Connect router (Archer C50) to an 802.1X EAP network

Hi all,
I wanted to put my Archer C50 behind an 802.1X EAP network (my faculty).
To be clear, we have an Ethernet network which is protected by authentication with 802.1X (username & password), and I want to put my router behind it and then create my own network with my own Wi-Fi.
But now I can't find what I can do to authenticate my router to this Ethernet network...
I can't find it in the stock firmware or in OpenWrt...

Thx

I think if you install the "wpad" package (that's the full package with all features) you can use it to do 802.1x client mode... not sure if it's something you can configure in LuCI or not.

Try searching the forum for what people have done already: Setting Up Wired 802.1X

seems to be all I can find where something like a working config sort of got done.

Okay, you're talking about the last post, right? With this link: https://oldwiki.archive.openwrt.org/doc/howto/wireless.security.8021x
If yes, it definitely seems that I have to use the OpenWrt firmware.
This link helped him, but he apparently faced some issues with wired 802.1X...

New URL: https://openwrt.org/docs/guide-user/network/wifi/wireless.security.8021x

The old page is for archival purposes only and does not receive updates any more.

wpa_supplicant (wpad) should also be able to authenticate wired IEEE 802.1X ethernet links, but I've never seen it being used in practice and don't know if this particular use case is covered in netifd.

Okay, I found something and there was an issue, then I removed libubox... bad idea apparently.
The only thing I can do now is connect through SSH, but it's impossible to install anything or flash the firmware...
Repaired now :wink: I just moved all the libubox files from the .bin firmware to the router with scp and performed a sysupgrade with clean OpenWrt firmware.

Okay, so now something happened: the router won't reboot... Power is on for 2 seconds while all LEDs turn on for 0.5s, then 0.5s off, then on, and then all LEDs turn off, and this in a loop...

Now all LEDs turn on once, then turn off except power.
TFTP doesn't seem to work; it uploaded the firmware, then nothing...

https://openwrt.org/docs/guide-user/troubleshooting/failsafe_and_factory_reset

I need to enter recovery to reinstall the firmware... I tried to use TFTP; the upload worked, then nothing after. I saw someone said "Archer C50 AC1200 V4 bricked" to modify the firmware, but it doesn't work for me or I'm doing sth wrong.

  • Which firmware did you try for recovery?
  • Did you have a look at this https://openwrt.org/toh/tp-link/archer-c50 under Debricking? If you try to recover with stock firmware, note the line about cutting out the first 512 bytes. Note: I haven't tried it; just bringing the page to your attention.
  • In all cases, whether flashing stock or OpenWrt firmware, make sure you are using the image intended for the same hardware version. For example, if your device is V3, don't use V4 image.
    This is unlikely to work with your router, but it wouldn't harm to try https://www.tp-link.com/us/support/faq/1482/

I would also advise you to check your faculty network policy and consult IT admin if mandated before installing a router on their network.

Done using this link : https://patchwork.ozlabs.org/patch/1019620/ !
So I'm back with a running router ahah.

I tried to uninstall wpad-mini but it tells me "no package found", so I tried to install wpad but it tells me

* check_data_file_clashes: Package libubox20170601 wants to install file /lib/libubox.so
	But that file is already provided by package  * libubox
 * opkg_install_cmd: Cannot install package wpad.

So my wpasupplicant.conf can't be used because it's 802.1X, which isn't provided in the wpad-mini package...

# The directory that will be created for UNIX domain sockets
ctrl_interface=/var/run/wpa_supplicant

# Access control for the control interface
ctrl_interface_group=0

# IEEE 802.1X/EAPOL version
eapol_version=2

# This mode must be used when using wired Ethernet drivers
ap_scan=0

network={
	key_mgmt=IEEE8021X
	eap=TTLS
	phase1=""
	phase2="auth=PAP"
	identity="email@domain.hr"
	password="pass"
	eapol_flags=0
}

There is an 18.06.2 release build for the V3, and if you have a V4 there are snapshot builds. Start from one of those rather than build your own. The release builds do have wpad-mini which you then remove.

Yes this is important, it is a serious security issue to have someone do what you're intending to do. For one thing, your 802.1x credentials will be stored in plain text in the router's flash.

Okay, remove done now.
But still this issue when I tried to "opkg install wpad"

* check_data_file_clashes: Package libubox20170601 wants to install file /lib/libubox.so
	But that file is already provided by package  * libubox
 * opkg_install_cmd: Cannot install package wpad.

What build are you running? This looks like a mismatch of the OS vs the package repository.

It could make sense to also remove libubox then let it reinstall as a dependency of wpad. But that seems likely to crash the router since libubox does a lot of basic tasks.

When you remove libubox the router becomes a brick for real x) impossible to use the majority of features, or opkg.
Done now by doing it through LuCI!

eth0.2: CTRL-EVENT-EAP-STARTED EAP authentication started
eth0.2: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=21
eth0.2: CTRL-EVENT-EAP-METHOD EAP vendor 0 method 21 (TTLS) selected
eth0.2: CTRL-EVENT-EAP-PEER-CERT depth=0 subject='C=**, ST=***, L=***, O=***, OU=***, CN=*****' hash=651f0b157a4d07c3e0c71a14f669129edfcd56ea813f5549e22178c83db64226
eth0.2: CTRL-EVENT-EAP-SUCCESS EAP authentication completed successfully
eth0.2: CTRL-EVENT-CONNECTED - Connection to 01:80:c2:00:00:03 completed [id=0 id_str=]

Then the router is stuck there; for now nothing happens next...

After authentication completes, your end is ready. At the other end of the cable, the enterprise switch should have unblocked your port's access to the network. This may require restarting dhcp to get an IP address.

Mmmh, I don't understand why :thinking:
The router is like a computer (with simply a MAC address to the switch which is behind). Why do I need to do sth on the other end of the cable?

Not that you need to do something, but rather that something should have been done which now lets your router do DHCP... So basically your router should initiate DHCP

with the command :
udhcpc -i eth0.2

Works fine now :smiley: Thank you very much to all :stuck_out_tongue:

Can you post the config here so others can see how to do it?

Of course.
First install the OpenWrt firmware.
Connect to your router over SSH by cable (port LAN1).
Connect the WAN port to the Internet (there you can use another computer to share a connection received over Wi-Fi, for example, through the Ethernet port of the PC, then connect it to WAN on the router),
then perform:

opkg update
opkg remove wpad-basic

For some reason, installing the wpad package didn't work through SSH.
Then connect your computer to the router through LuCI (192.168.1.1), tab System/Software.
Then you can install wpad by simply searching for it in the "Download and install package:" field.
Then activate your Wi-Fi, which is disabled by default: tab Network/Wireless, then click Enable.
For me it's like this: N auto 20MHz
Add security if you want, and make sure you can add WPA2 security to it, which confirms that the wpad package is correctly installed.
Now connect your computer back to the router over SSH.

Then create a new folder :
mkdir config
then:
wpasupplicant.conf

This is my wpasupplicant.conf, where you of course need to replace the email & password:

# The directory that will be created for UNIX domain sockets
ctrl_interface=/var/run/wpa_supplicant

# Access control for the control interface
ctrl_interface_group=0

# IEEE 802.1X/EAPOL version
eapol_version=2

# This mode must be used when using wired Ethernet drivers
ap_scan=0

network={
	key_mgmt=IEEE8021X
	eap=TTLS
	phase1=""
	phase2="auth=PAP"
	identity="email@domain.hr"
	password="pass"
	eapol_flags=0
}

Save it (escape then type :wq)
Then type command:
wpa_supplicant -i eth0.2 -D wired -c /root/config/wpasupplicant.conf -dd -t
Finally:
udhcpc -i eth0.2

And now everything should work fine.
To automate this at boot, create a file wpasupplicant.init:

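#!/bin/sh /etc/rc.common

# Boot order: start at position 50, stop at position 15
START=50
STOP=15

start() {
	# Fixed delay before starting the supplicant
	sleep 20
	# -D wired: wired Ethernet driver; -B: run in the background;
	# -dd -t: verbose debug output with timestamps
	wpa_supplicant -i eth0.2 -D wired -c /root/config/wpasupplicant.conf -dd -t -B
	# Fixed delay for the EAP exchange before asking for a lease
	sleep 10
	# Request an address over DHCP on the authenticated port
	udhcpc -i eth0.2
	sleep 5
}

stop() {
	killall wpa_supplicant
	sleep 2
}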

Put it in the /etc/init.d/ folder, so the full path is /etc/init.d/wpasupplicant.init
Now enter the commands:

sed -i -e 's/\r//g' /etc/init.d/wpasupplicant.init
chmod +x /etc/init.d/wpasupplicant.init
/etc/init.d/wpasupplicant.init enable
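Added example, not part of the thread and not any poster's code: the wpasupplicant.conf posted above sets no ca_cert, and, as noted earlier in the thread, the 802.1X credentials sit in plain text in the router's flash. This POSIX shell check flags both conditions; the function names, the CA file path and the server name are placeholders chosen for the example.

```shell
#!/bin/sh
# Added example, not from the thread: audit a wired 802.1X wpa_supplicant config.

# audit_wpa_conf FILE: print one finding per line, nothing when the file passes.
audit_wpa_conf() {
    conf=$1
    # Drop indentation, comments and blank lines so commented-out options are ignored.
    body=$(sed -e 's/^[[:space:]]*//' -e '/^#/d' -e '/^$/d' "$conf")

    # 1. identity= and password= are clear text: only the owner should have access.
    mode=$(ls -ld "$conf" | cut -c5-10)
    [ "$mode" = "------" ] || echo "perm: group/other bits set ($mode)"

    # The remaining checks apply to EAP networks only.
    printf '%s\n' "$body" | grep -q '^eap=' || return 0

    # 2. Without ca_cert the server certificate is not verified, so the TTLS
    #    tunnel carrying the PAP password may terminate at an unexpected server.
    ca=$(printf '%s\n' "$body" | sed -n 's/^ca_cert=//p' | head -n 1)
    if [ -z "$ca" ]; then
        echo "no-ca-cert: server certificate is not validated"
        return 0
    fi

    # 3. A CA file alone trusts every certificate that CA issued; a hash:// pin
    #    or a name constraint binds the session to the expected RADIUS server.
    case $ca in '"hash://server/sha256/'*) return 0 ;; esac
    printf '%s\n' "$body" |
        grep -Eq '^(domain_match|domain_suffix_match|subject_match|altsubject_match)=' ||
        echo "no-name-check: ca_cert set without a server name constraint"
}

# write_samples DIR: constructed inputs. weak.conf mirrors the network block
# posted above; hardened.conf adds a placeholder CA path and server name.
write_samples() {
    printf '%s\n' 'ap_scan=0' 'network={' '    key_mgmt=IEEE8021X' '    eap=TTLS' \
        '    phase2="auth=PAP"' '    identity="email@domain.hr"' '    password="pass"' \
        '}' > "$1/weak.conf"
    chmod 644 "$1/weak.conf"
    { grep -v '^}' "$1/weak.conf"
      printf '    %s\n' 'ca_cert="/etc/ssl/certs/PLACEHOLDER-ca.pem"' \
          'domain_suffix_match="radius.example.org"'
      echo '}'; } > "$1/hardened.conf"
    chmod 600 "$1/hardened.conf"
}
```

On the router, `audit_wpa_conf /root/config/wpasupplicant.conf` prints nothing once the file is mode 600 and the network block either pins the server certificate hash or names the expected RADIUS server.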