Tuesday, January 8, 2019

Configuring 802.1x authentication using wpa_supplicant on Ubiquiti Edgerouter

This guide describes steps required to configure 802.1x wired authentication using wpa_supplicant on Cavium-based Ubiquiti Edgerouter devices running EdgeOS 2.0. Mediatek (Edgerouter-X) procedure is similar, however I do not have such device and could not recompile wpa_supplicant for it.
Copy EAP-TLS certificates and private key in PEM format to /config/auth/
Run sudo chmod -R 0600 /config/auth to secure the credentials.
Copy wpa_supplicant.conf to /config/
If you are using wpa_supplicant.conf generated by a tool in the previous post, modify certificate and key paths to point to /config/auth/
Assuming wpa_supplicant.conf resides in /config/, the router has Internet connectivity and Internet interface that requires wpa_supplicant is eth0, run the following commands in console:
#Remove 1.x repository, add 2.0 Debian repository and install prerequisites
configure
delete system package repository wheezy
set system package repository stretch components 'main contrib'
set system package repository stretch distribution stretch
set system package repository stretch password ''
set system package repository stretch url 'http://http.us.debian.org/debian'
set system package repository stretch username ''
commit
save
exit
sudo apt-get update && sudo apt-get install libpcsclite1
#Download backported Debian Buster wpa_supplicant and install it
curl https://community.ubnt.com/ubnt/attachments/ubnt/EdgeMAX/235525/1/wpasupplicant_2.6-21~bpo9+1_mips.deb.tar.gz -o /tmp/wpasupplicant_2.6-21~bpo9+1_mips.deb.tar.gz
cd /tmp/
tar -xvf ./wpasupplicant_2.6-21~bpo9+1_mips.deb.tar.gz
sudo dpkg -i /tmp/wpasupplicant_2.6-21~bpo9+1_mips.deb
#Create symbolic link to wpa_supplicant.conf for eth0
sudo ln -s /config/wpa_supplicant.conf /etc/wpa_supplicant/wpa_supplicant-wired-eth0.conf
#Disable dbus service and enable wired wpa_supplicant for eth0
sudo systemctl disable wpa_supplicant.service
sudo systemctl enable wpa_supplicant-wired@eth0.service
#Save DEB packages for future use, allow /etc/ubnt/ubnt-rcS/ubnt-rcS.sh to install them
sudo mkdir -p /config/data/firstboot/install-packages &&  cd /config/data/firstboot/install-packages
sudo apt-get download libpcsclite1sudo curl https://community.ubnt.com/ubnt/attachments/ubnt/EdgeMAX/235525/1/wpasupplicant_2.6-21~bpo9+1_mips.deb.tar.gz -o /config/data/firstboot/install-packages/wpasupplicant_2.6-21~bpo9+1_mips.deb.tar.gz
sudo tar -xvf ./wpasupplicant_2.6-21~bpo9+1_mips.deb.tar.gz
sudo rm /config/data/firstboot/install-packages/wpasupplicant_2.6-21~bpo9+1_mips.deb.tar.gz
#Recover configuration on EdgeOS upgrade
sudo mkdir -p /config/scripts/firstboot.d/
echo '#!/usr/bin/env bash' | sudo tee -a /config/scripts/firstboot.d/8021x-eth0.sh
echo 'ln -s /config/wpa_supplicant.conf /etc/wpa_supplicant/wpa_supplicant-wired-eth0.conf' | sudo tee -a /config/scripts/firstboot.d/8021x-eth0.sh
echo 'systemctl stop wpa_supplicant.service' | sudo tee -a /config/scripts/firstboot.d/8021x-eth0.sh
echo 'systemctl disable wpa_supplicant.service' | sudo tee -a /config/scripts/firstboot.d/8021x-eth0.sh
echo 'systemctl enable wpa_supplicant-wired@eth0.service' | sudo tee -a /config/scripts/firstboot.d/8021x-eth0.sh
echo 'systemctl start wpa_supplicant-wired@eth0.service' | sudo tee -a /config/scripts/firstboot.d/8021x-eth0.sh
sudo chmod 0744 /config/scripts/firstboot.d/8021x-eth0.sh
reboot

63 comments:

  1. Is this also compatible with the e300 / ER4 router?

    ReplyDelete
  2. This worked for me on ER4, latest firmware (2.0).

