*Important note to pay attention to*

You'll most likely use eth0 on a USG and eth2 or eth3 on a USG-Pro; edit the files accordingly. Do not run the supplicant on a virtual interface (e.g. eth0.0), as it will not work.

*Pre-requisites*

1. Get certs: run the mfg_dat_decode tool. You should end up with 3 certs, CA_*.pem, Client_*.pem and PrivateKey_PKCS1_*.pem, as well as a wpa_supplicant.conf file. In the archive generated by the tool, edit wpa_supplicant.conf to add the full path /config/auth/ to all 3 files:

```
network={
    ca_cert="/config/auth/CA_xxxxxx.pem"
    client_cert="/config/auth/Client_xxxxxx.pem"
    eap=TLS
    eapol_flags=0
    identity="AA:AA:AA:AA:AA:AA" # Gateway MAC address
    key_mgmt=IEEE8021X
    phase1="allow_canned_success=1"
    private_key="/config/auth/PrivateKey_PKCS1_xxxxxx.pem"
}
```

2. Download the compiled WPA Supplicant binary: https://www.dslreports.com/r0/download/2382315~c173ce2d062cf92116ed2427bb79dd18/wpa_supplicant.zip

3. Create wpa_supplicant.sh and make sure IF_WAN matches your WAN port:

```bash
#!/usr/bin/env bash
# Start EAP-TLS on eth0
# Check if already running to avoid multiple instances
IF_WAN=eth0
PROCESS_NAME=wpa_supplicant
PROCESS_PATH=/config/scripts/wpa_supplicant
PROCESS_COUNT=$(ps -A | grep "$PROCESS_NAME" | grep -Ev "grep|$(basename "$0")" | grep -c "$PROCESS_NAME")
if [ "$PROCESS_COUNT" = 0 ] && [ -x "$PROCESS_PATH" ]; then
    "$PROCESS_PATH" -s -B -Dwired -i"$IF_WAN" -c/config/scripts/wpa_supplicant.conf -g/var/run/wpa_supplicant.ctrl -P/var/run/wpa_supplicant.pid
fi
```

4. SCP into the USG and drop the following files into the following locations:
   - /config/scripts/wpa_supplicant (the binary file from 2.)
   - /config/scripts/post-config.d/wpa_supplicant.sh
   - /config/scripts/wpa_supplicant.conf
   - the 3 certificate PEM files into /config/auth

5. Run the following commands:

```
sudo chmod +x /config/scripts/wpa_supplicant
sudo chmod +x /config/scripts/post-config.d/wpa_supplicant.sh
sudo chmod -R 0600 /config/auth
```

6. Set your WAN port VLAN to 0. You might need to use the old UI for this, as the new one errors out when choosing VLAN 0.

7. Create a config.gateway.json file to ensure the MAC spoofing is persistent; make sure the interface and MAC address are updated:

```json
{
    "interfaces": {
        "ethernet": {
            "eth0": {
                "mac": "AA:AA:AA:AA:AA:AA"
            }
        }
    }
}
```

Follow the USG documentation: https://help.ubnt.com/hc/en-us/articles/215458888-UniFi-USG-Advanced-Configuration#2

8. Reboot the gateway.

9. Monitor logs on the gateway by running:

```
tail -n 50 -f /var/log/messages
```
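Before rebooting, it is worth checking that the three files agree with each other: the EAP identity must equal the MAC in config.gateway.json, IF_WAN must be the physical port, and the PEM files must exist and be owner-only readable. This is an added example, not the gist's or Ubiquiti's code; the sample files it builds use a hypothetical locally administered MAC so the check runs offline, and on a real USG you would point check_eap_setup at the /config/... paths instead.

```shell
#!/usr/bin/env bash
# Added example, not part of the gist: sanity-check the three files before
# rebooting. It confirms that the identity in wpa_supplicant.conf equals the MAC
# spoofed in config.gateway.json, that IF_WAN in the start script is the same
# physical port (not an eth0.0 style VLAN sub-interface), and that the three PEM
# files the conf references exist and are readable only by their owner.
check_eap_setup() {   # usage: check_eap_setup CONF START_SCRIPT GATEWAY_JSON
    conf=$1; script=$2; json=$3; rc=0
    identity=$(sed -n 's/^[[:space:]]*identity="\([^"]*\)".*/\1/p' "$conf" | head -n1)
    ifwan=$(sed -n 's/^IF_WAN=\([^[:space:]]*\).*/\1/p' "$script" | head -n1)
    json_if=$(grep -oE '"eth[0-9]+(\.[0-9]+)?"[[:space:]]*:' "$json" | head -n1 | tr -d '": ')
    # A curly quote around the MAC (an easy copy-paste error) leaves this empty.
    json_mac=$(grep -oE '"mac"[[:space:]]*:[[:space:]]*"[^"]*"' "$json" | head -n1 | cut -d'"' -f4)
    [ -n "$json_mac" ] || { echo "no straight-quoted \"mac\" value in $json"; rc=1; }
    if [ "$(echo "$identity" | tr A-F a-f)" != "$(echo "$json_mac" | tr A-F a-f)" ]; then
        echo "identity '$identity' does not match config.gateway.json mac '$json_mac'"; rc=1
    fi
    case $ifwan in *.*) echo "IF_WAN=$ifwan is a VLAN sub-interface, use the physical port"; rc=1 ;; esac
    [ "$ifwan" = "$json_if" ] || { echo "IF_WAN=$ifwan but config.gateway.json configures '$json_if'"; rc=1; }
    for key in ca_cert client_cert private_key; do
        f=$(sed -n "s/^[[:space:]]*$key=\"\([^\"]*\)\".*/\1/p" "$conf" | head -n1)
        [ -f "$f" ] || { echo "$key: '$f' not found"; rc=1; continue; }
        perms=$(ls -ld "$f" | cut -c5-10)   # group and other permission bits
        [ "$perms" = "------" ] || { echo "$key: $f is readable by group/other"; rc=1; }
    done
    return $rc
}

# Constructed sample files (hypothetical locally administered MAC) so the check
# runs offline; on a real USG point check_eap_setup at the /config/... paths.
make_sample_setup() {   # usage: make_sample_setup DIR JSON_MAC IF_WAN
    dir=$1; mac=$2; wan=$3
    mkdir -p "$dir/auth"
    for f in CA Client PrivateKey; do : > "$dir/auth/$f.pem"; chmod 600 "$dir/auth/$f.pem"; done
    cat > "$dir/wpa_supplicant.conf" <<EOF
network={
    ca_cert="$dir/auth/CA.pem"
    client_cert="$dir/auth/Client.pem"
    identity="02:00:00:00:00:01"
    private_key="$dir/auth/PrivateKey.pem"
}
EOF
    printf 'IF_WAN=%s\n' "$wan" > "$dir/wpa_supplicant.sh"
    # The JSON key is the physical port even when IF_WAN was (wrongly) set to a sub-interface.
    printf '{"interfaces":{"ethernet":{"%s":{"mac":"%s"}}}}\n' "${wan%%.*}" "$mac" > "$dir/config.gateway.json"
}
```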
On line 33, wpa_supplicant.conf is at /config/scripts/, but on line 39, it is at /config/.
Fixed
Couple of notes:
Here's a one-liner for making the wpa_supplicant.sh

```bash
# Quote the delimiter so $VARS and $(...) inside the heredoc are written literally instead of being expanded by the current shell.
cat <<'EOF' > /config/scripts/post-config.d/wpa_supplicant.sh
#!/usr/bin/env bash
#Start EAP-TLS on eth0
#Check if already running to avoid multiple instances
IF_WAN=eth0
PROCESS_NAME=wpa_supplicant
PROCESS_PATH=/config/scripts/wpa_supplicant
PROCESS_COUNT=$(ps -A | grep "$PROCESS_NAME" | grep -Ev "grep|$(basename "$0")" | grep -c "$PROCESS_NAME")
if [ "$PROCESS_COUNT" = 0 ] && [ -x "$PROCESS_PATH" ]; then
"$PROCESS_PATH" -s -B -Dwired -i"$IF_WAN" -c/config/scripts/wpa_supplicant.conf -g/var/run/wpa_supplicant.ctrl -P/var/run/wpa_supplicant.pid
fi
EOF
```
Backup your router config:

```
mca-ctrl -t dump-cfg > /root/config_orig.txt
```
Enable Legacy mode on your controller.
https://support.hostifi.com/en/articles/6240303-unifi-how-to-change-between-unifi-interface-versions
After you have Legacy mode enabled, then you can set your VLAN ID to 0 on WAN. Save, and let the USG provision.
Here is how to change the MAC and set the VLAN via the command line:

```
configure
set interfaces ethernet eth0 vif 0
set interfaces ethernet eth0 mac XX:XX:XX:XX:XX:XX
commit
save
exit
```
Manually call the script like this:

```
/config/scripts/wpa_supplicant -s -B -Dwired -ieth0 -c/config/scripts/wpa_supplicant.conf -g/var/run/wpa_supplicant.ctrl -P/var/run/wpa_supplicant.pid
```
Backup your new config:

```
mca-ctrl -t dump-cfg > /root/config_new.txt
```
On the controller do:

```
find / -name "config.gateway.json"
```
If you're not using multi-site you may not find one, or even a sites directory. To make it, do the following. If you are using multi-site, change default to reflect the **siteID** found in the URL of the dashboard: https://127.0.0.1:8443/manage/s/**siteID**/dashboard
Ubuntu cloud controllers: mkdir /usr/lib/unifi/data/sites/default
or mkdir /usr/lib/unifi/data/sites/**siteID**
Cloud key controllers: mkdir /srv/unifi/data/sites/default
or mkdir /srv/unifi/data/sites/**siteID**
To make your config.gateway.json, edit the mac and the path respectively:

```bash
cat <<EOF > /usr/lib/unifi/data/sites/default/config.gateway.json
{
    "interfaces": {
        "ethernet": {
            "eth0": {
                "mac": "XX:XX:XX:XX:XX:XX"
            }
        }
    }
}
EOF
```
Then set ownership of the directories and file. Change the path respectively.

```
chown -R unifi:unifi /usr/lib/unifi/data/sites
```