From 9fd5f53bbe70fc5efcb611b0ec460a8ebd1dad80 Mon Sep 17 00:00:00 2001
From: Andrew Gunnerson
Date: Thu, 17 Feb 2022 19:28:32 -0500
Subject: T4245: interface-eapol: Update for VyOS 1.4 PKI changes and parent CA behavior
Signed-off-by: Andrew Gunnerson
---
docs/_include/interface-eapol.txt | 38 +++++++++++++++++++++-----------------
1 file changed, 21 insertions(+), 17 deletions(-)
(limited to 'docs/_include/interface-eapol.txt')
diff --git a/docs/_include/interface-eapol.txt b/docs/_include/interface-eapol.txt
index 68e5073d..640fc6e3 100644
--- a/docs/_include/interface-eapol.txt
+++ b/docs/_include/interface-eapol.txt
@@ -7,31 +7,35 @@ EAPoL comes with an identify option. We automatically use the interface MAC address as identity parameter. .. cfgcmd:: set interfaces {{ var0 }} {{ var2 }} {{ var3 }} - {{ var5 }} {{ var6 }} eapol ca-cert-file + {{ var5 }} {{ var6 }} eapol ca-certificate - SSL :abbr:`CA (Certificate Authority)` x509 PEM file used afor authentication - of the remote side. + Set the name of the SSL :abbr:`CA (Certificate Authority)` PKI entry used for + authentication of the remote side. If an intermediate CA certificate is + specified, then all parent CA certificates that exist in the PKI, such as the + root CA or additional intermediate CAs, will automatically be used during + certificate validation to ensure that the full chain of trust is available. - .. code-block:: none - - set interfaces {{ var0 }} {{ var1 }} {{ var2 }} {{ var4 }} {{ var5 }} {{ var7 }} eapol ca-cert-file /config/auth/ca.pem - -.. cfgcmd:: set interfaces {{ var0 }} {{ var2 }} {{ var3 }} - {{ var5 }} {{ var6 }} eapol cert-file - - SSL/x509 public certificate file provided by the client to authenticate - against the 802.1x system. + Example: .. code-block:: none - set interfaces {{ var0 }} {{ var1 }} {{ var2 }} {{ var4 }} {{ var5 }} {{ var7 }} eapol cert-file /config/auth/public.pem + set pki ca eapol-server-intermediate-ca + set pki ca eapol-server-root-ca + set interfaces {{ var0 }} {{ var1 }} {{ var2 }} {{ var4 }} {{ var5 }} {{ var7 }} eapol ca-certificate eapol-server-intermediate-ca .. cfgcmd:: set interfaces {{ var0 }} {{ var2 }} {{ var3 }} - {{ var5 }} {{ var6 }} eapol key-file + {{ var5 }} {{ var6 }} eapol certificate + + Set the name of the x509 client keypair used to authenticate against the + 802.1x system. All parent CA certificates of the client certificate, such as + intermediate and root CAs, will be sent as part of the EAP-TLS handshake. - SSL/x509 private certificate file provided by the client to authenticate - against the 802.1x system. + Example: .. 
code-block:: none - set interfaces {{ var0 }} {{ var1 }} {{ var2 }} {{ var4 }} {{ var5 }} {{ var7 }} eapol key-file /config/auth/private.key + set pki ca eapol-client-intermediate-ca + set pki ca eapol-client-root-ca + set pki certificate eapol-client certificate + set pki certificate eapol-client private key + set interfaces {{ var0 }} {{ var1 }} {{ var2 }} {{ var4 }} {{ var5 }} {{ var7 }} eapol certificate eapol-client -- cgit v1.2.3