IEEE 802.1x + MD5 authorization on OpenWrt
Recently, home network providers have started adding a method based on the IEEE 802.1x standard to the variety of authorization methods they use. The protocol works very simply: until the client has identified itself, only 802.1x packets are allowed through the port. On Windows, you can configure authentication in a few clicks, but more often there is a wireless router at home that shares the Internet connection. This article discusses how to set up IEEE 802.1x + MD5 authorization on an OpenWrt-compatible device.
There are many ways to install OpenWrt. As a rule, it comes down to uploading the firmware image downloaded from the OpenWrt website through the router’s web interface; more details can be found on that website. Suppose we already have a device with OpenWrt installed: a Linksys WRT54GL v1.1 with Kamikaze firmware 8.09.2 will serve as the test subject.
So:
- Download the firmware and flash our router.
- Log in to it for the first time with telnet root@192.168.1.1 and change the password with the passwd command, after which telnet will be disabled and ssh enabled.
- We need to install a “special” wpa_supplicant, with roboswitch driver support:
ssh root@192.168.1.1
cd /tmp
opkg update
wget www.liacs.nl/~jwitteve/openwrt/8.09/brcm-2.4/packages/wpa-supplicant_0.6.9-2_mipsel.ipk
opkg install wpa-supplicant_0.6.9-2_mipsel.ipk
- Create a configuration file for wpa_supplicant, for example /etc/config/wpa_supplicant.conf:
ap_scan=0
network={
    ssid=""
    key_mgmt=IEEE8021X
    eap=MD5
    identity="login"
    password="password"
}
In addition to MD5, there are other authentication methods, such as TTLS PAP, in which case certificates are required. You can read more about other methods, for example, in man wpa_supplicant.
- Now you can make a test run. In the case of the WRT54GL, the provider’s cable is plugged into the WAN port, which is listed as eth0.1 in the system:
# wpa_supplicant -dd -D roboswitch -c /etc/config/wpa_supplicant.conf -i eth0.1
If everything is OK, we will see:
Initializing interface 'eth0.1' conf '/etc/config/wpa_supplicant.conf' driver 'roboswitch' ctrl_interface 'N/A' bridge 'N/A'
Configuration file '/etc/config/wpa_supplicant.conf' -> '/etc/config/wpa_supplicant.conf'
Reading configuration file '/etc/config/wpa_supplicant.conf'...
EAPOL: SUPP_PAE entering state AUTHENTICATED
EAPOL: Supplicant port status: Authorized
...
EAPOL authentication completed successfully
And now we can get the address:
# udhcpc -i eth0.1
udhcpc (v1.15.3) started
Sending discover...
Sending select for x.x.x.x...
Lease of x.x.x.x obtained, lease time 21600
That is not all, because everything still needs to work automatically.
Create the init script /etc/init.d/wpa_signin:
#!/bin/sh /etc/rc.common
START=99
start() {
    /usr/sbin/wpa_supplicant -i eth0.1 -D roboswitch -B -c /etc/config/wpa_supplicant.conf
}
Do not forget to enable it:
# /etc/init.d/wpa_signin enable
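The eap=MD5 setting in the configuration file above selects the EAP MD5-Challenge method (RFC 3748): the provider's equipment sends a random challenge and the router answers with MD5(Identifier || password || challenge). The Python sketch below walks through both sides of that exchange; it is an added example, not part of the original article, its function names are made up for illustration, and "login"/"password" are the placeholders from the configuration file.

```python
import hashlib
import hmac
import os
import struct

EAP_REQUEST, EAP_RESPONSE = 1, 2
EAP_TYPE_MD5 = 4  # EAP type MD5-Challenge (RFC 3748, section 5.4)

def build_eap_md5(code, identifier, value, name=b""):
    """EAP packet: Code, Identifier, Length, Type, Value-Size, Value, Name."""
    body = bytes([EAP_TYPE_MD5, len(value)]) + value + name
    return struct.pack("!BBH", code, identifier, 4 + len(body)) + body

def parse_eap_md5(packet):
    """Return (code, identifier, value, name); reject malformed packets."""
    if len(packet) < 6:
        raise ValueError("packet too short for EAP-MD5")
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length < 6 or length > len(packet) or packet[4] != EAP_TYPE_MD5:
        raise ValueError("bad length or not an MD5-Challenge packet")
    size = packet[5]
    if 6 + size > length:
        raise ValueError("Value-Size runs past the end of the packet")
    return code, identifier, packet[6:6 + size], packet[6 + size:length]

def md5_response(identifier, password, challenge):
    """CHAP-style hash: MD5(Identifier || password || challenge)."""
    return hashlib.md5(bytes([identifier]) + password + challenge).digest()

def supplicant_reply(request, identity, password):
    """What the router (supplicant) sends back for a challenge."""
    code, identifier, challenge, _ = parse_eap_md5(request)
    if code != EAP_REQUEST:
        raise ValueError("expected an EAP Request")
    value = md5_response(identifier, password, challenge)
    return build_eap_md5(EAP_RESPONSE, identifier, value, identity)

def authenticator_accepts(request, response, password):
    """What the provider's side checks before opening the port."""
    _, req_id, challenge, _ = parse_eap_md5(request)
    code, resp_id, value, _ = parse_eap_md5(response)
    expected = md5_response(req_id, password, challenge)
    return (code == EAP_RESPONSE and resp_id == req_id
            and hmac.compare_digest(value, expected))

if __name__ == "__main__":
    req = build_eap_md5(EAP_REQUEST, 7, os.urandom(16))  # constructed challenge
    resp = supplicant_reply(req, b"login", b"password")
    print(resp.hex(), authenticator_accepts(req, resp, b"password"))
```

Only the client proves anything in this exchange, and both the challenge and the resulting hash cross the wire unencrypted, so the strength of the password in wpa_supplicant.conf is the only thing protecting it.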