Wednesday, March 20, 2013

FreeBSD 9 Authenticate to 802.1X Wired Ethernet (LAN)

I've been searching high and low for a single solution to this problem, but there seems to be no good blog post or guide that answers it.

The scenario is that my workplace, NUS, is slowly rolling out 802.1X authentication for wired ethernet, that is, the LAN socket on the wall you connect your computer to. Yes, we now have to use our AD username and password to authenticate before we can get any sort of network connectivity after plugging into the LAN socket. Now, of course, there are guides for staff/students to get connectivity, but the guides are only for Windows, Mac, and (surprise!) Ubuntu. And even the Ubuntu guide only configures things through the GUI, with nothing on the actual command-line and configuration-file side.

After spending more than half a day (spread out in a 2-3 days period) hunting high and low, plus a little bit of reading and digging through the rc.d scripts, I finally managed to get my FreeBSD box to automatically authenticate, and obtain a DHCP lease from the wall socket. Phew!

It's actually only a two-step process. First, create /etc/wpa_supplicant.conf:
ctrl_interface=/var/run/wpa_supplicant
ctrl_interface_group=wheel
ap_scan=0
network={
 key_mgmt=IEEE8021X
 eap=PEAP
 identity="Username"
 password="secretpassword"
 eapol_flags=0
}
UPDATE: keymgmt should be key_mgmt with an underscore (ref). Thanks, Ryan Stark

Basically, the important thing you need is ap_scan=0. Also, I believe key_mgmt=IEEE8021X will ensure you're not using WPA or WEP or something of that sort. The following lines are pretty well documented. My organisation uses PEAP; as for eapol_flags, I have no idea what it does. You can try taking it out; I believe it worked for me either way. The first two lines just create an admin listening socket so that wpa_cli can poll it for changes, or simply query the status of the wpa_supplicant daemon. In my case, I am limiting the admin interface to members of group 'wheel' only.

Then, configure /etc/rc.conf like so:
ifconfig_bge0="WPA DHCP"
UPDATE: should be WPA instead of WAP (ref), thanks Thor Erik!

Where bge0 is your network interface. At first, I was wondering how to include -Dwired in rc.conf, but apparently the rc.d/wpa_supplicant script has already catered for that on wired interfaces. How neat!

Oh, by the way, if you want to test whether your configuration is right, you can run wpa_supplicant with verbose debugging as below:
wpa_supplicant -dd -Dwired -c /etc/wpa_supplicant.conf \
-i bge0
Bear in mind that if it succeeds, the daemon stays in the foreground and will not return you to the shell; you will need to Ctrl-Z it and bg it into the background if you wish to continue working.
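The two typos reported in the comments below (keymgmt instead of key_mgmt, WAP instead of WPA) and the clear-text password sitting in wpa_supplicant.conf are worth checking for before running netif restart. The script below is an added example, not code from this post: it lints both files against constructed sample copies, assuming only a POSIX shell with grep, find and mktemp.

```shell
#!/bin/sh
# Added example, not from the original post: a lint for the two files this post
# configures. It catches the typos raised in the comments (keymgmt vs key_mgmt,
# WAP vs WPA) and flags a clear-text password file that other users can read.
# The sample files written below are constructed, with dummy credentials.

check_supplicant_conf() {
    f="$1"; rc=0
    if grep -Eq '^[[:space:]]*keymgmt=' "$f"; then
        echo "$f: 'keymgmt' should be 'key_mgmt' (underscore)"; rc=1
    fi
    grep -Eq '^[[:space:]]*key_mgmt=IEEE8021X' "$f" ||
        { echo "$f: missing key_mgmt=IEEE8021X"; rc=1; }
    grep -Eq '^[[:space:]]*ap_scan=0' "$f" ||
        { echo "$f: wired 802.1X needs ap_scan=0"; rc=1; }
    # The password sits in clear text, so group/other must not be able to read it.
    if grep -Eq '^[[:space:]]*password=' "$f" &&
       [ -n "$(find "$f" \( -perm -004 -o -perm -040 \))" ]; then
        echo "$f: holds a password but is group/world readable; chmod 600 it"; rc=1
    fi
    # Without ca_cert= the supplicant accepts any server certificate for PEAP.
    grep -Eq '^[[:space:]]*ca_cert=' "$f" ||
        echo "$f: warning: no ca_cert=, the RADIUS server certificate is not verified"
    return $rc
}

check_rc_conf() {
    f="$1"; ifname="$2"
    line=$(grep -E "^ifconfig_${ifname}=" "$f") ||
        { echo "$f: no ifconfig_${ifname}= line"; return 1; }
    case $line in
        *WAP*) echo "$f: 'WAP' should be 'WPA' (ifconfig: WAP: bad value)"; return 1 ;;
        *WPA*DHCP*|*DHCP*WPA*) return 0 ;;
        *) echo "$f: expected ifconfig_${ifname}=\"WPA DHCP\""; return 1 ;;
    esac
}

# Constructed samples in a private temp directory (dummy username/password).
DIR=$(mktemp -d) && chmod 700 "$DIR"
printf 'ap_scan=0\nnetwork={\n key_mgmt=IEEE8021X\n eap=PEAP\n identity="user"\n password="x"\n}\n' > "$DIR/good.conf"
chmod 600 "$DIR/good.conf"
printf 'ap_scan=0\nnetwork={\n keymgmt=IEEE8021X\n password="x"\n}\n' > "$DIR/bad.conf"
chmod 644 "$DIR/bad.conf"
printf 'ifconfig_bge0="WPA DHCP"\n' > "$DIR/rc.good"
printf 'ifconfig_re0="WAP DHCP"\n' > "$DIR/rc.bad"
check_supplicant_conf "$DIR/good.conf"; check_rc_conf "$DIR/rc.good" bge0
```

Point the two functions at the real /etc/wpa_supplicant.conf and /etc/rc.conf (with your interface name) to lint a live system.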

Next up, I'd like to get it to join AD, register its IP address in AD's built-in DDNS, disallow AD users from logging in, but allow AD users to access the Samba file share.

4 comments:

  1. Hello,

    thanks for this post. It definitely helped get me down the line in getting 802.1x over wired setup.

    The first error I encountered was that the key management config line in the network stanza within wpa_supplicant.conf was missing an underscore.


    key_mgmt=IEEE8021X

    This worked as expected.


    The 2nd issue, which I have not yet resolved, is that the network interface throws an error when using the WAP option, but it does appear to work...

    rc.conf:
    ifconfig_re0="WAP DHCP"


    running: "/etc/rc.d/netif restart"

    shows the error: "ifconfig: WAP: bad value"

    however, having run wpa_supplicant with -dd in the background as mentioned in your post while restarting re0 shows that I do successfully connect and authenticate.

    "wpa_cli status" is another useful command to test your connectivity.
    1. WAP is probably meant to be WPA, ref https://www.freebsd.org/doc/handbook/network-wireless.html

    2. Thanks Ryan, I've updated the settings.

    3. Thanks Thor, looks like you're right. But somehow with the earlier version I used, WAP just somehow worked... Not sure why. But updated it anyway.
