Connect to 802.1X wired network on TP-Link TL-WR841ND

Connect to 802.1X wired network on TP-Link TL-WR841ND

When there is only one Ethernet socket and no wireless signal in your apartment, you may resort to Wi-Fi routers…

Unfortunately, in some situations the wired internet is based on 802.1X authentication. Does it matter? Yup.. Most routers only support static IP, DHCP, PPPoE on WAN port by default . That is, we need some more steps to achieve our goal.

Requirements:

  1. A router that supports LEDE (now is merged into OpenWrt project1) firmware. You can check in this page.
  2. Suitable environment to run image generator. (for those devices whose flashes are not larger than 4MB)
  3. Proper environment to communicate with router. For example, Terminal on macOS, PuTTY and WinSCP on Windows.
  4. Certificate, username, and password for the 802.1X authentication.

Okey, I suggest you having these things already. So…, Let’s do it now!

Steps:

In my case (TP-Link TL-WR841ND v8 international), the 4MB flash is not enough to install packages on the default LEDE firmware. I have to rebuild the image…

  • Download and uncompress image generator on the 64bit Linux system. Since it uses Atheros AR71xx CPU, we download the image generator here (17.01.4 release).
wget https://downloads.openwrt.org/releases/17.01.4/targets/ar71xx/generic/lede-imagebuilder-17.01.4-ar71xx-generic.Linux-x86_64.tar.xz
tar Jxvf lede-imagebuilder-17.01.4-ar71xx-generic.Linux-x86_64.tar.xz
  • Login to 192.168.1.1 to set the correct date/time. The certificate may be invalid if the date/time is wrong.
  • Find the PROFILE name, tl-wr841-v8 in my case. You can find the profile name by typing
make info

  • We have to add two more packages: luci and wpad, and remove wpad-mini since it doesn’t have authentication methods we need. Thus, the command is
make image PROFILE=tl-wr841-v8 PACKAGES="luci wpad -wpad-mini"

If the flash is only 4MB, you may encounter an error. 🙁

We need to remove more packages… I think ppp and ppp-mod-pppoe are not essential in my case, so I removed them:

(2018.3.20 update: At the time I built the image in 2017, I have to remove unused packages. If you are able to build the firmware without removing other packages like ppp, congratulation! This may happen due to different versions of packages.)

Now, the firmware is completely built! We can find the file (lede-ar71xx-generic-tl-wr841-v8-squashfs-factory.bin) in the bin/targets/ar71xx directory.

  • Next, upload this file to the router. If the router is not running original firmware, you may use scp and mtd:
scp YourBinFile root@192.168.1.1:/tmp
ssh root@192.168.1.1
cd /tmp && mtd -r write YourBinFile firmware
  • After that, we have to setup config file for authentication. In my case, the Ethernet is running EAP-TTLS and PAP authentication protocol. We have the config file like this:

Certificate file must be in pem or der format. For other authentication methods and more information, you can check here.

  • Now we can run for testing!
wpa_supplicant -i eth0 -D wired -c PathToYourConfigFile -dd -t

(Suppose wired interface is eth0.) If all things work correctly, we can connect to the Internet via the router now. 🙂

  • Furthermore, we can create an init file for running the command automatically after router powered on.


Put this file in /etc/init.d directory, and enable it:

/etc/init.d/wpasupplicant.init enable

(Remember to chmod it before executing!)

That’s it. Have fun. 😛

References:

http://www.wohnheimnetz-bielefeld.de/weitergehende-infos/anleitung-zur-einrichtung-von-openwrt/

https://christiantietze.de/posts/2013/09/wpa-enterprise-wired-openwrt-wa901nd/


2018.03.20 update:

As the recent announcement shown in OpenWrt website, LEDE has merged under OpenWrt project. Therefore, I replaced the old links listed in this tutorial with new ones.

Leave a reply