Automatic 802.1x authentication at wired WAN port

The WAN port of my wd-mynet750 router is connected via an ethernet cable to my ISP’s fiber ONT. The router is expected to authenticate before the fiber ONT assigns a DHCP address and allows normal communication. Somebody has made instructions for doing this on the EdgeRouter X. It works perfectly.
I was able to do something similar on openwrt. I ssh into the router and manually invoke wpa_supplicant to do the authentication. The internet then starts working. However, I'm not sure how to automate the process. The instructions here show how to do it at boot time (of the openwrt router). But, don't I need to invoke wpa_supplicant even if somebody reboots the ISP's fiber ONT device but not the router? Does the wpa_supplicant process keep running as a daemon and keep doing the authentication whenever necessary? If not, those instructions don't seem robust.

  • procd service with hotplug handler
  • pservice with hotplug handler
  • altered watchcat should the above not catch disassoc

sky is the limit... not much different to 'wan monitoring'...

what events do you see in logread upon auth termination?

I have never seen any auth termination event so far.
I get events like eth2 (my WAN interface) is up or down. Probably the 802.1x authentication needs to run whenever eth2 is up.
I guess that is what the snippet below (copied from here) is doing for Edgerouter ERX (eth0 was WAN in that setup)

sudo ln -s /config/wpa_supplicant.conf /etc/wpa_supplicant/wpa_supplicant-wired-eth0.conf
#Disable dbus service and enable wired wpa_supplicant for eth0
sudo systemctl disable wpa_supplicant.service
sudo systemctl enable wpa_supplicant-wired@eth0.service 

How can I do the same in OpenWRT?


search the forum for posts regarding hotplug iface up events... you'll need a little more knowledge on the process itself to be nice and clean about it... ( end/start vs sigusr etc )...

-d = increase debugging verbosity (-dd even more)

or you could try using wpa_cli for connection info...

there are also procd network > ucitrack / style reloads / events but they are a little less 'user friendly'...

from what i can see... you haven't fully interrogated the process for events / status yet... but brute force hotplug stop start would likely still work... depending on how the auth server likes this unclean behavior...

( love to see this ability as a default feature on wired interfaces... )

pservice might work.

  • procd hotplug: iface ifup and net add don’t happen until after wpa_supplicant has authenticated, so hotplug can’t be used to launch wpa_supplicant.
  • watchcat: That’s a pretty extreme response to restart just a single service.

On my router, the example config file that comes with pservice fails because it initializes wpa_supplicant too early. But it seems to work if I use pservice to launch a small script that sleeps for some amount of time and then execs wpa_supplicant.

#!/bin/sh
# give the WAN port time to come up before starting the supplicant
sleep 30
# exec so procd supervises wpa_supplicant itself; note: no -B (see below)
exec /usr/sbin/wpa_supplicant -s -Dwired -ieth2 -c/etc/wpa_supplicant/wpa_supplicant.conf

There’s no need to wait to launch the DHCP client.

If you don’t want to deal with shell scripts and/or pservice, then the good news is that wpa_supplicant can work in the background (flag -B). You can launch it using rc.local which is accessible in LuCI as System->Startup->Local Startup. As long as you don’t /etc/init.d/network restart (that kills wpa_supplicant) then restarting the ONT shouldn’t cause it to fail.

Note the lack of -B in the small script: pservice is a thin wrapper for procd, which interprets the fork-and-quit of wpa_supplicant going into the background as the program crashing. If we use procd to launch and quit wpa_supplicant, then we don’t want it to hide in the background.

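The same idea as a native procd init script, so no pservice or rc.local is needed: wpa_supplicant runs in the foreground (no -B), the fixed sleep becomes a bounded wait for the netdev, and procd respawns the supplicant without limit whenever it exits (ONT reboot, link loss, signal). This is an added example, not code from the thread; eth2, the config path, the START order and the SYSFS_NET override are assumptions.

```shell
#!/bin/sh /etc/rc.common
# /etc/init.d/wpa_wan : supervise the wired 802.1X supplicant with procd.
# Assumptions: WAN port is eth2, credentials in /etc/wpa_supplicant/wpa_supplicant.conf.
START=21            # just after 'network' (START=20); adjust if your setup differs
USE_PROCD=1
IFACE=eth2
CONF=/etc/wpa_supplicant/wpa_supplicant.conf

# Argument list for a *foreground* supplicant: deliberately no -B, because
# procd would read the daemonising fork-and-exit as a crash.
wpa_args() {
    printf '%s' "-s -Dwired -i$1 -c$2"
}

# Poll sysfs until the netdev exists or the timeout (seconds) expires.
# SYSFS_NET is overridable only so the function can be exercised off-router.
wait_for_iface() {
    _dev="${SYSFS_NET:-/sys/class/net}/$1"
    _left=$2
    while [ ! -e "$_dev" ]; do
        [ "$_left" -gt 0 ] || return 1
        sleep 1
        _left=$((_left - 1))
    done
    return 0
}

start_service() {
    # bounded replacement for the "sleep 30" script: wait for the switch
    # driver to register the port, but never block boot indefinitely
    wait_for_iface "$IFACE" 60 || logger -t wpa_wan "$IFACE did not appear, starting anyway"
    procd_open_instance
    procd_set_param command /usr/sbin/wpa_supplicant $(wpa_args "$IFACE" "$CONF")
    # threshold 3600 s, restart after 5 s, retry 0 = never give up on a crash loop
    procd_set_param respawn 3600 5 0
    procd_set_param stderr 1
    procd_close_instance
}
```

Check it with `logread -e wpa_supplicant` after `/etc/init.d/wpa_wan enable && /etc/init.d/wpa_wan start`; `/etc/init.d/network restart` no longer matters, because procd restarts the supplicant if it dies.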