    ReplyDelete
    Replies
    1. I gave up on the ER-X and bought an ER4.

      Everything installed great (thanks for the fantastic instructions!) but I still can't get an IP address.

      I have the SFP from AT&T plugged directly into the ER4 (there is no ONT, the NVG595 has an SFP slot).

      Do you know if there is some extra step to make this work?

      Or is this the DHCP issue where it's sent over VLAN 0 and the ER4 can't see it?

      Delete
    2. Try 802.1q VLAN 2 instead of 802.1p (VLAN 0). Your DHCP interface would be something like 'eth0 vif 2'

      Delete
    3. Awesome! That worked immediately, thanks!

      `set interfaces ethernet eth3 vif 2 address dhcp`

      (eth3 is the SFP on the ER4)

      All I had to do then was change the NAT rule to masquerade to eth3.2 and it worked.

      Is there anything special I need to do so it remembers this after a fw update or reboot?

      Delete
    4. Sergey I assume we have to run the command `set interfaces ethernet eth3 vif 0 address dhcp` to get the 802.1p going right?

      These instructions skip over that as well as the mac cloning so that's why I ask.

      Delete
    5. @Wes Could you help give details on the SFP from Att? What's the model#? To my understanding, there is no SFP port in NVG599. If SFP works, I think we just just plug it directly to ER and bypass ONT also. Thanks,

      Delete
    6. @Stone, sorry I missed this. The NVG595 is the one with the SFP slot. If you have AT&T Uverse *fiber* or ABF (AT&T Business Fiber) they will sometimes give you a 595 with the Fiber plugged directly into it...

      Delete
  3. FYI, the ER-X and ER-X-SFP are MIPSEL. Do you know if there is a WPA_Supplicant package wpasupplicant_2.6-21~bpo9+1 compiled for mipsel?

    I'm assuming the regular 2.6.21 from buster won't work.

    ReplyDelete
  4. Sorry, missed this "... [I] could not recompile wpa_supplicant for it"

    Does the wpa_supplicant on 1.10 have the same race condition problem that 2.0 does without using the Buster backport?

    ReplyDelete
  5. Native wheezy wpa_supplicant works just fine in 1.10, but there is a different problem in 1.x - there is no built in mechanism to start it, unlike systemd in 2.0, so you have to start it from a script in /config/scripts/post-config.d/

    Here is a script I've used for ONT on eth0 with 1.x:

    #!/usr/bin/env bash
    #Start EAP-TLS on eth0
    #Check if already running to avoid multiple instances

    PROCESS_NAME=wpa_supplicant
    PROCESS_PATH=/sbin/wpa_supplicant
    PROCESS_COUNT=$(ps -A | grep $PROCESS_NAME | egrep -v "grep|$(basename $0)" | grep -c $PROCESS_NAME)

    if [ $PROCESS_COUNT = 0 ]; then
    echo "`date +"%b %d %T"` `hostname` eap-tls: Starting" >> /var/log/messages 2>&1
    if [ -x /sbin/wpa_supplicant ]; then
    echo "`date +"%b %d %T"` `hostname` `/sbin/wpa_supplicant -s -B -Dwired -ieth0 -c/config/wpa_supplicant.conf -P/var/run/wpa_supplicant.pid &`" >> /var/log/messages 2>&1
    else
    echo "`date +"%b %d %T"` `hostname` eap-tls: wpa_supplicant is not installed" >> /var/log/messages 2>&1
    fi
    else
    echo "`date +"%b %d %T"` `hostname` eap-tls: wpa_supplicant is already running" >> /var/log/messages 2>&1
    fi

    ReplyDelete
  6. Here is a script that installs wpa_supplicant on 1.x in correct order across 1.x firmware flashes. You would want to download packages into /config/data/install-packages/




