OpenWrt Forum Archive

Topic: [HOWTO] Wired 802.1X

The content of this topic has been archived on 21 Apr 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

It is possible to do wired 802.1X authentication with devices that have a Broadcom switch.
Here is what you need to know.

First off some devices have a WAN port that is internally separated from the switch. If you happen to have such a device it is preferable to use this WAN port for authentication. No special actions ought to be taken and the ordinary wired driver of wpa_supplicant should suffice.

If authentication through a RoboSwitch (the family name of Broadcom switch chipsets) is desired, you need a version of wpa_supplicant with the roboswitch driver included. Note that Kamikaze 8.09 does not have such a version by default.
You can build wpa_supplicant from the trunk sources. If you selected Broadcom/2.4 as your target, the roboswitch driver is included per default. For other targets (i.e. Broadcom/2.6) you need to modify package/wpa_supplicant/config to contain "CONFIG_DRIVER_ROBOSWITCH=y".

Early versions of the roboswitch driver are only able to receive packets sent to the PAE group address. If you need authentication on an "own MAC address" basis there are two things you can do.

ONE
When the internal switch port is untagged in the vlan used for authentication, wpa_supplicant will receive all EAPOL frames on the vlan. This has the disadvantage that frames directed at other clients are treated as if they are part of the local authenticalion. This is no problem when the router is the only device authenticating to an authenticator on the chosen vlan, but violates the IEEE 802.1X.

Example: suppose you wish to authenticate on port 0 (internal numbering) in vlan 1 and the authenticator sends its packets to your MAC address. You can make the internal port untag frames in vlan 1 by giving the following command:

# echo 0 5u > /proc/switch/eth0/vlan/1/ports

Next you run wpa_supplicant on interface eth0.1, with driver roboswitch.

TWO
Use a recent (still unreleased on April 16, 2009) version of the roboswitch driver. New versions are able to receive and filter EAPOL frames in an 802.1X conform way.


IMPORTANT NOTE
When using a new (post 0.6.9) version of wpa_supplicant and the roboswitch driver you should use the multicast_only parameter whenever possible:

# wpa_supplicant -i <interface>.<vlan> -D roboswitch -p multicast_only=1 [etc.]

This is because the new EAPOL filter is a little CPU intensive and can suffer frame drop.
So: if authentication takes place on the PAE group address, just use the parameter. If all EAPOL frames are relevant for authentication, use the parameter, combined with method ONE (above). Else: live with the CPU strain.

jouke wrote:

Precompiled packages of wpa_supplicant and wpa_cli for Kamikaze 8.09 are available at
http://www.liacs.nl/~jwitteve/openwrt/8 … /packages/
and
http://www.liacs.nl/~jwitteve/openwrt/8 … /packages/

They consist of a version 0.6.9 build with backported roboswitch driver (the new revision) so you should read the IMPORTANT NOTE above before use.

Hi!
Thanks for your work, but the files are currently unaccessible! (Access forbidden Error 403)
Would be very nice if you fix that!
Thx

Thanks for reporting! Fixed.

Please keep me informed of any other problem that might arise.

Anybody know if it's possible to do wired 802.1x on a box running atheros chip with adm6996 switch chip?  Note - I'm trying to run as a 802.1x authenticator (not a client).

(Last edited by bob on 13 May 2009, 21:11)

Thanks a lot for your information jouke! It was very usefull in my case. I used your pre-compiled binaries for a couple months on my wrt54GL with success. However because of limited throughput between the router-port and the switch of the 54G (~30mbit) I just bought a new wrt320n. The problem is that these binaries do not appear to work correctly on the new router.

root@router:/#wpa_supplicant -D roboswitch  -i eth0.1 -c /tmp/surfnet2.conf  -p multica
st_only=1

ioctl[SIOCGMIIPHY]: Bad address
Failed to initialize driver interface

I assume this device still uses the roboSwitch chip and the same cpu architecture so the only difference I can find is that I currently use linux kernel 2.6 instead (which is necessary for the 320n).
Is it necessary to recompile wpa_supplicant for 2.6? I have not succeeded in doing so. Is there maybe a pre-compiled binary available for this somewhere?

I've been trying to follow your tutorial to enable 802.1x authentication, while using the pre-compiled packages. However, when using the roboswitch driver, I get the following error:

wpa_driver_roboswitch_init: Could not get port information for VLAN 1

Any ideas? This is my configuration and command structure:

root@OpenWrt:/etc# wpa_supplicant -i eth0.1 -D roboswitch -c /etc/wpa_supplicant.conf
wpa_driver_roboswitch_init: Could not get port information for VLAN 1
Failed to initialize driver interface

root@OpenWrt:/etc# ifconfig
br-lan    Link encap:Ethernet  HWaddr 
          inet addr:192.168.1.1  Bcast:192.168.1.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:2739 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2561 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:365724 (357.1 KiB)  TX bytes:1734108 (1.6 MiB)

eth0      Link encap:Ethernet  HWaddr 
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:6129 errors:0 dropped:0 overruns:0 frame:0
          TX packets:3587 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:2010961 (1.9 MiB)  TX bytes:1966224 (1.8 MiB)
          Interrupt:5

eth0.0    Link encap:Ethernet  HWaddr 
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:2739 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2561 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:376680 (367.8 KiB)  TX bytes:1744352 (1.6 MiB)

eth0.1    Link encap:Ethernet  HWaddr 
          inet addr:     Bcast:  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:3381 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1026 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:1523508 (1.4 MiB)  TX bytes:204245 (199.4 KiB)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:20 errors:0 dropped:0 overruns:0 frame:0
          TX packets:20 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:1419 (1.3 KiB)  TX bytes:1419 (1.3 KiB)

More info:
Router: Linksys WRT54G v2
Firmware: Kamikaze (r18961)
System: Broadcom BCM4712 chip rev 1
Processor: BCM3302 V0.7

If anyone could point me in the right direction, I'd be grateful. Thanks!

Are you running the brcm-2.4 or the brcm-47xx version of the firmware and or the custom wpa package?

I have tried both the brcm-2.4 and brcm-47xx firmware versions, with the respective pre-compiled packages of wpa_supplicant and wpa_cli as listed above. Both cases failed with the above error message...

Thanks,
Mike

The roboswitch driver works with the RoboSwitch chip. According to the wiki your device has an ADM6996L switch chip. Sorry.

Thanks for the info, jouke. Turns out, my router works with the following:

Router: WRT54G V2.0
Firmware: backfire/10.03/brcm-2.4/openwrt-brcm-2.4-squashfs.trx
Command: wpa_supplicant -i eth0.1 -D wired -c /etc/wpa.conf

I have yet to do further testing, but functionality is there. I can post my wpa.conf if anyone would like it.

Also thanks to this tutorial for more information: https://forum.openwrt.org/viewtopic.php?id=19791

Has anyone compiled a version of hostapd with roboswitch wired support?  I want to run hostapd as the authenticator on a WRT54GS unit, but don't get the EAPOL frames... sad

There are a few others posting re: broadcom and hostapd I've noticed - is this impossible to do due to the lack of driver, or...?
(I gather there maybe some way to use CFE/et - but I don't want to JTAG the board JUST for CFE for this one thing)

Hi,

Can I use Backfire x86 recent version for testing wired 802.1x under VMware somehow?

TIA,

Does it exist similar as this Roboswitch-possibility on Atheros-based routers? Or would I need to assume that my WRT160NL was a bad buy and go out buy the E3000?

The discussion might have continued from here.