pfSense 2.4.5-p1, supplicant mode 1) failing to authorize, and 2) script is blocking system bootup FIXED

Question

pfSense 2.4.5-p1, supplicant mode 1) failing to authorize, and 2) script is blocking system bootup FIXED

Aerowinder opened this issue 4 years ago · 5 comments

Greetings,

Using certs I pulled from my BGW210-700, pfSense would not authenticate the WAN connection. The certs work fine in MikroTik's RouterOS, so it's an issue with the script. Also, if you fail to authenticate, pfSense gets stuck in the loop waiting for authentication. Console access is necessary to terminate the script. I've fixed both issues. My installs were tested on bare metal SG-2440 and Protectli Vault 6P.

/usr/bin/logger -st "pfatt" "enabling promisc for $ONT_IF..."
/sbin/ifconfig $ONT_IF ether $EAP_SUPPLICANT_IDENTITY
/sbin/ifconfig $ONT_IF up
/sbin/ifconfig $ONT_IF promisc

I added changing the MAC of the ONT_IF connection (physical WAN port) to the one associated with the certificates. I think I still had to spoof the WAN MAC with the pfSense webconfigurator, unsure why.

WPA_DAEMON_CMD="/usr/sbin/wpa_supplicant -Dwired -i$ONT_IF -B -C /var/run/wpa_supplicant"

Authenticate against ONT_IF, not ngeth0.

Failed authentication keeps system from booting fix:

i=1
until [ "$i" -eq "5" ]
do
sleep 5
WPA_STATUS=$(eval ${WPA_STATUS_CMD})
if [ X${WPA_STATUS} = X"Authorized" ];
then
/usr/bin/logger -st "pfatt" "EAP authorization completed..."

IP_STATUS=$(eval ${IP_STATUS_CMD})

if [ -z ${IP_STATUS} ] || [ ${IP_STATUS} = "0.0.0.0" ];
then
/usr/bin/logger -st "pfatt" "no IP address assigned, force restarting DHCP..."
RES=$(eval /etc/rc.d/dhclient forcerestart ngeth0)
IP_STATUS=$(eval ${IP_STATUS_CMD})
fi
/usr/bin/logger -st "pfatt" "IP address is ${IP_STATUS}..."
/usr/bin/logger -st "pfatt" "ngeth0 should now be available to configure as your WAN..."
break
else
/usr/bin/logger -st "pfatt" "no authentication, retrying ${i}/5..."
i=$((i+1))
fi
done
I switched from a never ending while loop to an until loop with a counter. If you fail to authenticate, the loop will still terminate, allowing the system to boot, albeit without WAN connection. The way the script was written is a serious pain if you don't have a console connection.

Answer 1 · 2021-01-24T10:15:27.000Z

Can you post a paste bin of your pfatt.sh ? I am getting authorized but not able to grab an ip

Answer 2 · 2021-01-24T15:24:53.000Z

For 2.4.5:
https://pastebin.com/pQeBgPsV

Be sure to set your WAN NIC and EAP identity in the script. Be advised that this script moves some things around. File names are changed, etc. Look through the script to determine the changes. Then, in pfSense, set your WAN interface to ngeth0. Then, in the WAN interface config (ngeth0), spoof the MAC address to your EAP identity, then reboot.

Answer 3 · 2021-01-24T17:07:21.000Z

Thank you very much. Now, I do have one more question if you do not mind. My assigned gateway MAC is different than my EAP MAC because my my certs are from another router. Do I set the ngeth0 MAC address to my assigned gateway MAC that att gave me and set the EAP MAC to the MAC that I pulled the certs from?

Answer 4 · 2021-01-24T17:10:07.000Z

Your AT&T assigned gateway is irrelevant. The only thing that matters is the MAC of your keys.

Answer 5 · 2021-01-24T17:11:32.000Z

Up and running. Thank you very much.