• Categories
  • Recent
  • Tags
  • Popular
  • Users
  • Search
  • Register
  • Login
Netgate Discussion Forum
  • Categories
  • Recent
  • Tags
  • Popular
  • Users
  • Search
  • Register
  • Login

ATT Uverse RG Bypass (0.2 BTC)

Bounties
80
555
1.2m
Loading More Posts
  • Oldest to Newest
  • Newest to Oldest
  • Most Votes
Reply
  • Reply as topic
Log in to reply
This topic has been deleted. Only users with topic management privileges can see it.
  • J
    jasonsansone @stephenw10
    last edited by Dec 22, 2023, 11:40 PM

    @stephenw10 @GPz1100

    I upgraded to 23.09.1 and changed to using the method detailed here. However, wpa_cli status reports "connecting" and "unauthorized". The exact same hardware and certs authenticate fine on 22.05 using the old pfatt wpa_supplicant script. Any recommendations?

    D 1 Reply Last reply Dec 23, 2023, 12:02 AM Reply Quote 0
    • D
      dreamdenizen @jasonsansone
      last edited by dreamdenizen Dec 23, 2023, 12:03 AM Dec 23, 2023, 12:02 AM

      @jasonsansone

      I put my certs and wpa_supplicant.conf file in /root/wpa and used the following earlyshellcmd and shellcmd. Worked perfectly fine on 23.09.1 until I bailed to OPNsense last week. Same commands are also working great on OPNsense 23.7.10 using rc.syshook.d scripts.

      earlyshellcmd

      ifconfig igb0 ether "xx:xx:xx:xx:xx:xx" && wpa_supplicant -s -dd -B -Dwired -i igb0 -c /root/wpa/wpa_supplicant.conf -P /var/run/wpa_supplicant.pid && sleep 10 && wpa_cli logon
      

      Plug your RG ethernet MAC in place of the xx:xx... above

      shellcmd

      wpa_cli logoff && sleep 10 && wpa_cli logon
      

      the -s and -dd flags in my earlyshellcmd will cause wpa_supplicant to push all debug log activity to syslog, so look there for clues as to what's happening if you still can't auth.

      You may have caused your ONT to flag due to too many failed auth attempts, so make sure to push the reset pin in on the back before your first boot with these commands.

      Good luck.

      J 1 Reply Last reply Dec 23, 2023, 12:20 AM Reply Quote 1
      • J
        jasonsansone @dreamdenizen
        last edited by Dec 23, 2023, 12:20 AM

        @dreamdenizen can you please post your .conf just so I can verify? Thank you. Your method is what I was testing, except I will enable debug logging to better investigate. I had it working once, and then it stopped, which lead me to also suspect I got flagged for too many repeat authentications. Except it’s strange that a reboot into the old boot environmental using the supplicant script works. I would have thought that if I was blocked or suspended, it would fail regardless of method.

        D 1 Reply Last reply Dec 23, 2023, 12:34 AM Reply Quote 0
        • D
          dreamdenizen @jasonsansone
          last edited by dreamdenizen Dec 23, 2023, 12:34 AM Dec 23, 2023, 12:34 AM

          @jasonsansone your flags may vary based on what was extracted from your BGW210-700 or NVG so I would not recommend changing anything produced by the devicelocksmith extraction tool. My wpa_supplicant.conf is exactly what was spit out by the tool with the addition of

          ctrl_interface=DIR=/var/run/wpa_supplicant
          

          to account for running patched versions of wpa_supplicant prior to vlan0 handling being added to mainline. That added line works fine with mainline as well, so I never removed it.

          ctrl_interface=DIR=/var/run/wpa_supplicant
          eapol_version=1
          ap_scan=0
          fast_reauth=1
          network={
                  ca_cert="/root/wpa/CA.pem"
                  client_cert="/root/wpa/Client.pem"
                  eap=TLS
                  eapol_flags=0
                  identity="xx:xx:xx:xx:xx:xx" # Internet (ONT) interface MAC address must match this value
                  key_mgmt=IEEE8021X
                  phase1="allow_canned_success=1"
                  private_key="/root/wpa/PrivateKey.pem"
          }
          
          J 1 Reply Last reply Dec 23, 2023, 12:43 AM Reply Quote 0
          • J
            jasonsansone @dreamdenizen
            last edited by Dec 23, 2023, 12:43 AM

            @dreamdenizen thank you. Unfortunately the originally extracted conf has been lost. I was trying to avoid doing the extraction process again.