    #!/usr/bin/env bash
    # Installs wpa_supplicant after upgrade
    echo "`date +"%b %d %T"` `hostname` install-deb: Starting" >> /var/log/messages 2>&1
    if /usr/bin/dpkg -s libpcsclite1 | grep -lq "Status: install ok installed"; then echo "`date +"%b %d %T"` `hostname` libpcsclite1 is already installed" >> /var/log/messages 2>&1; else echo "`date +"%b %d %T"` `hostname` `/usr/bin/dpkg --no-force-all -i /config/data/install-packages/libpcsclite1_1.8.4-1+deb7u1_mips.deb`" >> /var/log/messages 2>&1; fi
    if /usr/bin/dpkg -s libreadline5 | grep -lq "Status: install ok installed"; then echo "`date +"%b %d %T"` `hostname` libreadline5 is already installed" >> /var/log/messages 2>&1; else echo "`date +"%b %d %T"` `hostname` `/usr/bin/dpkg --no-force-all -i /config/data/install-packages/libreadline5_5.2+dfsg-2~deb7u1_mips.deb`" >> /var/log/messages 2>&1; fi
    if /usr/bin/dpkg -s libssl1.0.0 | grep -lq "Status: install ok installed"; then echo "`date +"%b %d %T"` `hostname` libssl1.0.0 is already installed" >> /var/log/messages 2>&1; else echo "`date +"%b %d %T"` `hostname` `/usr/bin/dpkg --no-force-all -i /config/data/install-packages/libssl1.0.0_1.0.1e-2+deb7u20_mips.deb`" >> /var/log/messages 2>&1; fi
    if /usr/bin/dpkg -s wpasupplicant | grep -lq "Status: install ok installed"; then echo "`date +"%b %d %T"` `hostname` wpasupplicant is already installed" >> /var/log/messages 2>&1; else echo "`date +"%b %d %T"` `hostname` `/usr/bin/dpkg --no-force-all -i /config/data/install-packages/wpasupplicant_1.0-3+deb7u3_mips.deb`" >> /var/log/messages 2>&1; fi
    echo "`date +"%b %d %T"` `hostname` install-deb: Done" >> /var/log/messages 2>&1

    ReplyDelete
    Replies
    1. Would you provide URLs for those debs? Having quite some difficulty finding all of them.

      Delete
  7. I also have four helper scripts that monitor for wpa_supplicant crash (in case the link to ONT is not up when router starts, or connection is interrupted), restart wpa_supplicant and subsequently restart dhcp and dhcpv6 clients and radvd. Let me know if you need them.

    On 2.x I was able to decommission all of the scripts - it runs great with just instructions in the post, gracefully handling connection interruptions and late ONT link.

    ReplyDelete
    Replies
    1. Would you be able to share those monitoring scripts?

      Delete
    2. I've shared the scripts under one of the other responses. I recommend using 2.x firmware - it is a lot more stable with wpa_supplicant and does not need external scripts.

      Delete
  8. Buster and Sid packages don't work out of the box on Stretch or Wheezy due to dependency on newer glibc. You would need to recompile them on Stretch box so that it links with older glibc.
    If you would like to backport to MediaTek, use these two guides:
    https://wiki.debian.org/Schroot
    Use schroot and debootstrap to create a build environment on usb drive or network share, so that you don't have to install extra packages to the router filesystem.
    Once the build environment is up, use this guide to backport the package:
    https://wiki.debian.org/SimpleBackportCreation

    ReplyDelete
    Replies
    1. There doesn't seem to be a reasonable way to compile this for the ER-X/ER-X-SFP. There's no USB and I don't have access to network storage.

      Do you know if the newer wpasupplicant for Stretch fixes the issue you described?
      2.4-1+deb9u2

      What is the problem with it?

      Delete
    2. It is missing "wpa_supplicant-wired@.service". You could add the missing file manually from source. See details here: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=871488

      Delete
  9. Could I use this guide for a Ubiquiti USG-XG, assuming eth0 is connected to the ONT?

    ReplyDelete
    Replies
    1. You likely could. I don't have a USG-XG to test with, but it is based on the same (but more powerful) Cavium platform, so the instructions should work with minimum changes. I am not following the software development cycle for USG products, but if it is using the same Debian Stretch as EdgeOS counterparts, it should work. If it uses Wheezy, see my comments above for 1.x EdgeOS.

      Delete
    2. When I SSH into the USG, it says EdgeOS, but I don't think it is totally like what is on the Edgerouters. I'm moving to the house with ATT Fiber at the end of April, so I'll give it a shot then and report back.

      Thanks for this awesome work! It has been such an interesting rabbit hole to explore!

      Delete
    3. Looks like my USG-XG-8 uses wheezy. Could you please share your helper scripts from 1.x?

