IPCop and 802.1x Client Auth


(Note: This is a bit dated, but could still be informative.)

First, some background into my computer setup: at college, each student has one Ethernet port that they can connect their computer to (wireless is also available in some dorms). Because of the network setup at Bethel, only one computer may use a port at a time. I discovered this fact when I arrived on campus my first semester, and I immediately set out to figure out a way to have more than one computer hooked up to the network at a time (I have my main computer, a web server, a backup machine, and the odd test/sandbox computer or two).

In my searching, I found IPCop (http://www.ipcop.org/), which is a great Linux based firewall/router. By transforming an old Pentium III into a router with IPCop, my problem was resolved! (At least until fall of my second year...)

Over that summer, Bethel rolled out 802.1x authentication on both the wired and wireless ResNets for security purposes and limitation of liability. I didn't have any problem with this change for the wireless (because it was long overdue!), but I wasn't so sold on 802.1x for the wired ResNet. It just seems to cause more problems than it solves.

So, when ITS said that there was nothing that they could do to remove the 802.1x auth for me, I turned to my resources of black magic and deep spells (aka Google, personal experience, and a few hints that I found in the documentation supplied to all students on campus). Thanks to the pointers of other IPCop users online, I was able to come up with a solution that allowed me to continue to use IPCop as my firewall. Here’s what I did:

Step 1: Install IPCop (http://www.ipcop.org/)

I have a Pentium III tower with a couple of NICs in it, and performed a base install of IPCop. In my setup, the RED interface was assigned an IP via DHCP.

Step 2: Download the WLAN AP addon (http://www.ban-solms.de/t/IPCop-wlanap-download.html)

Though this addon is designed to add wireless capabilities to IPCop, the part we are interested in is the wpa_supplicant program that is included. wpa_supplicant (https://w1.fi/wpa_supplicant/) allows us to do the 802.1x authentication, which will then open up the Ethernet port for the following DHCP request and subsequent network traffic from the IPCop box.

After installing the WLAN AP addon, I had to create a wpa_supplicant configuration file and modify the boot scripts.

The wpa_supplicant file (/etc/wpa_supplicant.conf):

    ctrl_interface=/var/run/wpa_supplicant
    ap_scan=0
    network={
        key_mgmt=IEEE8021X
        eap=PEAP
        phase2="auth=MSCHAPV2"
        identity="[USERNAME]"
        password="[PASSWORD]"
        eapol_flags=0
    }

The boot script (/etc/rc.d/rc.red):

Find this part of the file:

    ### Red device is ethernet
    ###
    if ($netsettings{'CONFIG_TYPE'} =~ /^(2|3|6|7)$/)
    {
            if ($netsettings{'RED_DEV'} ne '')
            {
                    &General::log("Starting RED device $netsettings{'RED_DEV'}.");
                    if ( $netsettings{'RED_TYPE'} eq 'DHCP')
                    {
                            if (open(FILE, ">${General::swroot}/red/iface")) { print FILE $netsettings{'RED_DEV'}; close FILE; }

and then add these lines:

                            # Added for 802.1x auth
                            system("/usr/local/sbin/wpa_supplicant -c /etc/wpa_supplicant.conf -D wired -i $netsettings{'RED_DEV'} &");
                            # End

Step 3: Reboot and enjoy!

If everything went smoothly, your IPCop box should now be able to successfully authenticate to an 802.1x protected network.
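The three steps above amount to one small procedure: write a supplicant config, start wpa_supplicant on the RED device, and let DHCP follow. The script below is an added example (not code from the original post, from IPCop, or from the WLAN AP addon) that does the same thing with two things a practitioner will want: the config file is created mode 0600 because it holds the account password in plaintext, and the boot sequence waits for the supplicant to report a completed authentication instead of backgrounding it with `&` and hoping the DHCP request comes after the port opens. The optional `ca_cert` line, the interface name `eth0`, the CA file path and the use of `dhcpcd` as the DHCP client are assumptions beyond the post; without a `ca_cert`, the supplicant will present its credentials to whatever RADIUS server answers on the port.

```shell
#!/bin/sh
# Added example (not from the original post): build the wired 802.1X
# supplicant config with restrictive permissions, then wait for the
# supplicant to report a completed authentication before the RED
# interface is handed to DHCP. Paths and the CA file are assumptions.

# write_conf USER PASS FILE [CA_CERT]
# Writes a PEAP/MSCHAPv2 config equivalent to the post's, in a subshell so
# the 077 umask does not leak: the file holds a plaintext password, so it is
# created mode 0600. The optional ca_cert line is an addition beyond the post;
# without it the supplicant will hand its credentials to any RADIUS server.
write_conf() (
    user="$1"; pass="$2"; file="$3"; ca="${4:-}"
    umask 077
    {
        echo "ctrl_interface=/var/run/wpa_supplicant"
        echo "ap_scan=0"
        echo "network={"
        echo "    key_mgmt=IEEE8021X"
        echo "    eap=PEAP"
        echo "    phase2=\"auth=MSCHAPV2\""
        echo "    identity=\"$user\""
        echo "    password=\"$pass\""
        if [ -n "$ca" ]; then echo "    ca_cert=\"$ca\""; fi
        echo "    eapol_flags=0"
        echo "}"
    } > "$file"
)

# eap_ok STATUS_TEXT: succeeds when a 'wpa_cli status' dump shows the
# port authenticated (the field name is the one wpa_cli prints).
eap_ok() {
    printf '%s\n' "$1" | grep -q '^Supplicant PAE state=AUTHENTICATED$'
}

# wait_for_auth IFACE SECONDS: poll the supplicant once a second until it is
# authenticated or the timeout passes. STATUS_CMD defaults to wpa_cli and can
# be pointed at a stub for offline testing.
wait_for_auth() {
    iface="$1"; limit="$2"; n=0
    while [ "$n" -lt "$limit" ]; do
        if eap_ok "$("${STATUS_CMD:-wpa_cli}" -i "$iface" status 2>/dev/null)"; then
            return 0
        fi
        n=$((n + 1))
        sleep 1
    done
    return 1
}

# Usage on the IPCop box (run as root; credentials are placeholders, eth0 and
# the CA path are assumed, and dhcpcd is the DHCP client assumed here):
#   write_conf '[USERNAME]' '[PASSWORD]' /etc/wpa_supplicant.conf /etc/ssl/certs/campus-ca.pem
#   /usr/local/sbin/wpa_supplicant -B -c /etc/wpa_supplicant.conf -D wired -i eth0
#   wait_for_auth eth0 30 && dhcpcd eth0
```

The `wait_for_auth` step is the part that matters for a boot script: the `rc.red` edit above starts the supplicant in the background, so the DHCP client can fire before the switch has opened the port and then sit out its retry timer. Polling `wpa_cli status` for the authenticated state before starting DHCP removes that race, and a timeout keeps a failed login from hanging the boot.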

Additional resources:

wpa_supplicant home page: https://w1.fi/wpa_supplicant/

My original thread at IPCops: http://www.ipcops.com/phpbb3/viewtopic.php?f=16&t=11810&p=63567

WLAN AP addon site: http://www.ban-solms.de/t/IPCop-wlanap.html

Revision History

2008-09-01: Initial publication