IEEE 802.1x + MD5 authorization on OpenWrt

Published on April 14, 2010

    Recently, among the variety of authorization methods used by home ISPs, one based on the IEEE 802.1x standard has started to appear. The protocol is very simple: until the client has identified itself, the switch port passes nothing but 802.1x (EAPOL) frames. On Windows this authentication is configured in a few clicks, but more often than not a wireless router is what sits at home and shares the connection, so it is the router that has to authenticate. This post shows how to set up IEEE 802.1x + MD5 authorization on an OpenWrt-compatible device.


    There are many ways to install OpenWrt. As a rule it all comes down to uploading a firmware image downloaded from the OpenWrt website through the router's stock web interface; details are on that website. Suppose we already have a device with OpenWrt installed: a Linksys WRT54GL v1.1 with Kamikaze 8.09.2 firmware will be the test subject.
    So:
    1. Download the firmware and flash our router.
    2. Log in for the first time with telnet 192.168.1.1 (there is no password yet) and change the password with the passwd command; after that telnet is disabled and ssh is enabled.
    3. We need a "special" build of wpa_supplicant with support for the roboswitch driver (the Broadcom switch chip in the WRT54GL), since the stock package cannot send EAPOL frames through the switch port:
      ssh root@192.168.1.1
      cd /tmp
      opkg update
      wget www.liacs.nl/~jwitteve/openwrt/8.09/brcm-2.4/packages/wpa-supplicant_0.6.9-2_mipsel.ipk
      opkg install wpa-supplicant_0.6.9-2_mipsel.ipk

    4. Create a configuration file for wpa_supplicant, for example /etc/config/wpa_supplicant.conf. Note that the parser does not tolerate spaces around "=", so write the lines exactly like this:
      ap_scan=0
      network={
          ssid=""
          key_mgmt=IEEE8021X
          eap=MD5
          identity="login"
          password="password"
      }
      

      In addition to MD5 there are other EAP methods, for example TTLS with PAP inside; in that case the server presents a certificate and you will need the CA certificate (ca_cert=) to verify it. The other methods are described in man wpa_supplicant.conf. Keep in mind what EAP-MD5 actually gives you: a single MD5 challenge/response that proves the password to the server, with no authentication of the server and no key derivation, so anyone on the wire can capture the exchange and run an offline dictionary attack against the password. Since the password is stored in clear text, restrict the file so that only root can read it.
    5. Now we can do a test run. On the WRT54GL the provider's cable is plugged into the WAN port, which the system sees as eth0.1. The supplicant stays in the foreground with -dd, so use a second ssh session for the DHCP step:
      # wpa_supplicant -dd -D roboswitch -c /etc/config/wpa_supplicant.conf -i eth0.1
      Initializing interface 'eth0.1' conf '/etc/config/wpa_supplicant.conf' driver 'roboswitch' ctrl_interface 'N/A' bridge 'N/A'
      Configuration file '/etc/config/wpa_supplicant.conf' -> '/etc/config/wpa_supplicant.conf'
      Reading configuration file '/etc/config/wpa_supplicant.conf'

    If everything is OK, we will see:
      ...
      EAPOL: SUPP_PAE entering state AUTHENTICATED
      EAPOL: Supplicant port status: Authorized
      ...
      EAPOL authentication completed successfully

    And now we can get an address:
      # udhcpc -i eth0.1
      udhcpc (v1.15.3) started
      Sending discover...
      Sending select for x.x.x.x...
      Lease of x.x.x.x obtained, lease time 21600



    And that is not all, because everything has to work automatically after a reboot.
    Create the init script /etc/init.d/wpa_signin (START=99 so it runs after the network has been configured; -B sends the supplicant to the background, where it keeps answering the authenticator's periodic re-authentication requests):
    #!/bin/sh /etc/rc.common
    START=99
    start() {
            /usr/sbin/wpa_supplicant -i eth0.1 -D roboswitch -B -c /etc/config/wpa_supplicant.conf
    }
    

    Do not forget to enable it:
    # /etc/init.d/wpa_signin enable
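    The init script above simply backgrounds the supplicant, so at boot the WAN DHCP request races against the 802.1x exchange and may time out before the port is authorized. The helper below is an added example, not the script from the post: it starts wpa_supplicant, polls wpa_cli status until the EAPOL state machine reports the port as Authorized, and only then brings up the wan interface. It assumes the interface, driver and config path from the post, plus a ctrl_interface=/var/run/wpa_supplicant line in the config and the wpa-cli package; the 60-second timeout, the ifup/ifdown calls and the file name /usr/sbin/wpa_signin.sh are choices made here. The two wpa_cli status samples inside it are constructed for the self-check.

```shell
#!/bin/sh
# Added example (not the post's script): /usr/sbin/wpa_signin.sh
# Waits until the 802.1X port is really authorized before bringing up wan.
# Assumptions: interface eth0.1, driver roboswitch and the config path from the
# post; the config also contains
#   ctrl_interface=/var/run/wpa_supplicant
# so that wpa_cli (package wpa-cli on Kamikaze) can query the supplicant.
# The 60 s timeout and the ifup/ifdown calls are choices made here.

IFACE=eth0.1
DRIVER=roboswitch
CONF=/etc/config/wpa_supplicant.conf
CTRL_DIR=/var/run/wpa_supplicant
TIMEOUT=60

# Constructed samples of `wpa_cli status` output, used by self_check below.
SAMPLE_AUTHORIZED='wpa_state=COMPLETED
Supplicant PAE state=AUTHENTICATED
suppPortStatus=Authorized
EAP state=SUCCESS'
SAMPLE_PENDING='wpa_state=ASSOCIATED
Supplicant PAE state=CONNECTING
suppPortStatus=Unauthorized
EAP state=IDENTITY'

# eapol_authorized: read `wpa_cli status` output on stdin and return 0 only
# when the EAPOL supplicant state machine reports the AUTHENTICATED state and
# an Authorized port (both lines are printed by wpa_supplicant's status).
eapol_authorized() {
	status_text=$(cat)
	case "$status_text" in
		*'Supplicant PAE state=AUTHENTICATED'*) ;;
		*) return 1 ;;
	esac
	case "$status_text" in
		*'suppPortStatus=Authorized'*) return 0 ;;
		*) return 1 ;;
	esac
}

# wait_for_auth: poll the running supplicant once a second until it is
# authorized (return 0) or TIMEOUT seconds have passed (return 1).
wait_for_auth() {
	waited=0
	while [ "$waited" -lt "$TIMEOUT" ]; do
		if wpa_cli -p "$CTRL_DIR" -i "$IFACE" status 2>/dev/null | eapol_authorized; then
			return 0
		fi
		sleep 1
		waited=$((waited + 1))
	done
	return 1
}

# self_check: the parser must accept the authorized sample and reject the
# pending one; returns 0 on success.
self_check() {
	printf '%s\n' "$SAMPLE_AUTHORIZED" | eapol_authorized || return 1
	if printf '%s\n' "$SAMPLE_PENDING" | eapol_authorized; then
		return 1
	fi
	return 0
}

start() {
	# -B backgrounds the supplicant; it keeps answering the authenticator's
	# periodic re-authentication requests for as long as it runs.
	/usr/sbin/wpa_supplicant -B -i "$IFACE" -D "$DRIVER" -c "$CONF" || return 1
	if wait_for_auth; then
		logger -t wpa_signin "802.1X port $IFACE authorized, bringing up wan"
		ifup wan
	else
		logger -t wpa_signin "802.1X on $IFACE not authorized after ${TIMEOUT}s"
		return 1
	fi
}

stop() {
	ifdown wan
	wpa_cli -p "$CTRL_DIR" -i "$IFACE" terminate >/dev/null 2>&1
}

# Dispatcher: call as `wpa_signin.sh start|stop|check` from the init script;
# with no argument the file only defines the functions above.
case "$1" in
	start|stop) "$1" ;;
	check) self_check && echo "status parser OK" ;;
esac
```

In /etc/init.d/wpa_signin the start() body then becomes /usr/sbin/wpa_signin.sh start, with a matching stop() calling /usr/sbin/wpa_signin.sh stop. Requiring both status lines rather than grepping for "Authorized" alone keeps the check from matching the Unauthorized line by accident, and the timeout means a wrong password logs a clear message instead of hanging the boot sequence.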

    Links