      Delete
    4. I've uploaded the scripts here. It's a quick and dirty hack for 1.x, I have not really spent much time refining them, since I've moved to 2.0 almost right away. The scripts assume that ONT is on eth0 https://mega.nz/#!rr4E2SbS!GBQK9pEcYZdtAd1e0wDgeCh9Sr48qWNFRAO0QI-6nwA

      Set permissions to 755, download the DEBs to /config/data/install-packages and add the following two commands to config:

      set system task-scheduler task eap-tls crontab-spec '* * * * *'
      set system task-scheduler task eap-tls executable path /config/scripts/restart-eap-tls

      Delete
    5. Thank you for this, it is very appreciated!

      Delete
  10. Has anyone had any success in utilizing a static block of addresses in addition to the DHCP one that is handed via wpa_supplicant? I can't figure out how the provider is routing the static block back to their network?

    ReplyDelete
    Replies
    1. I set it up the same way you would on the RG essentially, though strictly speaking, I'm not sure it's necessary. I have the smallest block with IP addressing like so - 99.xx.xx.200/29. I assigned what they would call the "gateway" address from that block to a LAN interface on my router (an ER12) -- 99.xx.xx.206/29, then I have the end devices with static IPs use that as the gateway in their setup. Then I have a DNAT rule in my WAN_IN firewall config that sits above 'allow established/related' but below 'drop invalid state' for each static IP that is in actual use which forwards all protocols to the static address. It will work this way as is, but the static devices will be seen externally as the DHCP WAN address so to fix that I added an SNAT exclude rule for the entire block in the NAT section which masquerades to the WAN VLAN. Not sure if this is the 'right way' exactly but it has been working just fine for me. Clear as mud? lol. Hope that helps some.

      Delete
  11. Has anyone gotten this to run on a usg pro4?

    ReplyDelete
    Replies
    1. Nevermind got it working by looking through comments

      Delete
  12. Created symlink /etc/systemd/system/dbus-fi.w1.wpa_supplicant1.service -> /lib/s ystemd/system/wpa_supplicant.service.
    Created symlink /etc/systemd/system/multi-user.target.wants/wpa_supplicant.servi ce -> /lib/systemd/system/wpa_supplicant.service.
    Job for wpa_supplicant.service failed because a fatal signal was delivered to th e control process.
    See "systemctl status wpa_supplicant.service" and "journalctl -xe" for details.
    wpa_supplicant.service couldn't start.


    Get that when I set up wpa_supplicant on an edgerouter lite running edgeos 2.0.1. What am i missing here?

    ReplyDelete
  13. I have the regular USG. Will this work?

    ReplyDelete
  14. While I've been having authentication issues with this on my USG3, that doesn't appear to be an issue on my ER4. Although it seems authentication is successful, I'm not getting an IP address.


    ubnt@ubnt:~$ sudo journalctl -u wpa_supplicant-wired@eth0.service -b
    -- Logs begin at Thu 2016-11-03 17:16:43 UTC, end at Fri 2019-04-12 12:40:30 UTC. --
    Nov 03 17:16:46 ubnt systemd[1]: Started WPA supplicant daemon (interface- and wired driver-specific version).
    Apr 12 12:37:00 ubnt wpa_supplicant[274]: Successfully initialized wpa_supplicant
    Apr 12 12:37:01 ubnt wpa_supplicant[274]: eth0: Associated with xx:xx:xx:xx:xx:xx
    Apr 12 12:37:01 ubnt wpa_supplicant[274]: WMM AC: Missing IEs
    Apr 12 12:37:01 ubnt wpa_supplicant[274]: eth0: CTRL-EVENT-SUBNET-STATUS-UPDATE status=0
    Apr 12 12:37:33 ubnt wpa_supplicant[274]: eth0: CTRL-EVENT-EAP-SUCCESS EAP authentication completed successfully
    Apr 12 12:37:33 ubnt wpa_supplicant[274]: eth0: CTRL-EVENT-CONNECTED - Connection to xx:xx:xx:xx:xx:xx completed [id=0 id_str=]


    I've ensured that eth0.0 is spoofing the mac address specified in wpa_supplicant.conf:


    ubnt@ubnt# show interfaces ethernet eth0
    duplex auto
    speed auto
    vif 0 {
    address dhcp
    description Internet
    firewall {
    in {
    ipv6-name WANv6_IN
    name WAN_IN
    }
    local {
    ipv6-name WANv6_LOCAL
    name WAN_LOCAL
    }
    }
    mac yy:yy:yy:yy:yy:yy
    }



    Is there perhaps another step I may have missed?

