Add EAPOL login support
Closed, ResolvedPublicFEATURE REQUEST
Actions

Assigned To

Authored By

	mb300sd
	Jun 21 2019, 6:32 PM

Description

Some ISPs require EAPOL on the WAN interface.

I made a very basic implementation, right now it just takes a wpa_supplicant config as an argument to get it working.

cat /opt/vyatta/share/vyatta-cfg/templates/interfaces/ethernet/node.tag/eapol/node.def
priority: 382

type: txt

help: wpa_supplicant config file for EAPOL


create:
        sudo /sbin/wpa_supplicant -B -d -Dwired -i$VAR(../@) \
            -c$VAR(@) \
            -f/var/log/wpa_supplicant-$VAR(../@).log \
            -P/var/run/wpa_supplicant-$VAR(../@).pid

delete:
        sudo kill `cat /var/run/wpa_supplicant-$VAR(../@).pid`

update:
        sudo kill `cat /var/run/wpa_supplicant-$VAR(../@).pid`
        sudo /sbin/wpa_supplicant  -d -Dwired -i$VAR(../@) \
            -c$VAR(@) \
            -f/var/log/wpa_supplicant-$VAR(../@).log \
            -P/var/run/wpa_supplicant-$VAR(../@).pid

I suppose a proper implementation needs to write the wpa_supplicant config instead of taking a file argument.

Is it possible to use the new xml method, when the rest of the interface is using the old method?

I only know the options needed for EAP-TLS, so I'm not sure of all the options that need to be included.

Let me know if I should submit it as a PR.

Details

Version: 1.3-rolling
Is it a breaking change?: Perfectly compatible

Related Objects
Search...

Status	Subtype	Assigned	Task
In progress	FEATURE REQUEST	None	T3355 Remove all remaining legacy Vyatta code
Resolved	FEATURE REQUEST	None	T1579 Rewrite all interface types in new XML/Python style
Resolved	FEATURE REQUEST	c-po	T1637 Rewrite ethernet interface in new style XML syntax
Resolved	FEATURE REQUEST	c-po	T1466 Add EAPOL login support
Resolved	FEATURE REQUEST	c-po	T6709 Add EAPOL Bonding Support

Event Timeline

mb300sd created this task.Jun 21 2019, 6:32 PM

mb300sd created this object in space S1 VyOS Public.

Trying to figure out how to do this via xml. Seems like it generates the .def files from the xml Does it require rebuilding the whole image to test?

mb300sd changed the subtype of this task from "Task" to "Feature Request".Jun 25 2019, 11:13 PM

pasik subscribed.Jun 26 2019, 8:46 PM

syncer assigned this task to Unknown Object (User).Aug 31 2019, 12:05 AM

syncer triaged this task as Normal priority.

syncer edited projects, added VyOS 1.3 Equuleus; removed VyOS 1.2 Crux.

c-po added a parent task: T1637: Rewrite ethernet interface in new style XML syntax.Sep 12 2019, 6:44 AM

Codec subscribed.Apr 5 2020, 2:21 PM

aficustree subscribed.Dec 28 2020, 6:38 PM

need to use wpa_supplicant on a wired interface. Currently running on 1.3 rolling 2020-08-01 and used a manual entry in /etc/network/interfaces 'wpa-driver wired' . Attempted on rolling 2020-12-24 and it seems that VyOS no longer respects settings in /etc/network/interfaces so would require this capability. On boot, running sudo /usr/sbin/wpa_supplicant -Dwired -ieth0 -c /config/myconfig.conf works but no survivable on reboot

Please share the content of your myconfig.conf file, lets see of we can finally add this.

My ISP uses EAP-TLS. I have a script in firstboot.d that sets up auth on eth0 (my WAN). Its worked for the past year of rolling releases (up to at least VyOS 1.3-rolling-202012260217 that I am currently on.)

Contents of /config/EAPOL/wpa_supplicant.conf:

eapol_version=1
ap_scan=0
fast_reauth=1
network={
        ca_cert="/config/EAPOL/ca-cert.pem"
        client_cert="/config/EAPOL/client-cert.pem"
        eap=TLS
        eapol_flags=0
        identity="88:96:00:00:00:00" # I have to spoof a MAC here.
        key_mgmt=IEEE8021X
        phase1="allow_canned_success=1"
        private_key="/config/EAPOL/private-key.pem"
}

/config/scripts/firstboot.d/EAPOL_setup.sh:

#!/usr/bin/env bash
ln -s /config/EAPOL/wpa_supplicant.conf /etc/wpa_supplicant/wpa_supplicant-wired-eth0.conf
systemctl stop wpa_supplicant.service
systemctl disable wpa_supplicant.service
systemctl enable wpa_supplicant-wired@eth0.service
systemctl start wpa_supplicant-wired@eth0.service

interface eth0 config (vlan 0 is specific to my provider I believe):

ethernet eth0 {
    description OUTSIDE
    hw-id a0:36:9f:1c:66:30
    vif 0 {
        address dhcp
        description "VLAN 0 EAPOL"
        firewall {
            in {
                name OUTSIDE-IN
            }
            local {
                name OUTSIDE-LOCAL
            }
            out {
                name IN-OUTSIDE
            }
        }
        mac 88:96:00:00:00:00
    }
}

There are certainly some things in here that are specific to my provider but hopefully this is helpful.

c-po changed the task status from Open to In progress.Dec 29 2020, 10:08 AM

c-po claimed this task.

c-po edited a custom field.

c-po changed Version from - to 1.3-rolling.

c-po set Is it a breaking change? to Perfectly compatible.

c-po added a subscriber: Unknown Object (User).

