Last active April 15, 2024 23:21
Complete-ish guide to WPA Supplicant bypass on AT&T U-verse Fiber with Unifi USG
*Important note to pay attention to*
You'll most likely use eth0 on a USG and eth2 or eth3 on a USG-Pro; edit the files accordingly. Do not run the supplicant on virtual interfaces (e.g. eth0.0), as it will not work.
*Pre-requisites*
Get the certs by running the mfg_dat_decode tool. You should end up with 3 certs: CA_*.pem, Client_*.pem and PrivateKey_PKCS1_*.pem, as well as a wpa_supplicant.conf file.
In the archive generated by the tool, edit wpa_supplicant.conf to add the full path /config/auth/ to all 3 files:
network={
ca_cert="/config/auth/CA_xxxxxx.pem"
client_cert="/config/auth/Client_xxxxxx.pem"
eap=TLS
eapol_flags=0
identity="AA:AA:AA:AA:AA:AA" # Gateway MAC address
key_mgmt=IEEE8021X
phase1="allow_canned_success=1"
private_key="/config/auth/PrivateKey_PKCS1_xxxxxx.pem"
}
Download the compiled WPA Supplicant binary: https://www.dslreports.com/r0/download/2382315~c173ce2d062cf92116ed2427bb79dd18/wpa_supplicant.zip
Create wpa_supplicant.sh and make sure it matches your WAN port:
#!/usr/bin/env bash
# Start EAP-TLS on eth0
# Check if already running to avoid multiple instances
IF_WAN=eth0
PROCESS_NAME=wpa_supplicant
PROCESS_PATH=/config/scripts/wpa_supplicant
# Count running supplicant processes, ignoring the grep itself and this script
PROCESS_COUNT=$(ps -A | grep "$PROCESS_NAME" | grep -Ev "grep|$(basename "$0")" | grep -c "$PROCESS_NAME")
if [ "$PROCESS_COUNT" -eq 0 ] && [ -x "$PROCESS_PATH" ]; then
  "$PROCESS_PATH" -s -B -Dwired -i"$IF_WAN" -c/config/scripts/wpa_supplicant.conf -g/var/run/wpa_supplicant.ctrl -P/var/run/wpa_supplicant.pid
fi
SCP into the USG and drop the following files into the following locations:
/config/scripts/wpa_supplicant (the binary downloaded above)
/config/scripts/post-config.d/wpa_supplicant.sh
/config/scripts/wpa_supplicant.conf
3 certificate PEM files to /config/auth
Run the following commands:
sudo chmod +x /config/scripts/wpa_supplicant
sudo chmod +x /config/scripts/post-config.d/wpa_supplicant.sh
sudo chmod -R 0600 /config/auth
Set your WAN port VLAN to 0; you might need to use the old UI for this, as the new one errors out when choosing VLAN 0.
Create a config.gateway.json file to ensure the MAC spoofing is persistent; make sure the interface and MAC address are updated:
{
"interfaces":{
"ethernet":{
"eth0":{
"mac":"AA:AA:AA:AA:AA:AA"
}
}
}
}
Follow the USG documentation: https://help.ubnt.com/hc/en-us/articles/215458888-UniFi-USG-Advanced-Configuration#2
Reboot the gateway.
Monitor logs on the gateway by running
tail -n 50 -f /var/log/messages
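A pre-flight check for the files and settings above, as an added example that is not part of the gist: it reads the network block, refuses VLAN sub-interfaces, confirms the three credential files live under /config/auth, and verifies the private key is readable by its owner only. AUTH_DIR and the function names (conf_value, check_iface, check_mac, check_secret_perms, preflight) are chosen here, not taken from the gist.

```shell
#!/usr/bin/env bash
# Added example (not from the gist): pre-flight checks for the wpa_supplicant setup above.
# AUTH_DIR defaults to the gist's /config/auth; override it to run the checks elsewhere.
AUTH_DIR=${AUTH_DIR:-/config/auth}
# Read the value of a quoted key (e.g. ca_cert="...") from wpa_supplicant.conf.
conf_value() {  # $1 = conf file, $2 = key name
  sed -n "s/^[[:space:]]*$2=\"\([^\"]*\)\".*/\1/p" "$1" | head -n 1
}
# The supplicant must bind the physical WAN port, never a VLAN sub-interface like eth0.0.
check_iface() {  # $1 = interface name
  case "$1" in
    *.*) return 1 ;;
    eth[0-9]*) return 0 ;;
    *) return 1 ;;
  esac
}
# identity= must be the gateway MAC in AA:AA:AA:AA:AA:AA form.
check_mac() {  # $1 = candidate MAC
  printf '%s' "$1" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'
}
# The private key must exist and be readable by its owner only (mode 0600 or 0400).
check_secret_perms() {  # $1 = file
  [ -f "$1" ] || return 1
  case "$(stat -c '%a' "$1")" in
    600|400) return 0 ;;
    *) return 1 ;;
  esac
}
# Run every check; print the first problem found and return non-zero on failure.
preflight() {  # $1 = conf file, $2 = WAN interface
  local conf=$1 iface=$2 key f
  [ -r "$conf" ] || { echo "missing conf: $conf"; return 1; }
  check_iface "$iface" || { echo "bad interface: $iface (use the physical port)"; return 1; }
  check_mac "$(conf_value "$conf" identity)" || { echo "identity is not a MAC address"; return 1; }
  for key in ca_cert client_cert private_key; do
    f=$(conf_value "$conf" "$key")
    case "$f" in
      "$AUTH_DIR"/*) [ -f "$f" ] || { echo "$key file missing: $f"; return 1; } ;;
      *) echo "$key is not under $AUTH_DIR: '$f'"; return 1 ;;
    esac
  done
  check_secret_perms "$(conf_value "$conf" private_key)" || { echo "private key must be mode 0600"; return 1; }
  echo "pre-flight ok: $conf on $iface"
}
# Usage: ./preflight.sh /config/scripts/wpa_supplicant.conf eth0
if [ "$#" -eq 2 ]; then preflight "$1" "$2"; fi
```

Run it on the USG after copying the files and before rebooting; a non-zero exit names the first thing the later supplicant start would trip over.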
Couple of notes:
Here's a one-liner for making the wpa_supplicant.sh
Backup your router config
mca-ctrl -t dump-cfg > /root/config_orig.txt
Enable Legacy mode on your controller.
https://support.hostifi.com/en/articles/6240303-unifi-how-to-change-between-unifi-interface-versions
After you have Legacy mode enabled, then you can set your VLAN ID to 0 on WAN. Save, and let the USG provision.
Here is how to change the MAC and set VLAN via command line.
Manually call the script like this:
/config/scripts/wpa_supplicant -s -B -Dwired -ieth0 -c/config/scripts/wpa_supplicant.conf -g/var/run/wpa_supplicant.ctrl -P/var/run/wpa_supplicant.pid
Backup your new config:
mca-ctrl -t dump-cfg > /root/config_new.txt
On the controller do:
find / -name "config.gateway.json"
If you're not using multi-site you may not find one or even a sites directory. To make it, do the following. If you are using multi-site, change default to reflect the **siteID** found in the url for the dashboard https://127.0.0.1:8443/manage/s/**siteID**/dashboard
Ubuntu cloud controllers:
mkdir /usr/lib/unifi/data/sites/default
or mkdir /usr/lib/unifi/data/sites/**siteID**
Cloud key controllers:
mkdir /srv/unifi/data/sites/default
or mkdir /srv/unifi/data/sites/**siteID**
To make your config.gateway.json, edit the mac and the path respectively:
Then set ownership of the directories and file. Change the path respectively.
chown -R unifi:unifi /usr/lib/unifi/data/sites