    ReplyDelete
    Replies
    1. I had to spoof the mac both on eth0 and eth0.0 I am not sure if others are also doing this in there config. I'm a noob and was not able to pull the IP either until I had both vlan and eth0 set the same mac #.

      Delete
    2. what were the steps that you did to get it working if you don't mind.

      Delete
    3. Did anyone ever resolve this? I have eth0 and eth0.0 spoofing the MAC, my wpa_supplicant logs show successful auth, but I can never pull an IP with DHCP.

      Delete
    4. Make sure DHCP request is originating from eth0.0 and not eth0. Try doing a packet capture to confirm that DHCP is properly encapsulated in 802.1p frame. Some people had success with setting VLAN tag to 2.

      Delete
    5. I tried vlan 0 and 2 last night, no luck. I'm no expert at tcpdump, so if you have a better command I'd be happy to try again, but this is what I came up with.

      $ /usr/sbin/tcpdump -i eth0 -Uw - | /usr/sbin/tcpdump -en -r - vlan 2

      20:34:00.787224 0c:ea:c9:b0:d2:41 > ff:ff:ff:ff:ff:ff, ethertype 802.1Q (0x8100), length 346: vlan 2, p 0, ethertype IPv4, 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 0c:ea:c9:b0:d2:41, length 300
      20:34:08.755932 0c:ea:c9:b0:d2:41 > ff:ff:ff:ff:ff:ff, ethertype 802.1Q (0x8100), length 346: vlan 2, p 0, ethertype IPv4, 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 0c:ea:c9:b0:d2:41, length 300
      20:34:20.375800 0c:ea:c9:b0:d2:41 > ff:ff:ff:ff:ff:ff, ethertype 802.1Q (0x8100), length 346: vlan 2, p 0, ethertype IPv4, 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 0c:ea:c9:b0:d2:41, length 300

      $ /usr/sbin/tcpdump -i eth0 -Uw - | /usr/sbin/tcpdump -en -r - vlan 0

      20:41:28.915914 0c:ea:c9:b0:d2:41 > ff:ff:ff:ff:ff:ff, ethertype 802.1Q (0x8100), length 346: vlan 0, p 0, ethertype IPv4, 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 0c:ea:c9:b0:d2:41, length 300
      20:41:32.924037 0c:ea:c9:b0:d2:41 > ff:ff:ff:ff:ff:ff, ethertype 802.1Q (0x8100), length 346: vlan 0, p 0, ethertype IPv4, 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 0c:ea:c9:b0:d2:41, length 300
      20:41:41.965711 0c:ea:c9:b0:d2:41 > ff:ff:ff:ff:ff:ff, ethertype 802.1Q (0x8100), length 346: vlan 0, p 0, ethertype IPv4, 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 0c:ea:c9:b0:d2:41, length 300

      Delete
  15. THANK YOU SO MUCH! Got it working on my ER-4 and my god finally getting fiber speeds! I did not realize how much of a freaking rabbit hole this was going to turn into. I had the BGW210 gateway but I could never get my upload to get above 400 mbps but at&t web test showed I was getting 1gig to my gateway.

    Tried the eap_proxy improved speeds by roughly 100 for both upload and download just not enough. USG wasn't able to do it for me and had to switch to er-4 and now I am finally getting my full speed!

    Thank you for making the work public and accessible! I'd send you some beer/intoxicant funds.

    ReplyDelete
  16. Wow. I am definitely going share this with a few of my friends. Very cool information.
    24 hour locksmith

    ReplyDelete
  17. If anyone has steps for getting this to work on USG, I would appreciate this. I'm trying to piece together the comments and other details I am finding scattered around.

    I've got the certificates and my wpa_supplicant.conf file. So I'm getting close! (^_^)

    ReplyDelete
  18. This information is meaningful and magnificent which you have shared here about the Ubiquiti Edgerouter. I am impressed by the details that you have shared in this post and It reveals how nicely you understand this subject. I would like to thanks for sharing this article here. Ubiquiti Router Thailand

    ReplyDelete
  19. Anyone had any luck compiling wpa_supplicant for ER-X?

