-password” property

  “phase2-client-cert-password” char *

The password used to access the "phase 2" client certificate stored in the “phase2-client-cert” property. Only makes sense if the certificate is stored on a PKCS#11 token that requires a login.

Owner: NMSetting8021x

Flags: Read / Write

Default value: NULL

Since: 1.8


The “phase2-client-cert-password-flags” property

  “phase2-client-cert-password-flags” NMSettingSecretFlags

Flags indicating how to handle the “phase2-client-cert-password” property.

Owner: NMSetting8021x

Flags: Read / Write

Since: 1.8


The “phase2-domain-match” property

  “phase2-domain-match”      char *

Constraint for server domain name. If set, this list of FQDNs is used as a match requirement for dNSName element(s) of the certificate presented by the authentication server during the inner "phase 2" authentication. If a matching dNSName is found, this constraint is met. If no dNSName values are present, this constraint is matched against SubjectName CN using the same comparison. Multiple valid FQDNs can be passed as a ";" delimited list.

Owner: NMSetting8021x

Flags: Read / Write

Default value: NULL

Since: 1.24


The “phase2-domain-suffix-match” property

  “phase2-domain-suffix-match” char *

Constraint for server domain name. If set, this FQDN is used as a suffix match requirement for dNSName element(s) of the certificate presented by the authentication server during the inner "phase 2" authentication. If a matching dNSName is found, this constraint is met. If no dNSName values are present, this constraint is matched against SubjectName CN using the same suffix match comparison. Since version 1.24, multiple valid FQDNs can be passed as a ";" delimited list.

Owner: NMSetting8021x

Flags: Read / Write

Default value: NULL

Since: 1.2


The “phase2-private-key” property

  “phase2-private-key”       GBytes *

Contains the "phase 2" inner private key when the “phase2-auth” or “phase2-autheap” property is set to "tls".

Key data is specified using a "scheme"; two are currently supported: blob and path. When using the blob scheme and private keys, this property should be set to the key's encrypted PEM encoded data. When using private keys with the path scheme, this property should be set to the full UTF-8 encoded path of the key, prefixed with the string "file://" and ending with a terminating NUL byte. When using PKCS#12 format private keys and the blob scheme, this property should be set to the PKCS#12 data and the “phase2-private-key-password” property must be set to the password used to decrypt the PKCS#12 certificate and key. When using PKCS#12 files and the path scheme, this property should be set to the full UTF-8 encoded path of the key, prefixed with the string "file://" and ending with a terminating NUL byte, and as with the blob scheme the “phase2-private-key-password” property must be set to the password used to decode the PKCS#12 private key and certificate.

Setting this property directly is discouraged; use the nm_setting_802_1x_set_phase2_private_key() function instead.

Owner: NMSetting8021x

Flags: Read / Write


The “phase2-private-key-password” property

  “phase2-private-key-password” char *

The password used to decrypt the "phase 2" private key specified in the “phase2-private-key” property when the private key either uses the path scheme, or is a PKCS#12 format key. Setting this property directly is not generally necessary except when returning secrets to NetworkManager; it is generally set automatically when setting the private key by the nm_setting_802_1x_set_phase2_private_key() function.

Owner: NMSetting8021x

Flags: Read / Write

Default value: NULL


The “phase2-private-key-password-flags” property

  “phase2-private-key-password-flags” NMSettingSecretFlags

Flags indicating how to handle the “phase2-private-key-password” property.

Owner: NMSetting8021x

Flags: Read / Write


The “phase2-subject-match” property

  “phase2-subject-match”     char *

Substring to be matched against the subject of the certificate presented by the authentication server during the inner "phase 2" authentication. When unset, no verification of the authentication server certificate's subject is performed. This property provides little security, if any, and its use is deprecated in favor of NMSetting8021x:phase2-domain-suffix-match.

Owner: NMSetting8021x

Flags: Read / Write

Default value: NULL


The “pin” property

  “pin”                      char *

PIN used for EAP authentication methods.

Owner: NMSetting8021x

Flags: Read / Write

Default value: NULL


The “pin-flags” property

  “pin-flags”                NMSettingSecretFlags

Flags indicating how to handle the “pin” property.

Owner: NMSetting8021x

Flags: Read / Write


The “private-key” property

  “private-key”              GBytes *

Contains the private key when the “eap” property is set to "tls".

Key data is specified using a "scheme"; two are currently supported: blob and path. When using the blob scheme and private keys, this property should be set to the key's encrypted PEM encoded data. When using private keys with the path scheme, this property should be set to the full UTF-8 encoded path of the key, prefixed with the string "file://" and ending with a terminating NUL byte. When using PKCS#12 format private keys and the blob scheme, this property should be set to the PKCS#12 data and the “private-key-password” property must be set to the password used to decrypt the PKCS#12 certificate and key. When using PKCS#12 files and the path scheme, this property should be set to the full UTF-8 encoded path of the key, prefixed with the string "file://" and ending with a terminating NUL byte, and as with the blob scheme the “private-key-password” property must be set to the password used to decode the PKCS#12 private key and certificate.

Setting this property directly is discouraged; use the nm_setting_802_1x_set_private_key() function instead.

WARNING: “private-key” is not a "secret" property, and thus unencrypted private key data using the BLOB scheme may be readable by unprivileged users. Private keys should always be encrypted with a private key password to prevent unauthorized access to unencrypted private key data.

Owner: NMSetting8021x

Flags: Read / Write


The “private-key-password” property

  “private-key-password”     char *

The password used to decrypt the private key specified in the “private-key” property when the private key either uses the path scheme, or if the private key is a PKCS#12 format key. Setting this property directly is not generally necessary except when returning secrets to NetworkManager; it is generally set automatically when setting the private key by the nm_setting_802_1x_set_private_key() function.

Owner: NMSetting8021x

Flags: Read / Write

Default value: NULL


The “private-key-password-flags” property

  “private-key-password-flags” NMSettingSecretFlags

Flags indicating how to handle the “private-key-password” property.

Owner: NMSetting8021x

Flags: Read / Write


The “subject-match” property

  “subject-match”            char *

Substring to be matched against the subject of the certificate presented by the authentication server. When unset, no verification of the authentication server certificate's subject is performed. This property provides little security, if any, and its use is deprecated in favor of NMSetting8021x:domain-suffix-match.

Owner: NMSetting8021x

Flags: Read / Write

Default value: NULL


The “system-ca-certs” property

  “system-ca-certs”          gboolean

When TRUE, overrides the “ca-path” and “phase2-ca-path” properties using the system CA directory specified at configure time with the --system-ca-path switch. The certificates in this directory are added to the verification chain in addition to any certificates specified by the “ca-cert” and “phase2-ca-cert” properties. If the path provided with --system-ca-path is instead a file name (a bundle of trusted CA certificates), it overrides the “ca-cert” and “phase2-ca-cert” properties (sets the ca_cert/ca_cert2 options for wpa_supplicant).

Owner: NMSetting8021x

Flags: Read / Write

Default value: FALSE
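A configuration check built on the property descriptions above, added here as an example (not part of libnm or NetworkManager). It assumes profiles stored in NetworkManager's keyfile format, where these properties appear under their names in an `[802-1x]` section; the function name, finding codes, sample profiles and file path are constructed, and only the outer ("phase 1") properties are checked.

```python
import configparser

# EAP methods from the "eap" property that authenticate the server with a certificate.
CERT_METHODS = {"tls", "peap", "ttls"}


def _items(value):
    """Split a keyfile list value such as 'peap;' into its elements."""
    return [v.strip() for v in (value or "").split(";") if v.strip()]


def audit_8021x(keyfile_text):
    """Return a list of (code, message) findings for the [802-1x] section."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(keyfile_text)
    if not cp.has_section("802-1x"):
        return []
    s = cp["802-1x"]
    methods = set(_items(s.get("eap")))
    findings = []

    if methods & CERT_METHODS:
        system_cas = (s.get("system-ca-certs") or "").lower() == "true"
        if not (s.get("ca-cert") or s.get("ca-path") or system_cas):
            findings.append(("no-ca", "no ca-cert, ca-path or system-ca-certs: "
                             "the server certificate is not checked against a CA"))
        if not (_items(s.get("domain-suffix-match")) or _items(s.get("domain-match"))
                or _items(s.get("altsubject-matches"))):
            findings.append(("no-name-constraint", "no domain-suffix-match, domain-match "
                             "or altsubject-matches: the server name is not constrained"))
    if s.get("subject-match"):
        findings.append(("deprecated-subject-match",
                         "subject-match is deprecated in favor of domain-suffix-match"))
    if "fast" in methods and s.get("phase1-fast-provisioning") in ("1", "3"):
        findings.append(("fast-unauth-provisioning",
                         "phase1-fast-provisioning allows unauthenticated provisioning"))
    return findings


# Constructed sample profiles; identities, names and paths are placeholders.
WEAK = """\
[802-1x]
eap=ttls;
identity=alice
phase2-auth=pap
subject-match=example.com
"""

FAST = """\
[802-1x]
eap=fast;
identity=alice
phase1-fast-provisioning=3
"""

HARDENED = """\
[802-1x]
eap=peap;
identity=alice
anonymous-identity=anonymous@example.com
phase2-auth=mschapv2
ca-cert=/etc/pki/example/radius-ca.pem
domain-suffix-match=radius.example.com
"""

if __name__ == "__main__":
    for label, profile in (("weak", WEAK), ("fast", FAST), ("hardened", HARDENED)):
        print(label, [code for code, _ in audit_8021x(profile)])
```
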