802.1X wired with wpad

Hello everyone,
I'm trying to configure 802.1X on a wired interface, because I'm going to connect an access point in my garage, and I want to secure the access of the Ethernet cable that will go to my garage to keep people from accessing my LAN by just connecting this Ethernet cable to a computer.
802.1X is more secure than MAC address filtering.

What I want is to configure the 802.1X authenticator, and not the supplicant. I only found documentation to configure the supplicant (the client).

I have already read the documentation and this part of the forum but I cannot get it to work.

I tried, with wpad (the full version), this configuration:
/etc/config/network:

config interface 'garage'
	option type 'bridge'
	option proto 'static'
	option netmask '255.255.255.0'
	option ipaddr '192.168.9.1'
	option ifname 'eth0.1 eth0.3'
	option driver 'wired'
	option ieee8021 '1'
	option eap_server '1'
	option eap_user_file "/etc/config/8021X.user"

With 8021X.user containing the login / password for the 802.1X client / supplicant.

From what I understand, wpad is hostapd + wpa_supplicant, so wpad should support 802.1X as a supplicant? But does it support wired 802.1X?

Did someone manage to configure a wired 802.1X authenticator on an OpenWrt interface? And how?

Many thanks

Where did you get those config parameters from?

I tried to put the hostapd.conf parameters in /etc/network but this doesn't seem to work this way.

Does someone know how to configure wired 802.1X?
It looks as if the wired driver isn't in the default wpad or hostapd: maybe I need to recompile?

Any updates on this? I've a similar use case... Thanks.

No, I wasn't able to find a way to do this with OpenWrt. I finally installed a managed switch on my homelab with 802.1X.
As said, OpenWrt supports supplicant 802.1X but cannot act as authenticator.

Interesting to see that this thread from > 3 yrs ago is active again on the same day that I posted a new topic for this.

Has anyone tried to follow the RedHat Manual? If not, I will try. It should not be rocket science... I hope OpenWRT has everything on board that's needed, but we will have to put the parts together.

I didn't, but I was considering trying a simple WireGuard tunnel instead. Something like isolating a bunch of ports on a VLAN and then having only the WG port available on that VLAN.

802.1X would be cleaner from a client/OS perspective but that setup is way harder and has a lot more moving pieces than WG.
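
For reference, the settings the first post placed in /etc/config/network are hostapd.conf options, so the wired authenticator the thread asks about would be written as a standalone hostapd configuration like the one below. This is an added example, not a configuration from any poster or from OpenWrt, and nothing in the thread establishes that OpenWrt's wpad or hostapd packages ship the wired driver. It assumes a hostapd build with CONFIG_DRIVER_WIRED=y; the interface name, file paths and credentials are placeholders.

```ini
# /etc/hostapd-wired.conf (hypothetical path); start with: hostapd /etc/hostapd-wired.conf
# Assumption: this hostapd binary was built with CONFIG_DRIVER_WIRED=y.

# Port facing the untrusted cable (placeholder, taken from the ifname in the first post)
interface=eth0.3
driver=wired

# Require IEEE 802.1X authentication on this port
ieee8021x=1
# Send EAPOL frames to the PAE group address (01:80:C2:00:00:03)
use_pae_group_addr=1
# Force the supplicant to re-authenticate every hour
eap_reauth_period=3600

# Use hostapd's integrated EAP server instead of an external RADIUS server
eap_server=1
eap_user_file=/etc/hostapd-wired.eap_user

# Server certificate and key for the PEAP tunnel (placeholder paths)
ca_cert=/etc/hostapd/ca.pem
server_cert=/etc/hostapd/server.pem
private_key=/etc/hostapd/server.key

# Contents of /etc/hostapd-wired.eap_user (constructed credentials):
#   *            PEAP
#   "garage-ap"  MSCHAPV2  "change-me"  [2]
```

The tunnelled PEAP/MSCHAPV2 entry is used here instead of a plain MD5 entry so the password exchange is protected by the server certificate; the supplicant in the garage should be set to validate that certificate against ca.pem.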