Feature #5474

Add 802.1x configuration to wired interfaces.

Added by Doug Dimick almost 5 years ago. Updated over 4 years ago.

Status: New
Priority: Normal
Assignee: -
Category: Interfaces
Target version: -
Start date: 11/17/2015
Due date:
% Done: 0%
Estimated time:

Description

pfSense already contains wpa_supplicant, which can also be used for wired interface 802.1x client authentication. This feature request is to add wpa_supplicant configuration on the interface configuration page for that purpose.

Please see https://www.reddit.com/r/PFSENSE/comments/2n41pk/wan_authentication_with_8021x/ for additional information.

History

#1 Updated by Chris Buechler over 4 years ago

  • Category set to Interfaces

#2 Updated by Doug Dimick over 4 years ago

Here's a hacked-together shell script that can be used in the meantime:

#!/usr/bin/env sh

# I use this on pfSense to make wired 802.1x authentication work on startup.
# A good location to put this is in /conf, as that directory is retained during upgrades.
# You can use the shellcmd package to execute upon boot, like "nohup /conf/yourscript.sh &".
# Do not put "wpa_supplicant" in the script's own file name: the pgrep -f pattern below
# would then match this script and kill it.

# To create password hash do "echo -n your_password | iconv -t utf16le | openssl md4"
# (the NT hash: MD4 over the UTF-16LE encoded password, which is what MSCHAPv2 uses).
PASSWORD="hash:<redacted>"
IDENTITY="<redacted>"
INTERFACE="vmx2"

# Comma-separated list of wpa_cli commands, applied in order to network block 0.
# The escaped quotes reach wpa_cli literally; it needs them around string values.
PARAMS="\
  ap_scan 0,\
  eapol_flags 0,\
  add_network,\
  set_network 0 key_mgmt IEEE8021X,\
  set_network 0 eap PEAP,\
  set_network 0 eapol_flags 0,\
  set_network 0 phase2 \\\"auth=MSCHAPV2\\\",\
  set_network 0 identity \\\"${IDENTITY}\\\",\
  set_network 0 password ${PASSWORD},\
  enable_network 0\
"

################################################################################

logger -s "WPA (${INTERFACE}): Beginning WPA authorization process."

WPA_DAEMON_CMD="wpa_supplicant -D wired -i ${INTERFACE} -C /var/run/wpa_supplicant -B"
# Always address the control socket of this interface's supplicant; pfSense may be
# running other wpa_supplicant instances (e.g. for wireless interfaces).
WPA_CLI="wpa_cli -i ${INTERFACE}"

# Kill any existing wpa_supplicant process for this interface.
# (A test written as "[ ${PID} > 0 ]" is a shell redirection, not a comparison.)
PID=$(pgrep -f "wpa_supplicant.*${INTERFACE}")
if [ -n "${PID}" ];
then
  logger -s "WPA (${INTERFACE}): Terminating existing supplicant on PID ${PID}."
  kill ${PID}
fi

# Start wpa_supplicant daemon.
${WPA_DAEMON_CMD}
PID=$(pgrep -f "wpa_supplicant.*${INTERFACE}")
if [ -z "${PID}" ];
then
  logger -s "WPA (${INTERFACE}): Supplicant failed to start, exiting."
  exit 1
fi
logger -s "WPA (${INTERFACE}): Supplicant running on PID ${PID}."

# Set WPA configuration parameters.
logger -s "WPA (${INTERFACE}): Setting network configuration."
OLD_IFS="${IFS}"
IFS=","
for STR in ${PARAMS};
do
  STR="$(printf '%s\n' "${STR}" | sed -e 's/^[[:space:]]*//')"
  # eval re-parses the string, so the escaped quotes become real quotes for wpa_cli.
  eval ${WPA_CLI} ${STR}
done
IFS="${OLD_IFS}"

# Wait until the supplicant reports the port as authorized.
WPA_STATUS_CMD="${WPA_CLI} status | grep 'suppPortStatus' | cut -d= -f2"
IP_STATUS_CMD="ifconfig ${INTERFACE} | grep 'inet ' | cut -d' ' -f2"

logger -s "WPA (${INTERFACE}): Waiting for authorization."

# Loops until authorized; the script is started in the background, so it does not block boot.
while true;
do
  WPA_STATUS=$(eval ${WPA_STATUS_CMD})
  if [ "${WPA_STATUS}" = "Authorized" ];
  then
    logger -s "WPA (${INTERFACE}): Authorization completed."

    IP_STATUS=$(eval ${IP_STATUS_CMD})

    if [ -z "${IP_STATUS}" ] || [ "${IP_STATUS}" = "0.0.0.0" ];
    then
      logger -s "WPA (${INTERFACE}): No IP address assigned, force restarting DHCP."
      /etc/rc.d/dhclient forcerestart ${INTERFACE}
      IP_STATUS=$(eval ${IP_STATUS_CMD})
    fi
    logger -s "WPA (${INTERFACE}): IP address is ${IP_STATUS}."
    break
  else
    sleep 1
  fi
done

logger -s "WPA (${INTERFACE}): Process complete, exiting."
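The same PEAP/MSCHAPv2 setup expressed as a wpa_supplicant configuration file rather than a sequence of wpa_cli calls, as an added example that is not part of the ticket or of pfSense. The CA bundle path /etc/ssl/cert.pem, the output path /conf/wired_8021x.conf and the function names are assumptions. The "hash:" password form is the NT hash the posted script's comment describes (MD4 over the UTF-16LE password; on OpenSSL 3 the md4 digest lives in the legacy provider, which must be loaded). The ca_cert line is the check the wpa_cli version omits: without it the supplicant completes PEAP against any RADIUS server the switch forwards it to and hands that server the MSCHAPv2 response.

```shell
#!/bin/sh
# Added example, not code from the ticket or from pfSense: generate a
# wpa_supplicant.conf for wired 802.1X (PEAP with MSCHAPv2) and parse the
# supplicant's status output. Paths and names are assumptions.

# Emit a wpa_supplicant configuration block for wired 802.1X.
#   $1  identity (EAP identity)
#   $2  password, either plain text or "hash:<NT hash>" (MD4 over UTF-16LE)
#   $3  CA bundle used to validate the RADIUS server certificate (assumed path)
gen_wired_8021x_conf() {
    identity="$1"
    password="$2"
    ca_cert="$3"
    # wpa_supplicant syntax: quoted string for plain passwords, bare hash:... for NT hashes
    case "$password" in
        hash:*) pw_line="password=$password" ;;
        *)      pw_line="password=\"$password\"" ;;
    esac
    cat <<EOF
ctrl_interface=/var/run/wpa_supplicant
ap_scan=0
network={
    key_mgmt=IEEE8021X
    eap=PEAP
    identity="$identity"
    $pw_line
    ca_cert="$ca_cert"
    phase2="auth=MSCHAPV2"
    eapol_flags=0
}
EOF
}

# Read "wpa_cli status" output on stdin; succeed only when the authenticator has
# opened the port (suppPortStatus=Authorized). Any other value, or no such line, fails.
supp_port_authorized() {
    awk -F= '$1 == "suppPortStatus" && $2 == "Authorized" { found = 1 } END { exit !found }'
}

# Write the configuration with owner-only permissions: it stores a reusable credential.
#   $1 output path, followed by the three gen_wired_8021x_conf arguments
write_wired_8021x_conf() {
    out="$1"
    shift
    # umask in a subshell so the caller's umask is left untouched
    ( umask 077; gen_wired_8021x_conf "$@" > "$out" )
}

# Usage (constructed values, assumed paths):
#   write_wired_8021x_conf /conf/wired_8021x.conf alice 'hash:<nt hash>' /etc/ssl/cert.pem
#   wpa_supplicant -D wired -i vmx2 -c /conf/wired_8021x.conf -B
#   wpa_cli -i vmx2 status | supp_port_authorized && echo "port open"
```

Started with -c, the supplicant re-reads this file on its own restarts, so the wpa_cli replay loop and its IFS juggling disappear; the suppPortStatus check is the same one the posted script's wait loop greps for. If the RADIUS server's certificate is issued by a private CA, point ca_cert at that CA's certificate rather than the system bundle, and consider adding a subject_match or domain_suffix_match line so that any certificate from that CA does not pass.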
