lawik

lawik

Nerves Core Team

VintageNet with Wired 802.1x under Nerves

This is some ongoing work I’m doing for [ REDACTED ] (one of my favorite clients, makes me seem very cool and mysterious). I am reporting the progress and procedure here to gives some findable context for others who want to do this stuff and also some context for the PR.

Wired 802.1x using EAP-TLS with device certificates is a pretty decent bump in network security and control, or so I hear.

I’ve confirmed the Linux setup for wired 802.1x using this helpful note and a freeradius server along with a Unifi managed switch. So we have a Raspbian OS install doing the right song and dance.

Currently we are hacking apart VintageNetWiFi and VintageNetEthernet to reproduce the config and setup.

We got the thing working but hit a fairly unexpected snag. No wired driver for wpa_supplicant.

So Add wired driver to WPA Supplicant by tomielee · Pull Request #234 · nerves-project/nerves_system_rpi4 · GitHub should address the immediate need we have and we’re currently building that system to see if it works out. It passes then smell check at least.

@fhunleth is this handled in each system separately or should this go somewhere in nerves_system_br?

Most Liked

lawik

lawik

Nerves Core Team

BOOM!

Quick note. It works:

{:ok, engine} = NervesKey.PKCS11.load_engine()
{:ok, i2c} = ATECC508A.Transport.I2C.init([])

signer_cert = X509.Certificate.to_der(NervesKey.signer_cert(i2c))
cert = X509.Certificate.to_der(NervesKey.device_cert(i2c))
%{key_id: uri} = NervesKey.PKCS11.private_key(engine, {:i2c, 1})
File.write("/tmp/client_cert.der", cert)
File.write("/tmp/ca_cert.der", signer_cert)

path = Path.join(Application.app_dir(:nerves_key_pkcs11), "priv/nerves_key_pkcs11.so")
VintageNet.configure("eth0", %{
       type: VintageNetEthernet,
       ipv4: %{method: :dhcp},
       vintage_net_ethernet: %{
        wpa_supplicant_conf: """
        pkcs11_engine_path=/usr/lib/engines/libpkcs11.so
        pkcs11_module_path=#{path}
        network={
          key_mgmt=WPA-EAP
          identity="User"
          eap=TLS
          eapol_flags=3
          client_cert="/tmp/client_cert.der"
          private_key="#{uri}"
        }
        """
       }
     })

Skip ca_cert to avoid CA verification unless you are doing more CA-related stuff and it matters to you. If it matters, add your signer cert to your CA list. Should not be hard.

On the freeradius side (what I tested against). I only really had to replace the ca cert in freeradius with the signer cert and then also add the signer cert to my system CA list so that it was in the root of trust or whatever that’s called.

Will post updates require on the system as well as the forked vintage_net stuff that will later need to be integrated. I did this on nerves_system_rpi3 but it should work on any.

Where Next?

Popular in Discussions Top

arcanemachine
https://nitter.net/josevalim/status/1744395345872683471 https://twitter.com/josevalim/status/1744395345872683471
New
sashaafm
I’m trying to evaluate the best combo/stack for a BEAM Web app. Right now I’m exploring Yaws a bit, after having dealt with Phoenix for a...
New
mmport80
I have put far too much effort into Dialyzer over the last year or so - and basically - I doubt it’s worth the effort. It’s not as easy ...
New
crabonature
I’m still quite new to Elixir. As I understand we got in Elixir “multi guards” as convention to simplify one large guard with or’s?: de...
New
sergio
There’s a new TIOBE index report that came out that shows Elixir is still not in the top 50 used languages. It also goes on to call Elix...
New
und0ck3d
Hello everyone! A few days ago I’ve created a topic here about how people were creating CMSs with Elixir and Phoenix. I’ve been studying...
New
AstonJ
Can you believe the first professionally published Elixir book was published just 8 years ago? Since then I think we’ve seen more books f...
New
joeerl
I’m playing with Elixir - It’s fun. I think @rvirding does give Elixir courses these days. Re: files and database - when I given Erlang ...
New
scouten
I’m looking for a host for the server part of a small (personal) side project that I’m working on. It’s currently written in Node.js and ...
New
dogweather
I wrote this comment on r/haskell, and it’s not popular there. :wink: But I think I’m on to something… Haskell reminds me of Java, and e...
New

Other popular topics Top

New
AstonJ
Posting this to see if we can make things easier for people to get into Neovim. If you use Neovim and have a favourite distro please let ...
New
ovidiubadita
Hey all, I discovered Elixir and I love it. I always wanted to learn a functional programming and I intended to go for Haskell, but afte...
New
gausby
I asked this very same question on twitter and got some interesting feedback, but I thought it would be a good question to ask here as we...
1207 39467 209
New
vonH
When I run the Plug and I recompile I wind up having to use Ctrl C to quit iex and start again. Witht the help of rlwrap I can use the cu...
New
aalberti333
As the title describes, I’m trying to run Enum.map() over a list of key/value pairs, where the value is a map. My data looks like this: ...
New
axelson
This post is a wiki (feel free to hit the edit button near the bottom right of this post to add your own changes!) This post collects co...
239 48342 226
New
PeterCarter
There are pre-rolled solutions for other frameworks that do work. However, Phoenix does not seem to have these. Have people had good expe...
New
JakeBecker
TL;DR: I’ve just released an implementation of Microsoft’s IDE-independent Language Server Protocol for Elixir. It adds language support ...
1144 54120 245
New
lanycrost
Hi everyone! I need implement if…else if…else condition from my elixir code, and anymore of this control flow structures not work proper...
New

Latest on Elixir Forum

Elixir Forum

We're in Beta

About us Mission Statement