[SOLVED] Connect to WPA2-Enterprise


#1

Hi, I have a BT HH5 Powered by LuCI openwrt-18.06 branch (git-18.228.31946-f64b152) / OpenWrt 18.06.1 r7258-5eb055306f | xRX200 rev 1.2

And what I want to do is to connect to a WPA2-Enterprise (WPA2 - 802.1X) using my username and password and repeat the signal through lan or wifi.
The problem is, when I go to Luci>Network>Wireless>Scan I can see that network but there is no WPA2-Enterprise option in dropdown menu.
Any idea what can I do?


#2

I don't know exactly what WPA2 Enterprise 802.1x network you're connecting to, but it's very likely that it will block sharing of that connection.

802.1x is a AAA mechanism to ensure that access can be controlled and audited, meaning that the administrator knows who is accessing the network, where and when. Connecting an AP to that network without extending the 802.1x to its own network would bypass that. We see this often on the network I work on, with students in halls of residence trying to connect their own APs to our 802.1x network to connect devices that aren't .1x capable or that they don't want the hassle of configuring for .1x connections

If you really want to try this, though, you'll need to get a .1x supplicant running on the WLAN port of your router and configure it to connect to your enterprise network in client mode with the credentials or certificate you've been provided by your network administrator. It's very unlikely that you'll be able to configure your device as a repeater in this configuration (again, your network admin should be blocking it), you'll instead need to NAT connections from your other wired and wireless interfaces through the WLAN port connected to the .1x network.

This isn't a standard OpenWrt configuration and is going to require a lot of research on your part to get it working (it, indeed, it's possible with your enterprise network configuration).

Good luck!


#3

#4

I did the following:

opkg update
opkg remove wpad-mini
opkg install wpad

now scan on "Qualcomm Atheros QCA9880 802.11nac" is not working
so I scanned on Generic "MAC80211 802.11bgn" found network > join network > Interface Configuration > Wireless Security > Encryption WPA2-EAP, Cipher Auto, EAP-Method PEAP, Authentication EAP-MSCHAPV2, Identity my username, Password my password

now the router is connected to internet, I can update/install packages
I just need a way to share this connection and I am ptretty shure there is one.


#5

Did you assign the wwan in the WAN firewall zone?
Are all the other interfaces in LAN firewall zone?


#6


this is what I have


#7

Did you install wpad (full)?


#8

Yes, I removed wpad-mini and installed wpad


#9

It is not visible here. Better log in with SSH and run these commands in one line, then post the output here.
cat /etc/config/network; cat /etc/config/wireless; cat /etc/config/firewall; ip -4 addr; ip -4 ro; ip -4 ru;


#10
root@OpenWrt:~# cat /etc/config/network

config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd2d:7139:9086::/48'

config atm-bridge 'atm'
        option vpi '1'
        option vci '32'
        option encaps 'llc'
        option payload 'bridged'
        option nameprefix 'dsl'

config dsl 'dsl'
        option annex 'a'
        option tone 'av'

config interface 'lan'
        option type 'bridge'
        option ifname 'eth0.1'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config device 'lan_dev'
        option name 'eth0.1'
        option macaddr '40:f2:01:3b:a2:f2'

config interface 'wan'
        option proto 'dhcp'
        option ifname 'eth0.2'
        option type 'bridge'

config device 'wan_dev'
        option name 'dsl0'
        option macaddr '40:f2:01:3b:a2:f3'

config interface 'wan6'
        option ifname '@wan'
        option proto 'dhcpv6'
        option type 'bridge'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '0 1 2 4 6t'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '5 6t'

config interface 'wwan'
        option proto 'dhcp'

root@OpenWrt:~# cat /etc/config/wireless

config wifi-device 'radio0'
        option type 'mac80211'
        option hwmode '11a'
        option path 'pci0000:01/0000:01:00.0/0000:02:00.0'
        option htmode 'VHT80'
        option disabled '0'
        option channel '100'
        option country 'GB'
        option legacy_rates '1'

config wifi-device 'radio1'
        option type 'mac80211'
        option hwmode '11g'
        option path 'pci0000:00/0000:00:0e.0'
        option htmode 'HT20'
        option disabled '0'
        option channel '6'
        option country 'GB'
        option legacy_rates '1'

config wifi-iface 'default_radio1'
        option device 'radio1'
        option network 'lan'
        option mode 'ap'
        option ssid 'OpenWrt'
        option encryption 'none'

config wifi-iface
        option ssid 'ENTERPRISE-NETWORK'
        option device 'radio1'
        option mode 'sta'
        option bssid '3A:43:1D:39:7D:3E'
        option eap_type 'peap'
        option auth 'EAP-MSCHAPV2'
        option identity 'MYID'
        option password 'MYPASSWORD'
        option encryption 'wpa2'
        option network 'wwan wan wan6 lan'
root@OpenWrt:~# cat /etc/config/firewall

config defaults
        option syn_flood '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option network 'lan wwan'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        option network 'wan wan6'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config include
        option path '/etc/firewall.user'
root@OpenWrt:~# ip -4 addr; ip -4 ro; ip -4 ru;
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
5: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    inet 192.168.1.1/24 brd 192.168.1.255 scope global br-lan
       valid_lft forever preferred_lft forever
9: wlan1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    inet XX.XX.XX.XX/26 brd XX.XX.XX.XX scope global wlan1
       valid_lft forever preferred_lft forever
default via XX.XX.XX.XX dev wlan1  src XX.XX.XX.XX
XX.XX.XX.XX/26 dev wlan1 scope link  src XX.XX.XX.XX
192.168.1.0/24 dev br-lan scope link  src 192.168.1.1
0:      from all lookup local
32766:  from all lookup main
32767:  from all lookup default


#11

WWAN must be in WAN zone, not LAN.

