{"id":1698,"date":"2015-11-13T00:18:10","date_gmt":"2015-11-12T16:18:10","guid":{"rendered":"http:\/\/boweihe.me\/?p=1698"},"modified":"2015-11-13T00:18:10","modified_gmt":"2015-11-12T16:18:10","slug":"use-an-openwrt-router-to-log-in-802-1x-mschapv2-wired-network-at-sutd","status":"publish","type":"post","link":"https:\/\/dayandcarrot.space\/?p=1698","title":{"rendered":"Use an OpenWrt Router to log in 802.1x (MSCHAPV2) wired network at SUTD (eduroam)"},"content":{"rendered":"

\u672c\u6587\u4e3b\u8981\u4ecb\u7ecd\u5982\u4f55\u4f7f\u7528\u57fa\u4e8eOpenWrt\u7684\u8def\u7531\u5668\u8fdb\u884c802.1X\u6709\u7ebf\u7f51\u767b\u5f55\u9a8c\u8bc1\uff08\u5373\u4f5c\u4e3a802.1X \u5ba2\u6237\u7aef\uff09\u3002
\nThis post tells my experience on trying to connect to a wired network at Singapore University of Technology and Design (SUTD) by using a OpenWrt-powered router (a modified TPLink WR-703n).<\/p>\n

Prerequisites<\/h1>\n

What you need is a router which runs OpenWrt<\/strong> (or other unix-based OS like dd-wrt). For me I have a hardware-hacked TPLink Wr703n (technically it was a WR-702n but their mainboards are same). My modified router has 64 MB ram and 8MB ROM, which allows me to install and run OpenWrt (currently version 14.04) and some necessary apps.
\nYou should know the fundamental about OpenWrt. If not, please visit\u00a0https:\/\/wiki.openwrt.org\/ <\/a>\u00a0for help.<\/p>\n

Steps<\/h1>\n

Before start, please do not power off your device unless it’s requested explicitly.
\nFirst, build up a SSH connection to your router, for me on Windows, I connect my router (192.168.1.1) via Putty<\/a>.
\nIf this is the first time that you log in via SSH terminal, you should firstly set up the root password at http:\/\/192.168.1.1\/ on your internet browser (this IP\u00a0address might vary on different devices)<\/p>\n

Remove wpad-mini<\/h2>\n

We will have to remove the mini version of wpad (wpad = wpa_supplicant + hostapd) since it is not powerful enough to handle a 802.1X authentication. So on your SSH terminal, after you’ve successfully logged in, type this<\/p>\n

