@LupusArgentum
Last active April 21, 2024 11:43

OpenWrt-router as 802.1x-client

This use case is a fairly rare one, but in some circumstances it can be very helpful. For example: you live in a student dormitory that offers only one 802.1X-authenticated LAN port in your room, but you want to run your own Wi-Fi network so that your other clients (laptop, smartphone) can get online too. Normal routers with stock firmware won't help you here, because most of them cannot act as an 802.1X supplicant on their WAN port (802.1X is port-based network access control: the switch port passes no traffic until a client has authenticated against a RADIUS server, usually with EAP). OpenWrt, on the other hand, lets you connect your router (you could buy this one if you don't already have a suitable router) to the 802.1X-protected network via WAN and run your own, independent network behind it. Here's how.

Important: before you attempt this, it is NECESSARY to ask your network admin whether he/she is okay with your usage scenario. Doing it without permission can get you into trouble, as many 802.1X deployments exist precisely to prevent this use case (one authenticated port shared by several devices behind a NAT router).

So here's the deal. First, you need an internet connection that does not depend on the network you are trying to join, because the router cannot download packages through the 802.1X port before it has authenticated.
Example: use your smartphone with a data plan as a mobile hotspot. After activating the hotspot, connect your router to it
in LuCI: Network > Wireless > Scan

Next, update the package lists and install a good editor like nano if you haven't already. Then remove wpad-mini (it has no EAP support) and install the full wpad, which is capable of 802.1X/EAP authentication. On newer releases the preinstalled variant is typically named wpad-basic-wolfssl or wpad-basic-mbedtls; check with opkg list-installed | grep wpad, remove whichever wpad-* variant you find, and install wpad (or wpad-openssl / wpad-wolfssl, which use the system TLS library; see masscream's comment below, where wpad-openssl was what worked after the 19 to 21 upgrade):

opkg update
opkg install nano
opkg remove wpad-mini
opkg install wpad
nano /etc/config/wpa.conf

In wpa.conf, your access data for the network is stored. This example assumes the network uses PEAP for the outer (TLS-tunnelled) authentication and MSCHAPv2 for the inner authentication (when in doubt, ask your network admin). Note that, as written, it does not validate the RADIUS server's certificate: without a ca_cert line (ideally together with domain_match), the supplicant builds the PEAP tunnel to any authenticator that answers, and a rogue one can capture your MSCHAPv2 challenge/response and crack the password offline. If your admin can give you the CA certificate, add it.

# socket for wpa_cli (status, reassociate, terminate)
ctrl_interface=/var/run/wpa_supplicant
network={
    # plain 802.1X without WPA key handshake (wired port)
    key_mgmt=IEEE8021X
    eap=PEAP
    phase2="auth=MSCHAPV2"
    identity="IDENTITY_HERE"
    password="PASSWORD_HERE"
}

Now, hook up your WAN port to this config file to enable the 802.1X auth. The interface name depends on your device: eth0 in this example, but on many routers the WAN port is eth0.2, eth1 or simply wan. Check with uci get network.wan.device (on releases before 21.02: network.wan.ifname) or ip link, and substitute it below. If it works, wpa_supplicant logs "CTRL-EVENT-EAP-SUCCESS" and the WAN interface starts receiving DHCP:

wpa_supplicant -D wired -i eth0 -c /etc/config/wpa.conf

The following init script brings your configuration up automatically on boot (we call it wpa-autostart):

nano /etc/init.d/wpa-autostart
#!/bin/sh /etc/rc.common
# 802.1X supplicant on the WAN port, supervised by procd
USE_PROCD=1
START=99

start_service() {
    procd_open_instance
    # foreground process; procd backgrounds it, and restarts it if it dies
    procd_set_param command /usr/sbin/wpa_supplicant -D wired -i eth0 -c /etc/config/wpa.conf
    procd_set_param respawn
    procd_close_instance
}

Finally, make the script executable, enable it at boot and start it:

chmod +x /etc/init.d/wpa-autostart
/etc/init.d/wpa-autostart enable
/etc/init.d/wpa-autostart start

That's it. Have fun!


Reference: This tutorial is a shorter version of this one here. Check the link if you need more detailed instructions.

@masscream

masscream commented May 5, 2022

Hello, great tutorial. I've been using this method for some time, but recently, after the update from version 19 to 21, it suddenly stopped working. Looks like there is a conflict in choosing the right method of EAP to authenticate.... Opened openwrt/openwrt#9836

@artgerecht

First of all, a big thank you. The instructions were very helpful.

In addition, I would recommend the following steps:

Restrict permissions

Since our credentials are stored in plaintext (and the hash, too, could be reused), the file should have restricted permissions and owner.

chown root:root /etc/config/wpa.conf
chmod 600 /etc/config/wpa.conf

Disable ap scan

Unless you want to use a wireless interface, disable scanning. It may avoid unwanted errors and speeds up the connection establishment.

# add to: /etc/config/wpa.conf
ap_scan=0

Hash password

Depending on your version, this may fail and report that the credentials are empty. To avoid unnecessary debugging, try this after the plaintext approach has been successful.

Instead of storing the plaintext password, you can also hash it. Especially if you share the OpenWrt device with others.

Security note:
If an attacker has access to the file, it is possible to reuse the hash and authenticate via 802.1x as well.
However, you gain more security if the same password is used in other applications (which is often the case in a university context).
With a hashed password, the attacker would still have to calculate the matching plaintext, which might work better in this case, since the hash algorithm used (NT-HASH) does not use a salt. Thus, the password should be as strong as possible... as always.
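Added example (not part of the gist or of any comment above): a small Python helper that produces the hardened form of the wpa.conf shown in the tutorial, with the three fixes discussed on this page applied at once: the RADIUS server's certificate is validated (ca_cert plus domain_match), the password is stored as the NT hash that wpa_supplicant accepts via the documented password=hash:<32 hex> syntax, and ap_scan=0 is set for the wired link. It also includes a lint function that flags the weak settings in an existing config, and a writer that creates the file with mode 0600 from the start instead of chmod-ing it afterwards. The NT hash is MD4 over the UTF-16LE password; MD4 is implemented in pure Python because OpenSSL 3 only ships it in the legacy provider, so hashlib.new("md4") often fails. The CA path, server name, realm and username used below are placeholders, not values from the page.

```python
"""Hardened wpa_supplicant config for a wired 802.1X (PEAP/MSCHAPv2) supplicant.

Added example, not code from the gist. CA path, server name and realm are placeholders.
"""
import os
import re
import stat
import struct

MASK = 0xFFFFFFFF


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4 in pure Python (OpenSSL 3 ships MD4 only in its legacy provider)."""
    def ff(x, y, z): return (x & y) | (~x & z)
    def gg(x, y, z): return (x & y) | (x & z) | (y & z)
    def hh(x, y, z): return x ^ y ^ z
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", (len(data) * 8) & 0xFFFFFFFFFFFFFFFF)
    order3 = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        A, B, C, D = a, b, c, d
        for i in range(16):  # round 1: k = i
            A = _rotl((A + ff(B, C, D) + x[i]) & MASK, (3, 7, 11, 19)[i % 4])
            A, B, C, D = D, A, B, C
        for i in range(16):  # round 2: k = 0,4,8,12,1,5,9,13,...
            k = (i % 4) * 4 + i // 4
            A = _rotl((A + gg(B, C, D) + x[k] + 0x5A827999) & MASK, (3, 5, 9, 13)[i % 4])
            A, B, C, D = D, A, B, C
        for i in range(16):  # round 3: k = 0,8,4,12,2,10,6,14,...
            A = _rotl((A + hh(B, C, D) + x[order3[i]] + 0x6ED9EBA1) & MASK, (3, 9, 11, 15)[i % 4])
            A, B, C, D = D, A, B, C
        a, b, c, d = (a + A) & MASK, (b + B) & MASK, (c + C) & MASK, (d + D) & MASK
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password: str) -> str:
    """NT hash = MD4(UTF-16LE(password)); wpa_supplicant takes it as password=hash:<hex>."""
    return md4(password.encode("utf-16le")).hex()


_UNSAFE = re.compile(r'["\r\n]')  # would terminate the quoted field or the line


def render_config(identity, password, ca_cert, server_name, anonymous_identity=None):
    """Wired PEAP/MSCHAPv2 network block with the page's weak settings fixed."""
    for value in (identity, ca_cert, server_name, anonymous_identity or ""):
        if _UNSAFE.search(value):
            raise ValueError("quote or newline would break out of the config field")
    lines = [
        "ctrl_interface=/var/run/wpa_supplicant",
        "ap_scan=0",  # wired link: do not scan for access points
        "network={",
        "    key_mgmt=IEEE8021X",
        "    eap=PEAP",
        '    phase2="auth=MSCHAPV2"',
        f'    ca_cert="{ca_cert}"',  # only build the tunnel to a server signed by this CA
        f'    domain_match="{server_name}"',  # ...and only to this server, not any cert of that CA
        f'    identity="{identity}"',
        f"    password=hash:{nt_hash(password)}",  # NT hash instead of the plaintext password
    ]
    if anonymous_identity:  # the outer identity travels in clear; hide the real username
        lines.append(f'    anonymous_identity="{anonymous_identity}"')
    lines.append("}")
    return "\n".join(lines) + "\n"


def lint_config(text: str) -> list:
    """List the settings in an existing wpa.conf that a rogue authenticator would exploit."""
    def has(key):
        return re.search(rf"^\s*{key}=", text, re.M) is not None
    findings = []
    if not has("ca_cert"):
        findings.append("no ca_cert: PEAP tunnel is accepted to any RADIUS server")
    elif not (has("domain_match") or has("domain_suffix_match") or has("altsubject_match")):
        findings.append("ca_cert set but server name unchecked: any cert from that CA passes")
    if re.search(r'^\s*password="', text, re.M):
        findings.append("password stored in plaintext")
    return findings


def write_config(path: str, text: str) -> int:
    """Create the file with mode 0600 from the first byte; return the resulting mode bits."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(text)
    os.chmod(path, 0o600)  # the O_CREAT mode is ignored when the file already existed
    return stat.S_IMODE(os.stat(path).st_mode)


# The tutorial's own wpa.conf, reproduced as lint input.
GIST_CONFIG = """ctrl_interface=/var/run/wpa_supplicant
network={
    key_mgmt=IEEE8021X
    eap=PEAP
    phase2="auth=MSCHAPV2"
    identity="IDENTITY_HERE"
    password="PASSWORD_HERE"
}
"""

if __name__ == "__main__":
    print("gist config:", lint_config(GIST_CONFIG))
    hardened = render_config("s1234567", "correct horse", "/etc/ssl/certs/dorm-radius-ca.pem",
                             "radius.dorm.example", anonymous_identity="anonymous@dorm.example")
    print(hardened)
    print("hardened config:", lint_config(hardened))
```

Run on the router with python3 installed, or generate the file on a workstation and scp it into /etc/config/wpa.conf; either way the CA file referenced by ca_cert has to exist on the router, and artgerecht's note still applies: the NT hash in the file is itself a credential, so the 0600 mode matters as much as the hashing.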

@masscream

masscream commented Jun 10, 2022

Thank you for the tips. Anyway as stated in the openwrt/openwrt#9836 , the issue was probably in packages reverting to the default state. Replacing wpad with wpad-openssl fixed the issue.
