This use-case is a pretty rare one, but in some circumstances, it can be very helpful. For example when you live in a student dormitory which only offers one 802.1x-encrypted LAN-port in your room, but you want to run your own wifi-network to be online with other clients, too, like your laptop or smartphone. In this case, normal routers with stock firmware won't help you out because most don't support this networking protocol. OpenWrt on the other hand offers you the possibility to connect your router (you could buy this one if you don't already have a suitable router) to the 802.1x-network via WAN and enables you to have your own, independent network. Here's how.
Important: before you attempt to do this, it is NECESSARY to ask your network admin if he/she is okay with your usage scenario. This can cause some trouble if you do it without permission, as many 802.1x-networks aim to prevent this exact use-case.
So here's the deal. At first, you will need to establish an internet connection that does not rely on the network you're trying to connect to.
Example: use your smartphone with data plan as a mobile hotspot. After having activated the hotspot, connect your router to the hotspot in LuCI: Network > Wireless > Scan
Next, update the packages and install a good editor like Nano if you haven't done that already, then remove the package wpad-mini and install wpad, which is capable of 802.1x authentication:
opkg update
opkg install nano
opkg remove wpad-mini
opkg install wpad
nano /etc/config/wpa.conf
In wpa.conf, your access data for the network are stored. This example assumes the network uses PEAP for outer auth and MSCHAPV2 for inner auth (when in doubt, ask your network admin):
ctrl_interface=/var/run/wpa_supplicant
network={
key_mgmt=IEEE8021X
eap=PEAP
phase2="auth=MSCHAPV2"
identity="IDENTITY_HERE"
password="PASSWORD_HERE"
}
Now, hook up your desired LAN-port (probably eth0) to this config file to enable the 802.1x-auth:
wpa_supplicant -D wired -i eth0 -c /etc/config/wpa.conf
The following script is necessary to automatically bring up your configuration on boot (we call it wpa-autostart):
nano /etc/init.d/wpa-autostart
#!/bin/sh /etc/rc.common
# Copyright (C) 2007 OpenWrt.org
# Start late so the interface and the rest of the network are already up
START=99
start() {
    echo start
    # Run the wired 802.1x supplicant in the background against the config above
    wpa_supplicant -D wired -i eth0 -c /etc/config/wpa.conf &
}
Finally, give rights to the script:
chmod +x /etc/init.d/wpa-autostart
/etc/init.d/wpa-autostart enable
/etc/init.d/wpa-autostart start
That's it. Have fun!
Reference: This tutorial is a shorter version of this one here. Check the link if you need more detailed instructions.
First of all, a big thank you. The instructions were very helpful.
In addition, I would recommend the following steps:
Restrict permissions
Since our credentials are stored in plaintext, and the hash could also be reused, the file should have restricted permissions and owner.
Disable ap scan
Unless you want to use a wireless interface, disable scanning. It may avoid unwanted errors and speeds up the connection establishment.
Hash password
Instead of storing the plaintext password, you can also hash it, especially if you share the OpenWrt device with others.
Security note:
If an attacker has access to the file it is possible to reuse the hash and authenticate via 802.1x as well.
However, you gain more security if the same password is used in other applications (which is often the case in a university context).
With a hashed password, the attacker would still have to calculate the matching plaintext, which might work better in this case, since the used hash algorithm (NT-HASH) does not use salt. Thus, the password should be as strong as possible... as always.