    Also, the link for wpasupplicant_2.6-21~bpo9+1_mips.deb.tar.gz is now broken, thanks to the new ubnt community site.

    ReplyDelete
  20. This comment has been removed by the author.

    ReplyDelete
  21. I found that https://mirror.internex.at/debian/pool/main/w/wpa/wpasupplicant_2.7+git20190128+0c1e29f-4~bpo9+1_mips.deb is a good substitute for the broken link.

    ReplyDelete
    Replies
    1. Thank you so much for the link, and it works!

      Delete
  22. I know this is an old post, but I spent some time trying to get this to work on my usg-pro-4 in a way that I could be happy with and decided to share it here.

    My USG is using EdgeOS 1.x, so I downloaded the helpful scripts in the posts above. I followed the instructions to set up my config folder as described, and used google to find the appropriate .deb files as identified in the scripts.

    The scripts themselves refer to eth0. My USG is using eth2 for the wan, so I did a find/replace on them to swap out the interfaces.

    On my controller (was using a cloudkey, but recently migrated to an ubuntu vm after the cloudkey lost its settings without notice) I put a file with the name "config.gateway.json" in my /data/sites/default folder with the following contents:
    {
    "system": {
    "task-scheduler": {
    "task": {
    "eap-tls": {
    "crontab-spec": "* * * * *",
    "executable": {
    "path": "/config/scripts/restart-eap-tls"
    }
    }
    }
    }
    },
    "interfaces": {
    "ethernet": {
    "eth2": {
    "mac": ""
    }
    }
    }
    }

    Next, I attempted to set vlan0 on my wan interface but the UI wouldn't let me. The api the UI is calling however does allow you to set it. I used the chrome debug window to capture the post, and then used curl to change it. I blanked out my values, but if you want to follow along you could see for yourself by using the UI with the chrome debugger on.

    ## Request
    curl -X "PUT" "https://CONTROLLER_IP:8443/api/s/default/rest/networkconf/SOME_ID" \
    -H 'Cookie: unifises=VALUE FROM CHROM; csrf_token=VALUE FROM CHROME' \
    -H 'User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36' \
    -H 'X-Csrf-Token: VALUE FROM CHROME' \
    -H 'Content-Type: application/json; charset=utf-8' \
    -d $'{
    "wan_type_v6": "dhcpv6",
    "wan_vlan_enabled": true,
    "attr_hidden_id": "WAN",
    "wan_type": "dhcp",
    "wan_dhcpv6_pd_size": 60,
    "report_wan_event": true,
    "wan_vlan": 0,
    "wan_smartq_enabled": false,
    "wan_load_balance_type": "failover-only",
    "purpose": "wan",
    "wan_networkgroup": "WAN",
    "wan_egress_qos": "",
    "wan_load_balance_weight": 50,
    "_id": "FROM CHROME CAPTURE",
    "site_id": "FROM CHROME CAPTURE",
    "name": "WAN",
    "attr_no_delete": true
    }'

    After things settled down a bit, I forced a provision from the controller, and everything came up. I am now able to make changes to most values without overwriting the config and the USG behaves as it did before.

    I like this solution better because it should scale across firmware upgrades, and I don't have to mess with any of the NAT rules as the controller takes care of that for me.

    ReplyDelete
  23. Is vlan required? In my own setup(ER-X), I didn't setup the vlan and it just works.

    ReplyDelete
    Replies
    1. I was getting intermittent connectivity without the vlan. Worked well after adding VLAN 0. I don't use any other prio levels, but the default modem sends certain traffic on different priority levels (i.e. DNS prio 3) and SIP traffic is higher as well.

      Delete
  24. Thanks for the great set of instructions and tools! I installed the upstream wpa_supplicant and copied your -wired systemd file in.

    Suggestions on disabling the time check or ignoring the check completely? I recently ran into a "certificate is not yet valid" error due to the edgerouter 2.x ER-X defaulting to 11/2016 on boot (as it doesn't have a real time clock).

    I followed https://superuser.com/questions/732224/make-wpa-supplicant-ignore-server-certificate-trust and commented out the `ca_cert`, but then received an "unknown CA".

