  1. #!/usr/bin/env sh
  2. #
  3. # NOTE
  4. # ====
  5. # You must make this script executable (chmod +x /cf/conf/pfatt/pfatt_supplicant.sh).
  6. #
  7. #
  8. # CONFIG
  9. # ======
  10. # ONT_IF                        Physical interface connected to the ONT.
  11. #
  12. # EAP_SUPPLICANT_IDENTITY       MAC address associated with your cert. Used as your EAP-TLS identity.
  13. #                               You must place your certificates (ca.pem, client.pem, private.pem) in the /cf/conf/pfatt/wpa folder.
  14.  
  15.  
  16. # Change these variables
  17. # ===============
  18. ONT_IF="em0"
  19. EAP_SUPPLICANT_IDENTITY="XX:XX:XX:XX:XX:XX"
  20.  
  21.  
  22.  
  23. ##### DO NOT EDIT BELOW #################################################################################
  24.  
  25. /usr/bin/logger -st "pfatt" "starting pfatt..."
  26. /usr/bin/logger -st "pfatt" "configuration:"
  27. /usr/bin/logger -st "pfatt" "  ONT_IF = $ONT_IF"
  28. /usr/bin/logger -st "pfatt" "  EAP_SUPPLICANT_IDENTITY = $EAP_SUPPLICANT_IDENTITY"
  29.  
  30. #Netgraph cleanup.
  31. /usr/bin/logger -st "pfatt" "resetting netgraph..."
  32. /usr/sbin/ngctl shutdown waneapfilter: >/dev/null 2>&1
  33. /usr/sbin/ngctl shutdown laneapfilter: >/dev/null 2>&1
  34. /usr/sbin/ngctl shutdown $ONT_IF: >/dev/null 2>&1
  35. /usr/sbin/ngctl shutdown o2m: >/dev/null 2>&1
  36. /usr/sbin/ngctl shutdown vlan0: >/dev/null 2>&1
  37. /usr/sbin/ngctl shutdown ngeth0: >/dev/null 2>&1
  38.  
  39.  
  40. /usr/bin/logger -st "pfatt" "your ONT should be connected to pyshical interface $ONT_IF"
  41. /usr/bin/logger -st "pfatt" "creating vlan node and ngeth0 interface..."
  42. /usr/sbin/ngctl mkpeer $ONT_IF: vlan lower downstream
  43. /usr/sbin/ngctl name $ONT_IF:lower vlan0
  44. /usr/sbin/ngctl mkpeer vlan0: eiface vlan0 ether
  45. /usr/sbin/ngctl msg vlan0: 'addfilter { vlan=0 hook="vlan0" }'
  46. /usr/sbin/ngctl msg ngeth0: set $EAP_SUPPLICANT_IDENTITY
  47.  
  48. /usr/bin/logger -st "pfatt" "enabling promisc for $ONT_IF..."
  49. /sbin/ifconfig $ONT_IF ether $EAP_SUPPLICANT_IDENTITY
  50. /sbin/ifconfig $ONT_IF up
  51. /sbin/ifconfig $ONT_IF promisc
  52.  
  53. /usr/bin/logger -st "pfatt" "starting wpa_supplicant..."
  54.  
  55. WPA_PARAMS="\
  56.  set eapol_version 2,\
  57.  set fast_reauth 1,\
  58.  ap_scan 0,\
  59.  add_network,\
  60.  set_network 0 ca_cert \\\"/cf/conf/pfatt/wpa/ca.pem\\\",\
  61.  set_network 0 client_cert \\\"/cf/conf/pfatt/wpa/client.pem\\\",\
  62.  set_network 0 eap TLS,\
  63.  set_network 0 eapol_flags 0,\
  64.  set_network 0 identity \\\"$EAP_SUPPLICANT_IDENTITY\\\",\
  65.  set_network 0 key_mgmt IEEE8021X,\
  66.  set_network 0 phase1 \\\"allow_canned_success=1\\\",\
  67.  set_network 0 private_key \\\"/cf/conf/pfatt/wpa/private.pem\\\",\
  68.  enable_network 0\
  69. "
  70.  
  71. WPA_DAEMON_CMD="/usr/sbin/wpa_supplicant -Dwired -i$ONT_IF -B -C /var/run/wpa_supplicant"
  72.  
  73.  
  74. #Kill any existing wpa_supplicant process.
  75. PID=$(pgrep -f "wpa_supplicant")
  76. if [ ${PID} > 0 ];
  77. then
  78.   /usr/bin/logger -st "pfatt" "terminating existing wpa_supplicant on PID ${PID}..."
  79.   RES=$(kill ${PID})
  80. fi
  81.  
  82. #Start wpa_supplicant daemon.
  83. RES=$(${WPA_DAEMON_CMD})
  84. PID=$(pgrep -f "wpa_supplicant")
  85. /usr/bin/logger -st "pfatt" "wpa_supplicant running on PID ${PID}..."
  86.  
  87. #Set WPA configuration parameters.
  88. /usr/bin/logger -st "pfatt" "setting wpa_supplicant network configuration..."
  89. IFS=","
  90. for STR in ${WPA_PARAMS};
  91. do
  92.   STR="$(echo -e "${STR}" | sed -e 's/^[[:space:]]*//')"
  93.   RES=$(eval wpa_cli ${STR})
  94. done
  95.  
  96. #Create variables to check authentication status.
  97. WPA_STATUS_CMD="wpa_cli status | grep 'suppPortStatus' | cut -d= -f2"
  98. IP_STATUS_CMD="ifconfig ngeth0 | grep 'inet\ ' | cut -d' ' -f2"
  99. /usr/bin/logger -st "pfatt" "waiting for EAP authorization..."
  100.  
  101. #Check authentication once per 5 seconds for 25 seconds (5 attempts). Continue without authentication if necessary (no WAN).
  102. i=1
  103. until [ "$i" -eq "5" ]
  104. do
  105.   sleep 5
  106.   WPA_STATUS=$(eval ${WPA_STATUS_CMD})
  107.   if [ X${WPA_STATUS} = X"Authorized" ];
  108.   then
  109.     /usr/bin/logger -st "pfatt" "EAP authorization completed..."
  110.  
  111.     IP_STATUS=$(eval ${IP_STATUS_CMD})
  112.  
  113.     if [ -z ${IP_STATUS} ] || [ ${IP_STATUS} = "0.0.0.0" ];
  114.     then
  115.       /usr/bin/logger -st "pfatt" "no IP address assigned, force restarting DHCP..."
  116.       RES=$(eval /etc/rc.d/dhclient forcerestart ngeth0)
  117.       IP_STATUS=$(eval ${IP_STATUS_CMD})
  118.     fi
  119.     /usr/bin/logger -st "pfatt" "IP address is ${IP_STATUS}..."
  120.     /usr/bin/logger -st "pfatt" "ngeth0 should now be available to configure as your WAN..."
  121.  
  122.     break
  123.   else
  124.     /usr/bin/logger -st "pfatt" "no authentication, retrying ${i}/5..."
  125.     i=$((i+1))
  126.   fi
  127. done
  128.  