janthony6/wpa_supplicant-udmpro

wpa_supplicant for UDM-SE

You will need to install Podman first by unzipping the contents of https://github.com/boostchicken-dev/udm-utilities/suites/4551796675/artifacts/122216505 into the root directory on your UDM-SE.

overview

This guide has primarily been written for authenticating to AT&T Fiber using wpa_supplicant on a UDM-SE. It is assumed that you've already retrieved your certificates from a modem supplied by AT&T. If you have not, you can purchase a used modem on eBay, such as the NVG589, and then root it to get the certificates.

Before moving on to the next section, make sure you've copied your root certificate into the CA_*.pem file per the instructions of the 802.1x Credential Extraction Tool (mfg_dat_decode).

running the docker image

  1. scp your certs and wpa_supplicant.conf to the UDM Pro
scp -r *.pem [email protected]:/tmp/
[email protected]'s password:
CA_001E46-xxxx.pem                                                          100% 3926     3.8KB/s   00:00
Client_001E46-xxxx.pem                                                      100% 1119     1.1KB/s   00:00
PrivateKey_PKCS1_001E46-xxxx.pem                                            100%  887     0.9KB/s   00:00

scp -r wpa_supplicant.conf [email protected]:/tmp/
wpa_supplicant.conf                                                         100%  680     0.7KB/s   00:00
  2. SSH to the UDM-SE, create a directory for the certs and wpa_supplicant.conf in the data directory, then copy the files over.
mkdir /mnt/data/wpa_supplicant/
cp -arfv /tmp/*pem /tmp/wpa_supplicant.conf /mnt/data/wpa_supplicant/
  3. Update the wpa_supplicant.conf to reflect the correct paths for our container. Do not run these more than once or you will end up with incorrect paths.
sed -i 's,ca_cert=",ca_cert="/etc/wpa_supplicant/conf/,g' /mnt/data/wpa_supplicant/wpa_supplicant.conf
sed -i 's,client_cert=",client_cert="/etc/wpa_supplicant/conf/,g' /mnt/data/wpa_supplicant/wpa_supplicant.conf
sed -i 's,private_key=",private_key="/etc/wpa_supplicant/conf/,g' /mnt/data/wpa_supplicant/wpa_supplicant.conf

After running the sed commands, verify your paths in wpa_supplicant.conf look something like this:

# cat wpa_supplicant.conf
# Generated by 802.1x Credential Extraction Tool
# Copyright (c) 2018-2019 devicelocksmith.com
# Version: 1.04 linux amd64
#
# Change file names to absolute paths
eapol_version=1
ap_scan=0
fast_reauth=1
network={
        ca_cert="/etc/wpa_supplicant/conf/CA_001E46-xxxxxxxx.pem"
        client_cert="/etc/wpa_supplicant/conf/Client_001E46-xxxxxx.pem"
        eap=TLS
        eapol_flags=0
        identity="10:05:B1:xx:xx:xx" # Internet (ONT) interface MAC address must match this value
        key_mgmt=IEEE8021X
        phase1="allow_canned_success=1"
        private_key="/etc/wpa_supplicant/conf/PrivateKey_PKCS1_001E46-xxxxxx.pem"
}
# WARNING! Missing AAA server root CA! Add AAA server root CA to CA_001E46-xxxxxx.pem
#
  4. Pull the image while you have an internet connection on the UDM-SE. This step is optional if you plan on running step 5 while you have an internet connection.
podman pull pbrah/wpa_supplicant-udmpro:v1.0
  5. Run the wpa_supplicant podman container. The podman run command below assumes you are using port 10 (SFP) or eth9 for your WAN. If not, adjust accordingly.
podman run --privileged --network=host --name=wpa_supplicant-udmpro -v /mnt/data/wpa_supplicant/:/etc/wpa_supplicant/conf/ --log-driver=json-file --restart unless-stopped -d -ti pbrah/wpa_supplicant-udmpro:v1.0 -Dwired -ieth9 -c/etc/wpa_supplicant/conf/wpa_supplicant.conf

Finishing Up

Lastly, you need to install the boot script to ensure your UDM-SE autostarts wpa_supplicant on reboot:

curl -fsL "https://raw.githubusercontent.com/boostchicken/udm-utilities/HEAD/on-boot-script/remote_install.sh" | /bin/sh

Copy this boot script for wpa_supplicant to /mnt/data/on_boot.d: https://github.com/boostchicken-dev/udm-utilities/blob/master/on-boot-script/examples/udm-files/on_boot.d/10-wpa_supplicant.sh

This will ensure that upon reboot, your UDM-SE autostarts WPA_Supplicant.

troubleshooting

If you are having issues connecting after starting your docker container, the first thing you should do is check your docker container logs.

podman logs -f wpa_supplicant-udmpro

From a recent case I assisted in troubleshooting, the user saw the following in their logs. This was due to their wpa_supplicant.conf having incorrect paths to the certificates. Refer to my example in the instructions to ensure yours are pointing to the correct location.

OpenSSL: tls_connection_ca_cert - Failed to load root certificates error:02001002:system library:fopen:No such file or directory
OpenSSL: pending error: error:2006D080:BIO routines:BIO_new_file:no such file
OpenSSL: pending error: error:0B084002:x509 certificate routines:X509_load_cert_crl_file:system lib
OpenSSL: tls_load_ca_der - Failed load CA in DER format error:02001002:system library:fopen:No such file or directory
OpenSSL: pending error: error:20074002:BIO routines:file_ctrl:system lib
OpenSSL: pending error: error:0B06F002:x509 certificate routines:X509_load_cert_file:system lib
TLS: Failed to set TLS connection parameters
EAP-TLS: Failed to initialize SSL.
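
The path rewrite in step 3 breaks the config if it is run twice, and the log above is what a wrong path looks like once the container starts. The script below is an added example, not part of this repository: it rewrites the three paths so that re-running is harmless, then checks from the host that every file the config references exists and that the private key is not readable by group or other. It assumes the mount from step 5; the function names and the sample file names are made up for the example.

```shell
#!/bin/sh
# Added example, not from the original repository. Assumes the guide's layout:
# the host directory holding the conf and .pem files is mounted in the
# container at /etc/wpa_supplicant/conf/.
CONTAINER_DIR="/etc/wpa_supplicant/conf"

# Prefix relative ca_cert/client_cert/private_key values with CONTAINER_DIR.
# Values that already start with "/" are skipped, so re-running is harmless.
fix_paths() {
    for key in ca_cert client_cert private_key; do
        sed -i "s,^\([[:space:]]*${key}=\"\)\([^/\"]\),\1${CONTAINER_DIR}/\2," "$1"
    done
}

# Print one line per problem. Returns 0 only if every referenced file exists
# on the host side of the mount and the private key has no group/other bits.
check_conf() {
    conf="$1"; host_dir="$2"; bad=0
    for key in ca_cert client_cert private_key; do
        val=$(sed -n "s,^[[:space:]]*${key}=\"\([^\"]*\)\".*,\1,p" "$conf" | head -n 1)
        case "$val" in
            "$CONTAINER_DIR"/*) rel=${val#"$CONTAINER_DIR"/} ;;
            *) echo "$key: '$val' is not under $CONTAINER_DIR/"; bad=1; continue ;;
        esac
        if [ ! -r "$host_dir/$rel" ]; then
            echo "$key: $host_dir/$rel missing or unreadable"; bad=1
        elif [ "$key" = private_key ] &&
             [ "$(ls -ld "$host_dir/$rel" | cut -c5-10)" != "------" ]; then
            echo "$key: $host_dir/$rel is group/other accessible, chmod 600 it"; bad=1
        fi
    done
    return "$bad"
}

# Build a constructed sample (placeholder file names, empty .pem files) in a
# temporary directory and echo its path.
make_sample() {
    d=$(mktemp -d)
    printf 'network={\n\tca_cert="CA_sample.pem"\n\tclient_cert="Client_sample.pem"\n\tprivate_key="Key_sample.pem"\n}\n' > "$d/wpa_supplicant.conf"
    touch "$d/CA_sample.pem" "$d/Client_sample.pem" "$d/Key_sample.pem"
    chmod 600 "$d/Key_sample.pem"
    echo "$d"
}

# With an argument, fix and check that conf in place; with none, use the sample.
conf="${1:-$(make_sample)/wpa_supplicant.conf}"
fix_paths "$conf"; fix_paths "$conf"   # second run is a no-op
check_conf "$conf" "$(dirname "$conf")" && echo "OK: $conf"
```

On the UDM-SE, pass /mnt/data/wpa_supplicant/wpa_supplicant.conf as the argument before starting the container.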
