
Add EAPOL login support
Closed, Resolved | Public | FEATURE REQUEST

Description

Some ISPs require EAPOL on the WAN interface.

I made a very basic implementation, right now it just takes a wpa_supplicant config as an argument to get it working.

cat /opt/vyatta/share/vyatta-cfg/templates/interfaces/ethernet/node.tag/eapol/node.def
priority: 382

type: txt

help: wpa_supplicant config file for EAPOL


create:
        sudo /sbin/wpa_supplicant -B -d -Dwired -i$VAR(../@) \
            -c$VAR(@) \
            -f/var/log/wpa_supplicant-$VAR(../@).log \
            -P/var/run/wpa_supplicant-$VAR(../@).pid

delete:
        sudo kill `cat /var/run/wpa_supplicant-$VAR(../@).pid`

update:
        sudo kill `cat /var/run/wpa_supplicant-$VAR(../@).pid`
        sudo /sbin/wpa_supplicant -B -d -Dwired -i$VAR(../@) \
            -c$VAR(@) \
            -f/var/log/wpa_supplicant-$VAR(../@).log \
            -P/var/run/wpa_supplicant-$VAR(../@).pid

I suppose a proper implementation needs to write the wpa_supplicant config instead of taking a file argument.

Is it possible to use the new xml method, when the rest of the interface is using the old method?

I only know the options needed for EAP-TLS, so I'm not sure of all the options that need to be included.

Let me know if I should submit it as a PR.
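The description above asks for an implementation that writes the wpa_supplicant config itself instead of taking a file path. The following is an added example, not code from the VyOS task or the VyOS project, of what such a generator could look like in Python. The function names, the requirement that the identity be a MAC address (the convention used throughout this thread), and the private-key permission check are assumptions.

```python
"""Render a wpa_supplicant config for wired 802.1X with EAP-TLS.

Added example, not VyOS code: a sketch of "write the wpa_supplicant config
instead of taking a file argument".  Assumptions: the parameter names, that
the identity is a MAC address (the convention used in this thread), and the
private-key permission check.
"""
import os
import re
import stat

_MAC_RE = re.compile(r"^[0-9a-f]{2}(:[0-9a-f]{2}){5}$", re.IGNORECASE)


def key_mode_ok(mode: int) -> bool:
    """True when the permission bits grant nothing to group or other."""
    return (mode & (stat.S_IRWXG | stat.S_IRWXO)) == 0


def check_private_key_perms(path: str) -> bool:
    """wpa_supplicant runs as root, so the key only needs owner access; a
    group- or world-readable key lets any local user impersonate the router."""
    return key_mode_ok(os.stat(path).st_mode)


def render_wpa_conf(iface: str, ca_cert: str, client_cert: str,
                    private_key: str, identity: str,
                    allow_canned_success: bool = False,
                    eapol_version: int = 2) -> str:
    """Return the text of a wired EAP-TLS wpa_supplicant configuration."""
    if not _MAC_RE.match(identity):
        raise ValueError(f"identity must be a MAC address, got {identity!r}")
    for path in (ca_cert, client_cert, private_key):
        if not path.startswith("/") or '"' in path:
            raise ValueError(f"certificate paths must be absolute and quote-free: {path!r}")
    lines = [
        f"### Generated for {iface} ###",
        "ctrl_interface=/run/wpa_supplicant",
        f"eapol_version={eapol_version}",
        "ap_scan=0",        # wired link: nothing to scan for
        "fast_reauth=1",
        "network={",
        f'    ca_cert="{ca_cert}"',        # without this the server is not verified
        f'    client_cert="{client_cert}"',
        f'    private_key="{private_key}"',
        "    key_mgmt=IEEE8021X",
        "    eap=TLS",
        f'    identity="{identity}"',
        "    eapol_flags=0",    # wired authentication will not complete otherwise
    ]
    if allow_canned_success:
        # Accepts EAP-Success without a completed exchange; opt-in only, because
        # it drops wpa_supplicant's protection against a rogue authenticator.
        lines.append('    phase1="allow_canned_success=1"')
    lines.append("}")
    return "\n".join(lines) + "\n"


def write_wpa_conf(path: str, text: str) -> None:
    """Write the rendered config with owner-only permissions."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(text)
```

In a real integration the arguments would come from the CLI nodes (the CA, certificate and key file paths, and the interface's hw-id as identity). check_private_key_perms is worth running at commit time: the private key is the EAP-TLS identity, and a readable copy lets any local user authenticate to the ISP as the router.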

Details

Difficulty level
Normal (likely a few hours)
Version
1.3-rolling
Why the issue appeared?
Will be filled on close
Is it a breaking change?
Perfectly compatible

Related Objects

Status | Subtype | Assigned | Task
In progress | FEATURE REQUEST | None |
Resolved | FEATURE REQUEST | None |
Resolved | FEATURE REQUEST | c-po |
Resolved | FEATURE REQUEST | c-po |

Event Timeline

mb300sd created this object in space S1 VyOS Public.

Trying to figure out how to do this via xml. Seems like it generates the .def files from the xml. Does it require rebuilding the whole image to test?

mb300sd changed the subtype of this task from "Task" to "Feature Request".Jun 25 2019, 11:13 PM
syncer assigned this task to Unknown Object (User).Aug 31 2019, 12:05 AM
syncer triaged this task as Normal priority.
syncer edited projects, added VyOS 1.3 Equuleus; removed VyOS 1.2 Crux.

I need to use wpa_supplicant on a wired interface. Currently running on 1.3 rolling 2020-08-01 and used a manual entry in /etc/network/interfaces ('wpa-driver wired'). Attempted on rolling 2020-12-24 and it seems that VyOS no longer respects settings in /etc/network/interfaces, so it would require this capability. On boot, running sudo /usr/sbin/wpa_supplicant -Dwired -ieth0 -c /config/myconfig.conf works but is not survivable on reboot.

Please share the content of your myconfig.conf file, let's see if we can finally add this.

My ISP uses EAP-TLS. I have a script in firstboot.d that sets up auth on eth0 (my WAN). It's worked for the past year of rolling releases (up to at least VyOS 1.3-rolling-202012260217, which I am currently on).

Contents of /config/EAPOL/wpa_supplicant.conf:

eapol_version=1
ap_scan=0
fast_reauth=1
network={
        ca_cert="/config/EAPOL/ca-cert.pem"
        client_cert="/config/EAPOL/client-cert.pem"
        eap=TLS
        eapol_flags=0
        identity="88:96:00:00:00:00" # I have to spoof a MAC here.
        key_mgmt=IEEE8021X
        phase1="allow_canned_success=1"
        private_key="/config/EAPOL/private-key.pem"
}

/config/scripts/firstboot.d/EAPOL_setup.sh:

#!/usr/bin/env bash
set -e
# Point the wpa_supplicant-wired@ unit template at the config kept in /config
ln -sf /config/EAPOL/wpa_supplicant.conf /etc/wpa_supplicant/wpa_supplicant-wired-eth0.conf
# Replace the generic service with the per-interface wired instance
systemctl stop wpa_supplicant.service
systemctl disable wpa_supplicant.service
systemctl enable wpa_supplicant-wired@eth0.service
systemctl start wpa_supplicant-wired@eth0.service

interface eth0 config (vlan 0 is specific to my provider I believe):

ethernet eth0 {
    description OUTSIDE
    hw-id a0:36:9f:1c:66:30
    vif 0 {
        address dhcp
        description "VLAN 0 EAPOL"
        firewall {
            in {
                name OUTSIDE-IN
            }
            local {
                name OUTSIDE-LOCAL
            }
            out {
                name IN-OUTSIDE
            }
        }
        mac 88:96:00:00:00:00
    }
}

There are certainly some things in here that are specific to my provider but hopefully this is helpful.

c-po changed the task status from Open to In progress.Dec 29 2020, 10:08 AM
c-po claimed this task.
c-po changed Difficulty level from Unknown (require assessment) to Normal (likely a few hours).
c-po changed Version from - to 1.3-rolling.
c-po set Is it a breaking change? to Perfectly compatible.
c-po added a subscriber: Unknown Object (User).

EAPoL will be part of any rolling release after vyos-1.3-rolling-202012290217-amd64.iso; please give this a spin and feed back any change requests.

https://docs.vyos.io/en/latest/configuration/interfaces/ethernet.html#authentication-eapol

CLI config:

vyos@vyos# show interfaces ethernet eth1
 description foo
 duplex auto
 eapol {
     ca-cert-file /config/auth/ovpn_test_ca.pem
     cert-file /config/auth/ovpn_test_server.pem
     key-file /config/auth/ovpn_test_server.key
 }
 hw-id 00:50:56:bf:ef:aa
 speed auto

Generated config:

vyos@vyos# cat /run/wpa_supplicant/eth1.conf
### Autogenerated by interfaces-ethernet.py ###

# see full documentation:
# https://w1.fi/cgit/hostap/plain/wpa_supplicant/wpa_supplicant.conf

# For UNIX domain sockets (default on Linux and BSD): This is a directory that
# will be created for UNIX domain sockets for listening to requests from
# external programs (CLI/GUI, etc.) for status information and configuration.
# The socket file will be named based on the interface name, so multiple
# wpa_supplicant processes can be run at the same time if more than one
# interface is used.
# /var/run/wpa_supplicant is the recommended directory for sockets and by
# default, wpa_cli will use it when trying to connect with wpa_supplicant.
ctrl_interface=/run/wpa_supplicant

# IEEE 802.1X/EAPOL version
# wpa_supplicant is implemented based on IEEE Std 802.1X-2004 which defines
# EAPOL version 2. However, there are many APs that do not handle the new
# version number correctly (they seem to drop the frames completely). In order
# to make wpa_supplicant interoperate with these APs, the version number is set
# to 1 by default. This configuration value can be used to set it to the new
# version (2).
# Note: When using MACsec, eapol_version shall be set to 3, which is
# defined in IEEE Std 802.1X-2010.
eapol_version=2

# No need to scan for access points in EAPoL mode
ap_scan=0

# EAP fast re-authentication
fast_reauth=1

network={
    ca_cert="/config/auth/ovpn_test_ca.pem"
    client_cert="/config/auth/ovpn_test_server.pem"
    private_key="/config/auth/ovpn_test_server.key"

    # list of accepted authenticated key management protocols
    key_mgmt=IEEE8021X
    eap=TLS

    identity="00:50:56:bf:ef:aa"

    # eapol_flags: IEEE 802.1X/EAPOL options (bit field)
    # Dynamic WEP key required for non-WPA mode
    # bit0 (1): require dynamically generated unicast WEP key
    # bit1 (2): require dynamically generated broadcast WEP key
    #      (3) = require both keys; default)
    # Note: When using wired authentication (including MACsec drivers),
    # eapol_flags must be set to 0 for the authentication to be completed
    # successfully.
    eapol_flags=0

    # For wired IEEE 802.1X authentication, "allow_canned_success=1" can be
    # used to configure a mode that allows EAP-Success (and EAP-Failure) without
    # going through authentication step. Some switches use such sequence when
    # forcing the port to be authorized/unauthorized or as a fallback option if
    # the authentication server is unreachable. By default, wpa_supplicant
    # discards such frames to protect against potential attacks by rogue
    # devices, but this option can be used to disable that protection for cases
    # where the server/authenticator does not need to be authenticated.
    phase1="allow_canned_success=1"
}
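A check on the generated file before it is handed to wpa_supplicant, as an added example that is not part of this task or of VyOS: it parses the global and network={...} sections and flags the settings the comments in the generated config call out (eapol_flags must be 0 on a wired link, a missing ca_cert leaves the authentication server unverified, allow_canned_success=1 disables the rogue EAP-Success protection). SAMPLE_CONF is constructed here to mirror the generated eth1.conf; the function names and finding texts are assumptions.

```python
"""Lint a wpa_supplicant config for wired 802.1X before handing it to
wpa_supplicant.

Added example, not part of the VyOS task or project: a parser for the
global / network={...} key-value layout plus checks that mirror the caveats
in the generated file's comments.  SAMPLE_CONF is constructed here to match
the generated eth1.conf; function names and finding texts are assumptions.
"""

SAMPLE_CONF = """\
ctrl_interface=/run/wpa_supplicant
eapol_version=2
ap_scan=0
fast_reauth=1
network={
    ca_cert="/config/auth/ovpn_test_ca.pem"
    client_cert="/config/auth/ovpn_test_server.pem"
    private_key="/config/auth/ovpn_test_server.key"
    key_mgmt=IEEE8021X
    eap=TLS
    identity="00:50:56:bf:ef:aa"   # matches the interface hw-id
    eapol_flags=0
    phase1="allow_canned_success=1"
}
"""


def _strip_comment(raw: str) -> str:
    """Drop a trailing # comment, but not a # inside a quoted value."""
    out, in_quotes = [], False
    for ch in raw:
        if ch == '"':
            in_quotes = not in_quotes
        elif ch == "#" and not in_quotes:
            break
        out.append(ch)
    return "".join(out).strip()


def parse_wpa_conf(text: str):
    """Return (global_settings, [network_blocks]) with quotes removed."""
    global_settings, networks, current = {}, [], None
    for raw in text.splitlines():
        line = _strip_comment(raw)
        if not line:
            continue
        if line.replace(" ", "") == "network={":
            current = {}
            networks.append(current)
            continue
        if line == "}":
            current = None
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"malformed line: {raw!r}")
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        target = global_settings if current is None else current
        target[key.strip()] = value
    return global_settings, networks


def lint_wired_conf(text: str):
    """Return [(severity, message)] for a wired EAP-TLS supplicant config."""
    g, nets = parse_wpa_conf(text)
    findings = []
    if g.get("ap_scan") != "0":
        findings.append(("warn", "ap_scan should be 0 on a wired interface"))
    if not nets:
        return findings + [("error", "no network={} block")]
    for n in nets:
        if n.get("key_mgmt") != "IEEE8021X":
            findings.append(("error", "key_mgmt must be IEEE8021X for wired 802.1X"))
        # wpa_supplicant's default is 3 (require dynamic WEP keys), which never
        # completes on a wired link.
        if n.get("eapol_flags", "3") != "0":
            findings.append(("error", "eapol_flags must be 0 for wired authentication"))
        if n.get("eap") == "TLS":
            for k in ("client_cert", "private_key"):
                if not n.get(k):
                    findings.append(("error", f"{k} missing for EAP-TLS"))
        if not n.get("ca_cert") and not n.get("ca_path"):
            findings.append(("error", "ca_cert missing: the server certificate is not verified"))
        if "allow_canned_success=1" in n.get("phase1", ""):
            findings.append(("warn", "allow_canned_success=1 accepts EAP-Success "
                                     "from an unauthenticated peer; keep only if the ISP needs it"))
    return findings
```

Run against the generated file above, the only finding is the allow_canned_success warning, which is expected for ISPs that send a canned EAP-Success; dropping ca_cert or leaving eapol_flags at its default turns into errors, which is what a commit-time check should refuse.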
c-po changed the task status from In progress to Needs testing.Dec 29 2020, 11:05 AM

Tested and working for me today on VyOS 1.3-rolling-202012291104.

Just confirming 1.4-rolling-202101100217 works as well.

Thank you for the response. There is also a smoketest embedded which runs during ISO generation, ensuring this always works:

https://github.com/vyos/vyos-1x/blob/equuleus/smoketest/scripts/cli/test_interfaces_ethernet.py#L150-L184