EAPoL will be part of any rolling release after vyos-1.3-rolling-202012290217-amd64.iso, please give this a spin and feedback any change requests.

https://docs.vyos.io/en/latest/configuration/interfaces/ethernet.html#authentication-eapol

CLI config:

vyos@vyos# show interfaces ethernet eth1
 description foo
 duplex auto
 eapol {
     ca-cert-file /config/auth/ovpn_test_ca.pem
     cert-file /config/auth/ovpn_test_server.pem
     key-file /config/auth/ovpn_test_server.key
 }
 hw-id 00:50:56:bf:ef:aa
 speed auto

Generated config:

vyos@vyos# cat /run/wpa_supplicant/eth1.conf
### Autogenerated by interfaces-ethernet.py ###

# see full documentation:
# https://w1.fi/cgit/hostap/plain/wpa_supplicant/wpa_supplicant.conf

# For UNIX domain sockets (default on Linux and BSD): This is a directory that
# will be created for UNIX domain sockets for listening to requests from
# external programs (CLI/GUI, etc.) for status information and configuration.
# The socket file will be named based on the interface name, so multiple
# wpa_supplicant processes can be run at the same time if more than one
# interface is used.
# /var/run/wpa_supplicant is the recommended directory for sockets and by
# default, wpa_cli will use it when trying to connect with wpa_supplicant.
ctrl_interface=/run/wpa_supplicant

# IEEE 802.1X/EAPOL version
# wpa_supplicant is implemented based on IEEE Std 802.1X-2004 which defines
# EAPOL version 2. However, there are many APs that do not handle the new
# version number correctly (they seem to drop the frames completely). In order
# to make wpa_supplicant interoperate with these APs, the version number is set
# to 1 by default. This configuration value can be used to set it to the new
# version (2).
# Note: When using MACsec, eapol_version shall be set to 3, which is
# defined in IEEE Std 802.1X-2010.
eapol_version=2

# No need to scan for access points in EAPoL mode
ap_scan=0

# EAP fast re-authentication
fast_reauth=1

network={
    ca_cert="/config/auth/ovpn_test_ca.pem"
    client_cert="/config/auth/ovpn_test_server.pem"
    private_key="/config/auth/ovpn_test_server.key"

    # list of accepted authenticated key management protocols
    key_mgmt=IEEE8021X
    eap=TLS

    identity="00:50:56:bf:ef:aa"

    # eapol_flags: IEEE 802.1X/EAPOL options (bit field)
    # Dynamic WEP key required for non-WPA mode
    # bit0 (1): require dynamically generated unicast WEP key
    # bit1 (2): require dynamically generated broadcast WEP key
    #      (3) = require both keys; default)
    # Note: When using wired authentication (including MACsec drivers),
    # eapol_flags must be set to 0 for the authentication to be completed
    # successfully.
    eapol_flags=0

    # For wired IEEE 802.1X authentication, "allow_canned_success=1" can be
    # used to configure a mode that allows EAP-Success (and EAP-Failure) without
    # going through authentication step. Some switches use such sequence when
    # forcing the port to be authorized/unauthorized or as a fallback option if
    # the authentication server is unreachable. By default, wpa_supplicant
    # discards such frames to protect against potential attacks by rogue
    # devices, but this option can be used to disable that protection for cases
    # where the server/authenticator does not need to be authenticated.
    phase1="allow_canned_success=1"
}

c-po mentioned this in rVYOSONEXda23f084863d: xml: T1466: provide common includes for SSL certificate CLI nodes.Dec 29 2020, 10:55 AM

c-po mentioned this in rVYOSONEXd59354e52a8a: ethernet: T1466: add EAPoL support.

c-po changed the task status from In progress to Needs testing.Dec 29 2020, 11:05 AM

jack9603301 subscribed.Dec 29 2020, 12:13 PM

c-po mentioned this in rVYOSONEX29e32d39ddd9: smoketest: T1466: add eapol tests.Dec 29 2020, 8:09 PM

c-po mentioned this in rVYOSONEXd5e4561955b7: smoketest: interfaces: adjust to internal API changes.Dec 29 2020, 8:19 PM

Tested and working for me today on VyOS 1.3-rolling-202012291104.

c-po closed this task as Resolved.Dec 29 2020, 10:13 PM

just confirming 1.4-rolling-202101100217 works as well

Thank you for the response. There is also a smoketest wmbedded which runs during ISO ge erstion ensuring this always works:

https://github.com/vyos/vyos-1x/blob/equuleus/smoketest/scripts/cli/test_interfaces_ethernet.py#L150-L184

syncer moved this task from Need Triage to Finished on the VyOS 1.3 Equuleus board.Nov 6 2021, 8:40 PM