            J 1 Reply Last reply Dec 23, 2023, 2:47 PM Reply Quote 0
            • J
              jasonsansone @jasonsansone
              last edited by Dec 23, 2023, 2:47 PM

              Here is the syslog output:

              Dec 23 08:38:29 pfsense pfatt[63277]: starting wpa_supplicant... Dec 23 08:38:29 pfsense wpa_supplicant[63663]: Successfully initialized wpa_supplicant Dec 23 08:38:33 pfsense pfatt[71584]: wpa_supplicant running on PID 70876... Dec 23 08:38:33 pfsense pfatt[72244]: setting wpa_supplicant network configuration... Dec 23 08:38:33 pfsense wpa_supplicant[70876]: igb0: Associated with 01:80:c2:00:00:03 Dec 23 08:38:33 pfsense wpa_supplicant[70876]: igb0: CTRL-EVENT-SUBNET-STATUS-UPDATE status=0 Dec 23 08:39:34 pfsense wpa_supplicant[70876]: igb0: CTRL-EVENT-EAP-FAILURE EAP authentication failed Dec 23 08:39:48 pfsense wpa_supplicant[70876]: igb0: CTRL-EVENT-EAP-STARTED EAP authentication started

              And here is the output from wpa_cli status:

              `wpa_cli status
              Selected interface 'igb0'
              bssid=01:80:c2:00:00:03
              freq=0
              ssid=
              id=0
              mode=station
              pairwise_cipher=NONE
              group_cipher=NONE
              key_mgmt=IEEE 802.1X (no WPA)
              wpa_state=ASSOCIATED
              address=74:8a:0d:5f:be:21
              Supplicant PAE state=CONNECTING
              suppPortStatus=Unauthorized
              EAP state=IDLE
              uuid=666db3f9-54bb-5d96-8859-3fd4bbaa9546

              wpa_cli status
              Selected interface 'igb0'
              bssid=01:80:c2:00:00:03
              freq=0
              ssid=
              id=0
              mode=station
              pairwise_cipher=NONE
              group_cipher=NONE
              key_mgmt=IEEE 802.1X (no WPA)
              wpa_state=ASSOCIATED
              address=74:8a:0d:5f:be:21
              Supplicant PAE state=HELD
              suppPortStatus=Unauthorized
              EAP state=FAILURE
              uuid=666db3f9-54bb-5d96-8859-3fd4bbaa9546`

              J 1 Reply Last reply Dec 23, 2023, 6:33 PM Reply Quote 0
              • J
                jasonsansone @jasonsansone
                last edited by Dec 23, 2023, 6:33 PM

                Extracted certs and conf from RG again. Used exact conf parameters and certs. Tested with and without PCP 1 and/or -vlanhwfilter. Same result.

                D G 2 Replies Last reply Dec 23, 2023, 7:37 PM Reply Quote 0
                • D
                  dreamdenizen @jasonsansone
                  last edited by Dec 23, 2023, 7:37 PM

                  @jasonsansone is that mac address listed in your post the MAC of the RG ethernet? If not, make sure to override the MAC address in Interfaces > WAN with that of your ethernet RG. I also recommend redacting it in your last post.

                  J 1 Reply Last reply Dec 23, 2023, 8:00 PM Reply Quote 0
                  • G
                    GPz1100 @jasonsansone
                    last edited by Dec 23, 2023, 7:40 PM

                    @jasonsansone Did you read my comments in post # 544?

                    1 Reply Last reply Reply Quote 0
                    • J
                      jasonsansone @dreamdenizen
                      last edited by Dec 23, 2023, 8:00 PM

                      @dreamdenizen Good point on redacting, but it will no longer let me edit the post. Yes, the MAC is what was provided in the extracted conf and is also written on the RG. I have used the same MAC in pfatt.sh for years. Do I need to override the MAC in Interfaces > WAN in addition to setting it with ifconfig in the script?

                      @GPz1100 I attempted to, but admittedly wasn't able to fully track. I understand something with openssl has changed in 23.09, but it appears others have been successful using the same release. I may need an idiots guide to 23.09.1 because I have thus far failed.

                      Thank you both!

                      D G 2 Replies Last reply Dec 23, 2023, 8:02 PM Reply Quote 0
                      • D
                        dreamdenizen @jasonsansone
                        last edited by Dec 23, 2023, 8:02 PM

                        @jasonsansone mine wouldn't work without the MAC override in Interfaces > WAN

                        1 Reply Last reply Reply Quote 0
                        • G
                          GPz1100 @jasonsansone
                          last edited by Dec 23, 2023, 8:10 PM

                          @jasonsansone I haven't tested the new pf versions yet. Will be starting my migration project in the next few weeks.

                          The details are fairly self explanatory I thought. Basically openssl disables certain weaker ciphers. The config file re-enables them for the wpa_supplicant session. Depending on which wpa_supplicant is in use, this is either done simply through the wpa_supplicant.conf file (example at the end of the file), or through a config file for openssl that's referenced in the command line launching wpa_supplicant.

                          @dreamdenizen Mac for wpa_supplicant doesn't have to be that of RG, or even RG where certs came from. What matters is the mac in wpa_supplicant.conf file match that of the wan interface mac requesting dhcp. Otherwise, you'll get eapol authentication, but never received an IP because of the mismatch.

                          1 Reply Last reply Reply Quote 0
                          553 out of 555
                          • First post
                            553/555
                            Last post
                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.