How to configure an OpenWRT router as an 802.1X wired access client.

This post is written in English only.
I am a student at the University of Macau who lives in a dormitory and struggled with poor WiFi signal. Our campus uses the 802.1x authentication method for its wireless and wired internet service. I wrote this guide for other students at UM or other universities, but I am not sure if this guide will work for you. Anyway, this method works at our university. Please understand that I am not a native English speaker, so ask me if you don't understand any part of this guide.

In year 1 of my college life, I noticed my room's WiFi quality was really poor. It showed a full 5-bar signal indicator, but it regularly disconnected my device, which is very annoying when I use VoIP or a streaming service. As time went on, the college installed an additional AP in each room, but this also has problems when there are many people in the college.

Here is our campus' network infrastructure

So when you use the campus network, you need to authenticate your device before using it. The problem is that you can't use your own router to make a stable WiFi network in your dormitory: since you need to provide your student ID and password even on the wired network, an ordinary router can't log in for you. Of course, your laptop/desktop can do this with some configuration, but your router can't, as it doesn't know what PEAP or 802.1x authentication is. To do this, you need special router software called "OpenWRT". It is a lightweight Linux distribution for routers.


In this guide, you will use your OpenWRT router to connect to the wired campus network. Your router will provide your student account and password, so you can use your router the same way as at home or elsewhere. I assume you have an OpenWRT-based router and can establish an SSH connection to it. I will not explain how to install the OpenWRT firmware, as it is different for each device. You can check the OpenWRT Wiki and easily install it on your router. Log in to your router in your browser and, using the navigation bar, go to Network -> WiFi. Click the scan button and you will see the list of available wireless networks.


I am doing this because you will need an internet connection on your router to download and install some packages. If you don't have any public WiFi access, try using your laptop, or simply use your smartphone with network tethering. If your university is good, then just connect to the public network and make sure it has an internet connection (go to Google and see if it loads).

Once you are done, connect to the SSH shell and install nano (text editor) and wpad (wpa_supplicant).
opkg update
opkg install nano
opkg install wpad
If your shell says you can't install wpad because you have wpad-mini or a similar package, simply remove it (opkg remove wpad-mini). In my case, wpad-mini was installed by default and it couldn't connect to our campus network. If your router already has wpad, that's fine. Continue.

Type this command into your shell.
nano /etc/config/wpa.conf
Copy and paste this into the file.
ctrl_interface=/var/run/wpa_supplicant
ctrl_interface_group=root
ap_scan=0
network={
        key_mgmt=IEEE8021X
        eap=PEAP
        pairwise=CCMP TKIP
        identity="yourID"
        password="yourPASSWORD"
        phase2="auth=MSCHAPV2"
        priority=2
}

Warning for Windows Edge users! If you copy and paste something from the web, Edge will put some HIDDEN ASCII code in it, and it causes errors. Be especially careful when you do programming or this kind of copy and paste. MS should FIX this BUG!

Change your identity (this will be your student account) and password. Change the other settings if your organization uses a different way to authenticate your device. I have tested this configuration with the University of Macau campus network, so if you are a UM student, you only need to put your student ID and password there. I have highlighted these two fields for you, so make sure you don't change the other attributes.
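The configuration above sets no ca_cert, so wpa_supplicant does not verify the certificate of the authentication server, and the file holds your password in clear text. As an added example (not part of the original guide), this shell check flags those points and the hidden pasted characters from the Edge warning; the helper names and finding names are made up for this example, and it assumes one network block per file.

```shell
#!/bin/sh
# Added example (not from the guide): audit a wired 802.1X wpa_supplicant
# config. Assumes one network={} block per file; finding names are made up.

# True if FILE has an uncommented "key=" line for one of 'key1|key2'.
has_key() {
    grep -Eq "^[[:space:]]*($2)=" "$1"
}

# Prints one finding per line; returns 0 when there is nothing to report.
audit_wpa_conf() {
    conf=$1
    findings=""
    # Bytes outside printable ASCII and whitespace: pasted hidden characters.
    if LC_ALL=C grep -q '[^[:print:][:space:]]' "$conf"; then
        findings="$findings HIDDEN_BYTES"
    fi
    if has_key "$conf" 'eap'; then
        # No ca_cert/ca_path: the server certificate is not verified at all.
        has_key "$conf" 'ca_cert|ca_path' || findings="$findings NO_CA"
        # A trusted CA alone accepts any server it signed; pin the name too.
        has_key "$conf" 'domain_suffix_match|domain_match|altsubject_match' ||
            findings="$findings NO_SERVER_NAME_CHECK"
    fi
    # The password is stored in clear text, so only the owner may read it.
    if has_key "$conf" 'password'; then
        mode=$(ls -ld "$conf" | cut -c5-10)   # group and other permission bits
        [ "$mode" = "------" ] || findings="$findings READABLE_BY_OTHERS"
    fi
    for item in $findings; do echo "$item"; done
    [ -z "$findings" ]
}

# Constructed sample: the guide's settings with placeholder credentials.
sample_conf() {
    printf '%s\n' 'ap_scan=0' 'network={' '  key_mgmt=IEEE8021X' \
        '  eap=PEAP' '  identity="yourID"' '  password="yourPASSWORD"' \
        '  phase2="auth=MSCHAPV2"' '}'
}

# Demo: audit the sample in a temp file (mktemp creates it owner-only).
tmp=$(mktemp)
sample_conf > "$tmp"
audit_wpa_conf "$tmp" || true    # prints NO_CA and NO_SERVER_NAME_CHECK
rm -f "$tmp"
```

On the router, call `audit_wpa_conf /etc/config/wpa.conf` after editing the file; `chmod 600 /etc/config/wpa.conf` clears the last finding. The CA certificate for `ca_cert` and the server name for `domain_suffix_match` have to come from your campus IT department.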

Once you finish, press Ctrl+X and save it. Now make sure that the router's WAN port is properly connected to the network outlet. Run this command in your shell and you will get an internet connection after a few seconds.
wpa_supplicant -D wired -i eth0 -c /etc/config/wpa.conf



If you get a message like "No such device", you should check your WAN interface. Use the "cat /etc/config/network" command and you will see which network interface is used for WAN.


Now you want to make it work when the router starts. Let's make an init.d script file.
nano /etc/init.d/wpa

Copy and paste this, save and exit.
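#!/bin/sh /etc/rc.common
# Example script
# Copyright (C) 2007 OpenWrt.org
# Run late in the boot sequence
START=99

start() {
        echo start
        # Run the wired 802.1X supplicant in the background on the WAN interface
        wpa_supplicant -D wired -i eth0 -c /etc/config/wpa.conf &
}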

Enable the init.d script.
/etc/init.d/wpa enable
/etc/init.d/wpa start

You will get an error message since the wpa_supplicant process is already running.


Now the router will connect to the 802.1x network when it restarts. If you followed each step correctly, it should definitely work. Now go to your router's configuration page and set up your router as a wireless AP.


You should consider using a WPA2 passphrase so that not just anyone can use your network, since every device on your WiFi reaches the campus network under your student account. Change other settings such as the SSID or channel.

These are all the steps, and I found the network to be very stable. Now you can use your smartphone or tablet without network interruption. Since you're the only user of this router and it is close to you, you should have more stable WiFi access than the campus network. Congratulations!
