Use an OpenWrt Router to log in 802.1x (MSCHAPV2) wired network at SUTD (eduroam)

This post mainly explains how to use an OpenWrt-based router for 802.1X wired network login authentication (i.e. with the router acting as the 802.1X client).
It describes my experience connecting to a wired network at Singapore University of Technology and Design (SUTD) using an OpenWrt-powered router (a modified TP-Link WR-703n).

Prerequisites

What you need is a router that runs OpenWrt (or another Unix-based OS like DD-WRT). I have a hardware-hacked TP-Link WR-703n (technically it was a WR-702n, but their mainboards are the same). My modified router has 64 MB RAM and 8 MB ROM, which allows me to install and run OpenWrt (currently version 14.04) and some necessary packages.
You should know the fundamentals of OpenWrt. If not, please visit https://wiki.openwrt.org/ for help.

Steps

Before starting, do not power off your device unless you are explicitly asked to.
First, set up an SSH connection to your router; on Windows I connect to my router (192.168.1.1) via PuTTY.
If this is the first time you log in via an SSH terminal, you first have to set the root password at http://192.168.1.1/ in your web browser (this IP address may vary between devices).

Remove wpad-mini

We have to remove the mini version of wpad (wpad = wpa_supplicant + hostapd), since it lacks the features needed to handle 802.1X authentication. So on your SSH terminal, after you’ve successfully logged in, type this:

opkg remove wpad-mini

Install wpad

Then install the full version of wpad, you may download it from

https://downloads.openwrt.org/barrier_breaker/14.07/ar71xx/generic/packages/base/wpad_2014-06-03.1-3_ar71xx.ipk

and you must find a way to transfer it to your router. I chose HFS (http://www.rejetto.com/hfs/) to run a small HTTP file server on my PC, and then used the ‘wget’ command on the router to download the file:

cd /tmp
wget http://YOUR_HFS_SERVER_IP/wpad_2014-06-03.1-3_ar71xx.ipk

then install it

opkg install wpad_2014-06-03.1-3_ar71xx.ipk

OR, if your router already has an Internet connection (oh, you must be kidding), you can directly type

opkg update
opkg install wpad

Configuration

(For wr-703n only)

You may need to set up a wireless connection on your router first; please search on Google for how to enable the WiFi on your model, or explore the ‘Network’ –> ‘Wifi’ page, it’s easy to get started!
By default, OpenWrt uses the only Ethernet port on the little wr-703n as a LAN port, but this time we need to set it as the WAN port. That means we use the Ethernet cable to reach the outside world, and the wireless signal to connect your devices, e.g. laptops, cellphones, pads…
[INTERNET] <-- wired conn. --> [ROUTER] <-- wireless conn. --> [DEVICES]
This can easily be done on OpenWrt’s web interface: visit http://YOUR_ROUTER’s_IP/ (for me it is 192.168.1.1) in your browser and enter your password.
Then go to ‘Network’ –> ‘Interfaces’; there should be only one interface, called ‘LAN’, and we need to add the ‘wan’ interface, so click the ‘Add new interface’ button below.
(screenshot: openwrt_add_new_interface)
Then set it as follows:
(screenshot: openwrt_add_wan_interface)
and click ‘Submit’.
Next, we need to break the binding between port eth0 and the LAN interface. Go back to the interface page and click ‘Edit’ on the LAN interface.
(screenshot: openwrt_edit_interface)
Then click on the ‘Physical Settings’ tab
(screenshot: openwrt_interface_lan)
and set the physical port binding as follows (un-tick ‘eth0’ and tick the wireless network):
(screenshot: openwrt_wr703_lan_phy)
then click the ‘Save and Apply’ button at the bottom.
(screenshot: openwrt_saveandapply)
Then restart your router.
NOTICE: From now on you can only reach your router over the wireless connection; the Ethernet port is now the WAN port.

wpa_supplicant

The next step is to set up 802.1X authentication.
The wpa_supplicant module will handle the authentication process, so we need a configuration file first.
Type this in your terminal to start vi (the built-in text editor):

vi /etc/config/wpa.conf

then press ‘i’ to enter insert mode. Copy the following text

ctrl_interface=/var/run/wpa_supplicant   # control socket, lets wpa_cli query the supplicant
ctrl_interface_group=root
ap_scan=0                                # wired port: no access-point scanning
network={
        key_mgmt=IEEE8021X               # plain 802.1X port authentication
        eap=MSCHAPV2   #THIS LINE IS IMPORTANT!
        eapol_flags=0                    # no dynamic WEP keys on a wired port
        identity="YOUR USERNAME"
        password="YOUR PASSWORD"
        phase1="peaplabel=1"
        phase2="auth=MSCHAPV2"  #THIS LINE MAY BE USELESS
}

and then, in your PuTTY terminal, right-click to paste it into the vi editor. Next, press the ‘Esc’ key and type :wq to quit vi with the file written to your router.
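One check worth running before starting the supplicant, added here as an example and not part of the original post: wpa.conf stores the 802.1X password in plaintext, so the script below verifies that only root can read the file (chmod 600), that the placeholder credentials have been replaced, and that the essential keys are present. It strips wpa_supplicant-style trailing `#` comments the same way the supplicant does (only outside quotes). It is plain POSIX sh so it runs under BusyBox ash on the router; the file path is the one from the post, the function names are my own.

```shell
#!/bin/sh
# Added example (not from the original post): sanity-check a wpa_supplicant
# configuration such as /etc/config/wpa.conf before starting the supplicant.
# The file carries the 802.1X password in plaintext, so besides the required
# keys it verifies that only root can read the file. POSIX sh, BusyBox-safe.

# Print the value of KEY from FILE, removing the surrounding quotes of a
# quoted value or the trailing "# comment" of a bare one.
wpa_conf_get() {
    raw=$(sed -n "s/^[[:space:]]*$1=//p" "$2" | head -n 1)
    case $raw in
        \"*)                      # quoted: keep what is between the quotes
            raw=${raw#\"}
            raw=${raw%%\"*}
            ;;
        *)                        # bare: drop the comment and trailing blanks
            raw=${raw%%#*}
            raw=$(printf '%s' "$raw" | sed 's/[[:space:]]*$//')
            ;;
    esac
    printf '%s\n' "$raw"
}

# Return 0 if FILE is a usable 802.1X supplicant config for this setup;
# otherwise print each problem found and return 1.
wpa_conf_check() {
    file=$1
    rc=0
    if [ ! -f "$file" ]; then
        echo "no such file: $file"
        return 1
    fi
    for key in key_mgmt eap identity password; do
        if [ -z "$(wpa_conf_get "$key" "$file")" ]; then
            echo "missing setting: $key"
            rc=1
        fi
    done
    if [ "$(wpa_conf_get key_mgmt "$file")" != "IEEE8021X" ]; then
        echo "key_mgmt must be IEEE8021X for plain wired 802.1X"
        rc=1
    fi
    case "$(wpa_conf_get identity "$file")" in
        "YOUR USERNAME") echo "identity is still the placeholder"; rc=1 ;;
    esac
    case "$(wpa_conf_get password "$file")" in
        "YOUR PASSWORD") echo "password is still the placeholder"; rc=1 ;;
    esac
    # The password is stored in the clear: the file must not be readable by others.
    mode=$(ls -ld "$file" | cut -c1-10)
    if [ "$mode" != "-rw-------" ]; then
        echo "permissions are $mode; run: chmod 600 $file"
        rc=1
    fi
    return $rc
}

# Usage when run directly on the router:  sh wpa_conf_check.sh /etc/config/wpa.conf
if [ -n "${1:-}" ]; then
    wpa_conf_check "$1" && echo "OK: $1"
fi
```

Run it after editing the file and again after any `chmod`; a `permissions are -rw-r--r--` line means every local user (and any process running as a non-root user) can read the account password.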

Connection

Finally it’s time to bring up the connection. First, unplug the Ethernet cable from the router if it is plugged in.
Then, in the PuTTY terminal, type

killall wpa_supplicant # Kill all wpa_supplicant programs on-the-run
wpa_supplicant -D wired -i eth0 -c /etc/config/wpa.conf &

The second line is the key: it tries to authenticate with the server, using your configuration file, on the wired port eth0.
Now plug your Ethernet cable into the router, and the best part starts, like this…
(screenshot: wr703-8021x-conn)
Once you see ‘SUCCESS’ in that output you may press the Enter key to get your shell prompt back.
It’s done.
If you encounter errors during the process, try changing the parameters in your configuration file, because not all 802.1X deployments are the same. I once hit a credential error and found out it was a bad parameter in the ‘eap’ setting.

#eap=PEAP # It was PEAP at first, but that turned out to fail
eap=MSCHAPV2 # This one gets past the credential check
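Instead of watching the terminal output for SUCCESS, the authentication state can be read from wpa_supplicant’s control socket (the `ctrl_interface` line in wpa.conf enables it). The helper below is an added example, not code from the original post: it polls `wpa_cli -i eth0 status` for the `EAP state` field and returns 0 on SUCCESS, 1 on FAILURE and 2 if neither shows up within the polling budget, which makes it usable from a script or the init file. The wpa_cli command (shipped with the full wpad package), the interface name eth0 and the polling limits are assumptions; the sample status lines in the comments are constructed.

```shell
#!/bin/sh
# Added example (not from the original post): wait for the wired 802.1X
# authentication to finish by polling wpa_supplicant's control interface
# ("wpa_cli -i eth0 status", from the full wpad package) instead of
# watching the terminal for SUCCESS. Interface name and command are assumed.

# Print the value of FIELD from wpa_cli-style "key=value" lines read on stdin.
status_field() {
    sed -n "s/^$1=//p" | head -n 1
}

# Poll STATUS_CMD (a command that prints wpa_cli-style status lines)
# up to TRIES times with DELAY seconds between polls.
# Returns 0 once "EAP state=SUCCESS" is seen, 1 on "EAP state=FAILURE",
# 2 if neither appeared before the polls ran out.
wait_for_8021x() {
    status_cmd=$1
    tries=${2:-30}
    delay=${3:-1}
    i=0
    while [ "$i" -lt "$tries" ]; do
        # wpa_cli fails while the supplicant is not up yet; treat that as "no state".
        out=$($status_cmd 2>/dev/null) || out=""
        state=$(printf '%s\n' "$out" | status_field "EAP state")
        case $state in
            SUCCESS) return 0 ;;
            FAILURE) return 1 ;;
        esac
        i=$((i + 1))
        sleep "$delay"
    done
    return 2
}

# Usage on the router, e.g. right after starting the supplicant:
#   wait_for_8021x "wpa_cli -i eth0 status" 30 1 && logger "802.1X: eth0 authenticated"
# A constructed example of the lines wpa_cli prints once authentication is done:
#   wpa_state=COMPLETED
#   Supplicant PAE state=AUTHENTICATED
#   EAP state=SUCCESS
```

A FAILURE result is the case the author describes (wrong `eap=` method or bad credentials); a timeout usually means the cable was not plugged in or the switch port never started EAPOL, so it is worth distinguishing the two in any log message.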

Enable Service Autostart

Here is the script to start the 802.1X authentication automatically after the router finishes booting. In your PuTTY terminal, type

vi /etc/init.d/wpa

Then press ‘i’ on the keyboard to insert

#!/bin/sh /etc/rc.common
# OpenWrt init script: rc.common calls start() at boot; START=99 runs it
# late, after the network interfaces have been brought up.
START=99
start() {
    echo start
    wpa_supplicant -D wired -i eth0 -c /etc/config/wpa.conf &
}
stop() {
    killall wpa_supplicant
}

then press ‘Esc’ and type :wq to quit the editor.
Back at the command prompt, type

chmod +x /etc/init.d/wpa
chmod 755 /etc/init.d/wpa
/etc/init.d/wpa enable # Enable autostart

2 replies on “Use an OpenWrt Router to log in 802.1x (MSCHAPV2) wired network at SUTD (eduroam)”

Thanks a lot for the help! I never expected to find an 802.1X OpenWrt setup for our own school, SUTD... it works great.
Add shadowsocks on top and you can skip the campus firewall, heh heh
