So my campus decided to employ the 802.1X protocol for authentication over the wired network in the dormitories at Michigan Tech. This is all great except that normal switches can’t participate in the authentication, because the EAPOL frames are exchanged at layer 2 before DHCP.
What we will need to do is connect directly to the wall port while running a program called wpa_supplicant, which will take care of the authentication. Then we will use dhclient to talk to a DHCP server and get an IP addy.

Here we go..
NOTE: Run everything following as root (don’t have to for creating the config)

1) First we have to install wpa_supplicant. It should be available via your package manager, so depending on your operating environment, go ahead and search for it. If you have any recent operating system (last 5 years), it will probably already contain this program.

2) Now we have to make our configuration file for wpa_supplicant. It doesn’t matter where we do this so make a file anywhere on your operating system. For example we will use /etc/wpa as our file. Copy and paste the following into the file editing only the identity and password fields.

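# ap_scan=0: wpa_supplicant does no AP scanning or selection (wired interface)
ap_scan=0
fast_reauth=1
network={
    key_mgmt=IEEE8021X
    eap=PEAP
    identity="username"
    password="password"
    # eapol_flags=0: no dynamic WEP keys, as required for wired authentication
    eapol_flags=0
    phase1="peaplabel=1"
    phase2="auth=MSCHAPV2"
}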

3) Make sure the config file you made is saved. We can now run wpa_supplicant. I recommend running this in a screen session to make things easier. Here’s what I used to run it:

# wpa_supplicant -ieth0 -c/etc/wpa -dd -Dwired

4) Go ahead and plug in your ethernet cable. wpa_supplicant should do its magic and authenticate you. It will be very verbose about what it’s doing. I would wait probably about 30 seconds, and if you don’t automatically get an IP address, go ahead and run the following to contact the DHCP server to get one.

# dhclient -nw eth0

You may have to wait a few seconds but you should eventually get an IP address from the pool and be on your way.

After authentication, you can Ctrl+C out of wpa_supplicant and get on with your life. You can also check out the wpa_supplicant man page to see how to make it run in the background if you don’t want it to bother you.
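
An added example, not part of the original post: a shell check to run on the config from step 2 before starting wpa_supplicant. It flags a missing key_mgmt=IEEE8021X, PEAP without ca_cert or ca_path (wpa_supplicant then does not verify the server certificate), and a cleartext password in a file readable by other users. The function name check_wpa_conf and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post. Returns the number of findings.
check_wpa_conf() {
    conf=$1
    findings=0
    # Drop leading whitespace and comment lines so only live settings match.
    live=$(sed -e 's/^[[:space:]]*//' -e '/^#/d' "$conf")
    # Wired 802.1X needs key_mgmt=IEEE8021X in the network block.
    if ! printf '%s\n' "$live" | grep -q '^key_mgmt=IEEE8021X'; then
        echo "FINDING: key_mgmt=IEEE8021X not set"
        findings=$((findings + 1))
    fi
    # PEAP without ca_cert/ca_path: the server certificate is not verified,
    # so the MSCHAPv2 exchange runs with whatever authenticator answers.
    if printf '%s\n' "$live" | grep -q '^eap=.*PEAP' &&
       ! printf '%s\n' "$live" | grep -Eq '^ca_(cert|path)='; then
        echo "FINDING: PEAP without ca_cert/ca_path"
        findings=$((findings + 1))
    fi
    # A cleartext password= line means the file should be owner-only (chmod 600).
    # Characters 5-10 of `ls -ld` output are the group and other permission bits.
    if printf '%s\n' "$live" | grep -q '^password=' &&
       [ "$(ls -ld "$conf" | cut -c5-10)" != "------" ]; then
        echo "FINDING: password in a file readable beyond its owner"
        findings=$((findings + 1))
    fi
    return "$findings"
}

# Constructed sample: a config like the one in step 2, saved world-readable.
demo=$(mktemp)
cat > "$demo" <<'EOF'
ap_scan=0
network={
    key_mgmt=IEEE8021X
    eap=PEAP
    identity="username"
    password="password"
    phase1="peaplabel=1"
    phase2="auth=MSCHAPV2"
}
EOF
chmod 644 "$demo"
check_wpa_conf "$demo" || echo "findings: $?"
rm -f "$demo"
```

To clear both findings on the sample, add a ca_cert line pointing at the CA certificate your network administrators publish and chmod 600 the file.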

Hopefully this helps. Done on Debian Lenny 2.6.26-2-amd64


Working on Debian 5 and 6 with varied NICs (some onboard, some expansion). This should work for you!


Mario Loria