    Note: when wpa_supplicant fails, it sends a "FATAL" to the ONT which locks it for some period of time and/or power cycles. Even the original equipment will not register until it clears.

    Also, after enabling the upstream repos and using apt-get, it ate all of the free space on the edgerouter. Don't forget to clear out the directories after you are done:
    /var/cache/apt/*
    /var/lib/apt/lists/*

    also, deleting the unused system image can give back a lot of space with `delete system image`

    ReplyDelete
    Replies
    1. Looks like the edgerouter will "save" the time on graceful reboot to use on next boot, but I guess I never gracefully rebooted, so it defaulted to the value which came with the firmware. This is no longer an issue (assuming you don't leave it unplugged well past the next certificate rotation.

      Delete
  25. I just ordered a ER4. Did some googling and ended up here. I really tried to understand the steps above. Not clear. Could this be translated int a step by step guide.

    ReplyDelete
  26. For anyone else looking to do this on an ER-X I repackaged the upstream "wpasupplicant_2.4-1+deb9u4_mipsel.deb" with the missing "wpa_supplicant-wired@.service" and confirmed it works.

    You can download the repackaged deb from here:
    https://mega.nz/file/LIIkxA5a#bnVWaRtb9miEw7cbmcJDYWkSdk4FqFsgbhFMYYKrLyI

    Just transfer the deb to your ER-X and run "sudo dpkg -i wpasupplicant_2.4-1+deb9u4_mipsel.deb" to install it.
    Follow the original instructions in this guide and always substitute the deb with this one and it should work.

    ReplyDelete
  27. Hmm I stuck on a bunch of dependencies while installing wpa_supplicant on my USG:

    Selecting previously unselected package wpasupplicant.
    (Reading database ... 33053 files and directories currently installed.)
    Unpacking wpasupplicant (from wpasupplicant_2.7+git20190128+0c1e29f-4~bpo9+1_mips.deb) ...
    dpkg: dependency problems prevent configuration of wpasupplicant:
    wpasupplicant depends on libc6 (>= 2.15); however:
    Version of libc6:mips on system is 2.13-38+deb7u11.
    wpasupplicant depends on libdbus-1-3 (>= 1.9.14); however:
    Version of libdbus-1-3:mips on system is 1.6.8-1+deb7u6.
    wpasupplicant depends on libpcsclite1 (>= 1.0.0); however:
    Package libpcsclite1 is not installed.
    wpasupplicant depends on libreadline7 (>= 6.0); however:
    Package libreadline7 is not installed.
    wpasupplicant depends on libssl1.1 (>= 1.1.0); however:
    Package libssl1.1 is not installed.

    dpkg: error processing wpasupplicant (--install):
    dependency problems - leaving unconfigured
    Errors were encountered while processing:
    wpasupplicant


    Any tips? Thanks!

    ReplyDelete
    Replies
    1. You could either configure repositories and install wpa_supplicant while your router has a valid internet connection, so it could pull the prerequisites, or you could manually download the prerequisites from a Debian mirror and install manually offline.

      Delete
  28. Any ideas what causes this wpa_supplicant error? I can't figure this out.

    May 22 10:49:21 ubnt wpa_supplicant[21081]: supp-global-ctrl-iface-init(/var/run/wpa_supplicant.ctrl) (will try fixup): bind(PF_UNIX): Permission denied
    May 22 10:49:21 ubnt wpa_supplicant[21081]: Could not unlink existing ctrl_iface socket '/var/run/wpa_supplicant.ctrl': No such file or directory
    May 22 10:49:21 ubnt wpa_supplicant[21081]: Failed to initialize wpa_supplicant

    ReplyDelete
    Replies
    1. Are you running wpa_supplicant as root? Try prefixing 'sudo ' in front of wpa_supplicant command line.

