
IEEE 802.1x + MD5 authorization on OpenWrt

Home ISPs have recently started offering IEEE 802.1X among their assortment of authentication methods. The protocol works extremely simply: until the client has authenticated, the port passes nothing but 802.1X (EAPOL) frames. In Windows the authentication takes a few clicks to set up, but more often than not the provider's cable goes into a home wireless router that shares the connection, so the router has to do the authenticating. This article shows how to set up IEEE 802.1X + MD5 (EAP-MD5) authentication on an OpenWrt-compatible device.


There are many ways to install OpenWrt. As a rule it all boils down to uploading a firmware image downloaded from the OpenWrt site through the router's web interface; the site itself covers this in more detail. Let us assume we already have a device with OpenWrt installed: the victim will be a Linksys WRT54GL v1.1 running Kamikaze 8.09.2.
So:
  1. Download the firmware and flash our router.
  2. Log in for the first time with telnet root@192.168.1.1 and change the password with the passwd command; after that telnet is disabled and ssh is enabled.
  3. Install a “special” wpa_supplicant build, one with support for the roboswitch driver:
    ssh root@192.168.1.1
    cd /tmp
    opkg update
    wget www.liacs.nl/~jwitteve/openwrt/8.09/brcm-2.4/packages/wpa-supplicant_0.6.9-2_mipsel.ipk
    opkg install wpa-supplicant_0.6.9-2_mipsel.ipk

  4. Create a configuration file for wpa_supplicant, for example /etc/config/wpa_supplicant.conf (wpa_supplicant's parser expects no spaces around the = signs):
     ap_scan=0
     network={
         ssid=""
         key_mgmt=IEEE8021X
         eap=MD5
         identity="login"
         password="password"
     }


    In addition to MD5 there are other authentication methods, such as TTLS with PAP, in which case certificates are required. You can read about the other options in, for example, man wpa_supplicant.
  5. Now we can make a test run. On the WRT54GL the provider's cable is plugged into the WAN port, which the system presents as interface eth0.1:
    # wpa_supplicant -dd -D roboswitch -c /etc/config/wpa_supplicant.conf -i eth0.1
    Initializing interface 'eth0.1' conf '/etc/config/wpa_supplicant.conf' driver 'roboswitch' ctrl_interface 'N/A' bridge 'N/A'
    Configuration file '/etc/config/wpa_supplicant.conf' -> '/etc/config/wpa_supplicant.conf'
    Reading configuration file '/etc/config/wpa_supplicant.conf'

    If everything is fine, we will see:
    ...
    EAPOL: SUPP_PAE entering state AUTHENTICATED
    EAPOL: Supplicant port status: Authorized
    ...
    EAPOL authentication completed successfully

    Now we can obtain an address:
    # udhcpc -i eth0.1
    udhcpc (v1.15.3) started
    Sending discover...
    Sending select for xxxx..
    Lease of xxxx obtained, lease time 21600



That's not all, though: it also has to start automagically at boot.
Create the init script /etc/init.d/wpa_signin:
 #!/bin/sh /etc/rc.common
 START=99
 start() {
         /usr/sbin/wpa_supplicant -i eth0.1 -D roboswitch -B -c /etc/config/wpa_supplicant.conf
 }

Do not forget to enable it:
# /etc/init.d/wpa_signin enable
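This added example (not code from the article) is a POSIX sh script for the router that ties the two manual steps together: it starts the supplicant, waits until the EAPOL port status in its log reads Authorized, and only then runs udhcpc, reporting a failure instead of requesting a lease when authentication fails. It assumes wpa_supplicant runs in the foreground with its -dd output redirected to a log file (no log-file option is assumed for this 0.6.9 build), and the failure markers it matches (SUPP_PAE state HELD, EAP-Failure) are assumed log lines.

```shell
#!/bin/sh
# Added example (not from the article): bring up the WAN only after 802.1X
# succeeds, since a DHCP request on eth0.1 before the port is Authorized gets
# no answer. Assumes wpa_supplicant runs in the foreground with -dd output
# redirected to $WPA_LOG; the failure markers below are assumed log lines.
WPA_LOG=${WPA_LOG:-/tmp/wpa_supplicant.log}
WAN_IF=${WAN_IF:-eth0.1}

# Print "authorized", "failed" or "pending" from the supplicant log.
# The last status line wins, so a retry that succeeds still counts.
eapol_state() {
    state=pending
    [ -r "$1" ] || { echo "$state"; return 0; }
    while IFS= read -r line; do
        case "$line" in
            *"Supplicant port status: Authorized"*)   state=authorized ;;
            *"Supplicant port status: Unauthorized"*) state=pending ;;
            *"SUPP_PAE entering state HELD"*|*"EAP-Failure"*) state=failed ;;
        esac
    done < "$1"
    echo "$state"
}

# Poll for up to $1 seconds: 0 = Authorized, 1 = EAP failure, 2 = timeout.
wait_for_authorized() {
    elapsed=0
    while [ "$elapsed" -lt "${1:-60}" ]; do
        case "$(eapol_state "$WPA_LOG")" in
            authorized) return 0 ;;
            failed)     return 1 ;;
        esac
        sleep 1
        elapsed=$((elapsed + 1))
    done
    return 2
}
# Start the supplicant on the WAN port and ask for a lease only once authorized.
wan_up() {
    wpa_supplicant -dd -D roboswitch -c /etc/config/wpa_supplicant.conf \
        -i "$WAN_IF" > "$WPA_LOG" 2>&1 &
    wait_for_authorized 60
    rc=$?
    if [ "$rc" -eq 0 ]; then
        udhcpc -i "$WAN_IF"
    else
        echo "802.1X on $WAN_IF did not reach Authorized (rc=$rc), no DHCP" >&2
    fi
    return "$rc"
}
```

In the init script, start() would call wan_up instead of the single wpa_supplicant line (without -B, since wan_up backgrounds the supplicant itself).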


Source: https://habr.com/ru/post/91015/
