physhster/USG WPA Supplicant Config for AT&T Fiber

## USG WPA Supplicant Config for AT&T Fiber
The entirety of this guide assumes your WAN port is eth0. Make sure to adjust accordingly.


Get certs, run the mfg_dat_decode tool. You should end up with 3 certs: CA_*.pem, Client_*.pem and PrivateKey_PKCS1_*.pem, as well as a a wpa_supplicant.conf file
Edit wpa_supplicant.conf to add the full path /config/auth/ to all 3 files, and make sure the MAC address matches the one you're going to spoof:

---
network={
        ca_cert="/config/auth/CA_xxxxxx.pem"
        client_cert="/config/auth/Client_xxxxxx.pem"
        eap=TLS
        eapol_flags=0
        identity="AA:AA:AA:AA:AA:AA" # Gateway MAC address
        key_mgmt=IEEE8021X
        phase1="allow_canned_success=1"
        private_key="/config/auth/PrivateKey_PKCS1_xxxxxx.pem"
}
---

Download the compiled WPA Supplicant binary: https://www.dslreports.com/r0/download/2382315~c173ce2d062cf92116ed2427bb79dd18/wpa_supplicant.zip
Create wpa_supplicant.sh and make sure it matches your WAN port

---
#!/usr/bin/env bash
#Start EAP-TLS on eth0
#Check if already running to avoid multiple instances

IF_WAN=eth0
PROCESS_NAME=wpa_supplicant
PROCESS_PATH=/config/scripts/wpa_supplicant
PROCESS_COUNT=$(ps -A | grep $PROCESS_NAME | egrep -v "grep|$(basename $0)" | grep -c $PROCESS_NAME)

if [ $PROCESS_COUNT = 0 ] && [ -x $PROCESS_PATH ]; then
  $PROCESS_PATH -s -B -Dwired -i$IF_WAN -c/config/scripts/wpa_supplicant.conf -g/var/run/wpa_supplicant.ctrl -P/var/run/wpa_supplicant.pid
fi
---

SCP into usg and drop the following files into the following locations:
/config/scripts/wpa_supplicant (the binary file from 2.)
/config/scripts/post-config.d/wpa_supplicant.sh
/config/wpa_supplicant.conf
3 certificate PEM files to /config/auth
Run the following commands:

---
sudo chmod +x /config/scripts/wpa_supplicant
sudo chmod +x /config/scripts/post-config.d/wpa_supplicant.sh
sudo chmod -R 0600 /config/auth
---

Set your WAN port VLAN to 0, you might need to use the old UI for this as the new one errors out when choosing VLAN 0.
Create a config.gateway.json file to ensure the MAC spoofing is persistent, make sure the values of "eth" and "mac" updated:

---
{
   "interfaces":{
      "ethernet":{
         "eth0":{
            "mac":”AA:AA:AA:AA:AA:AA"
         }
      }
   }
}
---

Follow the USG documentation: https://help.ubnt.com/hc/en-us/articles/215458888-UniFi-USG-Advanced-Configuration#2
Reboot the gateway.
Monitor logs on the gateway by running

---
tail -n 50 -f /var/log/messages
---
	The entirety of this guide assumes your WAN port is eth0. Make sure to adjust accordingly.


	Get certs, run the mfg_dat_decode tool. You should end up with 3 certs: CA_.pem, Client_.pem and PrivateKey_PKCS1_*.pem, as well as a a wpa_supplicant.conf file
	Edit wpa_supplicant.conf to add the full path /config/auth/ to all 3 files, and make sure the MAC address matches the one you're going to spoof:

	---
	network={
	ca_cert="/config/auth/CA_xxxxxx.pem"
	client_cert="/config/auth/Client_xxxxxx.pem"
	eap=TLS
	eapol_flags=0
	identity="AA:AA:AA:AA:AA:AA" # Gateway MAC address
	key_mgmt=IEEE8021X
	phase1="allow_canned_success=1"
	private_key="/config/auth/PrivateKey_PKCS1_xxxxxx.pem"
	}
	---

	Download the compiled WPA Supplicant binary: https://www.dslreports.com/r0/download/2382315~c173ce2d062cf92116ed2427bb79dd18/wpa_supplicant.zip
	Create wpa_supplicant.sh and make sure it matches your WAN port

	---
	#!/usr/bin/env bash
	#Start EAP-TLS on eth0
	#Check if already running to avoid multiple instances

	IF_WAN=eth0
	PROCESS_NAME=wpa_supplicant
	PROCESS_PATH=/config/scripts/wpa_supplicant
	PROCESS_COUNT=$(ps -A \| grep $PROCESS_NAME \| egrep -v "grep\|$(basename $0)" \| grep -c $PROCESS_NAME)

	if [ $PROCESS_COUNT = 0 ] && [ -x $PROCESS_PATH ]; then
	$PROCESS_PATH -s -B -Dwired -i$IF_WAN -c/config/scripts/wpa_supplicant.conf -g/var/run/wpa_supplicant.ctrl -P/var/run/wpa_supplicant.pid
	fi
	---

	SCP into usg and drop the following files into the following locations:
	/config/scripts/wpa_supplicant (the binary file from 2.)
	/config/scripts/post-config.d/wpa_supplicant.sh
	/config/wpa_supplicant.conf
	3 certificate PEM files to /config/auth
	Run the following commands:

	---
	sudo chmod +x /config/scripts/wpa_supplicant
	sudo chmod +x /config/scripts/post-config.d/wpa_supplicant.sh
	sudo chmod -R 0600 /config/auth
	---

	Set your WAN port VLAN to 0, you might need to use the old UI for this as the new one errors out when choosing VLAN 0.
	Create a config.gateway.json file to ensure the MAC spoofing is persistent, make sure the values of "eth" and "mac" updated:

	---
	{
	"interfaces":{
	"ethernet":{
	"eth0":{
	"mac":”AA:AA:AA:AA:AA:AA"
	}
	}
	}
	}
	---

	Follow the USG documentation: https://help.ubnt.com/hc/en-us/articles/215458888-UniFi-USG-Advanced-Configuration#2
	Reboot the gateway.
	Monitor logs on the gateway by running

	---
	tail -n 50 -f /var/log/messages
	---