lawik
VintageNet with Wired 802.1x under Nerves
This is some ongoing work I’m doing for [ REDACTED ] (one of my favorite clients, makes me seem very cool and mysterious). I am reporting the progress and procedure here to gives some findable context for others who want to do this stuff and also some context for the PR.
Wired 802.1x using EAP-TLS with device certificates is a pretty decent bump in network security and control, or so I hear.
I’ve confirmed the Linux setup for wired 802.1x using this helpful note and a freeradius server along with a Unifi managed switch. So we have a Raspbian OS install doing the right song and dance.
Currently we are hacking apart VintageNetWiFi and VintageNetEthernet to reproduce the config and setup.
We got the thing working but hit a fairly unexpected snag. No wired driver for wpa_supplicant.
So Add wired driver to WPA Supplicant by tomielee · Pull Request #234 · nerves-project/nerves_system_rpi4 · GitHub should address the immediate need we have and we’re currently building that system to see if it works out. It passes then smell check at least.
@fhunleth is this handled in each system separately or should this go somewhere in nerves_system_br?
Most Liked
lawik
BOOM!
Quick note. It works:
{:ok, engine} = NervesKey.PKCS11.load_engine()
{:ok, i2c} = ATECC508A.Transport.I2C.init([])
signer_cert = X509.Certificate.to_der(NervesKey.signer_cert(i2c))
cert = X509.Certificate.to_der(NervesKey.device_cert(i2c))
%{key_id: uri} = NervesKey.PKCS11.private_key(engine, {:i2c, 1})
File.write("/tmp/client_cert.der", cert)
File.write("/tmp/ca_cert.der", signer_cert)
path = Path.join(Application.app_dir(:nerves_key_pkcs11), "priv/nerves_key_pkcs11.so")
VintageNet.configure("eth0", %{
type: VintageNetEthernet,
ipv4: %{method: :dhcp},
vintage_net_ethernet: %{
wpa_supplicant_conf: """
pkcs11_engine_path=/usr/lib/engines/libpkcs11.so
pkcs11_module_path=#{path}
network={
key_mgmt=WPA-EAP
identity="User"
eap=TLS
eapol_flags=3
client_cert="/tmp/client_cert.der"
private_key="#{uri}"
}
"""
}
})
Skip ca_cert to avoid CA verification unless you are doing more CA-related stuff and it matters to you. If it matters, add your signer cert to your CA list. Should not be hard.
On the freeradius side (what I tested against). I only really had to replace the ca cert in freeradius with the signer cert and then also add the signer cert to my system CA list so that it was in the root of trust or whatever that’s called.
Will post updates require on the system as well as the forked vintage_net stuff that will later need to be integrated. I did this on nerves_system_rpi3 but it should work on any.
Popular in Discussions
Other popular topics
Categories:
Sub Categories:
Forums
Popular Tags
- #ecto
- #liveview
- #troubleshooting
- #learning-elixir
- #deployment
- #library
- #erlang
- #testing
- #genserver
- #mix
- #absinthe
- #remote-other
- #otp
- #plug
- #how-to-question
- #macros
- #postgres
- #channels
- #elixirconf
- #exunit
- #discussion
- #code-sync
- #javascript
- #podcasts
- #onsite
- #dialyzer
- #docker
- #authentication
- #umbrella
- #full-time-contract
- #podcasts-by-brainlid
- #ecto-query
- #elixir-ls
- #phoenix_html
- #iex
- #blog-post
- #graphql
- #genstage
- #ai
- #websockets
- #supervisor
- #advent-of-code
- #elixirconf-us
- #distillery
- #processes
- #forms
- #api
- #metaprogramming
- #security
- #performance










