Feature #5474
Add 802.1x configuration to wired interfaces.
Status: New
Priority: Normal
Assignee: -
Category: Interfaces
Target version: -
Start date: 11/17/2015
Due date:
% Done: 0%
Estimated time:
Plus Target Version:
Release Notes:
Description
pfSense already contains wpa_supplicant, which can also be used for wired interface 802.1x client authentication. This feature request is to add wpa_supplicant configuration on the interface configuration page for that purpose.
Please see https://www.reddit.com/r/PFSENSE/comments/2n41pk/wan_authentication_with_8021x/ for additional information.
Updated by Doug Dimick over 8 years ago
Here's a hacked-together shell script that can be used in the meantime:
#!/usr/bin/env sh

# I use this on pfSense to make wired 802.1x authentication work on startup.
# A good location to put this is in /conf, as that directory is retained during upgrades.
# You can use the shellcmd package to execute upon boot, like "nohup /conf/yourscript.sh &".
# To create password hash do "echo -n your_password | iconv -t utf16le | openssl md4"

PASSWORD="hash:<redacted>"
IDENTITY="<redacted>"
INTERFACE="vmx2"
PARAMS="\
    ap_scan 0,\
    eapol_flags 0,\
    add_network,\
    set_network 0 key_mgmt IEEE8021X,\
    set_network 0 eap PEAP,\
    set_network 0 eapol_flags 0,\
    set_network 0 phase2 \\\"auth=MSCHAPV2\\\",\
    set_network 0 identity \\\"${IDENTITY}\\\",\
    set_network 0 password ${PASSWORD},\
    enable_network 0\
"

################################################################################

logger -s "WPA (${INTERFACE}): Beginning WPA authorization process."

WPA_DAEMON_CMD="wpa_supplicant -D wired -i ${INTERFACE} -C /var/run/wpa_supplicant -B"

# Kill any existing wpa_supplicant process.
# pgrep prints nothing when no supplicant is running, so test for a non-empty result.
PID=$(pgrep -f "wpa_supplicant.*${INTERFACE}")
if [ -n "${PID}" ]; then
    logger -s "WPA (${INTERFACE}): Terminating existing supplicant on PID ${PID}."
    RES=$(kill ${PID})
fi

# Start wpa_supplicant daemon.
RES=$(${WPA_DAEMON_CMD})
PID=$(pgrep -f "wpa_supplicant.*${INTERFACE}")
logger -s "WPA (${INTERFACE}): Supplicant running on PID ${PID}."

# Set WPA configuration parameters.
# PARAMS is split on commas; each entry becomes one wpa_cli command.
logger -s "WPA (${INTERFACE}): Setting network configuration."
IFS=","
for STR in ${PARAMS}; do
    STR="$(echo -e "${STR}" | sed -e 's/^[[:space:]]*//')"
    RES=$(eval wpa_cli ${STR})
done

# Wait until wpa_cli has authenticated.
WPA_STATUS_CMD="wpa_cli status | grep 'suppPortStatus' | cut -d= -f2"
IP_STATUS_CMD="ifconfig ${INTERFACE} | grep 'inet\ ' | cut -d' ' -f2"
logger -s "WPA (${INTERFACE}): Waiting for authorization."
while true; do
    WPA_STATUS=$(eval ${WPA_STATUS_CMD})
    if [ X"${WPA_STATUS}" = X"Authorized" ]; then
        logger -s "WPA (${INTERFACE}): Authorization completed."
        IP_STATUS=$(eval ${IP_STATUS_CMD})
        if [ -z "${IP_STATUS}" ] || [ "${IP_STATUS}" = "0.0.0.0" ]; then
            logger -s "WPA (${INTERFACE}): No IP address assigned, force restarting DHCP."
            RES=$(eval /etc/rc.d/dhclient forcerestart ${INTERFACE})
            IP_STATUS=$(eval ${IP_STATUS_CMD})
        fi
        logger -s "WPA (${INTERFACE}): IP address is ${IP_STATUS}."
        break
    else
        sleep 1
    fi
done

logger -s "WPA (${INTERFACE}): Process complete, exiting."
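The script in the comment above configures PEAP without a ca_cert and hands the NT hash to wpa_cli as a command-line argument. As an added example (not part of the issue, the comment, or pfSense itself), the same network settings can be written to an owner-only wpa_supplicant configuration file that also pins the RADIUS server's CA and name. The function name, its arguments and the paths in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example: write a wired 802.1X PEAP/MSCHAPv2 profile for
# wpa_supplicant. Function name and arguments are hypothetical.

write_wired_8021x_conf() {
    out=$1 identity=$2 nt_hash=$3 ca_cert=$4 server_name=$5

    # The NT hash (MD4 of the UTF-16LE password) is exactly 32 hex digits.
    case $nt_hash in
        *[!0-9a-fA-F]*) echo "nt_hash: not hex" >&2; return 1 ;;
    esac
    [ "${#nt_hash}" -eq 32 ] || { echo "nt_hash: need 32 hex digits" >&2; return 1; }

    # These values are written inside double-quoted config strings, so
    # refuse empty values, embedded quotes and embedded newlines.
    nl='
'
    for v in "$identity" "$ca_cert" "$server_name"; do
        case $v in
            ''|*\"*|*"$nl"*) echo "invalid config value" >&2; return 1 ;;
        esac
    done

    # The NT hash is password-equivalent for MSCHAPv2: create the file
    # fresh with owner-only permissions (umask stays inside the subshell).
    (
        umask 077
        rm -f -- "$out" && cat > "$out" <<EOF
ctrl_interface=/var/run/wpa_supplicant
ap_scan=0
network={
    key_mgmt=IEEE8021X
    eap=PEAP
    eapol_flags=0
    phase2="auth=MSCHAPV2"
    identity="$identity"
    password=hash:$nt_hash
    ca_cert="$ca_cert"
    domain_suffix_match="$server_name"
}
EOF
    )
}

# Usage (constructed values):
#   write_wired_8021x_conf /conf/wpa_wired.conf user <nt_hash> /conf/radius-ca.pem radius.example.net
#   wpa_supplicant -D wired -i vmx2 -c /conf/wpa_wired.conf -B
```

With ca_cert and domain_suffix_match set, the supplicant refuses to run the MSCHAPv2 exchange against an authenticator whose certificate does not chain to that CA or match that name.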