WPA2 Enterprise
I am wondering if you could offer me suggestions on how to make WPA2-EAP (aka Enterprise, 802.1x, Eduroam) function correctly. In OpenWrt it does work if a person installs wpad-wolfssl and attached is a screenshot of the additional fields needed for login.

The specific information that needs to be specified is: EAP-Method: PEAP, Authentication: EAP-MSCHAPv2, Identity: Username, and Password: Password. None of these options are available for any of the WPAx-EAP choices on ddwrt.

hi,
wpa2 enterprise is a bit of a sophisticated feature.
if you're still around i'd be willing to work with you to get it functional. i have all of the programs but no user has ever had the equipment/setup to test it.
@hheinrich any interest here?
I never was able to make it work on ddwrt when I wanted the router to log into the AP using WPA2 Enterprise. I did get it to work using OpenWrt but not when I was using OpenVPN. OpenVPN would work on ddwrt if I was connected with ethernet.
A little confused (sorry writing from my BlackBerry Passport so there'll be lots of needless metadata because apparently nothing wants to parse their break properly).
So with wpad-ssl everything worked? Without it you couldn't get it to work?
I'm trying to understand whether the issue is my build or how dd-wrt offers eap.
And I assume with wpad-ssl it works with openvpn too? You should try the latest builds just in case some of these issues were fixed in config by the joker.
It's my intention to have eap fully working so I'd like to get this right.
The router I was using was D-Link DIR-2640 A1.
> So with wpad-ssl everything worked? Without it you couldn't get it to work?
It works with wpad-wolfssl with OpenWRT. It is supposed to work with wpad-ssl (on OpenWRT) and for some people it did, but it didn't have the correct options to select like wpad-wolfssl.
> I'm trying to understand whether the issue is my build or how dd-wrt offers eap. And I assume with wpad-ssl it works with openvpn too?
I don't think it is your build. I think it is the way dd-wrt offers eap.
OpenVPN would not work with either wpad-ssl or wpad-wolfssl on OpenWRT. I could get the router to connect to the WPA2 Enterprise AP and devices could connect to the internet using the router's ethernet ports if I was not using VPN.
> You should try the latest builds just in case some of these issues were fixed in config by the joker. It's my intention to have eap fully working so I'd like to get this right.
I can try again, but it won't be until later this week. I tried to get official support for the D-Link DIR-2640 A1. I asked about it in the dd-wrt forum (https://forum.dd-wrt.com/phpBB2/viewtopic.php?p=1258894#1258894) and they requested I upload a default firmware dump. Then whoever was in charge of the forum blocked my ability to upload the default firmware dump. It appeared they wanted nothing to do with this router so I continued to use OpenWRT.
That's not a problem.
If you can tell me how to add the right features or fields to the eap section I'd be willing to do that. I want this working.
Yes on the dd-wrt forums you may get banned or squelched for mentioning this build. They claim I'm violating GPL but if I am, then brainslayer definitely is.
In reality I'm almost certain that there was huge pressure on BS to remove me from the forums (his external funders).
Most people hate these routers with OpenWrt or stock because openwrt's mt76, quite frankly, sucks. And stock doesn't offer what people want.
All I know is i'm pretty sure these routers on my firmware are competitive with wifi6 offerings. I'm using a 2012 mac pro with a decent wifi card and I hit 500/500. And it's not a 4x4 adapter. I'm pretty sure these are my card's limits and not the router's. But I could be wrong on this too and maybe it tops out at 500/500ish even with a 4stream adapter.
Anyways I'd like to add eap because it'll bring more people here.
Below are the missing items from ddwrt. There are variations or multiple combinations of the choices. However the ones that I'm interested in using are part of the 802.1x, Eduroam (https://eduroam.org/how/) which is used by universities all over the world. So this would help to get your release more exposure.
The specific information that needs to be specified is: EAP-Method: PEAP, Authentication: EAP-MSCHAPv2, Identity: Username, and Password: Password. None of these options are available for any of the WPAx-EAP choices on ddwrt.
I'll help by testing to see if ddwrt can connect after you make the changes.
thanks man i'll look into this.
just wondering: why are your HWADDRs showing as 00s? did you set them to that via nvram just to anonymise?
i was kind of concerned seeing that 😜
so i have been speaking to @paldier about this
i had the right program but it needed a big update to accommodate the new authentication protocols (PEAP, MSCHAPv2).
the first thing i realised after thinking about your request is that you need to put the radio in station mode (I THINK). maybe you're already doing that.
you're asking the router radio to act as a client, so this is the first hurdle and explains why you're not seeing those options in the menu.
the second hurdle is figuring out how to configure the /tmp/RT2860{_pci}.dat file to authenticate you.
i will be uploading a new build shortly here with an updated rtdot1x program. if you really want this to work i would recommend you check out the README file here:
https://github.com/SWRT-dev/swrt-gpl/tree/cd1ba230af0e545ae1450860d8a4741e3226540b/release/src/router/8021xd
you should be able to play with the dat files without me having to change the GUI. really that's how i've been able to test the current features people see in the menus before adding them.
i am pretty sure this program does what you want. the question is whether we can get the radio in station mode and have this program authenticate.
actually instead of uploading a new build now, i can just give you the program.
scp it to your ~ and make a symlink:
ln -s rt2860apd rtinicapd
call rt2860apd if you want to test it out on 2.4ghz radio, and rtinicapd if you want to test it on the 5ghz radio.
i think i figured out the problem.
i never built my stuff with WPA_SUPPLICANT2=y
this is probably why you couldn't do this. i am in the process of adding it as we speak
hehehe
the weird thing is i don't know how to get it to show up in the GUI. i think you'd have to put it in repeater mode or something? if you set the nvram variable "{wl0,wl1}_security_mode=8021X", the menu shows up.
posting it now. let me know where to find this option. it has to be there somewhere.
well? did you try it?
> you're asking the router radio to act as a client, so this is the first hurdle and explains why you're not seeing those options in the menu.
Yes, I want it to ONLY act as a client. I want to use it for WiFi-to-ethernet and not using the radios for AP.
> well? did you try it?
Sorry, I have not had a chance YET.
> i had the right program but it needed a big update to accommodate the new authentication protocols (PEAP, MSCHAPv2).
I was waiting until after your update. Tonight, I will put the update on my router and bring it with me tomorrow to test on the same WPA2 Enterprise network as when I first asked about this in March. Are you interested in anything in particular that I should look for?
I tried it and I can't get the option to show up.

It has to be in station mode.
You need to see if wl0_net_mode is 'sta' or 'apsta'
If it's not, then you have to set it to one of those before the option shows up.
sorry i meant wl0_mode should be 'sta'
or wl1_mode should be 'sta'.
i will probably add an apsta macro in there too but if you have sta it should show up.
> sorry i meant wl0_mode should be 'sta' or wl1_mode should be 'sta'.
Here's the list of modes that show up:

thanks for bringing this to my attention.
it turns out the way BS configured the code, you wouldn't be able to select 8021x from the menus if you were in STA because the 'client' option isn't there.
nor would you have been able to select 8021x in APSTA mode (repeater) because he didn't add the 'apsta' check for rt2880, which meant the menu didn't show up.
50843 will have this fixed, and i'm going to build and push it out right away here.
stay tuned.
This is not really a big deal, but I also noticed when I disabled a radio, the LED remains on. If disabled, then it will start OFF after a reboot.
What router do you have?
> What router do you have?
DIR-2640
i can't tell you why that's happening right now. i have an 882 and i'll check it out in an hour or so, but nothing in the code has changed for radios.
i do test this feature here and there but have not tested it recently.
i think that behaviour, of disabling the radio and rebooting with it 'off', is how it's supposed to work.
i didn't change anything there. all i did was add a little bit of code for the LEDs on the MT_WIFI driver. i didn't touch anything else.
how do you know it's disabled without seeing the light off?
usually when i tested it, i would hold the button until the light turned off, then hold it again until it turned on.
> how do you know it's disabled without seeing the light off?
I have not used the buttons on the back. I was disabling in the menu. It also does not turn on when enabled in the menu.

lollllll
you're using network mode 'disabled'. i never even tested that hahahhahahahah that's hilarious
> you're using network mode 'disabled'. i never even tested that hahahhahahahah that's hilarious
Yes, when it is disabled, the radio status changes to Inactive. If the radio is not active, then the LED should be off. Anyway, I thought I would point this out since you are doing a rebuild. If it's not easy to change, then don't worry about it.
it should be fixed in the next build.
have to rebuild for the extra line i needed to add to turn off the radio if you have it set as disabled.
should work in next build. it'll be up in 20 or 30 mins
There's now an option for station mode and the security mode has option for PEAP but is it really using MSCHAPv2 for the phase 2 authentication?

I also can't access the router after making the changes in the above screenshot. I have done reboot and still can't access router, but maybe I'm just impatient and will get it working. Here's some good news, the LED is on for the radio now that it is active. I didn't get to see if it goes off when set to inactive because I can't access router YET.
I'll try more tomorrow to see what happens. Thank you for your interest in this issue.
I don't get why your mac addresses are showing up as 0..
It's possible I need to tweak a few settings.
It's also not unlikely that when you apply the settings or reboot you can't access the router because something happens in the supplicant part of the code.
The first thing is to ensure you're getting a mac address and just zeroing it for the screenshot.
The next thing is: can you access the router via ssh via wired at all after applying the settings?
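
The question raised above, whether phase 2 is really MSCHAPv2, can be answered from the supplicant's configuration rather than from the GUI. As an added example (not part of the thread or of this firmware), the shell function below summarises each network block of a config in standard wpa_supplicant.conf syntax; that this build writes such a file is an assumption, and the sample blocks, identities and certificate path are constructed.

```shell
#!/bin/sh
# Added example, not code from the thread or from the firmware.
# Assumption: the supplicant config follows standard wpa_supplicant.conf
# syntax (network={ ... } blocks with eap=, phase2=, ca_cert= keys).

# audit_peap_conf [FILE]   (reads stdin when FILE is omitted)
# Prints one line per network block:
#   ssid=<name> eap=<outer> phase2=<inner> server_check=<yes|no>
# server_check is "yes" only when a CA certificate is set AND the RADIUS
# server name is pinned; without both, the client will run the MSCHAPv2
# exchange with any server that answers for that SSID.
audit_peap_conf() {
    awk '
    function val(line,   v) {
        v = line
        sub(/^[^=]*=[ \t]*/, "", v)        # drop "key="
        sub(/[ \t]+$/, "", v)              # drop trailing blanks
        sub(/^"/, "", v); sub(/"$/, "", v) # drop surrounding quotes
        return v
    }
    /^[ \t]*#/ { next }                    # skip comment lines
    /^[ \t]*network[ \t]*=[ \t]*[{]/ {
        inblk = 1; ssid = "-"; eap = "-"; phase2 = "-"; ca = 0; pin = 0
        next
    }
    inblk && /^[ \t]*[}]/ {
        chk = (ca && pin) ? "yes" : "no"
        printf "ssid=%s eap=%s phase2=%s server_check=%s\n", ssid, eap, phase2, chk
        inblk = 0
        next
    }
    inblk {
        key = $0
        sub(/^[ \t]+/, "", key)            # strip indentation
        sub(/[ \t]*=.*/, "", key)          # keep only the key name
        if (key == "ssid")   ssid = val($0)
        if (key == "eap")    eap = val($0)
        if (key == "phase2") phase2 = val($0)
        if (key == "ca_cert") ca = 1
        if (key == "domain_suffix_match" || key == "domain_match" || key == "altsubject_match") pin = 1
    }
    ' "$@"
}

# Constructed sample input: the same PEAP/MSCHAPv2 login written without
# and with server validation. All values are placeholders.
sample_conf() {
cat <<'EOF'
network={
    ssid="eduroam"
    key_mgmt=WPA-EAP
    eap=PEAP
    phase2="auth=MSCHAPV2"
    identity="user@example.edu"
    password="placeholder"
}
network={
    ssid="eduroam-pinned"
    key_mgmt=WPA-EAP
    eap=PEAP
    phase2="auth=MSCHAPV2"
    identity="user@example.edu"
    password="placeholder"
    ca_cert="/etc/ssl/radius-ca.pem"
    domain_suffix_match="radius.example.edu"
}
EOF
}

sample_conf | audit_peap_conf
```

A block reporting `phase2=-` sets no inner method explicitly, and one reporting `server_check=no` should get a CA certificate and server-name match before real credentials are entered.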