EAP-TLS with certificate on NS5


diegor
07-19-2008, 11:38 AM
Hi people, does anyone use EAP-TLS with certificates on NS5? This feature is not available in the ubnt firmware.
I'm trying to recompile with the SDK. In system.cfg I put the lines below:

wpasupplicant.status=enabled
wpasupplicant.device.1.status=enabled
wpasupplicant.device.1.devname=ath0
wpasupplicant.device.1.driver=madwifi
wpasupplicant.profile.1.network.1.proto.1.name=RSN
wpasupplicant.profile.1.network.1.pairwise.1.name=CCMP
wpasupplicant.profile.1.network.1.group.1.name=CCMP
wpasupplicant.profile.1.network.1.ssid=test-eaptls
wpasupplicant.device.1.profile=WPA-EAP-TLS
wpasupplicant.profile.1.name=WPA-EAP-TLS
wpasupplicant.profile.1.network.1.key_mgmt.1.name=WPA-EAP
wpasupplicant.profile.1.network.1.eap.1.name=TLS
wpasupplicant.profile.1.network.1.identity=Diego Russo
wpasupplicant.profile.1.network.1.ca_cert=/usr/etc/cert/cacert.pem
wpasupplicant.profile.1.network.1.client_cert=/etc/cert/CPE_cert.pem
wpasupplicant.profile.1.network.1.private_key=/etc/cert/CPE_key.pem

but the generated file (/etc/wpasupplicant_WPA-EAP-TLS.conf) is:

eapol_version=1
ap_scan=1
fast_reauth=1
network={
ssid="test-eaptls"
proto=RSN
key_mgmt=WPA-EAP
pairwise=CCMP
group=CCMP
eap=TLS
scan_ssid=1
priority=1
identity="Diego Russo"
}

It seems that it ignores the last three lines, where I set the certificates. Besides, it ignores this line:
wpasupplicant.profile.1.network.1.group.1.name=CCMP

Maybe ubntbox doesn't recognize these parameters.
So can I set the wpa_supplicant configuration file through a script placed in /etc/persistent/rc.poststart (or another rc.* file)?

UBNT-Zy
07-22-2008, 06:55 AM
Hello,

Yes, you are right, the current wpasupplicant plugin does not support the certificate parameters.
The support will be added in future FW versions. Until then, please use the rc persistent scripts to generate/copy the required wpasupplicant configuration file.

Thank you.

diegor
07-22-2008, 07:04 AM
Thanks for your answer! I have solved it by customizing the firmware, putting the needed files in /usr/etc/ and copying them to the right position through linuxrc.

For now I don't have any questions! :)

Thanks.

UBNT-Zy
07-25-2008, 05:51 AM
Thanks for the feedback, Diegor.

Feel free to describe your EAP-TLS customizations in the forum. I suppose many UBNT customers will thank you for this, until full TLS support is implemented in the GUI.

diegor
07-27-2008, 10:51 AM
OK, but I don't have the NS5 in front of me right now, so I'll go from memory.
However, it's very simple.
Download the SDK and go to ubnt-lsX-SDK-v3.0.3117/rootfs/xs5. In this folder you can create two directories: preinst and postinst.
If you put files into those folders and run "make", it transfers your files into the filesystem of the NS5. The "." of both directories is the root of the new filesystem.
In this way you can directly modify anything you want.
This is my example:

diegor@vandrew:~/svn-ubnt/ubnt-lsX-SDK-v3.0.3117/rootfs/xs5$ ls -R
.:
Makefile postinst

./postinst:
linuxrc usr

./postinst/usr:
etc

./postinst/usr/etc:
cert hostapd-eap-test.conf inittab system.cfg wpa-eaptls.conf

./postinst/usr/etc/cert:
AP_cert.pem AP_key.pem cacert.pem CPE_cert.pem CPE_key.pem


So when I build my firmware I have all my files in /usr/etc/.
Remember not to create an "etc" directory. In fact, the "etc" folder is only a symbolic link to /var/etc, and /tmp to /var/tmp. Besides, /var is mounted on tmpfs.
When the NS5 boots, some obscure binary copies the content of /usr/etc/ to /etc/. In this way you can do your customization.
There's another way to modify your filesystem without the SDK. You can use the /etc/persistent/ directory on the NS5.
I won't explain how to do this, because it's already explained in the forum.

I hope that my explanation will be useful for someone! :)

susu
07-23-2009, 02:37 AM
Hello,

Is it not possible just to modify the wpa_supplicant.conf file with the parameters I need instead of rebuilding the entire software?
I need to use WPA/TKIP/PEAP/MSCHAPv2.

Thank you.
Susu

UBNT-Zy
08-21-2009, 08:03 AM
The current version of AirOS does not provide a user interface for PEAP or TLS, as there are no certificate management routines implemented in the GUI.
Manual configuration of TLS and PEAP/MSCHAP can be used as a workaround by changing the wpasupplicant configuration file; however, this will require advanced administration skills, as the changes should be applied in the command shell (or uploaded with FTP).

Overwriting the wpa_supplicant configuration file is the only way to set up a PEAP connection in Station mode, as the GUI does not currently allow this option.

Manual changes should be (re)stored using the /etc/persistent/rc.poststart file (each time the system boots) and saved using cfgmtd:

Include manual changes in the /etc/persistent/rc.poststart file
(otherwise they will be reset each time the system starts).
Please use the
cfgmtd -w -p /etc
command to save the changes permanently.

Here is the sample configuration:

network={
ssid="an ssid"
bssid=00:11:22:33:44:55
scan_ssid=1
key_mgmt=WPA-EAP IEEE8021X NONE
pairwise=CCMP TKIP
group=CCMP TKIP WEP104 WEP40
eap=PEAP
identity="DOMAIN\user"
password="password"
phase1="peaplabel=0"
}

I suppose you can find more examples from other customers in our support forum.

Thank you.
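
Added example, not part of any post in this thread: a POSIX shell helper for /etc/persistent/rc.poststart that writes the EAP-TLS configuration from the first post, including the three certificate lines the GUI plugin dropped. The function name write_eaptls_conf, the unencrypted private key and the demo files are assumptions; restarting the supplicant is not described in the thread and is left out.

```shell
#!/bin/sh
# Added example (not from the thread). write_eaptls_conf is a hypothetical
# helper name; the SSID, identity and network settings are those quoted in
# the first post. The private key is assumed to be stored unencrypted.

write_eaptls_conf() {
    out=$1 ca=$2 cert=$3 key=$4

    # Refuse to write a profile without its CA or client credentials:
    # with no ca_cert, wpa_supplicant does not verify the RADIUS server.
    for f in "$ca" "$cert" "$key"; do
        [ -s "$f" ] || { echo "missing or empty: $f" >&2; return 1; }
    done

    chmod 600 "$key" || return 1    # private key readable by owner only
    (
        umask 077                   # config file is created with mode 0600
        rm -f "$out"                # drop any older copy with looser modes
        cat > "$out" <<EOF
eapol_version=1
ap_scan=1
fast_reauth=1
network={
ssid="test-eaptls"
proto=RSN
key_mgmt=WPA-EAP
pairwise=CCMP
group=CCMP
eap=TLS
scan_ssid=1
priority=1
identity="Diego Russo"
ca_cert="$ca"
client_cert="$cert"
private_key="$key"
}
EOF
    )
}

# On the device this would be called with the paths from the thread, e.g.
# /etc/wpasupplicant_WPA-EAP-TLS.conf and the files under /etc/cert/.
# Demo on constructed placeholder files (not real certificates):
demo_dir=$(mktemp -d)
for n in cacert CPE_cert CPE_key; do echo "constructed" > "$demo_dir/$n.pem"; done
write_eaptls_conf "$demo_dir/wpa.conf" "$demo_dir/cacert.pem" \
    "$demo_dir/CPE_cert.pem" "$demo_dir/CPE_key.pem" && cat "$demo_dir/wpa.conf"
rm -rf "$demo_dir"
```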
