OPNsense AT&T GPON Setup

att_authenticate.sh

#!/usr/bin/env sh
#
# CONFIG
# ======
#
# ONT_IF                  Interface connected to the ONT
#
# RG_ETHER_ADDR           MAC address of your assigned Residential Gateway
#
# EAP_SUPPLICANT_IDENTITY Required only with supplicant mode. MAC address associated
#                         with your cert used as your EAP-TLS identity. If you extracted
#                         the cert from your stock issue residential gateway, this is the
#                         same as $RG_ETHER_ADDR.
#
# ELAN_MAC                MAC address configured on the GPON, required for me to get access
#                         to the admin interface after the GPON is online.
#
# GPON_IP                 IP Address of the GPON normally 192.168.1.1 if it's not changed
#
# MGMT_IP                 IP address assigned to the gPON interface to access the admin interface
#

# Required Config
# ===============
ONT_IF='igb7'
RG_ETHER_ADDR='AA:BB:CC:DD:EE:FF'
ELAN_MAC='XX:XX:XX:XX:XX:XX'
GPON_IP='192.168.1.1'
MGMT_IP='192.168.1.2/25'

##### DO NOT EDIT BELOW #################################################################################
/usr/bin/logger -st "opnatt" "starting opnatt..."
/usr/bin/logger -st "opnatt" "configuration:"
/usr/bin/logger -st "opnatt" "  ONT_IF = $ONT_IF"
/usr/bin/logger -st "opnatt" "  RG_ETHER_ADDR = $RG_ETHER_ADDR"

/usr/bin/logger -st "opnatt" "enabling promisc for $ONT_IF and spoofing MAC..."
/sbin/ifconfig ${ONT_IF} ether ${RG_ETHER_ADDR} -vlanhwtag -vlanhwfilter pcp 0
/sbin/ifconfig ${ONT_IF} up promisc

/usr/bin/logger -st "opnatt" "starting wpa_supplicant..."

WPA_DAEMON_CMD="/conf/wpa/opn_wpa_supplicant-d114ac638c389bfd1f7029ec22f47efc -B -Dwired -i${ONT_IF} -c/conf/wpa/wpa_supplicant.conf -C/var/run/wpa_supplicant"

# kill any existing wpa_supplicant process
PID=$(pgrep -f "wpa_supplicant")
if [ ${PID} > 0 ];
then
  /usr/bin/logger -st "opnatt" "terminating existing wpa_supplicant on PID ${PID}..."
  RES=$(kill ${PID})
fi

# start wpa_supplicant daemon
RES=$(${WPA_DAEMON_CMD})
PID=$(pgrep -f "wpa_supplicant")
/usr/bin/logger -st "opnatt" "wpa_supplicant running on PID ${PID}..."

# wait until wpa_cli has authenticated.
WPA_STATUS_CMD="wpa_cli status | grep 'suppPortStatus' | cut -d= -f2"
IP_STATUS_CMD="ifconfig ${ONT_IF} | grep 'inet\ ' | cut -d' ' -f2"

/usr/bin/logger -st "opnatt" "waiting EAP for authorization..."

while true;
do
  WPA_STATUS=$(eval ${WPA_STATUS_CMD})
  if [ X${WPA_STATUS} = X"Authorized" ];
  then
    /usr/bin/logger -st "opnatt" "EAP authorization completed..."
    break
  else
    sleep 1
  fi
done

# Setup access to ONT
/usr/bin/logger -st "opnatt" "Setup access to ODI mgmt interface..."
/sbin/ifconfig ${ONT_IF} alias ${MGMT_IP}
/usr/sbin/arp -s ${GPON_IP} ${ELAN_MAC}

/usr/bin/logger -st "opnatt" "You should now be available to configure your WAN..."

wpa_supplicant.conf

eapol_version=1
ap_scan=0
fast_reauth=1
network={
        ca_cert="/conf/wpa/ca.pem"
        client_cert="/conf/wpa/client.pem"
        eap=TLS
        eapol_flags=0
        identity="AA:BB:CC:DD:EE:FF" # Internet (ONT) interface MAC address must match this value
        key_mgmt=IEEE8021X
        phase1="allow_canned_success=1"
        private_key="/conf/wpa/private.pem"
}