      Delete
    2. Yes, running as root does work. Can this be put in the .sh file to start wpa_supplicant on boot? Current wpa_supplicant.sh looks like this:

      #!/usr/bin/env bash
      #Start EAP-TLS on eth0
      #Check if already running to avoid multiple instances
        
      IF_WAN=eth0
      PROCESS_NAME=wpa_supplicant
      PROCESS_PATH=/config/scripts/wpa_supplicant
      PROCESS_COUNT=$(ps -A | grep $PROCESS_NAME | egrep -v "grep|$(basename $0)" | grep -c $PROCESS_NAME)
        
      if [ $PROCESS_COUNT = 0 ] && [ -x $PROCESS_PATH ]; then
        $PROCESS_PATH -s -B -Dwired -i$IF_WAN -c/config/scripts/wpa_supplicant.conf -g/var/run/wpa_supplicant.ctrl -P/var/run/wpa_supplicant.pid
      fi

      Delete
  29. I was able to install wpa_supplicant v2.8 on my Edgerouter X with FW 2.0.8 with the stretch-backports repo and everything is working as described except ONT interruptions (e.g. power outages/blips).

    wpa_cli status//wpa_supplicant will still say authenticated but no connectivity is happening. eth0 - the ethernet cable from my ONT is down and up for a couple of seconds (Unfortunately, I can't put the ONT on a UPS like the edgerouter).

    I saw your monitoring scripts for EdgeOS 1.x, but they seem to rely on wpa_cli status to report a status != authenticated - do you have an idea on how to handles these outages? How is that handled for you on EdgeOS 2.x ?

    ReplyDelete
    Replies
    1. Take a look at my other post on 802.1x on EdgeRouter. In EdgeOS 2.x you would want to use native systemd functionality. Unfortunately, wpa_supplicant package that comes with EdgeOS 2.x (Or Debian Stretch) is missing the systemd file for wired interfaces. You could backport a later wpa_supplicant version, or just copy over the required text file, 'wpa_supplicant-wired@.servicee' on top of existing version. The file is part of newer Debian versions and is also available in wpa_supplicant source code. It allows 802.1x to re-authenticate on interface flaps.

      Delete
  30. Thanks very much for all the work that went into this and write-up.

    Through a lot of trial and error, I've managed to get about 99% of the way there with this method. My ER4 is successfully authenticating via wpa_supplicant and I'm getting an IP address from my ONT.

    The super frustrating part is that the router isn't passing local network traffic out to the WAN and I can't figure out why.

    I was previously using the eap_proxy method and already had a VLAN 0 setup on eth0.0. I'm not sure if this is what's causing the problem.

    I've tried disabling the eth0.0 interface and utilizing eth0 as my WAN and setting masquerade to use eth0 as well, but still no luck. I'm sure I'm missing something trivial in my config, but haven't been able to figure it out.

    Any help on this would be greatly appreciated!

    ReplyDelete
  31. In case anyone is trying this on an ER-X FW v2.0.8 hotfix1 and needs a wpasupplicant link that isn't broken:

    Replace this part of the instructions:
    ##########################
    #Download backported Debian Buster wpa_supplicant and install it
    curl https://community.ubnt.com/ubnt/attachments/ubnt/EdgeMAX/235525/1/wpasupplicant_2.6-21~bpo9+1_mips.deb.tar.gz -o /tmp/wpasupplicant_2.6-21~bpo9+1_mips.deb.tar.gz
    cd /tmp/
    tar -xvf ./wpasupplicant_2.6-21~bpo9+1_mips.deb.tar.gz
    sudo dpkg -i /tmp/wpasupplicant_2.6-21~bpo9+1_mips.deb
    ##########################

    With this:
    ##########################
    curl http://ftp.us.debian.org/debian/pool/main/w/wpa/wpasupplicant_2.7+git20190128+0c1e29f-4~bpo9+2_mipsel.deb -o /tmp/wpasupplicant_2.7_mipsel.deb
    curl http://ftp.us.debian.org/debian/pool/main/libn/libnl3/libnl-route-3-200_3.4.0-1~bpo9+1_mipsel.deb -o /tmp/libnl-route-3-200_mipsel.deb
    curl http://ftp.us.debian.org/debian/pool/main/libn/libnl3/libnl-3-200_3.4.0-1~bpo9+1_mipsel.deb -o /tmp/libnl-3-200_mipsel.deb
    sudo dpkg -i /tmp/libnl-3-200_mipsel.deb
    sudo dpkg -i /tmp/libnl-route-3-200_mipsel.deb
    sudo dpkg -i /tmp/wpasupplicant_2.7_mipsel.deb
    ##########################

    ReplyDelete

Statement on fraudulent DMCA complaints

It came to my attention that someone pretending to be me is sending DMCA takedown requests for several GitHub repositories, claiming the...