OpenWrt Forum Archive

Topic: How to bridge an 802.1x wireless network with a WPA2 Personal network

The content of this topic has been archived on 21 Apr 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

I work in an environment that uses an 802.1x WiFi network that uses client certificates. I am looking for a creative solution that makes this WiFi network accessible to devices that can understand WPA2 Personal style only. This is how it works now.

   

  • Users first connect to the "Lenovo Guest" network. This is a WPA2 Personal style network.

  • When you try to access google.com, the web browser gets redirected to a page that prompts the user to download and run an application. I believe it is a Cisco or Aruba ClearPass installer or something of that sort. After running this application, the local certificate store on my PC gets updated with certs injected by this utility.

  • Then I see the "Lenovo BYOD" WiFi network when I scan for WiFi. I make my PC forget "Lenovo Guest" and then connect to the "Lenovo BYOD" network without any authentication. It connects fine and I have access to the internet.

What I am trying to do is use a router that understands 802.1x, provision it with the same certificate so that it connects to "Lenovo BYOD" as a client, and bridge its WiFi clients through NAT.

If there is a device that I can buy for $50 or less and configure, that would be perfect. I looked at the OpenWrt forums. It looks like it is possible if I burn OpenWrt firmware on a supported router. Before I go that route, I thought I would ask if this has been tried and if any solutions exist.

If you have suggestions to try OpenWRT configs, please share as well.

(Last edited by droidvideo on 28 Dec 2017, 02:10)

Administrators take a really dim view of people doing this.  With that said, if you only want Internet access and not a true bridge to the LAN, you can set up a routed client quite simply.  You will need the full version of wpad (instead of the stripped down "mini" version that is included by default) to connect to an 802.1x network.  Installing that will be much easier if your router has at least 8MB of flash instead of 4.

That's great! Can I buy an off-the-shelf router to do this?
Do you have recommendations?

Thanks

Look at the GL-Inet devices.  I prefer Atheros-based.  The new model that looks like a flash drive would be suitable for this.

I just purchased GL.inet AR300M on Amazon. Once it arrives, I guess the fun starts. :)

My GLinet router AR300M arrived. I set it up currently to use a wired port on my internet router and set up a test WiFi.
I see "Advanced settings" on its web UI, but when I click on it, it does not take me to the LuCI interface.

How do I get to the LuCI interface?
Eventually I would like to ssh/telnet to the router and configure it.

Thanks

They ship with a modified OpenWrt with a custom web interface, and a lot of optional packages like VPN already built in.  I've never used it. You can replace the whole OS with a standard build.  Probably if you administer by ssh it will be the same.

(Last edited by mk24 on 30 Dec 2017, 14:15)
