I have AT&T fiber. It terminates into an ONT, which is fine, but AT&T wants you to run all your traffic through their residential gateway, which is not fine. The gateway authenticates the line with 802.1X (EAP-TLS) using a certificate baked into the device. If you pull that certificate out and run wpa_supplicant on your own router, the router can do the handshake itself and you can retire the AT&T box. On a UDM-Pro you can run wpa_supplicant right on the WAN port and plug straight into the ONT.
I first wrote this in 2020 pointing at a couple of community scripts. The idea is the same; the way I run it now is cleaner and survives firmware updates. This is how it works on a current UniFi OS.
Bring your own binary, keep everything in /data
UniFi OS does not include a wpa_supplicant you can rely on, so you supply your own. The trick that makes it hold up is to keep the binary and everything it needs in /data, which survives reboots and firmware updates. An update replaces the entire base OS image, so anything you put in /etc or borrow from the system can vanish. Keep the binary, libraries, certs, and config in /data and an update can swap the whole OS out from under you without touching your setup.
Layout
Everything lives under /data/att-supplicant/ on the UDM-Pro:
/data/att-supplicant/
bin/wpa_supplicant # you supply this; the OS doesn't include one
lib/libpcsclite.so.1 # the one extra lib the binary needs
conf/wpa_supplicant.conf
conf/ca.pem
conf/client.pem
conf/private_key.pem
/data persists across reboots and firmware updates; it is where the UniFi controller keeps its own database. Because the update only replaces the base OS image, a setup that lives entirely under /data comes through untouched.
Get the certificates
You need the EAP-TLS certificate and private key from an AT&T gateway: a CA chain, the client certificate, and the private key. Extracting them from the gateway’s manufacturing data is its own topic and well documented elsewhere (search for mfg_dat_decode). The EAP identity is the gateway’s WAN MAC address. Drop the three PEM files in conf/, and guard them closely: don’t share them, and don’t lose them.
Get a wpa_supplicant binary
The UDM-Pro is aarch64 with a Debian bullseye userland, so the official Debian arm64 package is a drop-in. Pull it apart on any machine and copy the binary over:
# arm64 wpa_supplicant
curl -fsSLO https://deb.debian.org/debian/pool/main/w/wpa/wpasupplicant_2.9.0-21+deb11u3_arm64.deb
ar x wpasupplicant_*.deb && tar xf data.tar.xz
# binary is ./sbin/wpa_supplicant
# its one extra dependency, libpcsclite
curl -fsSLO https://deb.debian.org/debian/pool/main/p/pcsc-lite/libpcsclite1_1.9.1-1_arm64.deb
ar x libpcsclite1_*.deb && tar xf data.tar.xz
# lib is ./usr/lib/aarch64-linux-gnu/libpcsclite.so.1.0.0 (copy it as libpcsclite.so.1)
Put wpa_supplicant in bin/ and libpcsclite.so.1 in lib/. Confirm it runs and nothing else is missing:
LD_LIBRARY_PATH=/data/att-supplicant/lib ldd /data/att-supplicant/bin/wpa_supplicant | grep "not found"
LD_LIBRARY_PATH=/data/att-supplicant/lib /data/att-supplicant/bin/wpa_supplicant -v
The config
conf/wpa_supplicant.conf, pointing at the certs by their /data path:
eapol_version=1
ap_scan=0
fast_reauth=1
network={
ca_cert="/data/att-supplicant/conf/ca.pem"
client_cert="/data/att-supplicant/conf/client.pem"
private_key="/data/att-supplicant/conf/private_key.pem"
identity="XX:XX:XX:XX:XX:XX"
eap=TLS
eapol_flags=0
key_mgmt=IEEE8021X
phase1="allow_canned_success=1"
}
identity is the gateway WAN MAC. No MAC cloning on the UDM is required; the certificate is what authenticates.
The systemd unit
/etc/systemd/system/att-supplicant.service. It runs the /data binary, sets LD_LIBRARY_PATH so the loader finds the bundled lib, and restarts if it ever dies:
[Unit]
Description=AT&T EAP-TLS wired supplicant (eth8)
After=local-fs.target
[Service]
Type=simple
Environment=LD_LIBRARY_PATH=/data/att-supplicant/lib
ExecStart=/data/att-supplicant/bin/wpa_supplicant -s -Dwired -ieth8 -c/data/att-supplicant/conf/wpa_supplicant.conf
Restart=always
RestartSec=5
[Install]
WantedBy=multi-user.target
Two things. eth8 is the UDM-Pro’s WAN port; confirm yours with ip -br link and match where the ONT is plugged in. And do not order this After=network-online.target, which is tempting but wrong: this service is what brings the network online, so waiting on the network deadlocks after a firmware update.
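A preflight check that ties the pieces above together (the /data layout, the ldd check, the paths and identity in the config, and the unit's ordering), as an added example that is not from the original post. It assumes the /data/att-supplicant layout and unit path given above but takes both as parameters so it can be run against any tree, and it additionally insists the private key is readable by root only (mode 600), which is the concrete form of "guard them closely". The function name att_preflight and the 600 requirement are mine.

```shell
#!/bin/sh
# Preflight check for the self-contained supplicant tree. Added example; not from the post.
# Assumptions: the /data/att-supplicant layout and the unit path described above (both
# overridable), and GNU stat (-c), which the Debian userland on the UDM-Pro provides.
#
# Usage on the UDM-Pro:  att_preflight            (defaults to the live paths)
# Prints one problem per line and returns 0 only when everything checks out.

att_preflight() {
    root="${1:-/data/att-supplicant}"
    unit="${2:-/etc/systemd/system/att-supplicant.service}"
    rc=0

    # 1. Every file the unit depends on must be present.
    for f in bin/wpa_supplicant lib/libpcsclite.so.1 conf/wpa_supplicant.conf \
             conf/ca.pem conf/client.pem conf/private_key.pem; do
        [ -e "$root/$f" ] || { echo "missing: $root/$f"; rc=1; }
    done

    # 2. The private key is the line credential; only root should be able to read it.
    if [ -e "$root/conf/private_key.pem" ]; then
        mode=$(stat -c '%a' "$root/conf/private_key.pem")
        case "$mode" in
            600|400) ;;
            *) echo "private_key.pem mode is $mode, expected 600"; rc=1 ;;
        esac
    fi

    cfg="$root/conf/wpa_supplicant.conf"
    if [ -r "$cfg" ]; then
        # 3. Each certificate path named in the config must exist; a typo here just fails EAP.
        for p in $(grep -E '^[[:space:]]*(ca_cert|client_cert|private_key)=' "$cfg" |
                   sed 's/^[^"]*"//; s/".*$//'); do
            [ -e "$p" ] || { echo "config points at missing file: $p"; rc=1; }
        done
        # 4. identity must be a real MAC, not the XX:XX placeholder left over from the template.
        grep -Eq '^[[:space:]]*identity="([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}"' "$cfg" ||
            { echo "identity is not a MAC address"; rc=1; }
    fi

    # 5. The bundled lib/ must satisfy every shared-library dependency of the binary.
    if [ -x "$root/bin/wpa_supplicant" ] && command -v ldd >/dev/null 2>&1; then
        missing=$(LD_LIBRARY_PATH="$root/lib" ldd "$root/bin/wpa_supplicant" 2>/dev/null |
                  grep 'not found' || true)
        [ -z "$missing" ] || { echo "unresolved libraries:"; echo "$missing"; rc=1; }
    fi

    # 6. The unit must not wait for the network it is itself responsible for bringing up.
    if [ -r "$unit" ] && grep -q 'After=.*network-online\.target' "$unit"; then
        echo "$unit orders After=network-online.target; that deadlocks after an update"; rc=1
    fi

    return $rc
}
```

Run it once after the initial install and again after any firmware update before you start chasing the ONT: a missing library, a placeholder identity, or a world-readable key each show up as a single line, and a clean exit status means the remaining problem is on the wire, not in /data.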
Enable and start it, then watch for the handshake:
systemctl daemon-reload
systemctl enable --now att-supplicant.service
journalctl -u att-supplicant -f # look for CTRL-EVENT-EAP-SUCCESS
Once you see EAP-SUCCESS, the WAN DHCP lease shows up within a few seconds and you are online.
After a firmware update
Most updates need nothing; the unit lives in /etc and everything it runs lives in /data. If the WAN is down after a big jump:
- The update resets the SSH password and changes the login prompt. Re-set the password in the console UI before you try to get in.
- Usually systemctl restart att-supplicant is all it takes.
- If the binary won’t start, the base OS moved to a newer Debian and a shared library went missing. Run the ldd check above and bundle whatever it names into lib/ the same way as libpcsclite (libssl and libnl are the likely candidates). This is the whole reason for keeping the binary self-contained.
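The bundling step from the last item, written out as an added helper that is not from the original post: it reads ldd output on stdin and, for every soname reported as not found, copies the matching real file out of a Debian package tree (unpacked with ar x and tar xf exactly as for libpcsclite above) into lib/ under the name the loader asked for. The function name bundle_missing_libs and the assumption that you pass the unpacked tree as the second argument are mine.

```shell
#!/bin/sh
# Copy libraries that ldd reports as "not found" into the supplicant's private lib/.
# Added example; not from the original post.
#
# Usage:
#   LD_LIBRARY_PATH=/data/att-supplicant/lib ldd /data/att-supplicant/bin/wpa_supplicant \
#       | bundle_missing_libs /data/att-supplicant /path/to/unpacked-deb
#
#   ROOT     = the supplicant tree (assumed layout: bin/, lib/, conf/ as above)
#   UNPACKED = directory where `ar x pkg.deb && tar xf data.tar.xz` was run
# Returns 0 only if every missing soname was found in UNPACKED and copied.

bundle_missing_libs() {
    root="$1"; src="$2"; rc=0
    mkdir -p "$root/lib"

    # ldd prints one "libfoo.so.N => not found" line per unresolved soname.
    for so in $(awk '/=> not found/ { print $1 }'); do
        # The package ships the versioned real file (e.g. libpcsclite.so.1.0.0) plus a
        # symlink named after the soname; -type f skips the symlink and finds the real file.
        found=$(find "$src" -type f -name "$so*" 2>/dev/null | head -n 1)
        if [ -z "$found" ]; then
            echo "no file for $so under $src"; rc=1; continue
        fi
        # Install it under the exact soname the loader is asking for.
        cp "$found" "$root/lib/$so"
        echo "bundled $so from $found"
    done
    return $rc
}
```

Re-run the ldd check after bundling: a library you just added can pull in dependencies of its own (libssl needs libcrypto, for instance), so repeat until ldd reports nothing missing, then restart the unit.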
Older references
Background on the concept and extracting the certs:
- https://github.com/pbrah/wpa_supplicant-udmpro
- https://github.com/unifi-utilities/unifi-common (formerly boostchicken/udm-utilities)