OpenWrt Forum Archive

Topic: WNDR3700 Wired 802.1x PEAP surfnet/Eduroam/securew2 wpa_supplicant

The content of this topic has been archived on 28 Mar 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

This guide is made on the basis of these threads: WRT54GL wired 8021x TTLS PAP surfnet/eduroam/securew2 wpa_supplicant & WRT160NL wired 8021x TTLS PAP surfnet/eduroam/securew2 wpa_supplicant. A lot of tips and connection information to be typed in to the wpa.conf file can be found there.

This is the guide for how to connect the WRT160NL to an 802.1x-authenticated network as a client, so that your wireless appliances can connect without the need for them to have 802.1x, or so that you can connect more units than allowed by the IT department. Be aware that there might be security issues connected to this, and I do not take responsibility for anything that might happen to you after following the whole or parts of my guide.

The basis for this guide is the WNDR3700 v2 and OpenWRT 10.03.1; how to install OpenWRT on your router you will find at openwrt.org.
This guide will not work with the WNDR3700 v3. The difference is shown on the same webpage.

How to:
1. Log in to the router with Telnet

telnet 192.168.1.1
passwd #it will ask you to change router root password
reboot #it will reboot the router, not your pc, if you are in the right shell tongue

2. Log in with SSH and install the following software

ssh root@192.168.1.1
cd /tmp
opkg update
opkg install nano #text editor
opkg install wpa-supplicant

3. Make a wpa-supplicant conf file which contains username and password to authenticate:

nano /etc/config/wpa.conf #opens text editor copy paste code in it

ctrl_interface=/var/run/wpa_supplicant
ctrl_interface_group=root
ap_scan=0
network={
        key_mgmt=IEEE8021X
        eap=PEAP
        pairwise=CCMP TKIP
        identity="username@uit.no"
        anonymous_identity="username@uit.no"
        password="password"
        phase2="auth=MSCHAPV2"
        priority=2
}

#identity is just a example for Student Housing Internett, University of Tromsø, Norway
#if your university/institutions use different kind of encryption, please change accordingly.
#ctrl-x save yes and exit

4. Test authentication in case the Internet/Authentication server is on the WAN port:

wpa_supplicant -D wired -i eth1 -c /etc/config/wpa.conf &
#if it says something like successful press ctrl-c to quit
#try getting an IP address from the Internet Provider
udhcpc -i eth1
#if authentication fails, run the wpa_supplicant command with -d or -dd for more verbose information

5. Create a startup daemon, so you don't have to type all of this in case the router's power fails or it restarts:

nano /etc/init.d/wpa #opens text editor copy paste code in it

#!/bin/sh /etc/rc.common
# Example script
# Copyright (C) 2007 OpenWrt.org
START=99

start() {
        echo start
        wpa_supplicant -D wired -i eth1 -c /etc/config/wpa.conf &
}

#ctrl-x save yes and exit
chmod +x /etc/init.d/wpa
chmod 755 /etc/init.d/wpa
/etc/init.d/wpa enable
reboot

6. Finished. Setting up Wifi/Access-Point, WPA2 encryption etc. can be done in the web interface!
If you are not finished because you don't understand step 2 telnet and step 3 ssh, it might be because you have to type these commands into a "shell". For Mac OS X go to Utilities>Terminal, for Ubuntu Linux go to Accessories>Terminal, for Windows install PuTTY.
I suggest Windows users download a LiveCD like Ubuntu, burn it, boot the PC from the LiveCD and perform these steps... it might make more sense...

(Last edited by marstein on 7 Aug 2012, 18:39)

Have you tried translating wpa.conf to /etc/config/wireless config format?
OpenWrt uses the wpad package, which is actually hostap + wpa_supplicant rolled into one package.

To have TTLS functions you need to remove wpad-mini and install the full version called "wpad" that has TTLS features.

I have been trying to use the /etc/config/wireless format without success so far :(

Here is what my config looks like:

config wifi-device 'radio0'
    option type 'mac80211'
    option channel '11'
    option hwmode '11ng'
    option path 'platform/ar933x_wmac'
    option htmode 'HT20'
    list ht_capab 'SHORT-GI-20'
    list ht_capab 'SHORT-GI-40'
    list ht_capab 'RX-STBC1'
    list ht_capab 'DSSS_CCK-40'
    option disabled '0'

config wifi-iface
    option device 'radio0'
    option network 'wan'
    option mode 'sta'
    option ssid 'eduroam'
    option eap_type 'TTLS'
    option phase2 'auth=PAP'
    option identity 'username'
    option password 'password'
    option ca_cert '/root/deutsche-telekom-root-ca-2.crt'
    option anonymous_identity 'anonymous@uni-greifswald.de'

The wpa_supplicant config works without issues, and here is what it looks like:

ctrl_interface=/var/run/wpa_supplicant
fast_reauth=1

network={
   ssid="eduroam"
   key_mgmt=WPA-EAP
   eap=TTLS
   anonymous_identity="anonymous@uni-greifswald.de"
   identity="username"
   password="password"
   ca_cert="/root/deutsche-telekom-root-ca-2.crt"
   phase1="peaplabel=0"
   phase2="auth=PAP"
}

I have also looked into a related ticket but didn't find the info very helpful:
https://dev.openwrt.org/ticket/2069

Do you have any idea how to use wpad package with OpenWrt /etc/config/wireless config file?
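
Added example, not part of either post above: neither posted network block ties the EAP tunnel to the institution's RADIUS server. The PEAP block has no ca_cert, and the TTLS block pins only a root CA with no server-name match. The function name, the finding labels and the trimmed sample files in this audit script are this example's own.

```shell
# Added example (not from the thread). Finding labels are this script's own.
audit_wpa_conf() {
    awk '
    /^[ \t]*#/ { next }
    /^[ \t]*network=[{]/ { inblk = 1; n++; split("", kv); next }
    inblk && /^[ \t]*[}]/ {
        inblk = 0
        if (!("eap" in kv)) next                 # not an EAP network
        if (!("ca_cert" in kv))
            print "network " n ": NO_CA_CERT"
        else if (!("domain_suffix_match" in kv) && !("domain_match" in kv) &&
                 !("subject_match" in kv) && !("altsubject_match" in kv))
            print "network " n ": NO_SERVER_NAME_CHECK"
        # with no anonymous_identity the real identity is sent as outer identity
        if (!("anonymous_identity" in kv) || kv["anonymous_identity"] == kv["identity"])
            print "network " n ": OUTER_ID_IS_REAL_USERNAME"
        if (kv["phase2"] ~ /auth=PAP/)
            print "network " n ": PAP_INNER_AUTH"
    }
    inblk && /=/ {
        line = $0; sub(/^[ \t]+/, "", line)
        key = line; sub(/=.*/, "", key)
        val = line; sub(/^[^=]*=/, "", val); gsub(/^"|"$/, "", val)
        kv[key] = val
    }' "$1"
}

# Constructed samples: the two network blocks posted in this thread, trimmed.
write_samples() {
    cat > "$1/peap.conf" <<'EOF'
network={
        eap=PEAP
        identity="username@uit.no"
        anonymous_identity="username@uit.no"
        phase2="auth=MSCHAPV2"
}
EOF
    cat > "$1/ttls.conf" <<'EOF'
network={
   eap=TTLS
   anonymous_identity="anonymous@uni-greifswald.de"
   identity="username"
   ca_cert="/root/deutsche-telekom-root-ca-2.crt"
   phase2="auth=PAP"
}
EOF
}
d=$(mktemp -d) && write_samples "$d"
for f in "$d"/*.conf; do echo "== ${f##*/}"; audit_wpa_conf "$f"; done
rm -rf "$d"
```

Which of the four server-name match options a given wpa_supplicant build accepts depends on its version, so check the wpa_supplicant.conf reference shipped with the installed package before adding one. PAP_INNER_AUTH is informational: with PAP the password crosses the tunnel as plaintext, so the tunnel's server validation is the only protection it has.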

The discussion might have continued from here.