opkg remove wpad-mini<\/pre>\n
Install wpad<\/h2>\n
Then install the full version of wpad, you may download it from<\/p>\n
https:\/\/downloads.openwrt.org\/barrier_breaker\/14.07\/ar71xx\/generic\/packages\/base\/wpad_2014-06-03.1-3_ar71xx.ipk<\/pre>\n
and you must find a way to transfer it to your router. For me I choose HFS (http:\/\/www.rejetto.com\/hfs\/) to build a small http file server on my personal computer. and then I use the ‘wget’ commend to download the file<\/p>\n
cd \/tmp\nwget http:\/\/YOUR_HFS_SERVER_IP\/wpad_2014-06-03.1-3_ar71xx.ipk<\/pre>\n
then install it<\/p>\n
opkg install wpad_2014-06-03.1-3_ar71xx.ipk<\/pre>\n
OR\u00a0<\/strong>if you have Internet connection on your router (oh you must be kidding) you can directly type<\/p>\n
opkg update\nopkg install wpad<\/pre>\n
Configuration<\/h2>\n
(For wr-703n only)<\/h3>\n
You may need to set up a wireless connection on your router first, please search on Google to enable your WiFi port. Or you may explore the ‘Network’ –> ‘Wifi’ page, it’s easy to get started!<\/span>
\nBy default, OpenWrt uses the only ethernet port on the little wr-703n as a LAN port, buy in this time we need to set it to a WAN port. It means that we’ll use an Ethernet wire to connect the world, and use the wireless signal to connect your devices, e.g. your laptops, cellphones, pads…
\n[INTERNET] \u00a0<—-wired conn.—> [ROUTER] <—-wireless conn.—-> [DEVICES]
\nThis configuration can be easily done on OpenWrt’s web interface, visit\u00a0http:\/\/YOUR_ROUTER’s_IP\/ (for me it is 192.168.1.1 ) on your browser and enter your password.<\/span>
\nThen go to ‘Networks’ –> ‘Interfaces’, there should be only one interface called ‘LAN’. And we need to add the ‘wan’ interface. so click on the button ‘Add new interface’ below\u00a0\"openwrt_add_new_interface\"<\/a>
\nThen set it as follow:\"openwrt_add_wan_interface\"<\/a>
\nand click ‘submit’.
\nNext, we need to cease the bond between port eth0<\/em> and interface LAN.\u00a0<\/em>Turn back to the interface page, and click the ‘Edit’\u00a0\"openwrt_edit_interface\"<\/a>on LAN<\/strong> interface.
\nThen click on the ‘Physical Settings’ page\u00a0\"openwrt_interface_lan\"<\/a>
\nand set the physical ports binding as follow (Un-tick ‘eth0’ and tick wireless network):
\n\"openwrt_wr703_lan_phy\"<\/a>
\nthen click on ‘Save and Apply’ button in the bottom.\"openwrt_saveandapply\"<\/a>
\nThen restart your router.
\nNOTICE: From now on you can only connect your router through wireless connection, the Ethernet port is set as a WAN port.<\/span><\/p>\n
wpa_supplicant<\/h3>\n
The next step is to set up 802.1X authentication.
\nThe wpa_supplicant module will be used to maintain the authentication process, so we need a configuration file first.
\nType these in your monitor to start vi (a built-in text editor):<\/p>\n
vi \/etc\/config\/wpa.conf<\/pre>\n
then key in ‘i’ to start the insert mode. Copy the following text<\/p>\n
ctrl_interface=\/var\/run\/wpa_supplicant\nctrl_interface_group=root\nap_scan=0\nnetwork={\n        key_mgmt=IEEE8021X\n        eap=MSCHAPV2   #THIS LINE IS IMPORTANT!\n        eapol_flags=0\n        identity=\"YOUR USERNAME\"\n        password=\"YOUR PASSWORD\"\n        phase1=\"peaplabel=1\"\n        phase2=\"auth=MSCHAPV2\"  #THIS LINE MAYBE USELESS\n}\n<\/pre>\n
and then, on your puppy terminal, use the right button of your mouse to paste them into vi text editor. Next, press ‘Ese’ button on your keyboard and input :wq<\/span> <\/strong>to quit vi editor with the file written to your router.<\/p>\n
Connection<\/h1>\n
Finally it’s time to build up connection, first un<\/strong>plug your Ethernet wire from the router if you’ve did so.
\nThen in the putty terminal, type<\/p>\n
killall wpa_supplicant # Kill all wpa_supplicant programs on-the-run\nwpa_supplicant -D wired -i eth0 -c \/etc\/config\/wpa.conf &<\/pre>\n
The second line is the key, it tries to authenticate with the server using your configuration file on the wired port eth0<\/em>.
\nAnd now please plug<\/strong> your Ethernet wire into the router, then the best part starts like this…
\n\"wr703-8021x-conn\"<\/a>
\nOnce you see ‘SUCCESS’ in those output you may press the Enter key to resume from shell execution.
\nIt’s done.
\nIn case you may encounter some error in the process, try change the parameters in your configuration file because not all 802.1x are the same. I once faced the credential error then found out that it’s the bad parameter in the ‘EAP’ setting.<\/p>\n
#eap=PEAP # It was PEAP but turns out to be a failure\neap=MSCHAPV2 # This is the right thing to bypass credentials<\/pre>\n
Enable Service Autostart<\/h1>\n
Here are the scripts to auto-startup the 802.1x auth after the router finished booting. In your puppy terminal, type<\/p>\n
vi \/etc\/init.d\/wpa<\/pre>\n
Then push ‘I’ button on the keyboard to insert<\/p>\n
#!\/bin\/sh \/etc\/rc.common\nSTART=99\nstart() {\n    echo start\n    wpa_supplicant -D wired -i eth0 -c \/etc\/config\/wpa.conf &\n}<\/pre>\n
and push ‘Esc’, and type in :wq <\/span><\/strong>to quit the editor.<\/span>
\nBack to the command terminal, type in<\/p>\n
chmod +x \/etc\/init.d\/wpa\nchmod 755 \/etc\/init.d\/wpa\n\/etc\/init.d\/wpa enable # Enable autostart<\/pre>\n
 <\/p>\n
References<\/h1>\n