@physhster
Last active April 15, 2024 23:21
Complete-ish guide to WPA Supplicant bypass on AT&T U-verse Fiber with Unifi USG
*Important note to pay attention to*
You'll most likely use eth0 on a USG and eth2 or eth3 on a USG-Pro, edit the files accordingly. Do not run the supplicant on virtual interfaces (e.g. eth0.0), as it will not work.
*Pre-requisites*
Extract the certificates by running the mfg_dat_decode tool. You should end up with three PEM files (CA_*.pem, Client_*.pem and PrivateKey_PKCS1_*.pem) as well as a wpa_supplicant.conf file.
In the archive generated by the tool, edit wpa_supplicant.conf so that all three file references use the full path /config/auth/:
network={
ca_cert="/config/auth/CA_xxxxxx.pem"
client_cert="/config/auth/Client_xxxxxx.pem"
eap=TLS
eapol_flags=0
identity="AA:AA:AA:AA:AA:AA" # Gateway MAC address
key_mgmt=IEEE8021X
phase1="allow_canned_success=1"
private_key="/config/auth/PrivateKey_PKCS1_xxxxxx.pem"
}
Download the compiled WPA Supplicant binary: https://www.dslreports.com/r0/download/2382315~c173ce2d062cf92116ed2427bb79dd18/wpa_supplicant.zip  This is a third-party build that will run as root on your gateway; if you would rather not trust it, build wpa_supplicant yourself for the USG's MIPS64 (Cavium Octeon) platform.
Create wpa_supplicant.sh and make sure IF_WAN matches your WAN port (see the note above):
#!/usr/bin/env bash
# Start EAP-TLS on the WAN port (eth0 on a USG, eth2/eth3 on a USG-Pro)
# Check whether the supplicant is already running to avoid starting a second instance
IF_WAN=eth0
PROCESS_NAME=wpa_supplicant
PROCESS_PATH=/config/scripts/wpa_supplicant
# basename $0 is excluded because this script's own name also contains "wpa_supplicant"
PROCESS_COUNT=$(ps -A | grep "$PROCESS_NAME" | grep -Ev "grep|$(basename "$0")" | grep -c "$PROCESS_NAME")
if [ "$PROCESS_COUNT" = 0 ] && [ -x "$PROCESS_PATH" ]; then
    # -s: log to syslog, -B: run in the background, -Dwired: wired 802.1X driver
    "$PROCESS_PATH" -s -B -Dwired -i"$IF_WAN" -c/config/scripts/wpa_supplicant.conf -g/var/run/wpa_supplicant.ctrl -P/var/run/wpa_supplicant.pid
fi
SCP into the USG and drop the files into the following locations:
/config/scripts/wpa_supplicant (the binary downloaded above)
/config/scripts/post-config.d/wpa_supplicant.sh
/config/scripts/wpa_supplicant.conf
the 3 certificate PEM files into /config/auth
Run the following commands (the supplicant runs as root, so the private key and certificates only need to be readable by root; the directory keeps its execute bit so it can still be traversed):
sudo chmod +x /config/scripts/wpa_supplicant
sudo chmod +x /config/scripts/post-config.d/wpa_supplicant.sh
sudo chmod 0700 /config/auth
sudo chmod 0600 /config/auth/*.pem
Set your WAN port VLAN to 0 in the controller; you might need to use the old UI for this, as the new one errors out when choosing VLAN 0.
Create a config.gateway.json file on the controller so the MAC spoof survives re-provisioning. Make sure the interface name and the MAC address are updated; the MAC is the AT&T gateway's, the same one used as identity in wpa_supplicant.conf:
{
    "interfaces": {
        "ethernet": {
            "eth0": {
                "mac": "AA:AA:AA:AA:AA:AA"
            }
        }
    }
}
Follow the USG documentation: https://help.ubnt.com/hc/en-us/articles/215458888-UniFi-USG-Advanced-Configuration#2
Reboot the gateway.
Monitor the logs on the gateway while it comes back up:
tail -n 50 -f /var/log/messages
The supplicant logs to syslog (the -s flag); a successful authentication shows up as CTRL-EVENT-EAP-SUCCESS, after which the WAN should come up.
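A pre-flight check to run on the USG before rebooting, as an added example that is not part of the gist: it parses wpa_supplicant.conf, verifies that the three PEM files it references exist and are mode 0600, verifies that the identity MAC equals the MAC in config.gateway.json, and, when openssl is available, verifies that the client certificate is signed by the CA certificate and matches the private key. The demo MAC, the file names and the throwaway test PKI at the bottom are constructed for the example; on the USG, point the functions at /config/scripts/wpa_supplicant.conf and the real config.gateway.json instead.

```shell
#!/usr/bin/env bash
# Pre-flight check for the EAP-TLS bundle before rebooting the USG.
# Added example, not part of the gist. It assumes the layout from the guide:
# wpa_supplicant.conf with absolute paths into /config/auth/, and a
# config.gateway.json carrying the spoofed gateway MAC.
set -u

# cfg_get KEY FILE: print the quoted value of KEY="..." from wpa_supplicant.conf.
cfg_get() {
    sed -n "s/^[[:space:]]*$1=\"\([^\"]*\)\".*/\1/p" "$2" | head -n1 | grep .
}

# norm_mac MAC: lower-case for comparison (identity= and the JSON may differ in case).
norm_mac() { printf '%s' "$1" | tr 'A-F' 'a-f'; }

# check_pem_perms CONF: every PEM the config points at must exist and be mode 0600.
check_pem_perms() {
    rc=0
    for key in ca_cert client_cert private_key; do
        f=$(cfg_get "$key" "$1") || { echo "$key not set in $1"; rc=1; continue; }
        [ -f "$f" ] || { echo "$key: $f does not exist"; rc=1; continue; }
        mode=$(stat -c '%a' "$f")
        [ "$mode" = 600 ] || { echo "$key: $f is mode $mode, want 600"; rc=1; }
    done
    return $rc
}

# check_identity_mac CONF GATEWAY_JSON: the guide uses the same gateway MAC as
# EAP identity and as the spoofed WAN MAC; fail if the two files disagree.
check_identity_mac() {
    id=$(cfg_get identity "$1") || return 1
    spoof=$(sed -n 's/.*"mac"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' "$2" | head -n1)
    [ -n "$spoof" ] && [ "$(norm_mac "$id")" = "$(norm_mac "$spoof")" ]
}

# check_pki CONF: client cert must chain to ca_cert and match private_key (needs openssl).
check_pki() {
    ca=$(cfg_get ca_cert "$1") || return 1
    crt=$(cfg_get client_cert "$1") || return 1
    key=$(cfg_get private_key "$1") || return 1
    openssl verify -CAfile "$ca" "$crt" >/dev/null 2>&1 \
        || { echo "client cert is not signed by $ca"; return 1; }
    [ "$(openssl x509 -noout -modulus -in "$crt")" = "$(openssl rsa -noout -modulus -in "$key" 2>/dev/null)" ] \
        || { echo "private key does not match client cert"; return 1; }
}

# --- constructed demo input standing in for /config on the USG ---
DEMO=$(mktemp -d)
AUTH="$DEMO/auth"; mkdir -p "$AUTH"
SAMPLE_MAC="AA:AA:AA:AA:AA:AA"          # placeholder, as in the guide
CONF="$DEMO/wpa_supplicant.conf"
cat > "$CONF" <<EOF
network={
ca_cert="$AUTH/CA_demo.pem"
client_cert="$AUTH/Client_demo.pem"
eap=TLS
eapol_flags=0
identity="$SAMPLE_MAC"
key_mgmt=IEEE8021X
phase1="allow_canned_success=1"
private_key="$AUTH/PrivateKey_PKCS1_demo.pem"
}
EOF
GW="$DEMO/config.gateway.json"
printf '{"interfaces":{"ethernet":{"eth0":{"mac":"%s"}}}}\n' "$(norm_mac "$SAMPLE_MAC")" > "$GW"

# Throwaway CA + client cert/key so check_pki has something real to verify;
# empty placeholder files when openssl is not installed.
if command -v openssl >/dev/null 2>&1; then
    printf '[req]\ndistinguished_name=dn\nx509_extensions=v3_ca\n[dn]\n[v3_ca]\nbasicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign\n' > "$DEMO/ca.cnf"
    openssl req -x509 -config "$DEMO/ca.cnf" -newkey rsa:2048 -nodes -subj /CN=demo-ca -days 1 \
        -keyout "$DEMO/ca.key" -out "$AUTH/CA_demo.pem" >/dev/null 2>&1
    openssl req -new -config "$DEMO/ca.cnf" -newkey rsa:2048 -nodes -subj /CN=demo-client \
        -keyout "$AUTH/PrivateKey_PKCS1_demo.pem" -out "$DEMO/client.csr" >/dev/null 2>&1
    openssl x509 -req -in "$DEMO/client.csr" -CA "$AUTH/CA_demo.pem" -CAkey "$DEMO/ca.key" \
        -CAcreateserial -days 1 -out "$AUTH/Client_demo.pem" >/dev/null 2>&1
else
    for f in CA_demo Client_demo PrivateKey_PKCS1_demo; do : > "$AUTH/$f.pem"; done
fi
chmod 700 "$AUTH" && chmod 600 "$AUTH"/*.pem

check_pem_perms "$CONF" && echo "PEM files present and root-only"
check_identity_mac "$CONF" "$GW" && echo "identity matches spoofed MAC"
if command -v openssl >/dev/null 2>&1; then check_pki "$CONF" && echo "client cert chains to CA and matches key"; fi
```

Each check prints what is wrong and returns non-zero, so the three calls at the bottom can be chained into the install step; a failed check_pki is the one to take seriously, since a mismatched key or wrong CA only shows up as a silent EAP failure once the gateway has already been rebooted without a WAN.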
@phelpsjackson

On line 33, wpa_supplicant.conf is at /config/scripts/, but on line 39, it is at /config/.

@physhster (Author)

On line 33, wpa_supplicant.conf is at /config/scripts/, but on line 39, it is at /config/.

Fixed

@urgodfather

Couple of notes:

Here's a one-liner for making the wpa_supplicant.sh

cat <<'EOF' > /config/scripts/post-config.d/wpa_supplicant.sh
#!/usr/bin/env bash
#Start EAP-TLS on eth0
#Check if already running to avoid multiple instances
# (the heredoc delimiter above is quoted so that $VAR and $(...) are written
#  into this file literally instead of being expanded by the shell that creates it)

IF_WAN=eth0
PROCESS_NAME=wpa_supplicant
PROCESS_PATH=/config/scripts/wpa_supplicant
PROCESS_COUNT=$(ps -A | grep "$PROCESS_NAME" | grep -Ev "grep|$(basename "$0")" | grep -c "$PROCESS_NAME")

if [ "$PROCESS_COUNT" = 0 ] && [ -x "$PROCESS_PATH" ]; then
  "$PROCESS_PATH" -s -B -Dwired -i"$IF_WAN" -c/config/scripts/wpa_supplicant.conf -g/var/run/wpa_supplicant.ctrl -P/var/run/wpa_supplicant.pid
fi
EOF

Backup your router config
mca-ctrl -t dump-cfg > /root/config_orig.txt

Enable Legacy mode on your controller.
https://support.hostifi.com/en/articles/6240303-unifi-how-to-change-between-unifi-interface-versions

After you have Legacy mode enabled, you can set your VLAN ID to 0 on WAN. Save, and let the USG provision.

Here is how to change the MAC and set VLAN via command line.

configure
set interfaces ethernet eth0 vif 0
set interfaces ethernet eth0 mac XX:XX:XX:XX:XX:XX
commit
save
exit

Manually call the script like this:
/config/scripts/wpa_supplicant -s -B -Dwired -ieth0 -c/config/scripts/wpa_supplicant.conf -g/var/run/wpa_supplicant.ctrl -P/var/run/wpa_supplicant.pid

Backup your new config:
mca-ctrl -t dump-cfg > /root/config_new.txt

On the controller do:
find / -name "config.gateway.json"

If you're not using multi-site you may not find one or even a sites directory. To make it, do the following. If you are using multi-site, change default to reflect the **siteID** found in url for the dashboard https://127.0.0.1:8443/manage/s/**siteID**/dashboard
Ubuntu cloud controllers: mkdir /usr/lib/unifi/data/sites/default or mkdir /usr/lib/unifi/data/sites/**siteID**
Cloud key controllers: mkdir /srv/unifi/data/sites/default or mkdir /srv/unifi/data/sites/**siteID**

To make your config.gateway.json edit the mac and the path respectively:

cat <<EOF > /usr/lib/unifi/data/sites/default/config.gateway.json
{
   "interfaces":{
      "ethernet":{
         "eth0":{
            "mac":"XX:XX:XX:XX:XX:XX"
         }
      }
   }
}
EOF

Then set ownership of the directories and file. Change the path respectively.

chown -R unifi:unifi /usr/lib/unifi/data/sites