I don't understand why is the wifi attacheded to all those interfaces, it should be only to wwan.
Also unbridge the wan and wan6 interfaces.


#12
root@OpenWrt:~# cat /etc/config/firewall

config defaults
        option syn_flood '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option network 'lan'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        option network 'wwan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config include
        option path '/etc/firewall.user'

config forwarding
        option dest 'wan'
        option src 'lan'

root@OpenWrt:~# cat /etc/config/wireless

config wifi-device 'radio0'
        option type 'mac80211'
        option hwmode '11a'
        option path 'pci0000:01/0000:01:00.0/0000:02:00.0'
        option htmode 'VHT80'
        option disabled '0'
        option channel '100'
        option country 'GB'
        option legacy_rates '1'

config wifi-device 'radio1'
        option type 'mac80211'
        option hwmode '11g'
        option path 'pci0000:00/0000:00:0e.0'
        option htmode 'HT20'
        option disabled '0'
        option channel '6'
        option country 'GB'
        option legacy_rates '1'

config wifi-iface 'default_radio1'
        option device 'radio1'
        option network 'lan'
        option mode 'ap'
        option ssid 'OpenWrt'
        option encryption 'none'

config wifi-iface
        option ssid 'ENTERPRISE-NETWORK'
        option device 'radio1'
        option mode 'sta'
        option bssid '3A:43:1D:39:7D:3E'
        option eap_type 'peap'
        option auth 'EAP-MSCHAPV2'
        option identity 'MYID'
        option password 'MYPASS'
        option encryption 'wpa2'
        option network 'wwan'

I fixed that but now is no longer connecting.
" Wireless is not associated"


#13

Since HH5 have 2,4ghz and 5ghz I think it should be simple to connect with one of them to Enterprise and share this connection to the other one. But I don't know how to do it :grin:


#14

You have posted twice the wireless config, once with your user-pass. Fix that and add the new network config. We'll see what can still be wrong.


#15

Thank you

here is new network config:

root@OpenWrt:~# cat /etc/config/network

config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd2d:7139:9086::/48'

config atm-bridge 'atm'
        option vpi '1'
        option vci '32'
        option encaps 'llc'
        option payload 'bridged'
        option nameprefix 'dsl'

config dsl 'dsl'
        option annex 'a'
        option tone 'av'

config interface 'lan'
        option type 'bridge'
        option ifname 'eth0.1'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config device 'lan_dev'
        option name 'eth0.1'
        option macaddr '40:f2:01:3b:a2:f2'

config interface 'wan'
        option proto 'dhcp'
        option ifname 'eth0.2'
        option type 'bridge'

config device 'wan_dev'
        option name 'dsl0'
        option macaddr '40:f2:01:3b:a2:f3'

config interface 'wan6'
        option ifname '@wan'
        option proto 'dhcpv6'
        option type 'bridge'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '0 1 2 4 6t'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '5 6t'

config interface 'wwan'
        option proto 'dhcp'
        option ifname 'eth0.2'
        option type 'bridge'


#16

Why is eth0.2 bridged with radio1 in wwan interface?


#17

I removed eth0.2 an now is only radio1.network2 which is Wireless Network: Client "ENTERPRISE_NETWORK"
But still same prob. When I go to Wireless I get SSID: ENTERPRISE-NETWORK | Mode: Client
Wireless is not associated

cat /etc/config/network

config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd2d:7139:9086::/48'

config atm-bridge 'atm'
        option vpi '1'
        option vci '32'
        option encaps 'llc'
        option payload 'bridged'
        option nameprefix 'dsl'

config dsl 'dsl'
        option annex 'a'
        option tone 'av'

config interface 'lan'
        option type 'bridge'
        option ifname 'eth0.1'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config device 'lan_dev'
        option name 'eth0.1'
        option macaddr '40:f2:01:3b:a2:f2'

config interface 'wan'
        option proto 'dhcp'
        option ifname 'eth0.2'
        option type 'bridge'

config device 'wan_dev'
        option name 'dsl0'
        option macaddr '40:f2:01:3b:a2:f3'

config interface 'wan6'
        option ifname '@wan'
        option proto 'dhcpv6'
        option type 'bridge'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '0 1 2 4 6t'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '5 6t'

config interface 'wwan'
        option proto 'dhcp'
        option type 'bridge'


#18

I need to open a small parenthesis here. Yesterday in your post the wwan was different:

config interface 'wwan'
        option proto 'dhcp'

and since no one else advised you here to change that it should be the same.
Which brings us to the conclusion that you are experimenting yourself with the settings. And I am totally fine with that, as long as you let us know what you have done, or at least revert the changes since they didn't work.
I don't dare to think what else have you changed there while we are trying to find the mistake in different configuration files.
Therefore if you want us to continue helping you, you need to apply the changes suggested and only these. Is that fine with you?


#19

I am sorry and to be honest I have no idea how I modified that option. I really appreciate your help, and if will be more easier I can reset entire router and start from scratch, or I will be more than happy to apply only your suggested settings.


#20

Alright, the safest way is to start from scratch then. Factory default, install the wpad full, add the new WWAN client interface to the WAN firewall zone, verify everything works as expected and we'll see what else can be done to add the access point for your LAN.
By the end post these to be on the same page:
cat /etc/config/network; cat /etc/config/wireless; cat /etc/config/firewall; ip -4 addr; ip -4 ro; ip -4 ru;