OpenWrt-router as 802.1x-client

This use-case is a pretty rare one, but in some circumstances it can be very helpful. For example, you live in a student dormitory which only offers one 802.1x-encrypted LAN-port in your room, but you want to run your own wifi-network so that other clients, like your laptop or smartphone, can be online too. In this case, normal routers with stock firmware won't help you out because most don't support this networking protocol. OpenWrt, on the other hand, lets you connect your router (you could buy this one if you don't already have a suitable router) to the 802.1x-network via WAN and run your own independent network behind it. Here's how.

Important: before you attempt to do this, it is NECESSARY to ask your network admin if he/she is okay with your usage scenario. This can cause some trouble if you do it without permission, as many 802.1x-networks aim to prevent this exact use-case.

So here's the deal. First, you will need to establish an internet connection that does not rely on the network you're trying to connect to.
Example: use your smartphone with data plan as a mobile hotspot. After activating the hotspot, connect your router to it in LuCI: Network > Wireless > Scan

Next, update the package lists and install a good editor like Nano if you haven't done that already, then remove the package wpad-mini and install wpad, which is capable of 802.1x authentication:

opkg update
opkg install nano
opkg remove wpad-mini
opkg install wpad
nano /etc/config/wpa.conf

wpa.conf stores your credentials for the network. This example assumes the network uses PEAP for outer auth and MSCHAPV2 for inner auth (when in doubt, ask your network admin):

ctrl_interface=/var/run/wpa_supplicant
network={
    key_mgmt=IEEE8021X
    eap=PEAP
    phase2="auth=MSCHAPV2"
    identity="IDENTITY_HERE"
    password="PASSWORD_HERE"
}

Now, hook up your desired LAN-port (probably eth0) to this config file to enable the 802.1x-auth:

wpa_supplicant -D wired -i eth0 -c /etc/config/wpa.conf

The following script is necessary to automatically bring up your configuration on boot (we call it wpa-autostart):

nano /etc/init.d/wpa-autostart

#!/bin/sh /etc/rc.common
# Copyright (C) 2007 OpenWrt.org
# Start late in the boot sequence
START=99

start() {
    echo start
    # Run wpa_supplicant in the background on the wired port
    wpa_supplicant -D wired -i eth0 -c /etc/config/wpa.conf &
}

Finally, make the script executable, enable it at boot and start it:

chmod +x /etc/init.d/wpa-autostart
/etc/init.d/wpa-autostart enable
/etc/init.d/wpa-autostart start
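
The wpa.conf shown earlier sets no ca_cert, so wpa_supplicant does not verify the authentication server's certificate before the MSCHAPV2 exchange runs inside the PEAP tunnel, and the file holds the password in plain text. The audit script below is an added example, not part of the original gist; the function names, the CA path and radius.example.org are placeholders (ask your network admin for the real CA certificate and server name).

```shell
# Added example, not from the gist. Flags PEAP/TTLS network blocks that skip
# server validation, and password-bearing configs readable by group/other.
audit_wpa_conf() {
    [ -r "$1" ] || { echo "cannot read $1"; return 2; }
    findings=$(awk '
        /^[ \t]*network[ \t]*=[ \t]*\{/ { blk = 1; n++; tun = ca = dom = 0; next }
        blk && /^[ \t]*\}/ {
            if (tun && !ca) print "network " n ": no ca_cert, server certificate is not verified"
            else if (tun && !dom) print "network " n ": ca_cert without domain_suffix_match/domain_match"
            blk = 0; next
        }
        blk {
            sub(/^[ \t]+/, "")
            if ($0 ~ /^eap=.*(PEAP|TTLS)/) tun = 1
            if ($0 ~ /^ca_(cert|path)=/) ca = 1
            if ($0 ~ /^(domain_suffix_match|domain_match)=/) dom = 1
        }' "$1")
    # ls mode string looks like -rw-r--r--; characters 5-10 are group/other bits
    if grep -q '^[[:space:]]*password=' "$1" &&
       [ "$(ls -ld "$1" | cut -c5-10)" != "------" ]; then
        findings="${findings}${findings:+; }file: password readable by group/other, use chmod 600"
    fi
    [ -z "$findings" ] && return 0
    echo "$findings"; return 1
}

# Constructed samples: the gist's network block, then a hardened variant.
# The CA path and server domain are placeholders, not values from the gist.
write_samples() {
    cat > "$1/weak.conf" <<'EOF'
network={
    key_mgmt=IEEE8021X
    eap=PEAP
    phase2="auth=MSCHAPV2"
    identity="IDENTITY_HERE"
    password="PASSWORD_HERE"
}
EOF
    { grep -v '^}' "$1/weak.conf"
      printf '    %s\n' 'ca_cert="/etc/ssl/certs/PLACEHOLDER-radius-ca.pem"' \
                        'domain_suffix_match="radius.example.org"'
      echo '}'; } > "$1/hardened.conf"
    chmod 644 "$1/weak.conf"; chmod 600 "$1/hardened.conf"
}

# With a path argument, audit that file; otherwise run on the samples.
if [ $# -gt 0 ]; then audit_wpa_conf "$1"; else
    d=$(mktemp -d); write_samples "$d"
    for f in "$d"/*.conf; do echo "== $f"; audit_wpa_conf "$f" || true; done; rm -rf "$d"
fi
```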

That's it. Have fun!


Reference: This tutorial is a shorter version of this one here. Check the link if you need more detailed instructions.
