This guide describes the steps required to configure 802.1x wired authentication using wpa_supplicant on Cavium-based Ubiquiti EdgeRouter devices running EdgeOS 2.0. The MediaTek (EdgeRouter-X) procedure is similar; however, I do not have such a device and could not recompile wpa_supplicant for it.
Copy EAP-TLS certificates and private key in PEM format to /config/auth/
Run sudo chmod -R 0600 /config/auth to secure the credentials.
Copy wpa_supplicant.conf to /config/
If you are using wpa_supplicant.conf generated by a tool in the previous post, modify certificate and key paths to point to /config/auth/
Assuming wpa_supplicant.conf resides in /config/, the router has Internet connectivity, and the Internet-facing interface that requires wpa_supplicant is eth0, run the following commands in the console:
#Remove 1.x repository, add 2.0 Debian repository and install prerequisites
configure
delete system package repository wheezy
set system package repository stretch components 'main contrib'
set system package repository stretch distribution stretch
set system package repository stretch password ''
set system package repository stretch url 'http://http.us.debian.org/debian'
set system package repository stretch username ''
commit
save
exit
sudo apt-get update && sudo apt-get install libpcsclite1
#Download backported Debian Buster wpa_supplicant and install it
curl https://community.ubnt.com/ubnt/attachments/ubnt/EdgeMAX/235525/1/wpasupplicant_2.6-21~bpo9+1_mips.deb.tar.gz -o /tmp/wpasupplicant_2.6-21~bpo9+1_mips.deb.tar.gz
cd /tmp/
tar -xvf ./wpasupplicant_2.6-21~bpo9+1_mips.deb.tar.gz
sudo dpkg -i /tmp/wpasupplicant_2.6-21~bpo9+1_mips.deb
#Create symbolic link to wpa_supplicant.conf for eth0
sudo ln -s /config/wpa_supplicant.conf /etc/wpa_supplicant/wpa_supplicant-wired-eth0.conf
#Disable dbus service and enable wired wpa_supplicant for eth0
sudo systemctl disable wpa_supplicant.service
sudo systemctl enable wpa_supplicant-wired@eth0.service
#Save DEB packages for future use, allow /etc/ubnt/ubnt-rcS/ubnt-rcS.sh to install them
sudo mkdir -p /config/data/firstboot/install-packages && cd /config/data/firstboot/install-packages
sudo apt-get download libpcsclite1
sudo curl https://community.ubnt.com/ubnt/attachments/ubnt/EdgeMAX/235525/1/wpasupplicant_2.6-21~bpo9+1_mips.deb.tar.gz -o /config/data/firstboot/install-packages/wpasupplicant_2.6-21~bpo9+1_mips.deb.tar.gz
sudo tar -xvf ./wpasupplicant_2.6-21~bpo9+1_mips.deb.tar.gz
sudo rm /config/data/firstboot/install-packages/wpasupplicant_2.6-21~bpo9+1_mips.deb.tar.gz
#Recover configuration on EdgeOS upgrade
sudo mkdir -p /config/scripts/firstboot.d/
echo '#!/usr/bin/env bash' | sudo tee -a /config/scripts/firstboot.d/8021x-eth0.sh
echo 'ln -s /config/wpa_supplicant.conf /etc/wpa_supplicant/wpa_supplicant-wired-eth0.conf' | sudo tee -a /config/scripts/firstboot.d/8021x-eth0.sh
echo 'systemctl stop wpa_supplicant.service' | sudo tee -a /config/scripts/firstboot.d/8021x-eth0.sh
echo 'systemctl disable wpa_supplicant.service' | sudo tee -a /config/scripts/firstboot.d/8021x-eth0.sh
echo 'systemctl enable wpa_supplicant-wired@eth0.service' | sudo tee -a /config/scripts/firstboot.d/8021x-eth0.sh
echo 'systemctl start wpa_supplicant-wired@eth0.service' | sudo tee -a /config/scripts/firstboot.d/8021x-eth0.sh
sudo chmod 0744 /config/scripts/firstboot.d/8021x-eth0.sh
reboot
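As an added pre-flight check (example code, not part of the original post), the script below verifies the two things that most often go wrong in the steps above: the PEM files under /config/auth must not be group- or world-readable, and the ca_cert, client_cert and private_key entries in wpa_supplicant.conf must point at existing files inside that directory. The default paths /config/wpa_supplicant.conf and /config/auth are the post's; other paths can be passed as arguments.

```shell
#!/usr/bin/env bash
# Pre-flight check for the EAP-TLS setup above (added example, not from the post).
# Usage: bash preflight.sh [/config/wpa_supplicant.conf] [/config/auth]

# perms_ok FILE -> 0 if FILE is a regular file with no group/other permission bits (0600 or stricter)
perms_ok() {
    local f=$1 mode
    [ -f "$f" ] || return 1
    mode=$(stat -c %a "$f" 2>/dev/null) || return 1
    case "$mode" in
        *00) return 0 ;;   # last two octal digits are group and other
        *)   return 1 ;;
    esac
}

# conf_cert_paths CONF -> prints the values of ca_cert, client_cert and private_key, one per line
conf_cert_paths() {
    sed -n -E 's/^[[:space:]]*(ca_cert|client_cert|private_key)[[:space:]]*=[[:space:]]*"?([^"]*)"?.*$/\2/p' "$1"
}

# check_conf CONF AUTHDIR -> 0 if the config selects EAP-TLS over 802.1X and every credential
# path points at an existing, locked-down file inside AUTHDIR; problems are printed on stdout
check_conf() {
    local conf=$1 authdir=${2%/} p rc=0 n=0
    [ -f "$conf" ] || { echo "missing config: $conf"; return 1; }
    grep -qE '^[[:space:]]*key_mgmt[[:space:]]*=[[:space:]]*IEEE8021X' "$conf" \
        || { echo "key_mgmt=IEEE8021X not set"; rc=1; }
    grep -qE '^[[:space:]]*eap[[:space:]]*=[[:space:]]*TLS' "$conf" \
        || { echo "eap=TLS not set"; rc=1; }
    while IFS= read -r p; do
        [ -n "$p" ] || continue
        n=$((n + 1))
        case "$p" in
            "$authdir"/*) ;;
            *) echo "credential outside $authdir: $p"; rc=1; continue ;;
        esac
        perms_ok "$p" || { echo "missing or too permissive (want 0600): $p"; rc=1; }
    done <<EOF
$(conf_cert_paths "$conf")
EOF
    [ "$n" -eq 3 ] || { echo "expected ca_cert, client_cert and private_key; found $n"; rc=1; }
    return $rc
}

# preflight [CONF] [AUTHDIR] -> runs check_conf against the post's default locations
preflight() {
    if check_conf "${1:-/config/wpa_supplicant.conf}" "${2:-/config/auth}"; then
        echo "preflight OK"
    else
        echo "preflight FAILED"; return 1
    fi
}

# Only run when invoked with arguments, so the functions can also be sourced from another script
if [ $# -gt 0 ]; then preflight "$@"; fi
```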
Is this also compatible with the e300 / ER4 router?
This worked for me on ER4, latest firmware (2.0).
I gave up on the ER-X and bought an ER4.
Everything installed great (thanks for the fantastic instructions!) but I still can't get an IP address.
I have the SFP from AT&T plugged directly into the ER4 (there is no ONT, the NVG595 has an SFP slot).
Do you know if there is some extra step to make this work?
Or is this the DHCP issue where it's sent over VLAN 0 and the ER4 can't see it?
Try 802.1q VLAN 2 instead of 802.1p (VLAN 0). Your DHCP interface would be something like 'eth0 vif 2'
Awesome! That worked immediately, thanks!
`set interfaces ethernet eth3 vif 2 address dhcp`
(eth3 is the SFP on the ER4)
All I had to do then was change the NAT rule to masquerade to eth3.2 and it worked.
Is there anything special I need to do so it remembers this after a fw update or reboot?
Sergey, I assume we have to run the command `set interfaces ethernet eth3 vif 0 address dhcp` to get the 802.1p going, right?
These instructions skip over that as well as the MAC cloning, so that's why I ask.
Err, I mean eth0 in my case.
@Wes Could you help give details on the SFP from AT&T? What's the model#? To my understanding, there is no SFP port in the NVG599. If SFP works, I think we can just plug it directly into the ER and bypass the ONT also. Thanks,
@Stone, sorry I missed this. The NVG595 is the one with the SFP slot. If you have AT&T Uverse *fiber* or ABF (AT&T Business Fiber) they will sometimes give you a 595 with the fiber plugged directly into it...
FYI, the ER-X and ER-X-SFP are MIPSEL. Do you know if there is a wpa_supplicant package wpasupplicant_2.6-21~bpo9+1 compiled for mipsel?
I'm assuming the regular 2.6.21 from buster won't work.
Sorry, missed this "... [I] could not recompile wpa_supplicant for it"
Does the wpa_supplicant on 1.10 have the same race condition problem that 2.0 does without using the Buster backport?
Native wheezy wpa_supplicant works just fine in 1.10, but there is a different problem in 1.x - there is no built-in mechanism to start it, unlike systemd in 2.0, so you have to start it from a script in /config/scripts/post-config.d/
Here is a script I've used for ONT on eth0 with 1.x:
#!/usr/bin/env bash
#Start EAP-TLS on eth0
#Check if already running to avoid multiple instances
PROCESS_NAME=wpa_supplicant
PROCESS_PATH=/sbin/wpa_supplicant
PROCESS_COUNT=$(ps -A | grep $PROCESS_NAME | egrep -v "grep|$(basename $0)" | grep -c $PROCESS_NAME)
if [ $PROCESS_COUNT = 0 ]; then
    echo "`date +"%b %d %T"` `hostname` eap-tls: Starting" >> /var/log/messages 2>&1
    if [ -x $PROCESS_PATH ]; then
        #Daemonize (-B) with the wired driver on eth0, logging to syslog (-s)
        echo "`date +"%b %d %T"` `hostname` `$PROCESS_PATH -s -B -Dwired -ieth0 -c/config/wpa_supplicant.conf -P/var/run/wpa_supplicant.pid &`" >> /var/log/messages 2>&1
    else
        echo "`date +"%b %d %T"` `hostname` eap-tls: wpa_supplicant is not installed" >> /var/log/messages 2>&1
    fi
else
    echo "`date +"%b %d %T"` `hostname` eap-tls: wpa_supplicant is already running" >> /var/log/messages 2>&1
fi
Here is a script that installs wpa_supplicant on 1.x in correct order across 1.x firmware flashes. You would want to download packages into /config/data/install-packages/
#!/usr/bin/env bash
# Installs wpa_supplicant after upgrade (packages downloaded to /config/data/install-packages/)
log() { echo "$(date +"%b %d %T") $(hostname) $*" >> /var/log/messages 2>&1; }
install_if_missing() {  # $1 = package name, $2 = .deb file name
    if /usr/bin/dpkg -s "$1" 2>/dev/null | grep -q "Status: install ok installed"; then
        log "$1 is already installed"
    else
        log "$(/usr/bin/dpkg --no-force-all -i "/config/data/install-packages/$2")"
    fi
}
log "install-deb: Starting"
install_if_missing libpcsclite1 libpcsclite1_1.8.4-1+deb7u1_mips.deb
install_if_missing libreadline5 libreadline5_5.2+dfsg-2~deb7u1_mips.deb
install_if_missing libssl1.0.0 libssl1.0.0_1.0.1e-2+deb7u20_mips.deb
install_if_missing wpasupplicant wpasupplicant_1.0-3+deb7u3_mips.deb
log "install-deb: Done"
Would you provide URLs for those debs? Having quite some difficulty finding all of them.
I also have four helper scripts that monitor for a wpa_supplicant crash (in case the link to the ONT is not up when the router starts, or the connection is interrupted), restart wpa_supplicant and subsequently restart the dhcp and dhcpv6 clients and radvd. Let me know if you need them.
On 2.x I was able to decommission all of the scripts - it runs great with just the instructions in the post, gracefully handling connection interruptions and late ONT link.
Would you be able to share those monitoring scripts?
I've shared the scripts under one of the other responses. I recommend using 2.x firmware - it is a lot more stable with wpa_supplicant and does not need external scripts.
Buster and Sid packages don't work out of the box on Stretch or Wheezy due to their dependency on a newer glibc. You would need to recompile them on a Stretch box so that they link with the older glibc.
If you would like to backport to MediaTek, use these two guides:
https://wiki.debian.org/Schroot
Use schroot and debootstrap to create a build environment on usb drive or network share, so that you don't have to install extra packages to the router filesystem.
Once the build environment is up, use this guide to backport the package:
https://wiki.debian.org/SimpleBackportCreation
There doesn't seem to be a reasonable way to compile this for the ER-X/ER-X-SFP. There's no USB and I don't have access to network storage.
Do you know if the newer wpasupplicant for Stretch fixes the issue you described?
2.4-1+deb9u2
What is the problem with it?
It is missing "wpa_supplicant-wired@.service". You could add the missing file manually from source. See details here: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=871488
Could I use this guide for a Ubiquiti USG-XG, assuming eth0 is connected to the ONT?
You likely could. I don't have a USG-XG to test with, but it is based on the same (but more powerful) Cavium platform, so the instructions should work with minimum changes. I am not following the software development cycle for USG products, but if it is using the same Debian Stretch as EdgeOS counterparts, it should work. If it uses Wheezy, see my comments above for 1.x EdgeOS.
When I SSH into the USG, it says EdgeOS, but I don't think it is totally like what is on the Edgerouters. I'm moving to the house with ATT Fiber at the end of April, so I'll give it a shot then and report back.
Thanks for this awesome work! It has been such an interesting rabbit hole to explore!
Looks like my USG-XG-8 uses wheezy. Could you please share your helper scripts from 1.x?
I've uploaded the scripts here. It's a quick and dirty hack for 1.x, I have not really spent much time refining them, since I've moved to 2.0 almost right away. The scripts assume that ONT is on eth0 https://mega.nz/#!rr4E2SbS!GBQK9pEcYZdtAd1e0wDgeCh9Sr48qWNFRAO0QI-6nwA
Set permissions to 755, download the DEBs to /config/data/install-packages and add the following two commands to config:
set system task-scheduler task eap-tls crontab-spec '* * * * *'
set system task-scheduler task eap-tls executable path /config/scripts/restart-eap-tls
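The restart-eap-tls script itself is not shown here, so the following is an added example of what a per-minute task-scheduler job on EdgeOS 1.x can check (it is not the author's script). It parses `wpa_cli status`, and only when the ONT link is up and the supplicant is dead or has failed does it restart wpa_supplicant and renew the DHCP lease. Assumptions: wpa_supplicant.conf sets ctrl_interface so wpa_cli can reach the daemon, the daemon is started by a script like the one posted above (assumed at /config/scripts/wpa_supplicant.sh), the ONT is on eth0, DHCP runs on eth0.0, and /opt/vyatta/bin/vyatta-op-cmd-wrapper is the op-mode wrapper.

```shell
#!/usr/bin/env bash
# Added example of a per-minute 802.1x health check for EdgeOS 1.x (not the author's restart-eap-tls).
# Assumed: start script at /config/scripts/wpa_supplicant.sh, ONT on eth0, DHCP on eth0.0,
# and /opt/vyatta/bin/vyatta-op-cmd-wrapper for op-mode commands.
IF_WAN=${IF_WAN:-eth0}
IF_DHCP=${IF_DHCP:-eth0.0}
START_SCRIPT=${START_SCRIPT:-/config/scripts/wpa_supplicant.sh}

log() { logger -t eap-tls "$*"; }

# classify_status TEXT -> prints ok | authenticating | failed | dead
# TEXT is the output of `wpa_cli -i $IF_WAN status` (empty when the daemon is not reachable)
classify_status() {
    local text=$1 wpa_state pae_state eap_state
    [ -n "$text" ] || { echo dead; return 0; }
    wpa_state=$(printf '%s\n' "$text" | sed -n 's/^wpa_state=//p')
    pae_state=$(printf '%s\n' "$text" | sed -n 's/^Supplicant PAE state=//p')
    eap_state=$(printf '%s\n' "$text" | sed -n 's/^EAP state=//p')
    if [ "$wpa_state" = COMPLETED ] && [ "$pae_state" = AUTHENTICATED ]; then
        echo ok
    elif [ "$eap_state" = FAILURE ] || [ "$pae_state" = HELD ]; then
        echo failed          # authenticator rejected us; HELD means the port is backing off
    else
        echo authenticating  # EAPOL exchange still in progress
    fi
}

# link_up IFACE -> 0 when the kernel reports carrier on IFACE
link_up() { [ "$(cat "/sys/class/net/$1/carrier" 2>/dev/null)" = 1 ]; }

# next_action STATE LINK -> prints wait | nothing | restart
# Restart only when the ONT link is up and the supplicant is dead or failed; while the link
# is down or an exchange is in progress there is nothing useful to do this minute.
next_action() {
    local state=$1 link=$2
    if [ "$link" != up ]; then
        echo wait
    elif [ "$state" = ok ]; then
        echo nothing
    elif [ "$state" = authenticating ]; then
        echo wait
    else
        echo restart
    fi
}

restart_supplicant() {
    log "restarting wpa_supplicant on $IF_WAN"
    pkill -x wpa_supplicant 2>/dev/null || true
    sleep 2
    "$START_SCRIPT"
}

# After a fresh authentication the old lease is usually stale: release and renew on the VLAN
renew_dhcp() {
    /opt/vyatta/bin/vyatta-op-cmd-wrapper release dhcp interface "$IF_DHCP"
    /opt/vyatta/bin/vyatta-op-cmd-wrapper renew dhcp interface "$IF_DHCP"
}

main() {
    local status state link action
    status=$(wpa_cli -i "$IF_WAN" status 2>/dev/null || true)
    state=$(classify_status "$status")
    if link_up "$IF_WAN"; then link=up; else link=down; fi
    action=$(next_action "$state" "$link")
    log "state=$state link=$link action=$action"
    if [ "$action" = restart ]; then
        restart_supplicant
        sleep 15
        status=$(wpa_cli -i "$IF_WAN" status 2>/dev/null || true)
        if [ "$(classify_status "$status")" = ok ]; then renew_dhcp; fi
    fi
}

# Constructed wpa_cli output for trying the classifier offline (only the lines it reads)
SAMPLE_OK='wpa_state=COMPLETED
Supplicant PAE state=AUTHENTICATED
suppPortStatus=Authorized
EAP state=SUCCESS
selectedMethod=13 (EAP-TLS)'
SAMPLE_FAILED='wpa_state=ASSOCIATED
Supplicant PAE state=HELD
suppPortStatus=Unauthorized
EAP state=FAILURE'
SAMPLE_PENDING='wpa_state=ASSOCIATED
Supplicant PAE state=AUTHENTICATING
suppPortStatus=Unauthorized
EAP state=METHOD'

# The cron task should invoke this as `... run`; without the argument only the functions load
if [ "${1:-}" = run ]; then main; fi
```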
Thank you for this, it is very appreciated!
Has anyone had any success in utilizing a static block of addresses in addition to the DHCP one that is handed via wpa_supplicant? I can't figure out how the provider is routing the static block back to their network?
I set it up the same way you would on the RG essentially, though strictly speaking, I'm not sure it's necessary. I have the smallest block with IP addressing like so - 99.xx.xx.200/29. I assigned what they would call the "gateway" address from that block to a LAN interface on my router (an ER12) -- 99.xx.xx.206/29, then I have the end devices with static IPs use that as the gateway in their setup. Then I have a DNAT rule in my WAN_IN firewall config that sits above 'allow established/related' but below 'drop invalid state' for each static IP that is in actual use which forwards all protocols to the static address. It will work this way as is, but the static devices will be seen externally as the DHCP WAN address so to fix that I added an SNAT exclude rule for the entire block in the NAT section which masquerades to the WAN VLAN. Not sure if this is the 'right way' exactly but it has been working just fine for me. Clear as mud? lol. Hope that helps some.
It's funny that @jhax01 and I are using almost the exact same configuration. I'm sure you've solved it by now, but for anyone else that comes searching, this is super easy.
Let the VLAN interface you set up (vif on eth0.0, eth3.2, etc.) continue to receive the IP from AT&T via DHCP.
Assign the "gateway" that AT&T gives you from your block of 5 to another interface (ie. 12.x.x.246/29 - the top usable address that's not the "broadcast" address). That's for a network of 12.x.x.240/29 with usable addresses of 12.x.x.241-245, really 6 usable if you count the gateway.
Create a firewall rule on WAN_IN (which should be on the interface for the VLAN on eth0.0 for ethernet or eth3.2, eth5.2, eth11.2 for SFP) and accept traffic for the destination address of the static IP network ie. 12.x.x.240/29.
That should do it.
@testguy I forgot to say make sure that any of the static IP hosts you use are downstream from the interface with the static block gateway (12.x.x.246 from my example) and that they use 12.x.x.246 as their gateway to the Internet.
Has anyone gotten this to run on a USG Pro 4?
Never mind, got it working by looking through the comments.
Created symlink /etc/systemd/system/dbus-fi.w1.wpa_supplicant1.service -> /lib/systemd/system/wpa_supplicant.service.
Created symlink /etc/systemd/system/multi-user.target.wants/wpa_supplicant.service -> /lib/systemd/system/wpa_supplicant.service.
Job for wpa_supplicant.service failed because a fatal signal was delivered to the control process.
See "systemctl status wpa_supplicant.service" and "journalctl -xe" for details.
wpa_supplicant.service couldn't start.
I get that when I set up wpa_supplicant on an EdgeRouter Lite running EdgeOS 2.0.1. What am I missing here?
I have the regular USG. Will this work?
While I've been having authentication issues with this on my USG3, that doesn't appear to be an issue on my ER4. Although it seems authentication is successful, I'm not getting an IP address.
ubnt@ubnt:~$ sudo journalctl -u wpa_supplicant-wired@eth0.service -b
-- Logs begin at Thu 2016-11-03 17:16:43 UTC, end at Fri 2019-04-12 12:40:30 UTC. --
Nov 03 17:16:46 ubnt systemd[1]: Started WPA supplicant daemon (interface- and wired driver-specific version).
Apr 12 12:37:00 ubnt wpa_supplicant[274]: Successfully initialized wpa_supplicant
Apr 12 12:37:01 ubnt wpa_supplicant[274]: eth0: Associated with xx:xx:xx:xx:xx:xx
Apr 12 12:37:01 ubnt wpa_supplicant[274]: WMM AC: Missing IEs
Apr 12 12:37:01 ubnt wpa_supplicant[274]: eth0: CTRL-EVENT-SUBNET-STATUS-UPDATE status=0
Apr 12 12:37:33 ubnt wpa_supplicant[274]: eth0: CTRL-EVENT-EAP-SUCCESS EAP authentication completed successfully
Apr 12 12:37:33 ubnt wpa_supplicant[274]: eth0: CTRL-EVENT-CONNECTED - Connection to xx:xx:xx:xx:xx:xx completed [id=0 id_str=]
I've ensured that eth0.0 is spoofing the mac address specified in wpa_supplicant.conf:
ubnt@ubnt# show interfaces ethernet eth0
 duplex auto
 speed auto
 vif 0 {
     address dhcp
     description Internet
     firewall {
         in {
             ipv6-name WANv6_IN
             name WAN_IN
         }
         local {
             ipv6-name WANv6_LOCAL
             name WAN_LOCAL
         }
     }
     mac yy:yy:yy:yy:yy:yy
 }
Is there perhaps another step I may have missed?
I had to spoof the MAC both on eth0 and eth0.0. I am not sure if others are also doing this in their config. I'm a noob and was not able to pull the IP either until I had both the VLAN and eth0 set to the same MAC.
What were the steps that you did to get it working, if you don't mind?
Did anyone ever resolve this? I have eth0 and eth0.0 spoofing the MAC, my wpa_supplicant logs show successful auth, but I can never pull an IP with DHCP.
Make sure the DHCP request is originating from eth0.0 and not eth0. Try doing a packet capture to confirm that DHCP is properly encapsulated in an 802.1p frame. Some people had success with setting the VLAN tag to 2.
I tried VLAN 0 and 2 last night, no luck. I'm no expert at tcpdump, so if you have a better command I'd be happy to try again, but this is what I came up with.
$ /usr/sbin/tcpdump -i eth0 -Uw - | /usr/sbin/tcpdump -en -r - vlan 2
…
20:34:00.787224 0c:ea:c9:b0:d2:41 > ff:ff:ff:ff:ff:ff, ethertype 802.1Q (0x8100), length 346: vlan 2, p 0, ethertype IPv4, 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 0c:ea:c9:b0:d2:41, length 300
20:34:08.755932 0c:ea:c9:b0:d2:41 > ff:ff:ff:ff:ff:ff, ethertype 802.1Q (0x8100), length 346: vlan 2, p 0, ethertype IPv4, 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 0c:ea:c9:b0:d2:41, length 300
20:34:20.375800 0c:ea:c9:b0:d2:41 > ff:ff:ff:ff:ff:ff, ethertype 802.1Q (0x8100), length 346: vlan 2, p 0, ethertype IPv4, 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 0c:ea:c9:b0:d2:41, length 300
$ /usr/sbin/tcpdump -i eth0 -Uw - | /usr/sbin/tcpdump -en -r - vlan 0
…
20:41:28.915914 0c:ea:c9:b0:d2:41 > ff:ff:ff:ff:ff:ff, ethertype 802.1Q (0x8100), length 346: vlan 0, p 0, ethertype IPv4, 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 0c:ea:c9:b0:d2:41, length 300
20:41:32.924037 0c:ea:c9:b0:d2:41 > ff:ff:ff:ff:ff:ff, ethertype 802.1Q (0x8100), length 346: vlan 0, p 0, ethertype IPv4, 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 0c:ea:c9:b0:d2:41, length 300
20:41:41.965711 0c:ea:c9:b0:d2:41 > ff:ff:ff:ff:ff:ff, ethertype 802.1Q (0x8100), length 346: vlan 0, p 0, ethertype IPv4, 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 0c:ea:c9:b0:d2:41, length 300
Were you able to resolve this? I see the same behavior where it's not getting an IP address via DHCP after successful authentication via wpa_supplicant. But it works just fine with the same network config using eap_proxy (even without reboot). I use a USG and Pace 5268AC RG.
THANK YOU SO MUCH! Got it working on my ER-4 and my god, finally getting fiber speeds! I did not realize how much of a freaking rabbit hole this was going to turn into. I had the BGW210 gateway but I could never get my upload to get above 400 mbps, but the AT&T web test showed I was getting 1gig to my gateway.
Tried the eap_proxy; it improved speeds by roughly 100 for both upload and download, just not enough. USG wasn't able to do it for me and I had to switch to the ER-4, and now I am finally getting my full speed!
Thank you for making the work public and accessible! I'd send you some beer/intoxicant funds.
If anyone has steps for getting this to work on USG, I would appreciate this. I'm trying to piece together the comments and other details I am finding scattered around.
I've got the certificates and my wpa_supplicant.conf file. So I'm getting close! (^_^)
Anyone had any luck compiling wpa_supplicant for ER-X?
Also, the link for wpasupplicant_2.6-21~bpo9+1_mips.deb.tar.gz is now broken, thanks to the new ubnt community site.
I found that https://mirror.internex.at/debian/pool/main/w/wpa/wpasupplicant_2.7+git20190128+0c1e29f-4~bpo9+1_mips.deb is a good substitute for the broken link.
Thank you so much for the link, and it works!
I know this is an old post, but I spent some time trying to get this to work on my USG-Pro-4 in a way that I could be happy with and decided to share it here.
My USG is using EdgeOS 1.x, so I downloaded the helpful scripts in the posts above. I followed the instructions to set up my config folder as described, and used Google to find the appropriate .deb files as identified in the scripts.
The scripts themselves refer to eth0. My USG is using eth2 for the wan, so I did a find/replace on them to swap out the interfaces.
On my controller (was using a cloudkey, but recently migrated to an ubuntu vm after the cloudkey lost its settings without notice) I put a file with the name "config.gateway.json" in my /data/sites/default folder with the following contents:
{
    "system": {
        "task-scheduler": {
            "task": {
                "eap-tls": {
                    "crontab-spec": "* * * * *",
                    "executable": {
                        "path": "/config/scripts/restart-eap-tls"
                    }
                }
            }
        }
    },
    "interfaces": {
        "ethernet": {
            "eth2": {
                "mac": ""
            }
        }
    }
}
Next, I attempted to set VLAN 0 on my WAN interface but the UI wouldn't let me. The API the UI is calling, however, does allow you to set it. I used the Chrome debug window to capture the request, and then used curl to change it. I blanked out my values, but if you want to follow along you could see for yourself by using the UI with the Chrome debugger on.
## Request
curl -X "PUT" "https://CONTROLLER_IP:8443/api/s/default/rest/networkconf/SOME_ID" \
-H 'Cookie: unifises=VALUE FROM CHROME; csrf_token=VALUE FROM CHROME' \
-H 'User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36' \
-H 'X-Csrf-Token: VALUE FROM CHROME' \
-H 'Content-Type: application/json; charset=utf-8' \
-d $'{
"wan_type_v6": "dhcpv6",
"wan_vlan_enabled": true,
"attr_hidden_id": "WAN",
"wan_type": "dhcp",
"wan_dhcpv6_pd_size": 60,
"report_wan_event": true,
"wan_vlan": 0,
"wan_smartq_enabled": false,
"wan_load_balance_type": "failover-only",
"purpose": "wan",
"wan_networkgroup": "WAN",
"wan_egress_qos": "",
"wan_load_balance_weight": 50,
"_id": "FROM CHROME CAPTURE",
"site_id": "FROM CHROME CAPTURE",
"name": "WAN",
"attr_no_delete": true
}'
After things settled down a bit, I forced a provision from the controller, and everything came up. I am now able to make changes to most values without overwriting the config and the USG behaves as it did before.
I like this solution better because it should scale across firmware upgrades, and I don't have to mess with any of the NAT rules as the controller takes care of that for me.
Is VLAN required? In my own setup (ER-X), I didn't set up the VLAN and it just works.
I was getting intermittent connectivity without the VLAN. Worked well after adding VLAN 0. I don't use any other prio levels, but the default modem sends certain traffic on different priority levels (i.e. DNS prio 3) and SIP traffic is higher as well.
Thanks for the great set of instructions and tools! I installed the upstream wpa_supplicant and copied your -wired systemd file in.
Suggestions on disabling the time check or ignoring the check completely? I recently ran into a "certificate is not yet valid" error due to the EdgeRouter 2.x ER-X defaulting to 11/2016 on boot (as it doesn't have a real-time clock).
I followed https://superuser.com/questions/732224/make-wpa-supplicant-ignore-server-certificate-trust and commented out the `ca_cert`, but then received an "unknown CA".
Note: when wpa_supplicant fails, it sends a "FATAL" to the ONT which locks it for some period of time and/or power cycles. Even the original equipment will not register until it clears.
Also, after enabling the upstream repos and using apt-get, it ate all of the free space on the edgerouter. Don't forget to clear out the directories after you are done:
/var/cache/apt/*
/var/lib/apt/lists/*
also, deleting the unused system image can give back a lot of space with `delete system image`
Looks like the EdgeRouter will "save" the time on graceful reboot to use on next boot, but I guess I never gracefully rebooted, so it defaulted to the value which came with the firmware. This is no longer an issue (assuming you don't leave it unplugged well past the next certificate rotation).
I just ordered an ER4. Did some googling and ended up here. I really tried to understand the steps above. Not clear. Could this be translated into a step-by-step guide?
For anyone else looking to do this on an ER-X, I repackaged the upstream "wpasupplicant_2.4-1+deb9u4_mipsel.deb" with the missing "wpa_supplicant-wired@.service" and confirmed it works.
You can download the repackaged deb from here:
https://mega.nz/file/LIIkxA5a#bnVWaRtb9miEw7cbmcJDYWkSdk4FqFsgbhFMYYKrLyI
Just transfer the deb to your ER-X and run "sudo dpkg -i wpasupplicant_2.4-1+deb9u4_mipsel.deb" to install it.
Follow the original instructions in this guide and always substitute the deb with this one and it should work.
Hmm, I'm stuck on a bunch of dependencies while installing wpa_supplicant on my USG:
Selecting previously unselected package wpasupplicant.
(Reading database ... 33053 files and directories currently installed.)
Unpacking wpasupplicant (from wpasupplicant_2.7+git20190128+0c1e29f-4~bpo9+1_mips.deb) ...
dpkg: dependency problems prevent configuration of wpasupplicant:
wpasupplicant depends on libc6 (>= 2.15); however:
Version of libc6:mips on system is 2.13-38+deb7u11.
wpasupplicant depends on libdbus-1-3 (>= 1.9.14); however:
Version of libdbus-1-3:mips on system is 1.6.8-1+deb7u6.
wpasupplicant depends on libpcsclite1 (>= 1.0.0); however:
Package libpcsclite1 is not installed.
wpasupplicant depends on libreadline7 (>= 6.0); however:
Package libreadline7 is not installed.
wpasupplicant depends on libssl1.1 (>= 1.1.0); however:
Package libssl1.1 is not installed.
dpkg: error processing wpasupplicant (--install):
dependency problems - leaving unconfigured
Errors were encountered while processing:
wpasupplicant
Any tips? Thanks!
You could either configure repositories and install wpa_supplicant while your router has a valid internet connection, so it could pull the prerequisites, or you could manually download the prerequisites from a Debian mirror and install manually offline.
OK thanks!
Any ideas what causes this wpa_supplicant error? I can't figure this out.
May 22 10:49:21 ubnt wpa_supplicant[21081]: supp-global-ctrl-iface-init(/var/run/wpa_supplicant.ctrl) (will try fixup): bind(PF_UNIX): Permission denied
May 22 10:49:21 ubnt wpa_supplicant[21081]: Could not unlink existing ctrl_iface socket '/var/run/wpa_supplicant.ctrl': No such file or directory
May 22 10:49:21 ubnt wpa_supplicant[21081]: Failed to initialize wpa_supplicant
Are you running wpa_supplicant as root? Try prefixing 'sudo ' in front of wpa_supplicant command line.
Yes, running as root does work. Can this be put in the .sh file to start wpa_supplicant on boot? Current wpa_supplicant.sh looks like this:
#!/usr/bin/env bash
#Start EAP-TLS on eth0
#Check if already running to avoid multiple instances
IF_WAN=eth0
PROCESS_NAME=wpa_supplicant
PROCESS_PATH=/config/scripts/wpa_supplicant
PROCESS_COUNT=$(ps -A | grep $PROCESS_NAME | egrep -v "grep|$(basename $0)" | grep -c $PROCESS_NAME)
if [ $PROCESS_COUNT = 0 ] && [ -x $PROCESS_PATH ]; then
    $PROCESS_PATH -s -B -Dwired -i$IF_WAN -c/config/scripts/wpa_supplicant.conf -g/var/run/wpa_supplicant.ctrl -P/var/run/wpa_supplicant.pid
fi
I was able to install wpa_supplicant v2.8 on my Edgerouter X with FW 2.0.8 with the stretch-backports repo and everything is working as described except ONT interruptions (e.g. power outages/blips).
wpa_cli status / wpa_supplicant will still say authenticated but no connectivity is happening. eth0 - the ethernet cable from my ONT is down and up for a couple of seconds (Unfortunately, I can't put the ONT on a UPS like the edgerouter).
I saw your monitoring scripts for EdgeOS 1.x, but they seem to rely on wpa_cli status to report a status != authenticated - do you have an idea on how to handles these outages? How is that handled for you on EdgeOS 2.x ?
Take a look at my other post on 802.1x on EdgeRouter. In EdgeOS 2.x you would want to use native systemd functionality. Unfortunately, the wpa_supplicant package that comes with EdgeOS 2.x (or Debian Stretch) is missing the systemd file for wired interfaces. You could backport a later wpa_supplicant version, or just copy over the required text file, 'wpa_supplicant-wired@.service', on top of the existing version. The file is part of newer Debian versions and is also available in the wpa_supplicant source code. It allows 802.1x to re-authenticate on interface flaps.
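As an added example (not the author's script and not Debian's packaging), the following installs the wpa_supplicant-wired@.service template referred to here and in the earlier reply about Debian bug 871488, when the Stretch package has left it out. The unit text is reproduced from the upstream wpa_supplicant systemd template, with its @BINDIR@ placeholder replaced by /sbin (assumed: where the Debian package installs the binary); the unit directory defaults to /lib/systemd/system and the wpa_supplicant-wired-%I.conf path matches the symlink created in the post.

```shell
#!/usr/bin/env bash
# Added example: install the wpa_supplicant-wired@.service template if the package lacks it.
# Unit text reproduced from the upstream wpa_supplicant systemd template; @BINDIR@ assumed /sbin.
# Usage: sudo bash install-wired-unit.sh install [/lib/systemd/system] [/sbin]
UNIT_NAME=wpa_supplicant-wired@.service

# wired_unit BINDIR -> prints the unit file contents for a wpa_supplicant binary under BINDIR
wired_unit() {
    cat <<EOF
[Unit]
Description=WPA supplicant daemon (interface- and wired driver-specific version)
Requires=sys-subsystem-net-devices-%i.device
After=sys-subsystem-net-devices-%i.device
Before=network.target
Wants=network.target

[Service]
Type=simple
ExecStart=$1/wpa_supplicant -c/etc/wpa_supplicant/wpa_supplicant-wired-%I.conf -Dwired -i%I

[Install]
Alias=multi-user.target.wants/wpa_supplicant-wired@%i.service
EOF
}

# install_wired_unit UNITDIR [BINDIR] -> writes the template if absent; prints "installed" or "present"
install_wired_unit() {
    local dir=$1 bindir=${2:-/sbin} target
    target="$dir/$UNIT_NAME"
    if [ -f "$target" ]; then
        echo present          # never overwrite a unit the package or the admin already provides
        return 0
    fi
    [ -x "$bindir/wpa_supplicant" ] || echo "warning: $bindir/wpa_supplicant not found" >&2
    wired_unit "$bindir" > "$target"
    chmod 644 "$target"
    echo installed
}

# unit_ok FILE -> 0 if FILE selects the wired driver and the per-interface config path
unit_ok() {
    grep -q -- '-Dwired' "$1" && grep -q 'wpa_supplicant-wired-%I.conf' "$1"
}

if [ "${1:-}" = install ]; then
    install_wired_unit "${2:-/lib/systemd/system}" "${3:-/sbin}"
    systemctl daemon-reload
fi
```

After installing, `systemctl enable wpa_supplicant-wired@eth0.service` from the post resolves the template as usual.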
Thanks very much for all the work that went into this and the write-up.
Through a lot of trial and error, I've managed to get about 99% of the way there with this method. My ER4 is successfully authenticating via wpa_supplicant and I'm getting an IP address from my ONT.
The super frustrating part is that the router isn't passing local network traffic out to the WAN and I can't figure out why.
I was previously using the eap_proxy method and already had a VLAN 0 setup on eth0.0. I'm not sure if this is what's causing the problem.
I've tried disabling the eth0.0 interface and utilizing eth0 as my WAN and setting masquerade to use eth0 as well, but still no luck. I'm sure I'm missing something trivial in my config, but haven't been able to figure it out.
Any help on this would be greatly appreciated!
In case anyone is trying this on an ER-X FW v2.0.8 hotfix1 and needs a wpasupplicant link that isn't broken:
Replace this part of the instructions:
##########################
#Download backported Debian Buster wpa_supplicant and install it
curl https://community.ubnt.com/ubnt/attachments/ubnt/EdgeMAX/235525/1/wpasupplicant_2.6-21~bpo9+1_mips.deb.tar.gz -o /tmp/wpasupplicant_2.6-21~bpo9+1_mips.deb.tar.gz
cd /tmp/
tar -xvf ./wpasupplicant_2.6-21~bpo9+1_mips.deb.tar.gz
sudo dpkg -i /tmp/wpasupplicant_2.6-21~bpo9+1_mips.deb
##########################
With this:
##########################
curl http://ftp.us.debian.org/debian/pool/main/w/wpa/wpasupplicant_2.7+git20190128+0c1e29f-4~bpo9+2_mipsel.deb -o /tmp/wpasupplicant_2.7_mipsel.deb
curl http://ftp.us.debian.org/debian/pool/main/libn/libnl3/libnl-route-3-200_3.4.0-1~bpo9+1_mipsel.deb -o /tmp/libnl-route-3-200_mipsel.deb
curl http://ftp.us.debian.org/debian/pool/main/libn/libnl3/libnl-3-200_3.4.0-1~bpo9+1_mipsel.deb -o /tmp/libnl-3-200_mipsel.deb
sudo dpkg -i /tmp/libnl-3-200_mipsel.deb
sudo dpkg -i /tmp/libnl-route-3-200_mipsel.deb
sudo dpkg -i /tmp/wpasupplicant_2.7_mipsel.deb
##########################
I want to use wpa supplicant on an existing Debian.
Where do I find some help, please?
You should be able to install wpa_supplicant from default Debian package repository
@Sergey. I would really like to set this up to remove the BGW210 from my network and replace my dream machine. However, could you provide a step by step guide? I am not terribly familiar with the language
You may want to check the threads on DSL reports, Reddit or GitHub. There is no universal guide since there are nuances that depend on the device you are planning to use for authentication. I could help with functionality of my tool, however I just don't have bandwidth to document all the possible configurations outside of what I am using myself on ER-4, which is documented in this thread post. I also cannot provide any assistance with rooting the BGW210 or any other gateway.
Is anyone out there working on a solution that still enables the ability to use ATT Voice services?
Has anyone tried upgrading to ER-X FW v2.0.9 yet?
I upgraded my firmware beforehand, but it worked when I followed Sergey's steps in the blog post, using the modifications that AJ commented here on Aug 4th.
Ah, I followed AJ's steps and everything else and then tried the upgrade and I'm having issues getting the EdgeRouter X to boot. Will need to investigate further.
No worries, I reset to factory / uploaded last config / updated packages, and now I'm good.
As for UAP-Pro / beacons, I have to stay at firmware v4.0.80 in order for my ssd vlans to work.
Are you still up, Sergey?
While frustrating, as the saying oft-goes: "No news, is good news." :)
Every time I update the firmware I have to reinstall packages.
Maybe /etc/ubnt/ubnt-rcS/ubnt-rcS.sh isn't able to install them?
Thank you for the guide on getting wpa_supplicant to work. I got mine to work on the Edgerouter X. I wasn't able to get it working at first because wpa_supplicant.service did not install with wpasupplicant_2.4-1+deb9u6_mipsel.deb in the repos. I was only able to get it running after installing wpa_supplicant.service from the Stretch-backports wpasupplicant_2.7+git20190128+0c1e29f-4_bpo9+2_mipsel.deb by extracting the deb. The service was located in \lib\systemd\system\ in the .deb file. I was then able to transfer to my edgerouter using WinSCP and place it in the \lib\systemd\system\ location of the edgerouter. First I had to "sudo chown ubnt -R \lib\systemd\system\" before it let me put the service file into folder. Hope this helps anyone else trying to get their ER-X running. Thank you to the Author!
Check out AJ's comment above; it would have saved you a number of those steps.