AT&T 802.1X Bypass on Firewalla Gold Pro

AT&T fiber requires 802.1X EAP-TLS authentication, normally handled by their residential gateway (BGW210/NVG599). This bypass runs wpa_supplicant directly on the Firewalla Gold Pro with the GPON SFP plugged into port 3 (eth1), eliminating the gateway entirely.

Prerequisites

  • AT&T 802.1X EAP-TLS certificates extracted from a residential gateway, converted from .der to .pem using the devicelocksmith mfg_dat_decode tool
  • GPON SFP module compatible with AT&T fiber
  • Firewalla Gold Pro with SSH access

File Layout

All files live in /home/pi/wpa/ on the Firewalla Gold Pro — this is the source of truth that survives firmware updates.

File                            Purpose
ca_certs_<CERT_ID>.pem          CA certificate chain
client_cert_<CERT_ID>.pem       Client certificate
private_key_<CERT_ID>.pem       Private key
wpa_supplicant.conf             Supplicant configuration
wpa_supplicant-eth1.service     systemd unit file (source copy)

<CERT_ID> is unique to your extracted cert set (format: XXXXXX-XXXXXXXXXXXXXX).

The boot hook lives at /home/pi/.firewalla/config/post_main.d/att_bypass.sh and installs/enables the systemd unit on each boot.

Configuration

wpa_supplicant.conf

eapol_version=1
ap_scan=0
fast_reauth=1
openssl_ciphers=DEFAULT@SECLEVEL=0
network={
    ca_cert="/home/pi/wpa/ca_certs_<CERT_ID>.pem"
    client_cert="/home/pi/wpa/client_cert_<CERT_ID>.pem"
    eap=TLS
    eapol_flags=0
    identity="XX:XX:XX:XX:XX:XX"
    key_mgmt=IEEE8021X
    phase1="allow_canned_success=1"
    private_key="/home/pi/wpa/private_key_<CERT_ID>.pem"
}

Replace <CERT_ID> with your cert set identifier, and set identity to the MAC address that came with your extracted certs.

Critical quirks:

  • openssl_ciphers=DEFAULT@SECLEVEL=0 — required because AT&T certs use older weak crypto that modern OpenSSL rejects by default.
  • phase1="allow_canned_success=1" — AT&T-specific EAP quirk. This is why FortiOS's built-in supplicant couldn't be used (it doesn't support this parameter).

wpa_supplicant-eth1.service

[Unit]
Description=wpa_supplicant for AT&T 802.1X on eth1
After=network-pre.target
Wants=network-pre.target
Before=firerouter_dhclient@eth1.service

[Service]
Type=simple
ExecStart=/sbin/wpa_supplicant -s -Dwired -ieth1 -c/home/pi/wpa/wpa_supplicant.conf
Restart=on-failure
RestartSec=5

[Install]
WantedBy=multi-user.target

The Before=firerouter_dhclient@eth1.service ordering ensures 802.1X authentication completes before DHCP tries to get a lease on eth1.

att_bypass.sh (boot hook)

#!/bin/bash
set -e

UNIT_SRC=/home/pi/wpa/wpa_supplicant-eth1.service
UNIT_DST=/etc/systemd/system/wpa_supplicant-eth1.service

# Install/update unit file if missing or changed
if ! sudo cmp -s "$UNIT_SRC" "$UNIT_DST" 2>/dev/null; then
  sudo cp "$UNIT_SRC" "$UNIT_DST"
  sudo systemctl daemon-reload
fi

# Enable if not already
if ! systemctl is-enabled --quiet wpa_supplicant-eth1.service; then
  sudo systemctl enable wpa_supplicant-eth1.service
fi

# Start if not running
if ! systemctl is-active --quiet wpa_supplicant-eth1.service; then
  sudo systemctl start wpa_supplicant-eth1.service
fi

# Remove old dhclient hook if it exists (legacy bypass method)
if [ -f /etc/dhcp/dhclient-enter-hooks.d/att_bypass ]; then
  sudo rm /etc/dhcp/dhclient-enter-hooks.d/att_bypass
fi

This script is idempotent — safe to run on every boot. The post_main.d directory is invoked by Firewalla at the appropriate boot stage.

Initial Setup

  1. Place certs, wpa_supplicant.conf, and wpa_supplicant-eth1.service in /home/pi/wpa/
  2. Place att_bypass.sh in /home/pi/.firewalla/config/post_main.d/ and chmod +x it
  3. Run it once manually:
     sudo /home/pi/.firewalla/config/post_main.d/att_bypass.sh
  4. Verify authentication:
     systemctl status wpa_supplicant-eth1.service
     sudo journalctl -u wpa_supplicant-eth1.service

Look for "EAP authentication completed successfully" in the journal output.

Verification

systemctl is-enabled wpa_supplicant-eth1.service   # expected: enabled
systemctl is-active wpa_supplicant-eth1.service     # expected: active
sudo journalctl -u wpa_supplicant-eth1.service -b   # EAP SUCCESS on boot
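A pre-flight check for the config and cert files above, added here as an example and not part of the original guide: it parses wpa_supplicant.conf, confirms the two critical quirks, the MAC-format identity and the three cert paths, and greps the journal output for the success line. The 0600 check on the private key is this script's own addition, and the function names are assumptions.

```shell
#!/bin/sh
# att_preflight.sh: sanity-checks the /home/pi/wpa/ setup before the first run
# of att_bypass.sh. Added example, not part of the guide; function names are its own.

# Print the value of KEY ($2) from a wpa_supplicant.conf ($1), surrounding
# quotes stripped; exit status 1 if the key is absent.
conf_value() {
  sed -n "s/^[[:space:]]*$2=\"\{0,1\}\([^\"]*\)\"\{0,1\}[[:space:]]*$/\1/p" "$1" |
    head -n 1 | grep .
}

# The private key must be readable by its owner only (0600 or 0400; GNU stat).
key_perms_ok() {
  mode=$(stat -c '%a' "$1" 2>/dev/null) || return 1
  [ "$mode" = 600 ] || [ "$mode" = 400 ]
}

# Succeed if the supplicant log (file args, or stdin) contains the line the
# guide says to look for; pipe `journalctl -u wpa_supplicant-eth1.service -b` in.
eap_success_in() {
  grep -q 'EAP authentication completed successfully' "$@"
}

# Check the settings the guide marks as critical, the identity format and the
# three cert files. Prints one line per problem; returns 1 if anything failed.
conf_ok() {
  f="$1"; rc=0
  [ "$(conf_value "$f" eap)" = TLS ] || { echo "eap must be TLS"; rc=1; }
  [ "$(conf_value "$f" key_mgmt)" = IEEE8021X ] || { echo "key_mgmt must be IEEE8021X"; rc=1; }
  [ "$(conf_value "$f" openssl_ciphers)" = 'DEFAULT@SECLEVEL=0' ] ||
    { echo "openssl_ciphers=DEFAULT@SECLEVEL=0 missing (the AT&T certs need it)"; rc=1; }
  [ "$(conf_value "$f" phase1)" = 'allow_canned_success=1' ] ||
    { echo "phase1=\"allow_canned_success=1\" missing"; rc=1; }
  id=$(conf_value "$f" identity) || id=
  printf '%s\n' "$id" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$' ||
    { echo "identity '$id' is not a MAC address (placeholder still in place?)"; rc=1; }
  for k in ca_cert client_cert private_key; do
    p=$(conf_value "$f" "$k") || { echo "$k is not set"; rc=1; continue; }
    case "$p" in *'<CERT_ID>'*) echo "$k still contains <CERT_ID>"; rc=1; continue ;; esac
    [ -r "$p" ] || { echo "$k file $p is missing or unreadable"; rc=1; continue; }
    if [ "$k" = private_key ] && ! key_perms_ok "$p"; then
      echo "private key $p is readable by other users; chmod 600 it"; rc=1
    fi
  done
  return $rc
}

# Usage: sh att_preflight.sh /home/pi/wpa/wpa_supplicant.conf
# With no argument the script only defines the functions (e.g. when sourced).
[ $# -eq 0 ] || conf_ok "$1"
```

Run it as root-equivalent (the cert files are only readable by pi and root) before the first manual run of att_bypass.sh; a non-zero exit with the printed reasons is what you want to see instead of a silent EAP failure in the journal.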

Design Notes

Why a systemd unit instead of dhclient hooks

The previous approach used dhclient-enter-hooks.d with cron polling that restarted firerouter_dhclient@eth1 to trigger the hook. This had race conditions — wpa_supplicant didn't reliably come back after reboots because dhclient service readiness was unpredictable.

The current systemd unit with explicit Before= ordering against firerouter_dhclient@eth1 gives clean lifecycle management, proper restart behavior, and no dhclient hook dance.

Why not edit /etc/systemd/system/ directly

Firewalla firmware updates may overlay or reset /etc. Keeping the unit source in /home/pi/wpa/ with a post_main.d installer makes the setup firmware-update-safe.