802.1x authentication at wired WAN port

The WAN port of my gli-inet1300 router will be connected via an ethernet cable to my ISP’s fiber ONT. The router is expected to authenticate before the fiber ONT assigns a DHCP address and allows normal communication. Somebody has made instructions for doing this on the edgerouter X. It works perfectly. I am considering moving to gli-inet1300. Can someone please describe how to do the same for gli-inet1300 (preferably with the firmware supplied by openwrt)?
I tried running wpa_supplicant on eth1, but it did not work.

There has been some discussion about doing something similar for wireless, but I see nothing for wired.

I want to understand better, in the settings (e.g. on edgerouter), after everything is done:

  1. Your router will broadcast a psk wifi network? or
  2. It will broadcast an 802.1x network. When your device connects to the router’s wifi it will ask for a username and password.

For option 1 it is not common and I don’t know how to do that.
For option 2 it is generally done by the operator. I guess this is not what you mean.

There is no wifi involved.
My edgerouter erx is only a wired router.
Only after authentication is done will the fiber ONT (connected to the router’s WAN ethernet port) assign a DHCP address (public IP) to the router. Until then, the WAN link doesn’t work and there is no internet.

See here for an example in the openwrt world.

I plugged in a usb ethernet adapter and set it (eth2) as wan (and connected it to my ISP’s fiber ONT box). Then I ran wpa_supplicant on eth2 and authentication succeeded. But the authentication process does not even begin when using the builtin eth1 as wan.

Do you mean that it is working for you when you use usb ethernet adapter? Can you confirm?

Maybe it is because of vlan settings.

Yes, it is working with usb ethernet adapter.

Do you use openwrt firmware and what version? Have you tried eth0 as wan?

I am using OpenWrt 19.07.3 r11063-85e04e9f46 / LuCI openwrt-19.07 branch git-20.136.49537-fb2f363

# ISP fiber ONT connected to WAN port on router
root@OpenWrt:~# wpa_supplicant -i eth0 -D wired -c /root/certs/wpa_supplicant.conf -dd -t
1598846249.803703: Successfully initialized wpa_supplicant
1598846249.947239: eth0: Associated with 01:80:c2:00:00:03
1598846249.947357: eth0: CTRL-EVENT-SUBNET-STATUS-UPDATE status=0
^C1598846251.249338: eth0: CTRL-EVENT-DISCONNECTED bssid=01:80:c2:00:00:03 reason=3 locally_generated=1
1598846251.328346: eth0: CTRL-EVENT-TERMINATING 
root@OpenWrt:~# wpa_supplicant -i eth1 -D wired -c /root/certs/wpa_supplicant.conf -dd -t
1598846254.368487: Successfully initialized wpa_supplicant
1598846254.529454: eth1: Associated with 01:80:c2:00:00:03
1598846254.530336: eth1: CTRL-EVENT-SUBNET-STATUS-UPDATE status=0
^C1598846308.857982: eth1: CTRL-EVENT-DISCONNECTED bssid=01:80:c2:00:00:03 reason=3 locally_generated=1
1598846308.957309: eth1: CTRL-EVENT-TERMINATING 
# ISP fiber ONT connected to the usb ethernet adapter (eth2)
root@OpenWrt:~# wpa_supplicant -i eth2 -D wired -c /root/certs/wpa_supplicant.conf -dd -t
1598846369.466557: Successfully initialized wpa_supplicant
1598846369.629068: eth2: Associated with 01:80:c2:00:00:03
1598846369.629942: eth2: CTRL-EVENT-SUBNET-STATUS-UPDATE status=0
1598846371.543513: eth2: CTRL-EVENT-EAP-STARTED EAP authentication started
1598846371.797949: eth2: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=13
1598846371.833479: eth2: CTRL-EVENT-EAP-METHOD EAP vendor 0 method 13 (TLS) selected
1598846371.980234: eth2: CTRL-EVENT-EAP-PEER-CERT depth=0 subject='C=US, ST=xxx, L=xxx, O=xxxx, OU=xxxxx, CN=xxxxxxxxx' hash=3xxxxx
1598846372.195958: eth2: CTRL-EVENT-EAP-SUCCESS EAP authentication completed successfully
1598846372.197744: eth2: CTRL-EVENT-CONNECTED - Connection to 01:80:c2:00:00:03 completed [id=0 id_str=]

(xxx: redacted)

I have not tried eth0 as wan. I did try running wpa_supplicant on eth0 when the WAN port of the router was connected to the fiber ONT via ethernet cable; that did not work (as expected). I can try to do that when the ONT is connected to a LAN port. But that would make the other LAN port almost unusable unless I use VLAN, which would be inefficient (LAN packets would go through the CPU and not just the switch):

With my wd-mynet750 router running openwrt, running wpa_supplicant on the WAN interface works fine.

related question: If I use a good gigabit usb3 adapter, would it be at least as fast as using the WAN interface? Would I be able to get gigabit speeds if my ISP provides so?

I tested a gigabit usb3 adapter and got this throughput:
iperf3 tcp performance
download: 510 Mbits/sec
upload: 532 Mbits/sec
The adapter driver is ax88179_178a; that is not as fast as eth0/eth1, which have a throughput of 940Mbit/sec.

Please delete the wan setting in network and have a try:

cp /etc/config/network /root/
uci delete network.wan6
uci delete network.wan
uci commit network
/etc/init.d/network restart

I failed to set up an 802.1x server to make eth2 work with.
If you don’t mind, you can pm me a tcpdump of the packets of your normal eth2 authentication for analysis.
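
Added example, not from any post in this thread: a small shell helper that reads wpa_supplicant output like the logs posted above and reports how far 802.1X got on one interface, which separates the eth0/eth1 case (associated, but no EAP exchange ever starts) from the eth2 case. The function name eapol_state, its state labels and the sample log (constructed, modelled on the thread's output) are assumptions.

```shell
#!/bin/sh
# Added example: report how far wired 802.1X got for one interface,
# based on wpa_supplicant control-event lines read from stdin.
# eapol_state and its state labels are hypothetical names.
eapol_state() {
    awk -v ifc="$1: " '
        index($0, ifc) == 0        { next }       # line is for another interface
        /Associated with/          { assoc = 1 }  # shown in every run in the thread
        /CTRL-EVENT-EAP-STARTED/   { started = 1 }
        /CTRL-EVENT-EAP-SUCCESS/   { result = "success" }
        /CTRL-EVENT-EAP-FAILURE/   { result = "failure" }
        END {
            if (result != "") print "eap-" result
            else if (started) print "eap-incomplete"
            else if (assoc)   print "no-eap-exchange"
            else              print "not-associated"
        }'
}

# Constructed sample log, modelled on the output posted in the thread.
sample_log() {
    cat <<'EOF'
100.000001: eth1: Associated with 01:80:c2:00:00:03
100.000002: eth1: CTRL-EVENT-SUBNET-STATUS-UPDATE status=0
^C154.000001: eth1: CTRL-EVENT-DISCONNECTED bssid=01:80:c2:00:00:03 reason=3 locally_generated=1
200.000001: eth2: Associated with 01:80:c2:00:00:03
202.000001: eth2: CTRL-EVENT-EAP-STARTED EAP authentication started
202.500001: eth2: CTRL-EVENT-EAP-METHOD EAP vendor 0 method 13 (TLS) selected
203.000001: eth2: CTRL-EVENT-EAP-SUCCESS EAP authentication completed successfully
300.000001: eth3: Associated with 01:80:c2:00:00:03
302.000001: eth3: CTRL-EVENT-EAP-STARTED EAP authentication started
303.000001: eth3: CTRL-EVENT-EAP-FAILURE EAP authentication failed
EOF
}

# Stand-alone run: classify each interface seen in the sample log.
for ifname in eth1 eth2 eth3 eth9; do
    printf '%s: %s\n' "$ifname" "$(sample_log | eapol_state "$ifname")"
done
```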